Skip to content

Run tfsec with reviewdog on pull requests to enforce security best practices

License

Notifications You must be signed in to change notification settings

jasonjanderson/action-tfsec

 
 

Repository files navigation

GitHub Action: Run tfsec with reviewdog

Tests Lint depup release GitHub release (latest SemVer) action-bumpr supported

This action runs tfsec with reviewdog on pull requests to enforce best practices.

Examples

With github-pr-check

By default, with reporter: github-pr-check an annotation is added to the line:

Example comment made by the action, with github-pr-check

With github-pr-review

With reporter: github-pr-review a comment is added to the Pull Request Conversation:

Example comment made by the action, with github-pr-review

Inputs

github_token

Required. Must be in form of github_token: ${{ secrets.github_token }}.

working_directory

Optional. Directory to run the action on, from the repo root. The default is . ( root of the repository).

level

Optional. Report level for reviewdog [info,warning,error]. It's same as -level flag of reviewdog. The default is error.

tool_name

Optional. Name of the tool being used. This controls how it will show up in the GitHub UI. The default is tfsec.

reporter

Optional. Reporter of reviewdog command [github-pr-check,github-pr-review]. The default is github-pr-check.

filter_mode

Optional. Filtering for the reviewdog command [added,diff_context,file,nofilter].

The default is added.

See reviewdog documentation for filter mode for details.

fail_on_error

Optional. Exit code for reviewdog when errors are found [true,false].

The default is false.

See reviewdog documentation for exit codes for details.

flags

Optional. Additional reviewdog flags. Useful for debugging errors, when it can be set to -tee. The default is ``.

tfsec_version

Optional. The version of tfsec to install. The default is latest.

tfsec_flags

Optional. List of arguments to send to tfsec. For the output to be parsable by reviewdog --format=checkstyle is enforced. The default is ``.

Outputs

tfsec-return-code

The tfsec command return code.

reviewdog-return-code

The reviewdog command return code.

Example usage

name: tfsec
on: [pull_request]
jobs:
  tfsec:
    name: runner / tfsec
    runs-on: ubuntu-latest # Windows and macOS are also supported

    steps:
      - name: Clone repo
        uses: actions/checkout@v2

      - name: Run tfsec with reviewdog output on the PR
        uses: reviewdog/action-tfsec@master
        with:
          github_token: ${{ secrets.github_token }}
          working_directory: my_directory # Change working directory
          level: info # Get more output from reviewdog
          reporter: github-pr-review # Change reviewdog reporter
          filter_mode: nofilter # Check all files, not just the diff
          fail_on_error: true # Fail action if errors are found
          flags: -tee # Add debug flag to reviewdog
          tfsec_flags: "" # Optional

Development

Release

You can bump version on merging Pull Requests with specific labels (bump:major,bump:minor,bump:patch). Pushing tag manually by yourself also work.

This action updates major/minor release tags on a tag push. e.g. Update v1 and v1.2 tag when released v1.2.3. ref: https://help.github.com/en/articles/about-actions#versioning-your-action

Lint - reviewdog integration

This reviewdog action template itself is integrated with reviewdog to run lints which is useful for Docker container based actions.

Supported linters:

Dependencies Update Automation

This repository uses haya14busa/action-depup to update reviewdog version.

About

Run tfsec with reviewdog on pull requests to enforce security best practices

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Shell 79.1%
  • jq 20.9%