From 5596b73841fd97643e1870773d96d9475bbfb5f4 Mon Sep 17 00:00:00 2001 From: Jashwanth Date: Thu, 25 Jun 2026 19:56:04 +0530 Subject: [PATCH] added a error free Iac tool scaning --- .github/workflows/terrasecure-scan.yml | 38 +++++++++++++++----------- 1 file changed, 22 insertions(+), 16 deletions(-) diff --git a/.github/workflows/terrasecure-scan.yml b/.github/workflows/terrasecure-scan.yml index 3a3f17a..8d2565e 100644 --- a/.github/workflows/terrasecure-scan.yml +++ b/.github/workflows/terrasecure-scan.yml @@ -1,6 +1,4 @@ name: TerraSecure IaC Security Scan -# only runs when infra code changes. -# this is separate from app build/test workflows. on: push: branches: [main, develop] @@ -11,11 +9,12 @@ on: branches: [main, develop] paths: - 'infra/terraform/**' - workflow_dispatch: {} + - '.github/workflows/terrasecure-scan.yml' + workflow_dispatch: {} permissions: contents: read - security-events: write + security-events: write concurrency: group: terrasecure-${{ github.ref }} @@ -29,27 +28,34 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 - - name: Run TerraSecure + - name: Run TerraSecure (SARIF) uses: JashwanthMU/TerraSecure@v2.0.0 with: - path: 'infra/terraform' + path: '${{ github.workspace }}/infra/terraform' format: 'sarif' - fail-on: 'high' - upload-sarif: 'true' + output: '${{ github.workspace }}/terrasecure-results.sarif' + fail-on: 'critical' + + - name: Upload SARIF to GitHub Security tab + if: always() + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: '${{ github.workspace }}/terrasecure-results.sarif' - - name: Re-run for human-readable JSON artifact - if: always() + - name: Run TerraSecure (JSON report) + if: always() + continue-on-error: true uses: JashwanthMU/TerraSecure@v2.0.0 with: - path: 'infra/terraform' + path: '${{ github.workspace }}/infra/terraform' format: 'json' - fail-on: 'none' - upload-sarif: 'false' - - - name: Upload JSON scan report as artifact + output: '${{ github.workspace }}/terrasecure-report.json' + fail-on: 'critical' + + - name: Upload JSON report artifact if: always() uses: actions/upload-artifact@v4 with: name: terrasecure-report - path: '**/report.json' + path: '${{ github.workspace }}/terrasecure-report.json' retention-days: 30 \ No newline at end of file