name: Terraform security scanner on: workflow_dispatch: push: branches: - main - "release/**" paths: - "**.tf" - "./github/workflows/test-tfsec.yml" pull_request: paths: - "**.tf" - "./github/workflows/test-tfsec.yml" permissions: contents: read pull-requests: write jobs: tfsec: name: tfsec runs-on: ubuntu-22.04 steps: - name: Checkout uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 with: ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} - name: tfsec uses: aquasecurity/tfsec-pr-commenter-action@7a44c5dcde5dfab737363e391800629e27b6376b with: soft_fail_commenter: true tfsec_formats: default,text tfsec_args: --force-all-dirs github_token: ${{ github.token }} - name: tfsec summary shell: bash run: tail -n 27 results.text >> "$GITHUB_STEP_SUMMARY"