name: Terraform security scanner on: workflow_dispatch: push: branches: - main - "release/**" paths: - "**.tf" - ".github/workflows/test-tfsec.yml" pull_request: paths: - "**.tf" - ".github/workflows/test-tfsec.yml" jobs: tfsec: name: tfsec runs-on: ubuntu-22.04 permissions: contents: read pull-requests: write steps: - name: Checkout uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} - name: tfsec uses: aquasecurity/tfsec-pr-commenter-action@5b483d46fb4fd0cbe2259cf68354a3fb23aa70fe with: soft_fail_commenter: true tfsec_formats: default,text tfsec_args: --force-all-dirs github_token: ${{ github.token }} - name: tfsec summary shell: bash run: tail -n 27 results.text >> "$GITHUB_STEP_SUMMARY"