constellation/.github/workflows/test-tfsec.yml
Fabian Kammel 48c8a66114
Minimal GitHub Action token permissions. (#1104)
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2023-01-30 16:11:27 +01:00

41 lines
1012 B
YAML

name: Terraform security scanner
on:
workflow_dispatch:
push:
branches:
- main
- "release/**"
paths:
- "**.tf"
- "./github/workflows/test-tfsec.yml"
pull_request:
paths:
- "**.tf"
- "./github/workflows/test-tfsec.yml"
jobs:
tfsec:
name: tfsec
runs-on: ubuntu-22.04
permissions:
contents: read
pull-requests: write
steps:
- name: Checkout
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: tfsec
uses: aquasecurity/tfsec-pr-commenter-action@7a44c5dcde5dfab737363e391800629e27b6376b
with:
soft_fail_commenter: true
tfsec_formats: default,text
tfsec_args: --force-all-dirs
github_token: ${{ github.token }}
- name: tfsec summary
shell: bash
run: tail -n 27 results.text >> "$GITHUB_STEP_SUMMARY"