tenable / terrascan-action

Terrascan GitHub action. Scan infrastructure as code including Terraform, Kubernetes, Helm, and Kustomize files for security best practices.
Apache License 2.0

Document using ~/.terraformrc and/or the TF_CLI_CONFIG_FILE environment variable #62

Open adarobin opened 2 years ago

adarobin commented 2 years ago

Some documentation on how to use .terraformrc (or the TF_CLI_CONFIG_FILE environment variable when it is available) with this GitHub Action might be useful to others. It took me a bit to figure this out, and there could very well be a better way to do it:

on:
  pull_request:
  push:
    branches: [main]

jobs:
  terrascan_job:
    runs-on: ubuntu-latest
    name: terrascan-action
    steps:
    - name: create $HOME/.terraformrc
      run: |
        mkdir -p $HOME/work/_temp/_github_home
        echo "$TERRAFORMRC" > $HOME/work/_temp/_github_home/.terraformrc  # quoted so the multi-line secret is written verbatim
      env:
        TERRAFORMRC: ${{ secrets.TERRAFORMRC }}
    - name: Checkout repository
      uses: actions/checkout@v2
    - name: Run Terrascan
      id: terrascan
      uses: tenable/terrascan-action@main
      with:
        iac_type: 'terraform'
        iac_version: 'v14'
        policy_type: 'all'
        only_warn: true
        non_recursive: true

It would be very useful if I could set the TF_CLI_CONFIG_FILE environment variable to point to a credential file to allow use with Terraform modules pulled from a Terraform Registry.

https://runterrascan.io/docs/_print/#scanning-private-terraform-module-repositories

Edit: I didn't realize that this functionality was just released today at the time I submitted this issue :-). I made a fork and updated the Dockerfile to use 1.15.1, but I still can't seem to get it to work with this code:

on:
  pull_request:
  push:
    branches: [main]

jobs:
  terrascan_job:
    runs-on: ubuntu-latest
    name: terrascan-action
    steps:
    - name: create $HOME/.terraformrc
      run: |
        echo "$TERRAFORMRC" > $HOME/.terraformrc  # quoted so the multi-line secret is written verbatim
      env:
        TERRAFORMRC: ${{ secrets.TERRAFORMRC }}
    - name: Checkout repository
      uses: actions/checkout@v2
    - name: Run Terrascan
      id: terrascan
      uses: umich-vci/terrascan-action@main
      with:
        iac_type: 'terraform'
        iac_version: 'v14'
        policy_type: 'all'
        only_warn: true
        non_recursive: true
      env:
        TF_CLI_CONFIG_FILE: /github/home/.terraformrc
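Added example, not code from the issue or from tenable/terrascan-action: a helper for the `run:` step above that writes the secret to the config file verbatim (an unquoted `echo $TERRAFORMRC` word-splits and glob-expands the value, and some `sh` implementations of `echo` also interpret backslash escapes), keeps the file readable only by the runner user, and verifies the round trip before TF_CLI_CONFIG_FILE is pointed at it. The helper name, the destination path and the sample credentials block with its placeholder token are assumptions.

```shell
#!/bin/sh
# write_terraformrc CONTENT DEST (hypothetical helper, added example):
# write a Terraform CLI config file from a secret held in an environment
# variable, byte-for-byte, with restrictive permissions.
write_terraformrc() {
  content="$1"
  dest="$2"
  # 0700 parent directory so nothing else on the runner can browse it.
  (umask 077 && mkdir -p "$(dirname "$dest")") || return 1
  # printf with a quoted argument keeps every line and quote of the HCL
  # block intact; unquoted expansion would collapse it onto one line.
  (umask 077 && printf '%s\n' "$content" > "$dest") || return 1
  chmod 600 "$dest" || return 1
  # Round-trip check: the file must equal the secret we were given.
  [ "$(cat "$dest")" = "$content" ] || return 1
  # Sanity check: a registry config file must carry a credentials block.
  grep -q '^credentials ' "$dest" || return 1
}

# Line count of a file: 3 for the sample written verbatim, 1 after an
# unquoted echo has collapsed it.
count_lines() { wc -l < "$1" | tr -d ' '; }

# Constructed sample secret with a placeholder token (not a real credential).
SAMPLE_TERRAFORMRC='credentials "app.terraform.io" {
  token = "PLACEHOLDER_TOKEN"
}'

# Stand-alone demo; in the workflow, CONTENT would be "$TERRAFORMRC" and
# DEST the path later exported as TF_CLI_CONFIG_FILE.
demo="${TMPDIR:-/tmp}/terraformrc-demo.$$"
if write_terraformrc "$SAMPLE_TERRAFORMRC" "$demo/.terraformrc"; then
  echo "wrote $demo/.terraformrc ($(count_lines "$demo/.terraformrc") lines)"
fi
rm -rf "$demo"
```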