aquasecurity / tfsec-pr-commenter-action

Add comments to pull requests where tfsec checks have failed
MIT License
164 stars, 63 forks

".... not writing as not part of the current PR" - what does this mean / how to have it include all .tf files in scan? #46

Open richstokes opened 2 years ago

richstokes commented 2 years ago

We have .tf files in various, nested subdirs and are seeing this error. The action is outputting nothing to the PR and seems to print this in the logs for every check.

For example:

No public access block so not restricting public buckets .... not writing as not part of the current PR
Bucket does not have a corresponding public access block. .... not writing as not part of the current PR

Using aquasecurity/tfsec-pr-commenter-action@v1.0.2

richstokes commented 2 years ago

Just tried aquasecurity/tfsec-pr-commenter-action@v1.0.3 -- same issue

owenrumney commented 2 years ago

@richstokes - the action runs tfsec against the whole repo and then cross references the results from tfsec against the hunk changes in the commit of the PR. If the error is part of an active change then it writes the comment.

The message you're seeing suggests that tfsec has found an issue with the s3 bucket not having a corresponding public access block, but as the bucket isn't part of the PR it's not going to include a comment.

kmcarvalho commented 2 years ago

@owenrumney, can I configure the action to comment every alert, even if it isn't part of the PR?

njimenezotto commented 2 years ago

Hello @owenrumney, I'm seeing the same message "not writing as not part of the current PR". I don't understand why if I commit insecure code, commenter is not creating any comment on my PR. This is my pipeline

name: Checks
on:
  pull_request_target:
jobs:
  terraform-checks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          ref: ${{ github.event.pull_request.head.sha }}

      - name: Install tfenv & correct terraform version
        env:
          ACTIONS_ALLOW_UNSECURE_COMMANDS: true
        run: |
          git clone https://github.com/tfutils/tfenv.git ~/.tfenv
          echo "$HOME/.tfenv/bin" >> $GITHUB_PATH

      - name: Terraform format
        run: |
          tfenv install
          tfenv use
          echo "terraform format"
          terraform fmt -check -diff -recursive

      - uses: aquasecurity/tfsec-pr-commenter-action@v1.0.5
        name: Tfsec check
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          working_directory: terraform
          tfsec_args: --out ./results.json

owenrumney commented 2 years ago

@kmcarvalho - not at the moment, but this is something I could add - it would have to be a comment direct in the PR rather than against the commit file though so might lose its value

owenrumney commented 2 years ago

@njimenezotto - I'm not sure - I see you're setting the working directory which might be causing an issue with the commenter matching against the commit paths. Can you run the action output for the tfsec-pr-commenter-action step?
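The matching that owenrumney describes above (tfsec runs over the whole checkout, each finding is kept only if its file and line range overlap a hunk of the PR diff) and the path question raised about `working_directory` can both be seen in a small standalone program. The following is an added example written for this thread; it is not the action's own code and does not reproduce go-github-pr-commenter's matching function. It assumes tfsec reports filenames relative to the directory it ran in while diff paths are relative to the repository root, so the working directory has to be re-attached before the two can be compared; the tfsec results and the diff are constructed sample data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"regexp"
	"strconv"
	"strings"
)

// Result holds the fields of one tfsec JSON result that matter for matching.
type Result struct {
	RuleID      string `json:"rule_id"`
	Description string `json:"description"`
	Location    struct {
		Filename  string `json:"filename"`
		StartLine int    `json:"start_line"`
		EndLine   int    `json:"end_line"`
	} `json:"location"`
}

// Hunk is one changed line range (new-file side) of a file in the PR diff.
type Hunk struct {
	File       string
	Start, End int
}

var hunkHeader = regexp.MustCompile(`^@@ -\d+(?:,\d+)? \+(\d+)(?:,(\d+))? @@`)

// ParseHunks pulls the "+" side line ranges out of a unified diff.
func ParseHunks(diff string) []Hunk {
	var hunks []Hunk
	file := ""
	for _, line := range strings.Split(diff, "\n") {
		if strings.HasPrefix(line, "+++ b/") {
			file = strings.TrimPrefix(line, "+++ b/")
			continue
		}
		m := hunkHeader.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		start, _ := strconv.Atoi(m[1])
		count := 1
		if m[2] != "" {
			count, _ = strconv.Atoi(m[2])
		}
		end := start + count - 1
		if end < start { // pure deletion hunk: count is 0
			end = start
		}
		hunks = append(hunks, Hunk{File: file, Start: start, End: end})
	}
	return hunks
}

// Relevant reports whether a finding overlaps any changed range of the PR.
// workingDir is re-attached to the tfsec filename because diff paths are
// repo-relative (assumption of this example, not the action's behaviour).
func Relevant(r Result, hunks []Hunk, workingDir string) bool {
	file := path.Join(workingDir, r.Location.Filename)
	for _, h := range hunks {
		if h.File == file && r.Location.StartLine <= h.End && r.Location.EndLine >= h.Start {
			return true
		}
	}
	return false
}

// Triage splits findings into those that would get a PR comment and those
// that would be logged as "not writing as not part of the current PR".
func Triage(resultsJSON, diff, workingDir string) (written, skipped []string, err error) {
	var out struct {
		Results []Result `json:"results"`
	}
	if err := json.Unmarshal([]byte(resultsJSON), &out); err != nil {
		return nil, nil, err
	}
	hunks := ParseHunks(diff)
	for _, r := range out.Results {
		if Relevant(r, hunks, workingDir) {
			written = append(written, fmt.Sprintf("%s:%d %s (%s)", r.Location.Filename, r.Location.StartLine, r.Description, r.RuleID))
		} else {
			skipped = append(skipped, r.Description+" .... not writing as not part of the current PR")
		}
	}
	return written, skipped, nil
}

// Constructed sample data: two findings, and a diff touching only lines 5-9 of terraform/s3.tf.
const SampleResults = `{"results":[
 {"rule_id":"aws-s3-no-public-buckets","description":"No public access block so not restricting public buckets",
  "location":{"filename":"s3.tf","start_line":3,"end_line":8}},
 {"rule_id":"aws-iam-no-policy-wildcards","description":"IAM policy document uses wildcarded action",
  "location":{"filename":"iam.tf","start_line":1,"end_line":12}}
]}`

const SampleDiff = "diff --git a/terraform/s3.tf b/terraform/s3.tf\n--- a/terraform/s3.tf\n+++ b/terraform/s3.tf\n" +
	"@@ -4,3 +5,5 @@ resource \"aws_s3_bucket\" \"logs\" {\n   bucket = \"example-logs\"\n+  tags = {\n+    owner = \"platform\"\n+  }\n }\n"

func main() {
	// With the prefix re-attached the S3 finding is commented; without it every finding is skipped.
	for _, wd := range []string{"terraform", ""} {
		written, skipped, _ := Triage(SampleResults, SampleDiff, wd)
		fmt.Printf("working_directory=%q: %d written, %d skipped\n", wd, len(written), len(skipped))
	}
}
```

Running it prints one written and one skipped finding when the `terraform` prefix is re-attached, and two skipped findings when it is not, which is the symptom reported in this thread: a finding on a file the PR did change is still logged as "not part of the current PR" whenever the path tfsec reports and the path in the diff do not line up.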

laurentvasseurtekos commented 2 years ago

Hello, I would add a use case where it could be great to have a configuration to ask tfsec to publish a comment even if the change is not in the PR.

I am currently testing terraspace. Terraspace is a wrapper of terraform. It means that we will define some Terraform code wrapped with a Ruby layer. This allows to add some further functionalities, follow some Terraform good practices etc.

When we launch Terraspace (during a github-action), the "real" Terraform code will be generated into a cache folder. Of course this cache folder is not pushed to the git repository. Then I would launch tfsec on this cache folder to check that the generated code follows security guidelines and write a comment in the pull request if it is not the case.

However, because the cache folder is not in the git repository, tfsec will never write a comment in the PR.

Sorry if my explanation is not clear enough.

Have a nice day

RafPe commented 2 years ago

I have been playing around with debugging this bad boy locally and found out that it points to the function that determines ( hardcoded for us ) if the file being commented on is relevant.

https://github.com/owenrumney/go-github-pr-commenter/blob/8aed49544a3f1352d15b059e0113a06182ac3bef/commenter/commenter.go#L155-L170

There might be more to the whole setup than just this - but I decided to quickly write up my own action using tfsec with JQ and other commenting framework 😎 as at the end I never got this one to run for me

clrung commented 2 years ago

Hi @RafPe, good find! Would you mind sharing your action on the Marketplace? I'm running into the same issue and would like to try it out, at least until this is updated 😄