38 changes: 22 additions & 16 deletions .github/workflows/terrasecure-scan.yml
@@ -1,6 +1,4 @@
name: TerraSecure IaC Security Scan
# only runs when infra code changes.
# this is separate from app build/test workflows.
on:
push:
branches: [main, develop]
Expand All @@ -11,11 +9,12 @@ on:
branches: [main, develop]
paths:
- 'infra/terraform/**'
workflow_dispatch: {}
- '.github/workflows/terrasecure-scan.yml'
workflow_dispatch: {}

permissions:
contents: read
security-events: write
security-events: write

concurrency:
group: terrasecure-${{ github.ref }}
Expand All @@ -29,27 +28,34 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v4

- name: Run TerraSecure
- name: Run TerraSecure (SARIF)
uses: JashwanthMU/TerraSecure@v2.0.0
with:
path: 'infra/terraform'
path: '${{ github.workspace }}/infra/terraform'
format: 'sarif'
fail-on: 'high'
upload-sarif: 'true'
output: '${{ github.workspace }}/terrasecure-results.sarif'
fail-on: 'critical'

- name: Upload SARIF to GitHub Security tab
if: always()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: '${{ github.workspace }}/terrasecure-results.sarif'

- name: Re-run for human-readable JSON artifact
if: always()
- name: Run TerraSecure (JSON report)
if: always()
continue-on-error: true
uses: JashwanthMU/TerraSecure@v2.0.0
with:
path: 'infra/terraform'
path: '${{ github.workspace }}/infra/terraform'
format: 'json'
fail-on: 'none'
upload-sarif: 'false'

- name: Upload JSON scan report as artifact
output: '${{ github.workspace }}/terrasecure-report.json'
fail-on: 'critical'
- name: Upload JSON report artifact
if: always()
uses: actions/upload-artifact@v4
with:
name: terrasecure-report
path: '**/report.json'
path: '${{ github.workspace }}/terrasecure-report.json'
retention-days: 30
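Review bot: The third-party scanner referenced on both `uses: JashwanthMU/TerraSecure@v2.0.0` lines (the SARIF step and the JSON-report step) is pinned to a mutable tag, so a re-tagged or compromised release changes what runs in a job that holds `security-events: write` and read access to the whole Terraform tree; pin it to a full-length commit SHA and keep the version as a trailing comment, `uses: JashwanthMU/TerraSecure@<FULL_COMMIT_SHA>  # v2.0.0`, and do the same for `checkout`, `upload-sarif` and `upload-artifact` if the repository's policy is SHA-pinning. The JSON step combines `fail-on: 'critical'` with `continue-on-error: true`, so its exit status can never fail the job; if that report-only behaviour is intended, document it with `# report-only: the SARIF step above is the gate; this run never fails the job` or drop `fail-on` there so readers do not assume a second gate. The `jobs:` block and the job's `runs-on` header start outside the hunk, so the job-level `permissions`/`if` context that decides whether forked pull requests reach these steps is not visible here.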