From 7cb3978ed39939c7a3e806285680915f7fbe67a8 Mon Sep 17 00:00:00 2001 From: cybershady Date: Sun, 11 Aug 2024 12:04:43 -0600 Subject: [PATCH 01/18] add in terraform actions --- .github/workflows/tfactions.yml | 42 +++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 .github/workflows/tfactions.yml diff --git a/.github/workflows/tfactions.yml b/.github/workflows/tfactions.yml new file mode 100644 index 0000000..809d872 --- /dev/null +++ b/.github/workflows/tfactions.yml @@ -0,0 +1,42 @@ +name: tfactions +on: + push: + branches: + - main + pull_request: +jobs: + tfactions: + name: tfactions + runs-on: ubuntu-latest + + steps: + - uses: hashicorp/setup-terraform@v3 + with: + cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }} + + - name: Terraform fmt execute + id: fmt + run: terraform fmt -recursive + continue-on-error: true + + - name: Terraform fmt check + id: fmt + run: terraform fmt -check + continue-on-error: true + + - name: Terraform init + id: init + run: terraform init + + - name: Terraform validate + id: validate + run: terraform validate -no-color + + - name: Terraform plan + id: plan + run: terraform plan -no-color + + - run: echo ${{ steps.plan.outputs.stdout }} + - run: echo ${{ steps.plan.outputs.stderr }} + - run: echo ${{ steps.plan.outputs.exitcode }} + From 8af1df77f3b3332b088e5e9e10df693a7c94ff99 Mon Sep 17 00:00:00 2001 From: cybershady Date: Sun, 11 Aug 2024 12:06:58 -0600 Subject: [PATCH 02/18] fixed action --- .github/workflows/tfactions.yml | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/.github/workflows/tfactions.yml b/.github/workflows/tfactions.yml index 809d872..196d7dc 100644 --- a/.github/workflows/tfactions.yml +++ b/.github/workflows/tfactions.yml 
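Review bot: Two steps in the new tfactions.yml carry `id: fmt` (the `Terraform fmt execute` and `Terraform fmt check` steps), and step ids must be unique within a job, so the workflow is rejected at validation before anything runs. Renaming the first to `id: fmt_write` fixes that, though running `terraform fmt -recursive` immediately before `terraform fmt -check` also means the check can never report anything because the files have just been rewritten. The three trailing `run: echo ${{ steps.plan.outputs.* }}` steps interpolate plan output straight into the shell command line, and on a `pull_request` trigger that text is derived from Terraform files a contributor controls; pass it through an environment variable instead, e.g. `env: PLAN: ${{ steps.plan.outputs.stdout }}` with `run: echo "$PLAN"`. The job also declares no `permissions:` block, so the default GITHUB_TOKEN scope applies; `permissions: contents: read` is enough for fmt, validate and plan.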
@@ -8,34 +8,23 @@ jobs: tfactions: name: tfactions runs-on: ubuntu-latest - steps: - uses: hashicorp/setup-terraform@v3 with: cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }} - - - name: Terraform fmt execute - id: fmt - run: terraform fmt -recursive - continue-on-error: true - - - name: Terraform fmt check + - name: Terraform fmt id: fmt run: terraform fmt -check continue-on-error: true - - name: Terraform init id: init run: terraform init - - name: Terraform validate id: validate run: terraform validate -no-color - - name: Terraform plan id: plan run: terraform plan -no-color - - run: echo ${{ steps.plan.outputs.stdout }} - run: echo ${{ steps.plan.outputs.stderr }} - run: echo ${{ steps.plan.outputs.exitcode }} From 43445f9f4c8bfa735fc92b5815abc4e44322bb17 Mon Sep 17 00:00:00 2001 From: cybershady Date: Sun, 11 Aug 2024 12:30:55 -0600 Subject: [PATCH 03/18] add in dummy task --- .terraform.lock.hcl | 25 +++++++++++++++++++++++++ main.tf | 7 +++++++ 2 files changed, 32 insertions(+) create mode 100644 .terraform.lock.hcl diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl new file mode 100644 index 0000000..ef31f06 --- /dev/null +++ b/.terraform.lock.hcl 
@@ -0,0 +1,25 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "5.62.0" + constraints = "~> 5.0" + hashes = [ + "h1:X3LAZdkVhb/77gTlhPwKYCA9oblBCSu866fZDDOojPY=", + "zh:1f366cbcda72fb123015439a42ab19f96e10ce4edb404273f4e1b7e06da20b73", + "zh:25f098454a34b483279e0382b24b4f42e51c067222c6e797eda5d3ec33b9beb1", + "zh:4b59d48b527e3cefd73f196853bfc265b3e1e57b55c1c8a2d12ff6e3534b4f07", + "zh:7bb88c1ca95e2b3f0f1fe8636925133b9813fc5b137cc467ba6a233ddf4b360e", + "zh:8a93dece40e816c92647e762839d0370e9cad2aa21dc4ca95baee9385f116459", + "zh:8dfe82c55ab8f633c1e2a39c687e9ca8c892d1c2005bf5166ac396ce868ecd05", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:a754952d69b4860480d5207390e3ab42350c964dbca9a5ac0c6912dd24b4c11d", + "zh:b2a4dbf4abee0e9ec18c5d323b99defdcd3c681f8c4306fb6e02cff7de038f85", + "zh:b57d84be258b571c04271015f03858ab215768b82e47c11ecd86e789d577030a", + "zh:be811b03289407c8d59e6b199bf16e6071165565ffe502148172d0886cf849c4", + "zh:d4144c7366c840eff1ac15ba13d96063f798f0983d24053a832362033624fe6f", + "zh:d88612856d453c4e10c49c76e4ef522b7d068b4f7c3e2e0b03dd74540986eecd", + "zh:e8bd231a5d0786cc4aab8471bb6dabd5a5df1c598afda077a9f27987ada57b67", + "zh:ffb40a66b4d000a8ee4c54227eeb998f887ad867419c3af7d3981587788de074", + ] +} diff --git a/main.tf b/main.tf index e69de29..457f648 100644 --- a/main.tf +++ b/main.tf @@ -0,0 +1,7 @@ +resource "aws_s3_bucket" "my_bucket" { + bucket = test-bucket-42353242213123 # Name of the S3 bucket + tags = { + Name = "MyS3Bucket" + Environment = "Dev" + } +} \ No newline at end of file From 5e573bc6e92978d5e60101e734a467295467659c Mon Sep 17 00:00:00 2001 From: cybershady Date: Sun, 11 Aug 2024 15:05:59 -0600 Subject: [PATCH 04/18] add in checkout step --- .github/workflows/tfactions.yml | 8 ++++++++ 1 file changed, 8 insertions(+) 
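Review bot: `bucket = test-bucket-42353242213123` in the new main.tf is an unquoted HCL expression (three identifiers joined by subtraction), not a string, so `terraform validate` fails on this line; it needs `bucket = "test-bucket-42353242213123"`. The bucket is also created with no public-access block, versioning or encryption configuration, which is exactly what the tfsec workflow added in this series will flag. If the resource is meant only as a pipeline smoke test, a comment saying so (`# placeholder resource for CI smoke testing; not intended for deployment`) keeps reviewers from reading it as production config.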
diff --git a/.github/workflows/tfactions.yml b/.github/workflows/tfactions.yml index 196d7dc..e3efb25 100644 --- a/.github/workflows/tfactions.yml +++ b/.github/workflows/tfactions.yml @@ -9,22 +9,30 @@ jobs: name: tfactions runs-on: ubuntu-latest steps: + - name: Checkout repository + uses: actions/checkout@v4 + - uses: hashicorp/setup-terraform@v3 with: cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }} + - name: Terraform fmt id: fmt run: terraform fmt -check continue-on-error: true + - name: Terraform init id: init run: terraform init + - name: Terraform validate id: validate run: terraform validate -no-color + - name: Terraform plan id: plan run: terraform plan -no-color + - run: echo ${{ steps.plan.outputs.stdout }} - run: echo ${{ steps.plan.outputs.stderr }} - run: echo ${{ steps.plan.outputs.exitcode }} From f6bbb460a72e085e09ff0b537dca96b4f73732ea Mon Sep 17 00:00:00 2001 From: cybershady Date: Sun, 11 Aug 2024 15:26:13 -0600 Subject: [PATCH 05/18] check gh actions --- .github/workflows/tfsec.yml | 27 +++++++++++++++++++++++++++ main.tf | 2 +- variables.tf | 13 +++++++++++++ 3 files changed, 41 insertions(+), 1 deletion(-) diff --git a/.github/workflows/tfsec.yml b/.github/workflows/tfsec.yml index 32a9446..7c6b0d6 100644 --- a/.github/workflows/tfsec.yml +++ b/.github/workflows/tfsec.yml 
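Review bot: The `actions/checkout@v4` step added at the top of the steps keeps the GITHUB_TOKEN in the workspace git config (checkout's default), while nothing in this job pushes; `with: persist-credentials: false` on that step keeps the token out of reach of the Terraform providers and the plan step that follow. The job still has no `permissions:` block, so the token arrives with the repository default scope; `permissions: contents: read` at job level is sufficient for fmt, init, validate and plan. Note that on `pull_request` runs from forks `secrets.TF_API_TOKEN` is empty, so `terraform init` against Terraform Cloud will fail there; a comment documenting that expectation would help the next reader.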
@@ -16,3 +16,30 @@ jobs: uses: aquasecurity/tfsec-action@v1.0.0 with: soft_fail: true + + - name: Post tfsec results as PR comment + if: ${{ github.event_name == 'pull_request' }} + uses: actions/github-script@v6 + with: + script: | + const { exec } = require('@actions/exec'); + let output = ''; + await exec('tfsec', [], { + listeners: { + stdout: (data) => { + output += data.toString(); + }, + }, + }); + const comment = ` + ## tfsec Scan Results + \`\`\` + ${output} + \`\`\` + `; + github.rest.issues.createComment({ + issue_number: github.context.issue.number, + owner: github.context.repo.owner, + repo: github.context.repo.repo, + body: comment, + }); \ No newline at end of file diff --git a/main.tf b/main.tf index 457f648..6e30e34 100644 --- a/main.tf +++ b/main.tf @@ -1,5 +1,5 @@ resource "aws_s3_bucket" "my_bucket" { - bucket = test-bucket-42353242213123 # Name of the S3 bucket + bucket = "test-bucket-42353242213123" tags = { Name = "MyS3Bucket" Environment = "Dev" diff --git a/variables.tf b/variables.tf index e69de29..85c5bf1 100644 --- a/variables.tf +++ b/variables.tf @@ -0,0 +1,13 @@ +variable "name" { + type = string +} + +variable "region" { + description = "AWS region to create resources in" + type = string + default = "us-east-1" +} + +variable "aws_account" { + description = "Account number to create AWS resources in. This variable should be defined in the Terraform Cloud workspace settings" +} \ No newline at end of file From 2eb272ccd102d4df2bcc950822ed8dc5fca898f2 Mon Sep 17 00:00:00 2001 From: cybershady Date: Sun, 11 Aug 2024 15:37:02 -0600 Subject: [PATCH 06/18] fix gh actions --- .github/workflows/tfsec.yml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/.github/workflows/tfsec.yml b/.github/workflows/tfsec.yml index 7c6b0d6..58e71a8 100644 --- a/.github/workflows/tfsec.yml +++ b/.github/workflows/tfsec.yml @@ -1,9 +1,11 @@ name: tfsec + on: push: branches: - main pull_request: + jobs: tfsec: name: tfsec 
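Review bot: `require('@actions/exec')` in the new github-script step will throw, because the script is evaluated inside actions/github-script, which does not expose that package to `require` but instead injects an `exec` object; the call should read `await exec.exec('tfsec', [], { listeners: { stdout: ... } })`. Even then the step invokes `tfsec` on the runner itself, whereas the preceding step runs it inside the aquasecurity/tfsec-action container, so the binary is not on PATH unless a separate install step is added — worth confirming before relying on this. On `pull_request` events from forks the token is read-only and `createComment` will fail, so the step should tolerate that. The enclosing job starts before this hunk.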
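Review bot: `variable "aws_account"` in the new variables.tf declares no `type`, so a value set in the workspace as a number is accepted and then used in `allowed_account_ids` and `role_arn` in provider.tf; add `type = string` to match the other two variables. `variable "name"` has neither a description nor a default and is not referenced in any hunk shown in this series, so either document what it is for or drop it.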
@@ -11,8 +13,10 @@ jobs: steps: - name: Clone repo - uses: actions/checkout@master - - name: tfsec + uses: actions/checkout@v4 + + - name: Run tfsec + id: tfsec uses: aquasecurity/tfsec-action@v1.0.0 with: soft_fail: true @@ -22,9 +26,8 @@ jobs: uses: actions/github-script@v6 with: script: | - const { exec } = require('@actions/exec'); let output = ''; - await exec('tfsec', [], { + await github.exec('tfsec', [], { listeners: { stdout: (data) => { output += data.toString(); From 6ff24bf903add6344ea9f82f365acb02d33fd870 Mon Sep 17 00:00:00 2001 From: cybershady Date: Sun, 11 Aug 2024 15:39:20 -0600 Subject: [PATCH 07/18] more gh actions fixes --- .github/workflows/tfsec.yml | 17 +++++------------ provider.tf | 2 +- 2 files changed, 6 insertions(+), 13 deletions(-) diff --git a/.github/workflows/tfsec.yml b/.github/workflows/tfsec.yml index 58e71a8..ed6ad76 100644 --- a/.github/workflows/tfsec.yml +++ b/.github/workflows/tfsec.yml @@ -17,23 +17,16 @@ jobs: - name: Run tfsec id: tfsec - uses: aquasecurity/tfsec-action@v1.0.0 - with: - soft_fail: true + run: | + tfsec > tfsec_output.txt - name: Post tfsec results as PR comment if: ${{ github.event_name == 'pull_request' }} uses: actions/github-script@v6 with: script: | - let output = ''; - await github.exec('tfsec', [], { - listeners: { - stdout: (data) => { - output += data.toString(); - }, - }, - }); + const fs = require('fs'); + const output = fs.readFileSync('tfsec_output.txt', 'utf8'); const comment = ` ## tfsec Scan Results \`\`\` @@ -45,4 +38,4 @@ jobs: owner: github.context.repo.owner, repo: github.context.repo.repo, body: comment, - }); \ No newline at end of file + }); diff --git a/provider.tf b/provider.tf index c8305b0..9403982 100644 --- a/provider.tf +++ b/provider.tf 
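Review bot: `await github.exec('tfsec', [], {` on the new side will fail with a TypeError, because `github` in actions/github-script is the Octokit client and has no `exec` method; the exec package is injected as a separate `exec` global, so the line should be `await exec.exec('tfsec', [], {`. This only helps if a tfsec binary is on the runner's PATH, which the preceding container-based tfsec-action step does not provide, so an install step would still be needed. The script block starts before this hunk.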
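Review bot: `run: | tfsec > tfsec_output.txt` replaces the container action with a bare `tfsec` invocation, but no step installs tfsec on ubuntu-latest, so this step fails with command-not-found before the comment step runs. When the binary is present, tfsec exits non-zero whenever it reports findings, which also aborts the job before the PR comment is posted; add `continue-on-error: true` (or a `--soft-fail` flag) if the comment is meant to carry findings. A single command does not need a `|` block scalar: `run: tfsec > tfsec_output.txt`.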
@@ -14,7 +14,7 @@ provider "aws" { allowed_account_ids = [var.aws_account] assume_role { - role_arn = "arn:aws:iam::${var.aws_account}:role/svc_terraform" + role_arn = "arn:aws:iam::${var.aws_account}:role/terraform-service" session_name = "Terraform" } From 6b25a1412db9e8af98b5d06c23f3cd8bebd2bcbd Mon Sep 17 00:00:00 2001 From: cybershady Date: Sun, 11 Aug 2024 15:44:07 -0600 Subject: [PATCH 08/18] more fixes --- .github/workflows/tfsec.yml | 31 ++++--------------------------- 1 file changed, 4 insertions(+), 27 deletions(-) diff --git a/.github/workflows/tfsec.yml b/.github/workflows/tfsec.yml index ed6ad76..b72a25c 100644 --- a/.github/workflows/tfsec.yml +++ b/.github/workflows/tfsec.yml @@ -1,11 +1,9 @@ name: tfsec - on: push: branches: - main pull_request: - jobs: tfsec: name: tfsec @@ -13,29 +11,8 @@ jobs: steps: - name: Clone repo - uses: actions/checkout@v4 - - - name: Run tfsec - id: tfsec - run: | - tfsec > tfsec_output.txt - - - name: Post tfsec results as PR comment - if: ${{ github.event_name == 'pull_request' }} - uses: actions/github-script@v6 + uses: actions/checkout@master + - name: tfsec + uses: aquasecurity/tfsec-action@v1.0.0 with: - script: | - const fs = require('fs'); - const output = fs.readFileSync('tfsec_output.txt', 'utf8'); - const comment = ` - ## tfsec Scan Results - \`\`\` - ${output} - \`\`\` - `; - github.rest.issues.createComment({ - issue_number: github.context.issue.number, - owner: github.context.repo.owner, - repo: github.context.repo.repo, - body: comment, - }); + soft_fail: true \ No newline at end of file From d53360de72d0673cb879c7318a738cf20859e3b3 Mon Sep 17 00:00:00 2001 From: cybershady Date: Sun, 11 Aug 2024 15:50:25 -0600 Subject: [PATCH 09/18] more action changes' --- .github/workflows/tfactions.yml | 26 ++++++++++++------------ .github/workflows/tfsec.yml | 35 ++++++++++++++++++++++++++++++--- 2 files changed, 45 insertions(+), 16 deletions(-) 
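Review bot: `uses: actions/checkout@master` reintroduced here (and again in the PATCH 12 hunk) pulls whatever the action's default branch currently contains, so the job's checkout code changes without any change to this repository; pin to a release tag (`actions/checkout@v4`, which the previous version used) or a commit SHA as the later tfsec-sarif-action step does. The file also loses its trailing newline again (`\ No newline at end of file`), which churns every subsequent diff of this file.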
diff --git a/.github/workflows/tfactions.yml b/.github/workflows/tfactions.yml index e3efb25..9549cef 100644 --- a/.github/workflows/tfactions.yml +++ b/.github/workflows/tfactions.yml @@ -18,22 +18,22 @@ jobs: - name: Terraform fmt id: fmt - run: terraform fmt -check + run: terraform fmt -recursive continue-on-error: true - - name: Terraform init - id: init - run: terraform init + # - name: Terraform init + # id: init + # run: terraform init - - name: Terraform validate - id: validate - run: terraform validate -no-color + # - name: Terraform validate + # id: validate + # run: terraform validate -no-color - - name: Terraform plan - id: plan - run: terraform plan -no-color + # - name: Terraform plan + # id: plan + # run: terraform plan -no-color - - run: echo ${{ steps.plan.outputs.stdout }} - - run: echo ${{ steps.plan.outputs.stderr }} - - run: echo ${{ steps.plan.outputs.exitcode }} + # - run: echo ${{ steps.plan.outputs.stdout }} + # - run: echo ${{ steps.plan.outputs.stderr }} + # - run: echo ${{ steps.plan.outputs.exitcode }} diff --git a/.github/workflows/tfsec.yml b/.github/workflows/tfsec.yml index b72a25c..23adf48 100644 --- a/.github/workflows/tfsec.yml +++ b/.github/workflows/tfsec.yml @@ -4,6 +4,7 @@ on: branches: - main pull_request: + jobs: tfsec: name: tfsec 
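Review bot: Switching the fmt step from `terraform fmt -check` to `terraform fmt -recursive` turns the gate into a no-op: `-recursive` rewrites files on the runner and exits 0, and the rewritten files are never committed or inspected, so the step can no longer fail a PR. Keep `-check`, adding `-recursive` only to cover subdirectories (`run: terraform fmt -check -recursive`), and drop `continue-on-error: true` if the check is meant to block. The init, validate and plan steps are commented out rather than removed; if they are coming back, a comment stating why they are disabled would help, otherwise delete them.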
@@ -11,8 +12,36 @@ jobs: steps: - name: Clone repo - uses: actions/checkout@master - - name: tfsec + uses: actions/checkout@v4 + + - name: Run tfsec + id: tfsec uses: aquasecurity/tfsec-action@v1.0.0 with: - soft_fail: true \ No newline at end of file + soft_fail: true + + - name: Extract tfsec results + id: extract + run: | + results=$(grep -A 6 "results" ${{ steps.tfsec.outputs.report }} | tail -n 6) + echo "TFSEC_RESULTS<> $GITHUB_ENV + echo "$results" >> $GITHUB_ENV + echo "EOF" >> $GITHUB_ENV + + - name: Post tfsec summary as PR comment + if: ${{ github.event_name == 'pull_request' }} + uses: actions/github-script@v6 + with: + script: | + const comment = ` + ## tfsec Scan Summary + \`\`\` + ${process.env.TFSEC_RESULTS} + \`\`\` + `; + github.rest.issues.createComment({ + issue_number: github.context.issue.number, + owner: github.context.repo.owner, + repo: github.context.repo.repo, + body: comment, + }); From a4d6d7c2efaf1e487cbf0d8c1f837ffadbf8969e Mon Sep 17 00:00:00 2001 From: cybershady Date: Sun, 11 Aug 2024 15:51:59 -0600 Subject: [PATCH 10/18] more action changes' --- .github/workflows/tfsec.yml | 9 +++++---- main.tf | 2 +- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/.github/workflows/tfsec.yml b/.github/workflows/tfsec.yml index 23adf48..50bca54 100644 --- a/.github/workflows/tfsec.yml +++ b/.github/workflows/tfsec.yml @@ -23,7 +23,7 @@ jobs: - name: Extract tfsec results id: extract run: | - results=$(grep -A 6 "results" ${{ steps.tfsec.outputs.report }} | tail -n 6) + results=$(grep -A 6 "results" tfsec_output.txt | tail -n 6) echo "TFSEC_RESULTS<> $GITHUB_ENV echo "$results" >> $GITHUB_ENV echo "EOF" >> $GITHUB_ENV @@ -33,6 +33,7 @@ jobs: uses: actions/github-script@v6 with: script: | + const { issue, repo } = github.context; const comment = ` ## tfsec Scan Summary \`\`\` 
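Review bot: The new `Extract tfsec results` step interpolates `${{ steps.tfsec.outputs.report }}` into the shell line, and nothing in this series shows the tfsec-action declaring a `report` output, so `grep` would most likely receive an empty path; confirm the output exists in the action's action.yml or read from a fixed file name. The heredoc line reads `echo "TFSEC_RESULTS<> $GITHUB_ENV` on the page, which has an unbalanced quote — if that is not a rendering artifact it should be `echo "TFSEC_RESULTS<<EOF" >> $GITHUB_ENV` to match the `echo "EOF" >> $GITHUB_ENV` that closes it. Values that come from step outputs should be passed via `env:` rather than inline `${{ }}` in `run:`, since the expansion is shell-interpreted as written.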
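Review bot: `grep -A 6 "results" tfsec_output.txt` reads a file that nothing in the current workflow creates: the `tfsec > tfsec_output.txt` step was removed in PATCH 08 and nothing in this series shows the container action writing a file by that name, so this step fails and the summary comment never runs. Either restore a step that writes the file or configure the action to emit a report to a known path and read that.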
@@ -40,8 +41,8 @@ jobs: \`\`\` `; github.rest.issues.createComment({ - issue_number: github.context.issue.number, - owner: github.context.repo.owner, - repo: github.context.repo.repo, + issue_number: issue.number, + owner: repo.owner, + repo: repo.repo, body: comment, }); diff --git a/main.tf b/main.tf index 6e30e34..c61715c 100644 --- a/main.tf +++ b/main.tf @@ -2,6 +2,6 @@ resource "aws_s3_bucket" "my_bucket" { bucket = "test-bucket-42353242213123" tags = { Name = "MyS3Bucket" - Environment = "Dev" + Environment = "Dev" } } \ No newline at end of file From 55b7d02d8366242ba47fb1b96d70ea7bbe12ff01 Mon Sep 17 00:00:00 2001 From: cybershady Date: Sun, 11 Aug 2024 15:54:10 -0600 Subject: [PATCH 11/18] more action changes' --- .github/workflows/tf-fmt-check.yml | 22 +++++++++++++++++ .github/workflows/tfactions.yml | 39 ------------------------------ .github/workflows/tfsec.yml | 21 ++++++++++------ 3 files changed, 35 insertions(+), 47 deletions(-) create mode 100644 .github/workflows/tf-fmt-check.yml delete mode 100644 .github/workflows/tfactions.yml diff --git a/.github/workflows/tf-fmt-check.yml b/.github/workflows/tf-fmt-check.yml new file mode 100644 index 0000000..c18302c --- /dev/null +++ b/.github/workflows/tf-fmt-check.yml @@ -0,0 +1,22 @@ +name: tfactions +on: + push: + branches: + - main + pull_request: +jobs: + tfactions: + name: tfactions + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - uses: hashicorp/setup-terraform@v3 + with: + cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }} + + - name: Terraform fmt + id: fmt + run: terraform fmt -check + continue-on-error: true \ No newline at end of file diff --git a/.github/workflows/tfactions.yml b/.github/workflows/tfactions.yml deleted file mode 100644 index 9549cef..0000000 --- a/.github/workflows/tfactions.yml +++ /dev/null 
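Review bot: The new tf-fmt-check.yml keeps `name: tfactions` and a job named `tfactions` from the file it replaces, and `continue-on-error: true` on the only real step means the workflow reports success even when `terraform fmt -check` finds unformatted files. Rename to `name: tf-fmt-check`, and drop `continue-on-error` (or use `-check -diff` so the failure shows what to fix). The `cli_config_credentials_token` passed to setup-terraform is unused by `fmt`, which runs without a backend; omitting it keeps the secret out of a job that does not need it, and a `permissions: contents: read` block would complete the least-privilege setup. The file also ends without a trailing newline.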
@@ -1,39 +0,0 @@ -name: tfactions -on: - push: - branches: - - main - pull_request: -jobs: - tfactions: - name: tfactions - runs-on: ubuntu-latest - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - uses: hashicorp/setup-terraform@v3 - with: - cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }} - - - name: Terraform fmt - id: fmt - run: terraform fmt -recursive - continue-on-error: true - - # - name: Terraform init - # id: init - # run: terraform init - - # - name: Terraform validate - # id: validate - # run: terraform validate -no-color - - # - name: Terraform plan - # id: plan - # run: terraform plan -no-color - - # - run: echo ${{ steps.plan.outputs.stdout }} - # - run: echo ${{ steps.plan.outputs.stderr }} - # - run: echo ${{ steps.plan.outputs.exitcode }} - diff --git a/.github/workflows/tfsec.yml b/.github/workflows/tfsec.yml index 50bca54..4dc6536 100644 --- a/.github/workflows/tfsec.yml +++ b/.github/workflows/tfsec.yml @@ -33,16 +33,21 @@ jobs: uses: actions/github-script@v6 with: script: | - const { issue, repo } = github.context; - const comment = ` + const tfsecResults = process.env.TFSEC_RESULTS; + const issueNumber = github.context.payload.pull_request.number; + const repoName = github.context.repo.repo; + const repoOwner = github.context.repo.owner; + + const commentBody = ` ## tfsec Scan Summary \`\`\` - ${process.env.TFSEC_RESULTS} + ${tfsecResults} \`\`\` `; - github.rest.issues.createComment({ - issue_number: issue.number, - owner: repo.owner, - repo: repo.repo, - body: comment, + + await github.rest.issues.createComment({ + owner: repoOwner, + repo: repoName, + issue_number: issueNumber, + body: commentBody, }); From 1b845690f46283eadd06021e2c178eb428571670 Mon Sep 17 00:00:00 2001 From: cybershady Date: Sun, 11 Aug 2024 15:58:23 -0600 Subject: [PATCH 12/18] update tfsec --- .github/workflows/tfsec.yml | 40 +++---------------------------------- 1 file changed, 3 insertions(+), 37 deletions(-) 
diff --git a/.github/workflows/tfsec.yml b/.github/workflows/tfsec.yml index 4dc6536..ba7fa55 100644 --- a/.github/workflows/tfsec.yml +++ b/.github/workflows/tfsec.yml @@ -4,7 +4,6 @@ on: branches: - main pull_request: - jobs: tfsec: name: tfsec @@ -12,42 +11,9 @@ jobs: steps: - name: Clone repo - uses: actions/checkout@v4 - - - name: Run tfsec - id: tfsec + uses: actions/checkout@master + - name: tfsec uses: aquasecurity/tfsec-action@v1.0.0 with: soft_fail: true - - - name: Extract tfsec results - id: extract - run: | - results=$(grep -A 6 "results" tfsec_output.txt | tail -n 6) - echo "TFSEC_RESULTS<> $GITHUB_ENV - echo "$results" >> $GITHUB_ENV - echo "EOF" >> $GITHUB_ENV - - - name: Post tfsec summary as PR comment - if: ${{ github.event_name == 'pull_request' }} - uses: actions/github-script@v6 - with: - script: | - const tfsecResults = process.env.TFSEC_RESULTS; - const issueNumber = github.context.payload.pull_request.number; - const repoName = github.context.repo.repo; - const repoOwner = github.context.repo.owner; - - const commentBody = ` - ## tfsec Scan Summary - \`\`\` - ${tfsecResults} - \`\`\` - `; - - await github.rest.issues.createComment({ - owner: repoOwner, - repo: repoName, - issue_number: issueNumber, - body: commentBody, - }); + additional_args: '--gif --sort-severity --run-statistics --allow-checks-to-panic' \ No newline at end of file From ea254e70ac896756addb85d7a00ed48afc6d9a7c Mon Sep 17 00:00:00 2001 From: cybershady Date: Sun, 11 Aug 2024 20:20:22 -0600 Subject: [PATCH 13/18] update tfsec action --- .github/workflows/tfsec.yml | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/.github/workflows/tfsec.yml b/.github/workflows/tfsec.yml index ba7fa55..f7d3cde 100644 --- a/.github/workflows/tfsec.yml +++ b/.github/workflows/tfsec.yml 
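Review bot: `--allow-checks-to-panic` in the new `additional_args` line lets a panic inside a single rule abort the whole scan instead of being reported as a check error, which is a debugging setting rather than a CI one; combined with `soft_fail: true` directly above it, a crashed scan still shows the job green. Drop that flag, and verify each remaining flag (`--gif` in particular, which I cannot place from this diff) against the tfsec version the action ships, since an unknown flag also ends the run. The `actions/checkout@master` pin issue raised on PATCH 08 applies to this hunk too.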
@@ -6,14 +6,25 @@ on: pull_request: jobs: tfsec: - name: tfsec + name: tfsec sarif report runs-on: ubuntu-latest - + permissions: + actions: read + contents: read + security-events: write steps: - name: Clone repo - uses: actions/checkout@master + uses: actions/checkout@v2 + with: + persist-credentials: false + - name: tfsec - uses: aquasecurity/tfsec-action@v1.0.0 + uses: aquasecurity/tfsec-sarif-action@v0.1.0 + with: + sarif_file: tfsec.sarif + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v1 with: - soft_fail: true - additional_args: '--gif --sort-severity --run-statistics --allow-checks-to-panic' \ No newline at end of file + # Path to SARIF file relative to the root of the repository + sarif_file: tfsec.sarif \ No newline at end of file From dd641c8b014668e071f9df44e3f926d784fe3e8a Mon Sep 17 00:00:00 2001 From: cybershady Date: Sun, 11 Aug 2024 20:28:48 -0600 Subject: [PATCH 14/18] update actions --- .github/workflows/tf-fmt-check.yml | 3 ++- .github/workflows/tfsec.yml | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/tf-fmt-check.yml b/.github/workflows/tf-fmt-check.yml index c18302c..6d14614 100644 --- a/.github/workflows/tf-fmt-check.yml +++ b/.github/workflows/tf-fmt-check.yml @@ -19,4 +19,5 @@ jobs: - name: Terraform fmt id: fmt run: terraform fmt -check - continue-on-error: true \ No newline at end of file + with: + soft_fail: true \ No newline at end of file diff --git a/.github/workflows/tfsec.yml b/.github/workflows/tfsec.yml index f7d3cde..6e4fb9d 100644 --- a/.github/workflows/tfsec.yml +++ b/.github/workflows/tfsec.yml @@ -21,7 +21,8 @@ jobs: - name: tfsec uses: aquasecurity/tfsec-sarif-action@v0.1.0 with: - sarif_file: tfsec.sarif + sarif_file: tfsec.sarif + additional_args: '--severity HIGH' - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v1 From 9bcc9dc5557838edd1094353def590f186484404 Mon Sep 17 00:00:00 2001 
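Review bot: `github/codeql-action/upload-sarif@v1` on the new side is a retired major version (Node 12 based) that current runners no longer execute; use `@v3`. Likewise `actions/checkout@v2` goes backwards from the `@v4` used elsewhere in this series and should be `@v4`. The added `permissions:` block with `security-events: write` is the right scope for uploading SARIF, and `persist-credentials: false` is a good addition since nothing in the job pushes.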
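Review bot: `with: soft_fail: true` added under the `Terraform fmt` step is attached to a `run:` step, and `with:` is only valid on `uses:` steps, so the workflow file fails validation and never runs. If the intent is to keep the job green on formatting differences, the step-level key is `continue-on-error: true` (the line removed here); if the intent is to gate, leave both out.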
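Review bot: `additional_args: '--severity HIGH'` assumes both that tfsec-sarif-action declares an `additional_args` input and that tfsec accepts a `--severity` flag; I cannot confirm either from this diff, and GitHub only warns about unknown action inputs, so the filter may be silently ignored. tfsec's documented threshold flag is `--minimum-severity HIGH`; check the action's action.yml for the input name before relying on it.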
From: cybershady Date: Sun, 11 Aug 2024 20:30:46 -0600 Subject: [PATCH 15/18] update soft fail --- .github/workflows/tf-fmt-check.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/tf-fmt-check.yml b/.github/workflows/tf-fmt-check.yml index 6d14614..361320c 100644 --- a/.github/workflows/tf-fmt-check.yml +++ b/.github/workflows/tf-fmt-check.yml @@ -15,9 +15,8 @@ jobs: - uses: hashicorp/setup-terraform@v3 with: cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }} + soft_fail: true - name: Terraform fmt id: fmt run: terraform fmt -check - with: - soft_fail: true \ No newline at end of file From 5a665cc3f71a27b373a01ca826d8e741990430a2 Mon Sep 17 00:00:00 2001 From: cybershady Date: Sun, 11 Aug 2024 20:41:36 -0600 Subject: [PATCH 16/18] final gh action changes --- .github/workflows/tf-fmt-check.yml | 2 +- .github/workflows/tfsec.yml | 28 +++++++++++++++++----------- 2 files changed, 18 insertions(+), 12 deletions(-) diff --git a/.github/workflows/tf-fmt-check.yml b/.github/workflows/tf-fmt-check.yml index 361320c..c18302c 100644 --- a/.github/workflows/tf-fmt-check.yml +++ b/.github/workflows/tf-fmt-check.yml @@ -15,8 +15,8 @@ jobs: - uses: hashicorp/setup-terraform@v3 with: cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }} - soft_fail: true - name: Terraform fmt id: fmt run: terraform fmt -check + continue-on-error: true \ No newline at end of file diff --git a/.github/workflows/tfsec.yml b/.github/workflows/tfsec.yml index 6e4fb9d..b29f5d3 100644 --- a/.github/workflows/tfsec.yml +++ b/.github/workflows/tfsec.yml 
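Review bot: `soft_fail: true` moved under the `hashicorp/setup-terraform@v3` step's `with:` is not an input that action declares (its inputs cover CLI credentials, version and wrapper settings), so GitHub logs an unexpected-input warning and ignores it; it has no effect on the fmt step. With `continue-on-error` also gone, `terraform fmt -check` now fails the job on unformatted files, which is the useful behaviour — just delete the stray `soft_fail` line.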
@@ -1,31 +1,37 @@ +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + name: tfsec + on: push: - branches: - - main + branches: [ "main" ] pull_request: + branches: [ "main" ] + schedule: + - cron: '27 20 * * 5' + jobs: tfsec: - name: tfsec sarif report + name: Run tfsec sarif report runs-on: ubuntu-latest permissions: actions: read contents: read security-events: write + steps: - name: Clone repo - uses: actions/checkout@v2 - with: - persist-credentials: false + uses: actions/checkout@v4 - - name: tfsec - uses: aquasecurity/tfsec-sarif-action@v0.1.0 + - name: Run tfsec + uses: aquasecurity/tfsec-sarif-action@21ded20e8ca120cd9d3d6ab04ef746477542a608 with: - sarif_file: tfsec.sarif - additional_args: '--severity HIGH' + sarif_file: tfsec.sarif - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v3 with: # Path to SARIF file relative to the root of the repository sarif_file: tfsec.sarif \ No newline at end of file From 5d50e61d465e356788fa87144e7260dc98417cad Mon Sep 17 00:00:00 2001 From: cybershady Date: Sun, 11 Aug 2024 20:42:54 -0600 Subject: [PATCH 17/18] final gh action changes --- .github/workflows/tf-fmt-check.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/tf-fmt-check.yml b/.github/workflows/tf-fmt-check.yml index c18302c..4cb931c 100644 --- a/.github/workflows/tf-fmt-check.yml +++ b/.github/workflows/tf-fmt-check.yml @@ -18,5 +18,4 @@ jobs: - name: Terraform fmt id: fmt - run: terraform fmt -check - continue-on-error: true \ No newline at end of file + run: terraform fmt -check \ No newline at end of file From 4f5c43ebe3fdcaf84b37909502f6beaa563bcc1d Mon Sep 17 00:00:00 2001 From: cybershady Date: Sun, 11 Aug 2024 20:43:50 -0600 Subject: [PATCH 18/18] delete fake resource --- main.tf | 7 ------- 1 file changed, 7 deletions(-) 
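Review bot: The comment header added at the top of tfsec.yml starts mid-sentence (`# They are provided by a third-party ...`); the GitHub starter-workflow text it comes from opens with a line stating that the workflow uses actions not certified by GitHub, so either restore that first line or drop the fragment. The new `actions/checkout@v4` step drops the `persist-credentials: false` the previous version had, although the job only reads the tree and uploads SARIF; keeping `with: persist-credentials: false` avoids leaving the token in `.git/config` for the scanner container. Pinning `aquasecurity/tfsec-sarif-action` to a full commit SHA is the right move; an inline comment naming the tag it corresponds to (`# <release tag>`, confirm against the action's releases) keeps it maintainable. The file still ends without a trailing newline.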
diff --git a/main.tf b/main.tf index c61715c..e69de29 100644 --- a/main.tf +++ b/main.tf @@ -1,7 +0,0 @@ -resource "aws_s3_bucket" "my_bucket" { - bucket = "test-bucket-42353242213123" - tags = { - Name = "MyS3Bucket" - Environment = "Dev" - } -} \ No newline at end of file