github-shared-workflows/docs/security-tfsec.md at master · clouddrove/github-shared-workflows

TFSec Security Scan Workflow

This reusable workflow runs TFSec to scan Terraform code for security misconfigurations. It supports GitHub's security dashboard via SARIF upload and adds PR comments with security findings.

Overview

TFSec is a static analysis security scanner for Terraform code that identifies security misconfigurations and compliance issues. This workflow integrates TFSec scanning with GitHub's security features and provides PR feedback.

Features

✅ Reusable workflow_call - Modular implementation for easy integration
📄 SARIF Upload - Results appear in GitHub Security tab
💬 PR Comments - Automatic comments on pull requests with security findings
🔍 Full Repository Scan - Scans entire repository or specified directory
🛡️ Advanced Security Scan - Additional Terraform security scanning with PR comments

Usage

Basic Example

name: Security Scan

on:
  pull_request:
    branches: [master, main]
    types: [opened, synchronize]

jobs:
  tfsec-scan:
    uses: clouddrove/github-shared-workflows/.github/workflows/security-tfsec.yml@v2
    secrets:
      GITHUB: ${{ secrets.GITHUB_TOKEN }}

With Custom Working Directory

name: Security Scan

on:
  pull_request:
    branches: [master]

jobs:
  tfsec-scan:
    uses: clouddrove/github-shared-workflows/.github/workflows/security-tfsec.yml@v2
    secrets:
      GITHUB: ${{ secrets.GITHUB_TOKEN }}
    with:
      working_directory: './terraform/'

Inputs

Input	Description	Required	Default
`working_directory`	Directory where Terraform files exist	No	`./examples/`

Secrets

Secret	Description	Required
`GITHUB`	GitHub Personal Access Token (PAT) with appropriate permissions	Yes

Workflow Steps

Clone Repository - Checks out the repository code
Run TFSec - Scans Terraform files for security issues
Upload SARIF - Uploads results to GitHub Security tab
PR Comment - Adds comment to PR with security findings
Advanced Scan - Runs additional Terraform security scan (on PRs only)

Security Dashboard Integration

The workflow uploads SARIF results to GitHub's Security tab, where you can:

View all security findings in one place
Track security issues over time
Integrate with GitHub Advanced Security features

PR Comments

When run on pull requests, the workflow automatically:

Adds comments summarizing security findings
Highlights specific issues in the code
Provides recommendations for fixing issues

Best Practices

Run on PRs - Catch security issues before merging
Use PAT - Ensure GITHUB secret has appropriate permissions
Review Findings - Regularly check GitHub Security tab
Fix Issues - Address security findings promptly

Related Workflows

Security Checkov - IaC security scanning with Checkov
Security Prowler - Cloud security assessment
Security Powerpipe - Compliance checking

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

TFSec Security Scan Workflow

Overview

Features

Usage

Basic Example

With Custom Working Directory

Inputs

Secrets

Workflow Steps

Security Dashboard Integration

PR Comments

Best Practices

Related Workflows

Additional Resources

FilesExpand file tree

security-tfsec.md

Latest commit

History

security-tfsec.md

File metadata and controls

TFSec Security Scan Workflow

Overview

Features

Usage

Basic Example

With Custom Working Directory

Inputs

Secrets

Workflow Steps

Security Dashboard Integration

PR Comments

Best Practices

Related Workflows

Additional Resources