This action runs Terrascan, a static code analyzer for infrastructure as code(IaC) security best practices. It supports displaying the results of the scan in the GitHub repository's Security tab under code scanning alerts, when the sarif_upload
input variable is included.
Required IaC type (helm, k8s, kustomize, terraform).
Path to a directory containing one or more IaC files. Default "."
.
IaC version (helm: v3, k8s: v1, kustomize: v3, terraform: v12, v14).
Do not scan directories and modules recursively
Policy path directory for custom policies.
Policy type (all, aws, azure, gcp, github, k8s). Default all
.
One or more rules to skip while scanning (example: "ruleID1,ruleID2").
Config file path.
The action will only warn and not error when violations are found.
If this variable is included, a sarif file named terrascan.sarif will be generated with the results of the scan.
on: [push]
jobs:
terrascan_job:
runs-on: ubuntu-latest
name: terrascan-action
steps:
- name: Checkout repository
uses: actions/checkout@v2
- name: Run Terrascan
id: terrascan
uses: accurics/terrascan-action@main
with:
iac_type: 'terraform'
iac_version: 'v14'
policy_type: 'aws'
only_warn: true
#sarif_upload: true
#non_recursive:
#iac_dir:
#policy_path:
#skip_rules:
#config_path:
Using the SARIF output option, the results of the scan will be displayed in the security tab of the repository being scanned. The example below shows how to accomplish this. More information on GitHub code scanning is available here.
on: [push]
jobs:
terrascan_job:
runs-on: ubuntu-latest
name: terrascan-action
steps:
- name: Checkout repository
uses: actions/checkout@v2
- name: Run Terrascan
id: terrascan
uses: accurics/terrascan-action@main
with:
iac_type: 'terraform'
iac_version: 'v14'
policy_type: 'aws'
only_warn: true
sarif_upload: true
#non_recursive:
#iac_dir:
#policy_path:
#skip_rules:
#config_path:
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: terrascan.sarif