action-tfsec's Introduction

GitHub Action: Run tfsec with reviewdog


This action runs tfsec, a static analyser for Terraform code, with reviewdog on pull requests and reports the findings back on the pull request to enforce best practices.

Examples

With github-pr-check

By default, with reporter: github-pr-check an annotation is added to the line:

Example comment made by the action, with github-pr-check

With github-pr-review

With reporter: github-pr-review a comment is added to the Pull Request Conversation:

Example comment made by the action, with github-pr-review

Inputs

github_token

Required. Must be in the form github_token: ${{ secrets.github_token }}. reviewdog uses this token to post check annotations (github-pr-check) or review comments (github-pr-review). If the workflow restricts the default GITHUB_TOKEN with a permissions block, grant checks: write for github-pr-check or pull-requests: write for github-pr-review; with a read-only token the scan still runs but reviewdog cannot post its results.

working_directory

Optional. Directory to run the action in, relative to the repository root. The default is . (the root of the repository).

level

Optional. Report level for reviewdog [info,warning,error]; this is the same as the -level flag of reviewdog. The default is error.

tool_name

Optional. Name of the tool being used. This controls how it will show up in the GitHub UI. The default is tfsec.

reporter

Optional. Reporter of reviewdog command [github-pr-check,github-pr-review]. The default is github-pr-check.

filter_mode

Optional. Filter mode for the reviewdog command [added,diff_context,file,nofilter], i.e. which findings are reported relative to the pull request diff.

The default is added, which reports only findings on lines the pull request adds or modifies. Use nofilter to report every finding in the scanned directory, including pre-existing ones.

See the reviewdog documentation for filter mode for details.

fail_on_error

Optional. Whether reviewdog exits with a non-zero code when findings at or above the configured level are reported [true,false].

The default is false, so findings are reported but do not fail the job; set it to true if the check is meant to block merging.

See the reviewdog documentation for exit codes for details.

flags

Optional. Additional reviewdog flags. Useful for debugging: set it to -tee to echo the input reviewdog receives into the job log. The default is empty.

tfsec_version

Optional. The version of tfsec to install. The default is latest, which resolves to whatever the upstream releases API reports at the time the job runs, so an upstream release can change results or break the action with no change on your side (several of the issues below record exactly that). Pin an explicit release, e.g. tfsec_version: v1.28.1, for reproducible runs.

tfsec_flags

Optional. Additional arguments passed to tfsec. Do not pass your own --format: the action enforces --format=checkstyle so that reviewdog can parse the output. The default is empty.

Outputs

tfsec-return-code

The tfsec command return code.

reviewdog-return-code

The reviewdog command return code.

Example usage

name: tfsec
on: [pull_request]
jobs:
  tfsec:
    name: runner / tfsec
    runs-on: ubuntu-latest # Windows and macOS are also supported

    steps:
      - name: Clone repo
        uses: actions/checkout@v4

      - name: Run tfsec with reviewdog output on the PR
        uses: reviewdog/action-tfsec@master # prefer a release tag such as @v1 (see Release below)
        with:
          github_token: ${{ secrets.github_token }}
          working_directory: my_directory # Change working directory
          level: info # Get more output from reviewdog
          reporter: github-pr-review # Change reviewdog reporter
          filter_mode: nofilter # Check all files, not just the diff
          fail_on_error: true # Fail action if errors are found
          flags: -tee # Add debug flag to reviewdog
          tfsec_flags: "" # Optional

Development

Release

You can bump the version on merging pull requests with specific labels (bump:major, bump:minor, bump:patch). Pushing a tag manually also works.

This action updates the major/minor release tags on a tag push, e.g. the v1 and v1.2 tags are moved when v1.2.3 is released. ref: https://help.github.com/en/articles/about-actions#versioning-your-action

Lint - reviewdog integration

This reviewdog action template itself is integrated with reviewdog to run lints which is useful for Docker container based actions.

Supported linters:

Dependencies Update Automation

This repository uses haya14busa/action-depup to update reviewdog version.

action-tfsec's People

Contributors

dhansen-gw, github-actions[bot], jasonjanderson, jplanckeel, nao23, nnichols, paul-pop, renovate[bot], shogo82148, vlaaaaaaad, ysano

action-tfsec's Issues

Doesn't work with tfsec v1.28.2

The latest version of tfsec, v1.28.2, was just released on Sep 8, 2023. I haven't checked how it changes. However, our GitHub Actions with tfsec v1.28.2 don't work.

If we pin the version of tfsec with tfsec_version at v1.28.1, the issue disappears. So, I'm assuming the latest version of tfsec, v1.28.2, causes the issue.

Version(s)

  • reviewdog: 1.16.1 and 1.17.0
  • tfsec : v1.28.2

Actions

      # tfsec
      # NOTE We will compe up with how to use custom policies.
      - name: Run tfsec with reviewdog output on the PR
        id: tfsec
        # SEE https://github.com/reviewdog/action-tfsec
        uses: reviewdog/action-tfsec@v1.17.0
        with:
          github_token: ${{ secrets.github_token }}
          working_directory: ${{ matrix.working-directory }}
          level: info
          reporter: github-pr-review
          filter_mode: diff_context
          fail_on_error: false
          tfsec_flags: |
            --config-file ${{ github.workspace }}/tfsec/basic-config.yml --exclude-downloaded-modules

Error message

 Running tfsec with reviewdog 🐶 ...
  + export REVIEWDOG_GITHUB_API_TOKEN=***
  + REVIEWDOG_GITHUB_API_TOKEN=***
  + set +Eeuo pipefail
  + /tmp/tmp.73gZtHUy3P/reviewdog/reviewdog -f=rdjson -name=tfsec -reporter=github-pr-review -level=info -fail-on-error=false -filter-mode=diff_context
  + jq -r -f /home/runner/work/_actions/reviewdog/action-tfsec/v1.17.0/to-rdjson.jq
  + /tmp/tmp.73gZtHUy3P/tfsec/tfsec --format=json --config-file /home/runner/work/****/****/tfsec/basic-config.yml --exclude-downloaded-modules .
  parse error: Invalid numeric literal at line 3, column 0
  reviewdog: parse error: failed to unmarshal rdjson (DiagnosticResult): proto: syntax error (line 1:1): unexpected token 
  + tfsec_return=141
  + reviewdog_return=1
  + exit_code=1
  + echo tfsec-return-code=141
  ::endgroup::

Action fails to download tfsec

Hi there 👋

I noticed there were a few tfsec releases in the last 24 hours which broke this action as some extra binaries were introduced.

The result of:

wget -q https://api.github.com/repos/liamg/tfsec/releases/latest -O - | grep -o -E "https://.+?-linux-amd64"

now yields:

https://github.com/tfsec/tfsec/releases/download/v0.32.1/tfsec-checkgen-linux-amd64
https://github.com/tfsec/tfsec/releases/download/v0.32.1/tfsec-linux-amd64

So it fails to download into a tfsec binary. I'll raise a PR request shortly for the fix.

Show which tfsec rule prompted the error

It would be nice to show the tfsec rule identifier in the comments that reviewdog leaves. This is important for false positives / acceptable risk, because it tells the developer which rule to ignore with a comment on that line.

$ tfsec

Problem 1

  [AWS002][ERROR] Resource 'module.blah.aws_s3_bucket.default' does not have logging enabled.

The AWS002 is the critical part that's missing.

curl breaks after github org name change of tfsec

curl breaks after github org name change of tfsec.

##[group*** Installing tfsec (latest) ... https://github.com/tfsec/tfsec
curl: (22) The requested URL returned error: 404 

Old: https://github.com/tfsec/tfsec
New: https://github.com/aquasecurity/tfsec

The relevant code:
https://github.com/reviewdog/action-tfsec/blob/master/script.sh#L39

echo "::group:: Installing tfsec (${INPUT_TFSEC_VERSION}) ... https://github.com/tfsec/tfsec"
  test ! -d "${TFSEC_PATH}" && install -d "${TFSEC_PATH}"

  if [[ "${INPUT_TFSEC_VERSION}" = "latest" ]]; then
    tfsec_version=$(curl --silent https://api.github.com/repos/tfsec/tfsec/releases/latest | jq -r .tag_name)

Support ARM64

Presently, the action will only support/download the Intel/AMD version of binaries it needs.

It should be able to download the ARM64 binaries as well, for self-hosted runners that use ARM64.

Happy to open a PR if it will get reviewed in the near-term.

GitHub Action Marketplace version not Updating

@haya14busa I've noticed that this action, action-tflint, and action-ansiblelint were all listed as versions behind on the Marketplace. I was able to update tflint and ansiblelint by editing the release in the repo and unchecking and then checking Publish this Action to the GitHub Marketplace and updating the release. I'm not familiar enough with the Marketplace to know if this is a problem and how to fix it.

Allow separate GitHub.com and GitHub Enterprise credentials.

We need a public GitHub.com credential for downloading Reviewdog and tfsec.

We need a GitHub Enterprise credential to download the code hosted on GHE.

These need to be separate.

Happy to open a PR if it will get reviewed in the near-term.

Deprecation warning for `set-output`, new release needed

GitHub Actions emits this warning for every run of this action (latest release version, 1.15.2):

The `set-output` command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2022-10-11-github-actions-deprecating-sav

I see that the necessary change is already in the main branch, most probably it just needs to be tagged/released.

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.


Detected dependencies

github-actions
.github/workflows/depup.yml
  • actions/checkout v4
  • haya14busa/action-depup v1
  • peter-evans/create-pull-request v5
.github/workflows/labels.yml
  • lannonbr/issue-label-manager-action 4.0.0
.github/workflows/lint.yml
  • actions/checkout v4
  • haya14busa/action-cond v1
  • reviewdog/action-shellcheck v1
  • actions/checkout v4
  • reviewdog/action-misspell v1
.github/workflows/release.yml
  • actions/checkout v4
  • haya14busa/action-bumpr v1
  • haya14busa/action-update-semver v1
  • haya14busa/action-cond v1
  • actions/checkout v4
  • haya14busa/action-bumpr v1
.github/workflows/tests.yml
  • actions/checkout v4
  • actions/checkout v4
  • actions/checkout v4
  • actions/checkout v4
terraform
testdata/main.tf
  • aws ~> 5.53.0
  • azurerm ~> 3.107.0
  • hashicorp/terraform ~> 1.0


tfsec does not download if the wget for latest release number returns >1 results

Example:

$ wget -q https://api.github.com/repos/liamg/tfsec/releases/latest -O - | grep -o -E 'https://.+?tfsec-linux-amd64'
https://github.com/tfsec/tfsec/releases/download/v0.39.36/tfsec-linux-amd64
https://github.com/tfsec/tfsec/releases/download/v0.39.36/tfsec-linux-amd64

$ curl -vvvv "$(wget -q https://api.github.com/repos/liamg/tfsec/releases/latest -O - | grep -o -E 'https://.+?tfsec-linux-amd64')"
* Illegal characters found in URL
* Closing connection -1
curl: (3) Illegal characters found in URL

The fix is to use head or tail:

$ curl -vvvv "$(wget -q https://api.github.com/repos/liamg/tfsec/releases/latest -O - | grep -o -E 'https://.+?tfsec-linux-amd64' | head -1)"
*   Trying 140.82.114.3...
* TCP_NODELAY set
* Connected to github.com (140.82.114.3) port 443 (#0)

This guards against the multiline return value from the version lookup. PR to follow.
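The two download failures reported above (the extra tfsec-checkgen binary matching the substring, and the duplicated URL that breaks curl) share a root cause: the installer picks an asset with a loose substring match and hands whatever comes back straight to curl. The script below is an added example, not action-tfsec's script.sh, showing a fail-closed selection keyed on the exact asset name and on the runner's OS and CPU architecture (which also covers the ARM64 request above). The release JSON is a constructed excerpt, not a real API response; the asset naming scheme tfsec-<os>-<arch> is taken from the URLs in these issues, and the arm64 asset name is an assumption.

```shell
#!/bin/sh
# Added example (not action-tfsec's script.sh): select exactly one release
# asset from a GitHub release JSON document, keyed by the runner's OS and CPU
# architecture, and fail closed when the match is missing or ambiguous.
# SAMPLE_RELEASE_JSON is a constructed excerpt, not a real API response; the
# "body" link reproduces the kind of stray URL that a substring grep picks up.
SAMPLE_RELEASE_JSON='{
  "tag_name": "v0.32.1",
  "body": "See https://github.com/tfsec/tfsec/releases/download/v0.32.1/tfsec-linux-amd64",
  "assets": [
    {"name": "tfsec-checkgen-linux-amd64",
     "browser_download_url": "https://github.com/tfsec/tfsec/releases/download/v0.32.1/tfsec-checkgen-linux-amd64"},
    {"name": "tfsec-linux-amd64",
     "browser_download_url": "https://github.com/tfsec/tfsec/releases/download/v0.32.1/tfsec-linux-amd64"},
    {"name": "tfsec-linux-arm64",
     "browser_download_url": "https://github.com/tfsec/tfsec/releases/download/v0.32.1/tfsec-linux-arm64"}
  ]
}'

# go_arch: map `uname -m` output to the GOARCH names used in release file names.
go_arch() {
  case "$1" in
    x86_64|amd64) echo amd64 ;;
    aarch64|arm64) echo arm64 ;;
    *) echo "unsupported architecture: $1" >&2; return 1 ;;
  esac
}

# go_os: map `uname -s` output to the GOOS names used in release file names.
go_os() {
  case "$1" in
    Linux) echo linux ;;
    Darwin) echo darwin ;;
    *) echo "unsupported OS: $1" >&2; return 1 ;;
  esac
}

# tfsec_asset_name OS ARCH: the release file name for this platform (assumed
# scheme tfsec-<os>-<arch>, taken from the URLs in the issues).
tfsec_asset_name() {
  printf 'tfsec-%s-%s\n' "$1" "$2"
}

# pick_asset_url JSON NAME: print the single browser_download_url whose file
# name is exactly NAME. Exit 1 when nothing matches, 2 when more than one
# distinct URL matches. NAME is used inside a regex, so keep it to [A-Za-z0-9_-].
pick_asset_url() {
  json=$1
  name=$2
  # Anchor on the JSON key, the URL quoting and the full file name, so that
  # tfsec-checkgen-linux-amd64 or a link in the release body cannot match;
  # sort -u collapses a URL that appears twice into one line.
  urls=$(printf '%s\n' "$json" \
    | grep -o -E "\"browser_download_url\": *\"https://[^\"]*/${name}\"" \
    | sed -E 's/.*"(https:[^"]*)"$/\1/' \
    | sort -u)
  count=$(printf '%s\n' "$urls" | grep -c . || true)
  case "$count" in
    0) echo "no asset named ${name}" >&2; return 1 ;;
    1) printf '%s\n' "$urls" ;;
    *) echo "ambiguous asset name ${name} (${count} URLs)" >&2; return 2 ;;
  esac
}

# resolve_for_this_machine: the URL this runner should download, or a non-zero
# exit if the platform is unsupported or the release lacks the asset.
resolve_for_this_machine() {
  os=$(go_os "$(uname -s)") || return 1
  arch=$(go_arch "$(uname -m)") || return 1
  pick_asset_url "$SAMPLE_RELEASE_JSON" "$(tfsec_asset_name "$os" "$arch")"
}

# Run `sh thisfile.sh resolve` to print the asset URL for the current machine.
if [ "${1:-}" = resolve ]; then
  resolve_for_this_machine
fi
```

Feed the chosen URL to curl with --fail and verify the download against the checksum file the release publishes before installing it; a one-liner that can yield two URLs, or none, is exactly what produced the "Illegal characters found in URL" failure above, and a substring match is what picked up tfsec-checkgen.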

Migrate to Trivy

Overview

Thank you for the great Action. It enables us to keep good quality of Terraform at scale. As you may know, tfsec was merged into Trivy. It would be great to use Trivy instead of tfsec. For instance, tfsec doesn't support new features in Terraform 1.5+ any more.

Proposal

We may want to archive the repository and create a new repository that copes with Trivy by reusing the great knowledge in this repository. Please let me know if there is anything I can help with.

parse error: XML syntax error on line 4: illegal character code U+001B

Running your action with latest tfsec gives in some of my repos the following error. Just executing tfsec locally on the repo does not give any error:


Run reviewdog/action-tfsec@master
  with:
    github_token: ***
    working_directory: .
    reporter: github-pr-review
    fail_on_error: true
    filter_mode: nofilter
    level: error
  env:
    TERRAFORM_CLOUD_TOKENS: app.terraform.io=***
  
    TERRAFORM_CLI_PATH: /home/runner/work/_temp/15db2891-4ea4-43ca-8855-5a6d51c41258
/usr/bin/docker run --name e4582c4557a2a045d4828fdc1cc985d72a_4a58b4 --label 5588e4 --workdir /github/workspace --rm -e TERRAFORM_CLOUD_TOKENS -e TERRAFORM_CLI_PATH -e INPUT_GITHUB_TOKEN -e INPUT_WORKING_DIRECTORY -e INPUT_REPORTER -e INPUT_FAIL_ON_ERROR -e INPUT_FILTER_MODE -e INPUT_FLAGS -e INPUT_LEVEL -e HOME -e GITHUB_JOB -e GITHUB_REF -e GITHUB_SHA -e GITHUB_REPOSITORY -e GITHUB_REPOSITORY_OWNER -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RETENTION_DAYS -e GITHUB_ACTOR -e GITHUB_WORKFLOW -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GITHUB_EVENT_NAME -e GITHUB_SERVER_URL -e GITHUB_API_URL -e GITHUB_GRAPHQL_URL -e GITHUB_WORKSPACE -e GITHUB_ACTION -e GITHUB_EVENT_PATH -e GITHUB_ACTION_REPOSITORY -e GITHUB_ACTION_REF -e GITHUB_PATH -e GITHUB_ENV -e RUNNER_OS -e RUNNER_TOOL_CACHE -e RUNNER_TEMP -e RUNNER_WORKSPACE -e ACTIONS_RUNTIME_URL -e ACTIONS_RUNTIME_TOKEN -e ACTIONS_CACHE_URL -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/base-landingzone/base-landingzone":"/github/workspace" 5588e4:582c4557a2a045d4828fdc1cc985d72a
reviewdog: parse error: XML syntax error on line 4: illegal character code U+001B

Any idea what could possibly go wrong?
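U+001B is ESC, the byte that starts every terminal colour sequence (ESC [ ... m), and XML 1.0 does not allow it, so the checkstyle reader in reviewdog rejects the document as soon as a coloured message reaches it; running tfsec in a terminal hides this because the colours render instead of being parsed. The script below is an added example, not part of action-tfsec, showing how to scrub such sequences from a report before it reaches a parser. The checkstyle report in it is constructed for the example, not real tfsec output.

```shell
#!/bin/sh
# Added example (not code from action-tfsec): remove ANSI escape sequences
# from tool output before handing it to an XML or JSON parser.

ESC=$(printf '\033')

# strip_ansi: filter stdin to stdout, deleting CSI sequences (ESC, "[",
# parameter bytes, one final letter) and then any stray ESC byte left behind.
strip_ansi() {
  sed -E "s/${ESC}\[[0-9;?]*[A-Za-z]//g; s/${ESC}//g"
}

# has_esc: exit 0 if stdin still contains an ESC byte, 1 otherwise.
# Use it as a guard before a parser that, like reviewdog's, cannot tolerate it.
has_esc() {
  grep -q "$ESC"
}

# Constructed checkstyle report with a coloured message, standing in for what
# a tool emits when it does not notice it is writing to a pipe rather than a TTY.
SAMPLE_COLOURED=$(printf '%s\n' \
  '<?xml version="1.0" encoding="UTF-8"?>' \
  '<checkstyle version="4.3">' \
  '  <file name="main.tf">' \
  "    <error line=\"12\" severity=\"error\" message=\"${ESC}[31mbucket has no logging${ESC}[0m\" source=\"tfsec\"/>" \
  '  </file>' \
  '</checkstyle>')

# clean_report: the sample report with the colour codes removed, ready for a parser.
clean_report() {
  printf '%s\n' "$SAMPLE_COLOURED" | strip_ansi
}

# Run `sh thisfile.sh show` to print the cleaned report.
if [ "${1:-}" = show ]; then
  clean_report
fi
```

In a pipeline, place strip_ansi between the scanner and reviewdog (tfsec ... | strip_ansi | reviewdog -f=checkstyle ...). The better fix is to stop the colour at the source: most CLIs, tfsec included in the versions I have used, accept a --no-colour or --no-color flag (check your version's --help) which can go in tfsec_flags, and the filter then only remains as a guard.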
