
tfsec-pr-commenter-action's Introduction

tfsec-pr-commenter-action

Add comments to pull requests where tfsec checks have failed

To add the action, add tfsec_pr_commenter.yml into the .github/workflows directory in the root of your GitHub project.

The contents of tfsec_pr_commenter.yml should be:

Note: The GITHUB_TOKEN injected into the workflow will need permission to write on pull requests.

This can be achieved by adding a permissions block in your workflow definition.

See: docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs for more details.

name: tfsec-pr-commenter
on:
  pull_request:
jobs:
  tfsec:
    name: tfsec PR commenter
    runs-on: ubuntu-latest

    permissions:
      contents: read
      pull-requests: write

    steps:
      - name: Clone repo
        uses: actions/checkout@master
      - name: tfsec
        uses: aquasecurity/[email protected]
        with:
          github_token: ${{ github.token }}

On each pull request and subsequent commit, tfsec will run and add comments to the PR where its checks have failed.

The comment will only be added once per transgression.

Optional inputs

There are a number of optional inputs that can be used in the with: block.

  • working_directory - the directory to scan in, defaults to . (i.e. the current working directory)
  • tfsec_version - the version of tfsec to use, defaults to latest
  • tfsec_args - the args for tfsec to use (space-separated)
  • tfsec_formats - the formats for tfsec to output (comma-separated)
  • commenter_version - the version of the commenter to use, defaults to latest
  • soft_fail_commenter - set to true to comment silently without breaking the build

tfsec_args

tfsec provides an extensive number of arguments, which can be passed through as in the example below:

name: tfsec-pr-commenter
on:
  pull_request:
jobs:
  tfsec:
    name: tfsec PR commenter
    runs-on: ubuntu-latest

    steps:
      - name: Clone repo
        uses: actions/checkout@master
      - name: tfsec
        uses: aquasecurity/[email protected]
        with:
          tfsec_args: --soft-fail
          github_token: ${{ github.token }}

tfsec_formats

tfsec provides multiple possible formats for the output:

  • default
  • json
  • csv
  • checkstyle
  • junit
  • sarif
  • gif

The json format is required and included by default. To add additional formats, set the tfsec_formats option to comma-separated values:

tfsec_formats: sarif,csv
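The json results are what the commenter consumes: it posts a comment once per transgression and only for findings that fall inside the PR's changed lines, and several issues further down show that step failing (`invalid character '\x1b'` when tfsec prints a coloured warning ahead of the JSON, and findings logged as `not part of the current PR`). The Python below is an added example that models that decision; it is not the action's own Go commenter, and it assumes tfsec's JSON schema as shown on this page, a unified-diff patch for the PR, and constructed sample findings, appending the severity to the comment's first line as one issue proposes.

```python
import json
import re

# tfsec may print coloured warnings before the JSON; the commenter then fails with "invalid character '\x1b'".
ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")
# Unified-diff hunk header; group(1) is the first line number on the new side.
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def load_tfsec_results(raw: str) -> list:
    """Parse `tfsec --format=json` output, tolerating a warning banner before the JSON."""
    cleaned = ANSI_RE.sub("", raw)
    start = cleaned.find("{")
    if start < 0:
        raise ValueError("no JSON document found in tfsec output")
    return json.loads(cleaned[start:]).get("results") or []


def added_lines_by_file(patch: str) -> dict:
    """Map each file in a unified diff to the new-side line numbers the PR touches."""
    changed, current, new_line = {}, None, 0
    for line in patch.splitlines():
        if line.startswith("+++ "):
            current = line[6:] if line.startswith("+++ b/") else line[4:]
            changed.setdefault(current, set())
            continue
        if line.startswith("--- ") or line.startswith("\\"):
            continue  # old-side file header or "\ No newline at end of file"
        m = HUNK_RE.match(line)
        if m:
            new_line = int(m.group(1))
        elif current is None:
            continue  # preamble before the first file header
        elif line.startswith("+"):
            changed[current].add(new_line)
            new_line += 1
        elif not line.startswith("-"):
            new_line += 1  # context line; removed lines have no new-side number
    return changed


def plan_comments(results: list, changed: dict) -> tuple:
    """Write one comment per transgression (file, line, rule), and only where the
    finding overlaps lines the PR changed; report the rest as 'not part of the
    current PR' like the action's log does. Severity goes on the first line."""
    comments, skipped, seen = [], [], set()
    for r in results:
        if r.get("status") != "failed":
            continue
        loc = r["location"]
        key = (loc["filename"], loc["start_line"], r["rule_id"])
        if key in seen:
            continue  # the comment is only added once per transgression
        seen.add(key)
        span = set(range(loc["start_line"], loc["end_line"] + 1))
        if not span & changed.get(loc["filename"], set()):
            skipped.append(f"{r['description']} .... not writing as not part of the current PR")
            continue
        links = "\n".join(f"- {u}" for u in r.get("links", []))
        comments.append({"path": loc["filename"], "line": loc["start_line"],
                         "body": f"tfsec check {r['rule_id']} failed. [{r['severity']}]\n\n"
                                 f"{r['description']}\n\nFor more information, see:\n\n{links}"})
    return comments, skipped


# Constructed sample input: the coloured tfvars warning ahead of the JSON, one finding
# reported twice, one finding outside the diff, and a patch adding line 2 of one file.
FINDING_A = {"rule_id": "aws-misc-no-exposing-plaintext-credentials", "severity": "CRITICAL",
             "status": "failed", "description": "Provider 'provider.aws' has an access key specified.",
             "links": ["https://aquasecurity.github.io/tfsec/latest/checks/aws/misc/no-exposing-plaintext-credentials"],
             "location": {"filename": "mock_provider.tf", "start_line": 2, "end_line": 2}}
FINDING_B = {"rule_id": "aws-s3-no-public-access-with-acl", "severity": "HIGH", "status": "failed",
             "description": "Resource 'aws_s3_bucket.my-bucket' has an ACL which allows public access.",
             "links": [], "location": {"filename": "bucket.tf", "start_line": 7, "end_line": 9}}
SAMPLE_TFSEC_OUTPUT = (
    "\x1b[0m\x1b[33mWarning: A tfvars file was found but not automatically used.\n"
    "Did you mean to specify the --tfvars-file flag?\x1b[39m\n\x1b[0m"
    + json.dumps({"results": [FINDING_A, dict(FINDING_A), FINDING_B]})
)
SAMPLE_PATCH = """\
diff --git a/mock_provider.tf b/mock_provider.tf
--- a/mock_provider.tf
+++ b/mock_provider.tf
@@ -1,3 +1,4 @@
 provider "aws" {
+  access_key = "<example-placeholder>"
   region = "eu-west-1"
 }
"""


def run_example() -> tuple:
    """Return (comments to write, findings skipped) for the constructed sample."""
    return plan_comments(load_tfsec_results(SAMPLE_TFSEC_OUTPUT),
                         added_lines_by_file(SAMPLE_PATCH))


if __name__ == "__main__":
    print(json.dumps(run_example(), indent=2))
```

The real action resolves the patch through the GitHub API rather than a local diff, but the filtering and de-duplication rules are the ones the README and the issue logs describe.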

Example PR Comment

The screenshot below demonstrates the comments that can be expected when using the action.

[Screenshot: Example PR Comment]

tfsec-pr-commenter-action's People

Contributors

aidy, giorod3, harmw, jon-hall, kolomied, liamg, marcofranssen, mmizutani, mugioka, otyamura, owenrumney, owenrumney-f3, reedloden, shmokmt, smaeda-ks, yowatari


tfsec-pr-commenter-action's Issues

Major tag v0 doesn't exist

First of all I want to thank you for your useful GitHub action.
Maybe it's time to release v1, because pointing to v0 is quite odd.

Anyway major tag v0 doesn't exist.

According to the official GitHub recommendations (and here):

Make the new release available to those binding to the major version tag: Move the major version tag (v1, v2, etc.) to point to the ref of the current release. This will act as the stable release for that major version. You should keep this tag updated to the most recent stable minor/patch release.

Because of that I can't use the v0 tag and have to point to a specific tag like v0.1.10:

      - name: tfsec
        uses: aquasecurity/tfsec-pr-commenter-action@v0.1.10

The only way I can see right now is to use the main branch, which is not good for production usage:

      - name: tfsec
        uses: aquasecurity/tfsec-pr-commenter-action@main

You can use other GitHub actions like actions-tagger or update-major-minor-semver for this purpose.

strconv.Atoi: parsing "<nil>": invalid syntax

I am trying to use tfsec pr commenter github action on our terraform repo. I am using the below in github workflow:

name: tfsec-pr-commenter
on:
  push:
jobs:
  tfsec_commenter:
    name: tfsec PR commenter
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Github Repo
        uses: actions/checkout@master
      - name: Run PR Commenter
        uses: tfsec/tfsec-pr-commenter-action@main
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}

But I am getting the below error:

WARNING: skipped aws-iam-no-policy-wildcards due to error(s): HasDynamicTypes does not support the given type
WARNING: skipped aws-iam-no-policy-wildcards due to error(s): HasDynamicTypes does not support the given type
+ echo 'tfsec violations were identified, running commenter...'
+ commenter
tfsec violations were identified, running commenter...
Starting the github commenter...
The commenter failed with the following error:
strconv.Atoi: parsing "<nil>": invalid syntax

add input parameter version and fix Dockerfile

Now, the Dockerfile provided with this action will fetch the latest release version when building.
https://github.com/aquasecurity/tfsec-pr-commenter-action/blob/main/Dockerfile

So even if you want to use a specific version when using this action, you will always be provided with the latest version.
There is nothing wrong with using the latest version, but some users may want to fix the version for fear of destructive changes.

My suggestion is to add version as input information in action.yml.

inputs:
  version:
    description: use tfsec version
    default: latest

And this information is then passed as the docker arg.
https://docs.github.com/en/actions/creating-actions/creating-a-docker-container-action#creating-an-action-metadata-file

I think this way users can specify the version flexibly.

Thanks

bug: Check with module defaults

Is your feature request related to a problem? Please describe.

I'd want to run TfSec before publishing my TF module. It seems like tfsec is not validating the code with default values filled in.

Describe the solution you'd like

Run TFSec with module defaults

Describe alternatives you've considered

Add TFVars file with the same default values?

Additional context

Commenter failing on PNG images

This is strange, as it was working just fine last week. Now committing a PNG file to the repo (for documentation purposes) results in the following build failing:

+ echo 'tfsec violations were identified, running commenter...'
tfsec violations were identified, running commenter...
+ commenter
Starting the github commenter...
The commenter failed with the following error:
failed to create a new commenter. there were errors processing the PR files.
the patch details could not be resolved

Is there anything we can enable to debug this more?
We are using v0.1.10

Multiple Issues with commenter

  1. The action is being rate limited?
     The following is repeated 100s if not 1000s of times and then it hits the GitHub API rate limit and errors out:

     there were errors processing the PR files.
     the patch details could not be resolved
     the patch details could not be resolved
     the patch details could not be resolved
     the patch details could not be resolved
     the patch details could not be resolved

  2. Other times the action cannot seem to find the PR it is being run against?

     tfsec violations were identified, running commenter...
     Starting the github commenter...
     The commenter failed with the following error:
     failed to create a new commenter. PR number [<LEGIT_PR_NUMBER_HERE>] not found for <REPO>

Add severity to comments

I thought it would be nice to have severity in comments, what do you think?
I think it will help us to know which one to start with when we deal with it.

This is an example, with the severity added to the end of the first line:

tfsec check aws-s3-no-public-access-with-acl failed. [HIGH]

Resource 'aws_s3_bucket.my-bucket' has an ACL which allows public access.

For more information, see:

- https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/no-public-access-with-acl
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
- https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/

Bug: tfsec warning about `tfvars` file not being used

We've hit a bug with the action that I think is related to aquasecurity/tfsec#641. Here's the error we're getting in our workflow:

+ tfsec --format=json ./config/terraform/aws
+ echo 'tfsec violations were identified, running commenter...'
+ commenter
tfsec violations were identified, running commenter...
Starting the github commenter...
The commenter failed with the following error:
invalid character '\x1b' looking for beginning of value

Our project has a variables.auto.tfvars and if we run tfsec --format=json ./config/terraform/aws locally, we get the warning output in the results.json which makes the json.Unmarshal unhappy:

\x1b[0m
\x1b[33mWarning: A tfvars file was found but not automatically used.
Did you mean to specify the --tfvars-file flag?\x1b[39m
\x1b[0m{
	"results": [
		{

Warning about needing to terraform init and commenter not created

I am experiencing a confusing issue with tfsec. At 18 Jan 2022 21:36:36 -0500 I pushed a commit that included numerous new records to my PR branch. A coworker identified a typo in a resource name and so using the GitHub suggestion I committed that change directly to the PR branch at Wed, 19 Jan 2022 23:47:39 -0500. There were no changes to the step definition or the workflow in general.

I see there were a number of commits merged yesterday. Would the --soft-fail change have potentially introduced this issue? I'm especially curious about the new WARNING about needing to run terraform init that we were not seeing before.

Thank you for your help!

Workflow step:

  tfsec:
    name: tfsec - PR commenter
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: tfsec
        uses: tfsec/tfsec-pr-commenter-action@main
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}

Output:

+ tfsec --out=results.json --format=json --soft-fail .
WARNING: Failed to load module: missing module with source 'github.com/org/modules.git?ref=v0.2.0/path/to/module' -  try to 'terraform init' first
WARNING: Failed to load module: missing module with source 'github.com/org/modules.git?ref=v0.2.0/path/to/module' -  try to 'terraform init' first
WARNING: skipped aws-iam-no-policy-wildcards due to error(s): HasDynamicTypes does not support the given type
WARNING: skipped aws-iam-no-policy-wildcards due to error(s): HasDynamicTypes does not support the given type
+ commenter
Starting the github commenter...
The commenter failed with the following error:
failed to create a new commenter. there were errors processing the PR files.
the patch details could not be resolved

Frequent usage causes rate limit errors

Thanks for the handy Action to run on projects. We've found it useful in several projects.

There's an issue we've run into when opening PRs during normal working hours. After looking at the script I can see there are 8 wget calls to GitHub services, which can pretty easily exceed the limit of 60/hour from a single IP address.

Would y'all be open to using secrets.GITHUB_TOKEN (I think this would work) and better management of the wget calls in the script?

Module Input Changes are not written as comments

The commenter misses leaving comments on changes from module inputs e.g.

module "s3_bucket" {
  source = "terraform-aws-modules/s3-bucket/aws"

  bucket = "my-bucket"
  acl    = "private"

  block_public_acls       = true -> false
}

would not leave a comment. It would receive Public access block does not block public ACLs .... not writing as not part of the current PR

Unlike other outputs, the tfsec JSON output does not support "via". I think once that is added to tfsec, the commenter can additionally parse "via" links to get localized files rather than just module paths which do not show as a PR change.

Comment not relevant error when scanning specific folders

Hi,

I have a PR open here: ministryofjustice/opg-lpa#541
which has an action with multiple tfsec scans on different specific folders. The action is based on the example in the README, but with a matrix for the terraform_path.

On a violation I am seeing errors similar to the following.

Comment not written [Resource aws_s3_bucket.mailbox has no associated aws_s3_bucket_public_access_block.], not part of the current PR

The commit to remove the ignore is also in this PR branch. Can you advise why this might be happening?
Please see example here in a run:

https://github.com/ministryofjustice/opg-lpa/pull/541/checks?check_run_id=3056251557#step:4:13

Any advice will be greatly appreciated.

tfsec doesn't fail the test when it finds vulnerabilities, or the commenter is failing

After adding a public 0.0.0.0/0 ingress rule, GA doesn't seem to fail the GitHub Action job or add comments to the PR. It does find the vulnerability when I run tfsec . locally.

Github Action:

name: tfsec-pr-commenter
on:
  pull_request:
jobs:
  tfsec:
    name: tfsec PR commenter
    runs-on: ubuntu-latest

    steps:
      - name: Clone repo
        uses: actions/checkout@master
      - name: tfsec
        uses: aquasecurity/tfsec-pr-commenter-action@main
        with:
          github_token: ${{ github.token }}

Output:

+ TFSEC_VERSION=latest
+ '[' latest '!=' latest ']'
++ wget -q https://api.github.com/repos/aquasecurity/tfsec/releases/latest -O -
++ head -n1
++ grep -o -E 'https://.+?tfsec-linux-amd64'
+ wget -O - -q https://github.com/aquasecurity/tfsec/releases/download/v0.63.1/tfsec-linux-amd64
+ install tfsec /usr/local/bin/
+ COMMENTER_VERSION=latest
+ '[' latest '!=' latest ']'
++ wget -q https://api.github.com/repos/aquasecurity/tfsec-pr-commenter-action/releases/latest -O -
++ grep -o -E 'https://.+?commenter-linux-amd64'
+ wget -O - -q https://github.com/aquasecurity/tfsec-pr-commenter-action/releases/download/v0.1.10/commenter-linux-amd64
+ install commenter /usr/local/bin/
+ '[' -n /github/workspace ']'
+ cd /github/workspace
+ tfsec --format=json .
+ echo 'tfsec violations were identified, running commenter...'
+ commenter
tfsec violations were identified, running commenter...
Starting the github commenter...
There were 2 errors:
there were errors processing the PR files.
the patch details could not be resolved
there were errors processing the PR files.
the patch details could not be resolved

Error in latest version (v1.3.0)

After an update to this action earlier today (v1.3.0) we started getting the following error in our builds:

+ install commenter-linux-amd64 /usr/local/bin/commenter
commenter-linux-amd64: OK
+ '[' -n /github/workspace ']'
+ cd /github/workspace
+ '[' -n '' ']'
+ TFSEC_FORMAT_OPTION=json
+ TFSEC_OUT_OPTION=results.json
+ '[' -n '' ']'
+ tfsec --out=results.json --format=json --soft-fail '' .
Usage:
  tfsec [directory] [flags]

...

Error: accepts between 0 and 1 arg(s), received 2

For now we've version locked to v1.2.0 which works fine.

no such file or directory

Starting the github commenter... The commenter failed with the following error: failed to load results. open results.json: no such file or directory

Action fails with API rate limit

      - name: tfsec
        uses: aquasecurity/[email protected]
        with:
          working_directory: ${{ matrix.module }}
          tfsec_args: --soft-fail
          github_token: ${{ secrets.GITHUB_TOKEN }}

Using the action as above consequently fails with the following, despite adding the GITHUB token for higher rate limits.

/bin/docker run --name bea70de1c4c008ef342d927c3d1ac_9489f7 --label 765292 --workdir /github/workspace --rm -e "INPUT_WORKING_DIRECTORY" -e "INPUT_TFSEC_ARGS" -e "INPUT_GITHUB_TOKEN" -e "INPUT_TFSEC_VERSION" -e "INPUT_TFSEC_FORMATS" -e "INPUT_COMMENTER_VERSION" -e "INPUT_SOFT_FAIL_COMMENTER" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/opt/actions-runner/_work/_temp/_github_home":"/github/home" -v "/opt/actions-runner/_work/_temp/_github_workflow":"/github/workflow" -v "/opt/actions-runner/_work/_temp/_runner_file_commands":"/github/file_commands" -v "/opt/actions-runner/_work/fiesta-terraform-examples/fiesta-terraform-examples":"/github/workspace" 765292:366bea70de1c4c008ef342d927c3d1ac
+ TFSEC_VERSION=
+ '[' latest '!=' latest ']'
++ head -n1
++ grep -m 1 -o -E 'https://.+?tfsec-linux-amd64'
++ wget -q https://api.github.com/repos/aquasecurity/tfsec/releases -O -
wget: server returned error: HTTP/1.1 403 rate limit exceeded
+ wget -O - -q ''
wget: bad address ''

GITHUB_EVENT_PATH variable is not respected

The action does not use the value from GITHUB_EVENT_PATH env variable, always trying to load the event file from
/github/workflow/event.json.

Expected behavior
GITHUB_EVENT_PATH is respected, if provided. If omitted, default value of /github/workflow/event.json should be used.

Next release ?

Hi,

Thanks for your work on this action. It is really helpful. I think I encounter a bug fixed since the latest release v1.2.0.

Did you plan to do a new release soon?

Thanks,

Laurent.

fail to run tf-pr-commenter

First, thank you for the tfsec :)

I've tried to use this action and found some errors during execution:

WARNING: Failed to load module: missing module with source 'cloudposse/cloudtrail-s3-bucket/aws' -  try to 'terraform init' first
WARNING: Failed to load module: missing module with source 'USSBA/inspector/aws' -  try to 'terraform init' first
+ echo 'tfsec errors occurred, running commenter...'
tfsec errors occurred, running commenter...

Does it work when TF is using modules?

tfsec fails with `strconv.Atoi: parsing "<nil>": invalid syntax` error

Hi,
I'm still getting this error on my pipeline:

The commenter failed with the following error:
strconv.Atoi: parsing "<nil>": invalid syntax

This is my workflow:

name: Terraform CI
on:
  issue_comment:
    types:
      - created
    branches:
      - master
jobs:
  tfsec:
    name: Terraform tests
    if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test') }}
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout the project
        uses: actions/checkout@v2
      - name: Debug
        run: ls -al
      - name: Run tfsec
        uses: aquasecurity/tfsec-pr-commenter-action@main
        if: always()
        with:
          github_token: ${{ github.token }}
          working_directory: ./innovation1

What am I doing wrong here?

Thank you.

Missing asset in release v0.1.8

It appears that the go binary was not published as part of the release v0.1.8. The container build fails on step 4/6 as a result. Can't revert to previous releases as they point at invalid urls now.

Allow for just running tfsec without PR commenting

I know it's in the name of the Action, but due to the lack of alternatives, I'd wish for there to be the possibility of just installing tfsec and receiving its output in a workflow without the commenter being run.

Right now, I fear for the results getting lost because they're directly piped into results.json without any remedy if the workflow isn't triggered by a PR (see #40).

The added value would be that you could use this Action also for installing tfsec and running it on every single commit instead of just for PRs, and while there are other Actions also supporting this behavior, this Action in particular is directly maintained by the company behind tfsec 🙂

commenter fails to run after results are found

The recent update to Actions workflow has broken the commenter:

+ tfsec --out=results.json --format=json --soft-fail .
+ commenter
Starting the github commenter...
The commenter failed with the following error:
strconv.Atoi: parsing "<nil>": invalid syntax

Relevant workflow file: https://github.com/moritzheiber/terraform-aws-oidc-github-actions-module/blob/main/.github/workflows/test.yaml#L19-L21
Relevant finding (which I'm going to ignore going forward): https://github.com/moritzheiber/terraform-aws-oidc-github-actions-module/blob/main/tests/mocks/mock_provider.tf
The result.json looks like this:

{
	"results": [
		{
			"rule_id": "aws-misc-no-exposing-plaintext-credentials",
			"legacy_rule_id": "AWS044",
			"rule_description": "AWS provider has access credentials specified.",
			"rule_provider": "aws",
			"rule_service": "misc",
			"impact": "Exposing the credentials in the Terraform provider increases the risk of secret leakage",
			"resolution": "Don't include access credentials in plain text",
			"links": [
				"https://aquasecurity.github.io/tfsec/latest/checks/aws/misc/no-exposing-plaintext-credentials",
				"https://registry.terraform.io/providers/hashicorp/aws/latest/docs#argument-reference",
				"https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html"
			],
			"description": "Provider 'provider.aws' has an access key specified.",
			"severity": "CRITICAL",
			"status": "failed",
			"location": {
				"filename": "terraform-aws-oidc-github-actions-module/mock_provider.tf",
				"start_line": 2,
				"end_line": 2
			},
			"resource": "provider.aws"
		},
		{
			"rule_id": "general-secrets-sensitive-in-attribute",
			"legacy_rule_id": "GEN003",
			"rule_description": "Potentially sensitive data stored in block attribute.",
			"rule_provider": "general",
			"rule_service": "secrets",
			"impact": "Block attribute could be leaking secrets",
			"resolution": "Don't include sensitive data in blocks",
			"links": [
				"https://aquasecurity.github.io/tfsec/latest/checks/general/secrets/sensitive-in-attribute",
				"https://www.terraform.io/docs/state/sensitive-data.html"
			],
			"description": "Block 'provider.aws' includes a potentially sensitive attribute which is defined within the project.",
			"severity": "CRITICAL",
			"status": "failed",
			"location": {
				"filename": "terraform-aws-oidc-github-actions-module/mock_provider.tf",
				"start_line": 5,
				"end_line": 5
			},
			"resource": "provider.aws"
		}
	]
}

Module issues

Started getting the following issue in the builds today:

go: downloading github.com/tfsec/tfsec v0.45.8
go get: github.com/tfsec/[email protected] updating to
	github.com/tfsec/[email protected]: parsing go.mod:
	module declares its path as: github.com/aquasecurity/tfsec
	        but was required as: github.com/tfsec/tfsec
/entrypoint.sh: line 34: /go/bin/tfsec: No such file or directory

I feel the commit which is causing this is dea8bac


As a side note, I see that we now have releases https://github.com/aquasecurity/tfsec-pr-commenter-action/releases
Would it be better to update the README to use something like

      - name: tfsec
        uses: aquasecurity/[email protected]
        with:
          github_token: ${{ github.token }}

instead of

      - name: tfsec
        uses: aquasecurity/tfsec-pr-commenter-action@main
        with:
          github_token: ${{ github.token }}

Investigate intelligent commenting

When an ignore rule is removed from a resource block, it would be good to include the resulting tfsec failures in the PR. At the moment, the comment will only be placed if the PR changes the code to cause an issue.

Unable to scan across all directories in a Git repo with tfsec-pr-commenter-action

Hi Team,

I'm using tfsec-pr-commenter-action in GitHub Actions, but it does not scan within ALL the directories.
Hence, even when there are findings in PRs where the code is deep within the directories, they do not get the comments.
I do not have a specific directory to scan but I need something like --force-all-dirs.

Can you suggest a workaround for this?

Appreciate your response.

All Actions Failing : Repositories Not Found

Action setup does not seem to be working correctly. See output below, specifically the last line.

This is happening in multiple repositories that have not had any changes to their tfsec github action, but they all use the latest @main pr commenter.

tfsec:
    runs-on: ubuntu-latest
    steps:
      - name: Clone repo
        uses: actions/checkout@v3

      - name: Get Rules
        uses: actions/checkout@v3
        with:
          repository: '<removed>'
          path: '.tfsec'
          token: ${{ secrets.GH_ACCESS_TOKEN }}
        
      - name: tfsec
        uses: aquasecurity/tfsec-pr-commenter-action@main
        with:
          github_token: ${{ github.token }}

Output of action:

Current runner version: '2.289.1'
Operating System
Ubuntu
20.04.4
LTS
Virtual Environment
Environment: ubuntu-20.04
Version: 20220227.1
Included Software: https://github.com/actions/virtual-environments/blob/ubuntu20/20220227.1/images/linux/Ubuntu2004-Readme.md
Image Release: https://github.com/actions/virtual-environments/releases/tag/ubuntu20%2F20220227.1
Virtual Environment Provisioner
1.0.0.0-main-20220307-1
GITHUB_TOKEN Permissions
Actions: write
Checks: write
Contents: write
Deployments: write
Discussions: write
Issues: write
Metadata: read
Packages: write
Pages: write
PullRequests: write
RepositoryProjects: write
SecurityEvents: write
Statuses: write
Secret source: Actions
Prepare workflow directory
Prepare all required actions
Getting action download info
Error: Unable to resolve actions. Repositories not found :

Failed to upload configuration files .tfsec, permission denied when combining with remote terraform

This action downloads/creates files that are not accessible outside of the action step.

When using a remote terraform backend, this leads to an error like

Error: Failed to upload configuration files: open /home/runner/work/orchestration/orchestration/infra/.tfsec: permission denied

with the latest version of tfsec which automatically downloads remote modules https://github.com/aquasecurity/tfsec/releases/tag/v1.15.0

My first attempt to fix this was using .terraformignore to ignore the .tfsec folder. However, it seems like terraform tries a recursive listing of files and directories before applying the .terraformignore. And the .tfsec folder is not executable (listable) for the github action user after running this action.

The workaround is doing terraform init before the tfsec step and adding --no-module-downloads:

      - name: tfsec
        uses: aquasecurity/[email protected]
        if: github.event_name == 'pull_request'
        with:
          github_token: ${{ github.token }}
          tfsec_args: --no-module-downloads

and making sure I do terraform init before I run this tfsec action.

It would be great if the tfsec action would use a user that allows the github action steps after the docker run to list and/or remove the created .tfsec directory.

Potentially Incorrect release - broken action

Started getting the following error in builds today.

Build container for action use: '/home/runner/work/_actions/aquasecurity/tfsec-pr-commenter-action/v0.1.7/Dockerfile'.
  /usr/bin/docker build -t 48c179:0de79bb338664d1bb08987acd8692b1c -f "/home/runner/work/_actions/aquasecurity/tfsec-pr-commenter-action/v0.1.7/Dockerfile" "/home/runner/work/_actions/aquasecurity/tfsec-pr-commenter-action/v0.1.7"
  Sending build context to Docker daemon  2.293MB
  
  Step 1/6 : FROM alpine:3.12
   ---> 48b8ec4ed9eb
  Step 2/6 : RUN apk --no-cache --update add bash git     && rm -rf /var/cache/apk/*
   ---> Running in cb274213397d
  fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/main/x86_64/APKINDEX.tar.gz
  fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/community/x86_64/APKINDEX.tar.gz
  (1/10) Installing ncurses-terminfo-base (6.2_p20200523-r0)
  (2/10) Installing ncurses-libs (6.2_p20200523-r0)
  (3/10) Installing readline (8.0.4-r0)
  (4/10) Installing bash (5.0.17-r0)
  Executing bash-5.0.17-r0.post-install
  (5/10) Installing ca-certificates (20191127-r4)
  (6/10) Installing nghttp2-libs (1.41.0-r0)
  (7/10) Installing libcurl (7.79.1-r0)
  (8/10) Installing expat (2.2.9-r1)
  (9/10) Installing pcre2 (10.35-r0)
  (10/10) Installing git (2.26.3-r0)
  Executing busybox-1.31.1-r20.trigger
  Executing ca-certificates-20191127-r4.trigger
  OK: 24 MiB in 24 packages
  Removing intermediate container cb274213397d
   ---> 1598f05e932a
  Step 3/6 : RUN wget -O - -q "$(wget -q https://api.github.com/repos/tfsec/tfsec/releases/latest -O - | grep -o -E "https://.+?tfsec-linux-amd64" | head -n1)" > tfsec     && install tfsec /usr/local/bin/
   ---> Running in a482abbb67bc
  Removing intermediate container a482abbb67bc
   ---> 855eeed92f9a
  Step 4/6 : RUN wget -O - -q "$(wget -q https://api.github.com/repos/tfsec/tfsec-pr-commenter-action/releases/latest -O - | grep -o -E "https://.+?commenter-linux-amd64")" > commenter     && install commenter /usr/local/bin/
   ---> Running in 5ac790de8b6a
  wget: bad address ''
  The command '/bin/sh -c wget -O - -q "$(wget -q https://api.github.com/repos/tfsec/tfsec-pr-commenter-action/releases/latest -O - | grep -o -E "https://.+?commenter-linux-amd64")" > commenter     && install commenter /usr/local/bin/' returned a non-zero code: 1

Actions file

name: tfsec

on:
  push:
    branches:
      - main
      
  pull_request:

jobs:
  tfsec:
    name: Terraform Security Scan and PR Commenter
    runs-on: ubuntu-latest

    steps:
      - name: Clone repo
        uses: actions/checkout@master

      - name: Pull Request Commenter
        if: ${{ github.event_name == 'pull_request' }}
        uses: aquasecurity/tfsec-pr-commenter-action@main
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}

      - name: Terraform security scan
        uses: triat/[email protected]
        with :
          tfsec_output_format: JSON

@owenrumney I tried checking https://api.github.com/repos/tfsec/tfsec-pr-commenter-action/releases/latest , but it does not have text commenter-linux-amd64. Can you please check what happened?

Request: optionally disable logging `.... not writing as not part of the current PR`

Is it possible to disable these messages?

When running tfsec against a large repo that is nested using --force-all-dirs it makes it very difficult to debug issues when you have to filter through hundreds of these messages.

Alternatively, is there a way to pass a list of paths to check so --force-all-dirs isn't necessary? I know tfsec can take a single path, any option to pass it an array?

Error: Docker build failed with exit code 1 (wget: bad address '')

I think the latest release (v0.1.8) has broken this action. I was running v0.1.7 and it began failing... saw a new release and updated to v0.1.8 and it's failing all the same:

log

Build container for action use: '/home/runner/work/_actions/aquasecurity/tfsec-pr-commenter-action/v0.1.8/Dockerfile'.
  /usr/bin/docker build -t 48c179:272224442a2a4b6a93c2d83f1133664e -f "/home/runner/work/_actions/aquasecurity/tfsec-pr-commenter-action/v0.1.8/Dockerfile" "/home/runner/work/_actions/aquasecurity/tfsec-pr-commenter-action/v0.1.8"
  Sending build context to Docker daemon  2.293MB
  
  Step 1/6 : FROM alpine:3.12
   ---> 48b8ec4ed9eb
  Step 2/6 : RUN apk --no-cache --update add bash git     && rm -rf /var/cache/apk/*
   ---> Running in a9d3026194c6
  fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/main/x86_64/APKINDEX.tar.gz
  fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/community/x86_64/APKINDEX.tar.gz
  (1/10) Installing ncurses-terminfo-base (6.2_p20200523-r0)
  (2/10) Installing ncurses-libs (6.2_p20200523-r0)
  (3/10) Installing readline (8.0.4-r0)
  (4/10) Installing bash (5.0.17-r0)
  Executing bash-5.0.17-r0.post-install
  (5/10) Installing ca-certificates (20191127-r4)
  (6/10) Installing nghttp2-libs (1.41.0-r0)
  (7/10) Installing libcurl (7.79.0-r0)
  (8/10) Installing expat (2.2.9-r1)
  (9/10) Installing pcre2 (10.35-r0)
  (10/10) Installing git (2.26.3-r0)
  Executing busybox-1.31.1-r20.trigger
  Executing ca-certificates-20191127-r4.trigger
  OK: 24 MiB in 24 packages
  Removing intermediate container a9d3026194c6
   ---> e2b31c53e5a8
  Step 3/6 : RUN wget -O - -q "$(wget -q https://api.github.com/repos/aquasecurity/tfsec/releases/latest -O - | grep -o -E "https://.+?tfsec-linux-amd64" | head -n1)" > tfsec     && install tfsec /usr/local/bin/
   ---> Running in 4648f589d691
  Removing intermediate container 4648f589d691
   ---> d793f8bc9176
  Step 4/6 : RUN wget -O - -q "$(wget -q https://api.github.com/repos/aquasecurity/tfsec-pr-commenter-action/releases/latest -O - | grep -o -E "https://.+?commenter-linux-amd64")" > commenter     && install commenter /usr/local/bin/
   ---> Running in 7449ac79db7d
  wget: bad address ''
  The command '/bin/sh -c wget -O - -q "$(wget -q https://api.github.com/repos/aquasecurity/tfsec-pr-commenter-action/releases/latest -O - | grep -o -E "https://.+?commenter-linux-amd64")" > commenter     && install commenter /usr/local/bin/' returned a non-zero code: 1
  
  Warning: Docker build failed with exit code 1, back off 4.312 seconds before retry.
  /usr/bin/docker build -t 48c179:272224442a2a4b6a93c2d83f1133664e -f "/home/runner/work/_actions/aquasecurity/tfsec-pr-commenter-action/v0.1.8/Dockerfile" "/home/runner/work/_actions/aquasecurity/tfsec-pr-commenter-action/v0.1.8"
  Sending build context to Docker daemon  2.293MB
  
  Step 1/6 : FROM alpine:3.12
   ---> 48b8ec4ed9eb
  Step 2/6 : RUN apk --no-cache --update add bash git     && rm -rf /var/cache/apk/*
   ---> Using cache
   ---> e2b31c53e5a8
  Step 3/6 : RUN wget -O - -q "$(wget -q https://api.github.com/repos/aquasecurity/tfsec/releases/latest -O - | grep -o -E "https://.+?tfsec-linux-amd64" | head -n1)" > tfsec     && install tfsec /usr/local/bin/
   ---> Using cache
   ---> d793f8bc9176
  Step 4/6 : RUN wget -O - -q "$(wget -q https://api.github.com/repos/aquasecurity/tfsec-pr-commenter-action/releases/latest -O - | grep -o -E "https://.+?commenter-linux-amd64")" > commenter     && install commenter /usr/local/bin/
   ---> Running in 61eb1b1f4cfc
  wget: bad address ''
  The command '/bin/sh -c wget -O - -q "$(wget -q https://api.github.com/repos/aquasecurity/tfsec-pr-commenter-action/releases/latest -O - | grep -o -E "https://.+?commenter-linux-amd64")" > commenter     && install commenter /usr/local/bin/' returned a non-zero code: 1
  
  Warning: Docker build failed with exit code 1, back off 5.456 seconds before retry.
  /usr/bin/docker build -t 48c179:272224442a2a4b6a93c2d83f1133664e -f "/home/runner/work/_actions/aquasecurity/tfsec-pr-commenter-action/v0.1.8/Dockerfile" "/home/runner/work/_actions/aquasecurity/tfsec-pr-commenter-action/v0.1.8"
  Sending build context to Docker daemon  2.293MB
  
  Step 1/6 : FROM alpine:3.12
   ---> 48b8ec4ed9eb
  Step 2/6 : RUN apk --no-cache --update add bash git     && rm -rf /var/cache/apk/*
   ---> Using cache
   ---> e2b31c53e5a8
  Step 3/6 : RUN wget -O - -q "$(wget -q https://api.github.com/repos/aquasecurity/tfsec/releases/latest -O - | grep -o -E "https://.+?tfsec-linux-amd64" | head -n1)" > tfsec     && install tfsec /usr/local/bin/
   ---> Using cache
   ---> d793f8bc9176
  Step 4/6 : RUN wget -O - -q "$(wget -q https://api.github.com/repos/aquasecurity/tfsec-pr-commenter-action/releases/latest -O - | grep -o -E "https://.+?commenter-linux-amd64")" > commenter     && install commenter /usr/local/bin/
   ---> Running in 5423231f0450
  wget: bad address ''
  The command '/bin/sh -c wget -O - -q "$(wget -q https://api.github.com/repos/aquasecurity/tfsec-pr-commenter-action/releases/latest -O - | grep -o -E "https://.+?commenter-linux-amd64")" > commenter     && install commenter /usr/local/bin/' returned a non-zero code: 1
  
Error: Docker build failed with exit code 1

Perhaps related to your latest updates @owenrumney ?

tfsec not finding low level severities in Github Actions

When I run tfsec . locally on my laptop, it seems to find the LOW severity but not when I run it in Github Actions using aquasecurity/tfsec-pr-commenter-action. All terraform files are in the repo's base directory.

Github workflow:

name: tfsec-pr-commenter
on:
  pull_request:
jobs:
  tfsec:
    name: tfsec PR commenter
    runs-on: ubuntu-latest

    steps:
      - name: Clone repo
        uses: actions/checkout@master
      - name: tfsec
        uses: aquasecurity/tfsec-pr-commenter-action@main
        with:
          github_token: ${{ github.token }}

Output in GA:

+ TFSEC_VERSION=latest
+ '[' latest '!=' latest ']'
++ grep -o -E 'https://.+?tfsec-linux-amd64'
++ wget -q https://api.github.com/repos/aquasecurity/tfsec/releases/latest -O -
++ head -n1
+ wget -O - -q https://github.com/aquasecurity/tfsec/releases/download/v0.63.1/tfsec-linux-amd64
+ install tfsec /usr/local/bin/
+ COMMENTER_VERSION=latest
+ '[' latest '!=' latest ']'
++ wget -q https://api.github.com/repos/aquasecurity/tfsec-pr-commenter-action/releases/latest -O -
++ grep -o -E 'https://.+?commenter-linux-amd64'
+ wget -O - -q https://github.com/aquasecurity/tfsec-pr-commenter-action/releases/download/v0.1.10/commenter-linux-amd64
+ install commenter /usr/local/bin/
+ '[' -n /github/workspace ']'
+ cd /github/workspace
+ tfsec --format=json .

Output when I run it locally:

{
	"results": [
		{
			"rule_id": "aws-vpc-add-description-to-security-group",
			"legacy_rule_id": "AWS018",
			"rule_description": "Missing description for security group/security group rule.",
			"rule_provider": "aws",
			"rule_service": "vpc",
			"impact": "Descriptions provide context for the firewall rule reasons",
			"resolution": "Add descriptions for all security groups and rules",
			"links": [
				"https://aquasecurity.github.io/tfsec/latest/checks/aws/vpc/add-description-to-security-group",
				"https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group",
				"https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule",
				"https://www.cloudconformity.com/knowledge-base/aws/EC2/security-group-rules-description.html"
			],
			"description": "Resource 'aws_security_group.additional_ec2_sg' has ingress without description.",
			"severity": "LOW",
			"status": "failed",
			"location": {
				"filename": "***/main.tf",
				"start_line": 18,
				"end_line": 36
			},
			"resource": "aws_security_group.additional_ec2_sg"
		}
	]
}

Unable to find PR

+ '[' -n /github/workspace ']'
+ cd /github/workspace
+ tfsec --format=json .
+ echo 'tfsec violations were identified, running commenter...'
tfsec violations were identified, running commenter...
+ commenter
Starting the github commenter...
The commenter failed with the following error:
PR number [8] not found for DSC/github_actions

This is my workflow:

name: tfsec-pr-commenter
on:
  pull_request:
jobs:
  tfsec:
    name: tfsec PR commenter
    runs-on: [ self-hosted ]

    steps:
      - name: Clone repo
        uses: actions/checkout@master

      - name: tfsec
        uses: aquasecurity/[email protected]
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}

Am I missing something?

400 Bad Request while installing tfsec

Partial .github/workflows/tfsec.yaml file contents

name: tfsec

on: [push, pull_request]

jobs:
  tfsec:
    name: Terraform Security Scan and PR Commenter
    runs-on: ubuntu-latest

    steps:
      - name: Clone repo
        uses: actions/checkout@master

      - name: Pull Request Commenter
        uses: tfsec/tfsec-pr-commenter-action@main
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}

The Github action fails intermittently with following log:

Build container for action use: '/home/runner/work/_actions/tfsec/tfsec-pr-commenter-action/main/Dockerfile'.
  /usr/bin/docker build -t 8a33c1:b550b8a0a509483d98f061f4371b7545 -f "/home/runner/work/_actions/tfsec/tfsec-pr-commenter-action/main/Dockerfile" "/home/runner/work/_actions/tfsec/tfsec-pr-commenter-action/main"
  Sending build context to Docker daemon  2.292MB
  
  Step 1/6 : FROM alpine:3.12
   ---> 13621d1b12d4
  Step 2/6 : RUN apk --no-cache --update add bash git     && rm -rf /var/cache/apk/*
   ---> Running in ad0873bae2ba
  fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/main/x86_64/APKINDEX.tar.gz
  fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/community/x86_64/APKINDEX.tar.gz
  (1/10) Installing ncurses-terminfo-base (6.2_p20200523-r0)
  (2/10) Installing ncurses-libs (6.2_p20200523-r0)
  (3/10) Installing readline (8.0.4-r0)
  (4/10) Installing bash (5.0.17-r0)
  Executing bash-5.0.17-r0.post-install
  (5/10) Installing ca-certificates (20191127-r4)
  (6/10) Installing nghttp2-libs (1.41.0-r0)
  (7/10) Installing libcurl (7.77.0-r0)
  (8/10) Installing expat (2.2.9-r1)
  (9/10) Installing pcre2 (10.35-r0)
  (10/10) Installing git (2.26.3-r0)
  Executing busybox-1.31.1-r20.trigger
  Executing ca-certificates-20191127-r4.trigger
  OK: 24 MiB in 24 packages
  Removing intermediate container ad0873bae2ba
   ---> 9c9a4e675717
  Step 3/6 : RUN wget -O - -q "$(wget -q https://api.github.com/repos/tfsec/tfsec/releases/latest -O - | grep -o -E "https://.+?tfsec-linux-amd64")" > tfsec     && install tfsec /usr/local/bin/
   ---> Running in 81c221f9a015
  wget: server returned error: HTTP/1.1 400 Bad Request
  The command '/bin/sh -c wget -O - -q "$(wget -q https://api.github.com/repos/tfsec/tfsec/releases/latest -O - | grep -o -E "https://.+?tfsec-linux-amd64")" > tfsec     && install tfsec /usr/local/bin/' returned a non-zero code: 1
  
  Warning: Docker build failed with exit code 1, back off 3.727 seconds before retry.

I am not sure how to debug the issue.
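Every failing build in this issue and in the "bad address ''" reports above has the same shape: the Dockerfile shells out to `wget | grep`, and when the releases API returns something other than the expected release body (an error document such as a rate-limit message, or a release without the expected asset name) the command substitution is empty and the second `wget` is handed an empty URL. The example below is added here and is not the action's own installer code; it shows how a release-asset lookup can be made to fail with a clear reason instead. The `resolveAsset` function, the `release` struct and the two JSON bodies are constructed for this example; the download URL in the sample matches the one printed in the v1.0.5 log further down the page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// release holds the parts of a GitHub "releases/latest" response that an
// installer needs. On error responses (rate limiting, missing repository)
// GitHub returns a body with "message" and no assets; that is what an
// unchecked grep turns into an empty download URL.
type release struct {
	Message string `json:"message"`
	TagName string `json:"tag_name"`
	Assets  []struct {
		Name               string `json:"name"`
		BrowserDownloadURL string `json:"browser_download_url"`
	} `json:"assets"`
}

// resolveAsset picks the asset called assetName out of a release response and
// checks that its URL is https and lives under allowedPrefix before returning it,
// so that a moved or spoofed release cannot redirect the install elsewhere.
func resolveAsset(body []byte, assetName, allowedPrefix string) (string, error) {
	var rel release
	if err := json.Unmarshal(body, &rel); err != nil {
		return "", fmt.Errorf("release metadata is not valid JSON: %w", err)
	}
	if len(rel.Assets) == 0 {
		if rel.Message != "" {
			return "", fmt.Errorf("GitHub API returned an error instead of a release: %s", rel.Message)
		}
		return "", fmt.Errorf("release %q lists no assets", rel.TagName)
	}
	for _, a := range rel.Assets {
		if a.Name != assetName {
			continue
		}
		u, err := url.Parse(a.BrowserDownloadURL)
		if err != nil || u.Scheme != "https" {
			return "", fmt.Errorf("asset %s has a non-https download URL %q", assetName, a.BrowserDownloadURL)
		}
		if !strings.HasPrefix(a.BrowserDownloadURL, allowedPrefix) {
			return "", fmt.Errorf("asset %s URL %q is outside the expected prefix %s", assetName, a.BrowserDownloadURL, allowedPrefix)
		}
		return a.BrowserDownloadURL, nil
	}
	return "", fmt.Errorf("release %q has no asset named %s", rel.TagName, assetName)
}

// Constructed sample of a healthy release response (asset list shortened).
const sampleRelease = `{
  "tag_name": "v1.0.5",
  "assets": [
    {"name": "commenter-darwin-amd64", "browser_download_url": "https://github.com/aquasecurity/tfsec-pr-commenter-action/releases/download/v1.0.5/commenter-darwin-amd64"},
    {"name": "commenter-linux-amd64",  "browser_download_url": "https://github.com/aquasecurity/tfsec-pr-commenter-action/releases/download/v1.0.5/commenter-linux-amd64"}
  ]
}`

// Constructed sample of the body GitHub sends when the unauthenticated rate
// limit is exhausted; note there is no "assets" key at all.
const sampleRateLimited = `{"message": "API rate limit exceeded for 203.0.113.7."}`

const allowedPrefix = "https://github.com/aquasecurity/tfsec-pr-commenter-action/releases/download/"

func main() {
	for _, body := range []string{sampleRelease, sampleRateLimited} {
		u, err := resolveAsset([]byte(body), "commenter-linux-amd64", allowedPrefix)
		if err != nil {
			fmt.Println("install aborted:", err)
			continue
		}
		fmt.Println("would download", u)
	}
}
```

The same check written in shell would be `jq -r` over the response followed by an explicit test that the result is non-empty and starts with the expected prefix; the point is that the failure surfaces as "rate limit exceeded" or "no asset named" rather than as `wget: bad address ''` three retries later.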

PR Comment uses ID instead of friendly name

Hi, I just wondered if this was expected behaviour? The vscode extension / cli highlights the following code with the message:

variable "env_analytics_token" {
  description = "Google Analytics token"
  type        = string
  default     = "token"
}
Result #1 CRITICAL Variable includes a potentially sensitive default value. 
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 services/frontend-app/variables.tf Line 176
───────┬───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  173  │ variable "env_analytics_token" {
  174  │   description = "Google Analytics token"
  175  │   type        = string
  176  │   default     = "token"
  177  │ }
───────┴───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
          **ID general-secrets-no-plaintext-exposure**

However the PR commenter returns the ID instead, as shown below:

(screenshot: 2022-02-03 at 13:09:34)

.... not writing as not part of the current PR

Integrated the commenter in my pipeline. It finds issues after some tweaking of the working directory.

But now it doesn't write them to the PR as a comment. It keeps saying that the issue found is not part of the PR.

I've explicitly made an extra change to the file (keyvault.tf) in this case but that still results in the same logging output.

Any ideas?

Request: commenter could support any json from any random code scanner

The commenter tool is really cool how it targets comments in a PR directly to any offending line which will change in that PR, and equally cool is how it doesn't spam a PR with comments relating to lines which aren't changing in a PR. I've googled around a bunch and this tool was the only one I could find which had that capability.

It could be even cooler if that commenter tool supported json from any random code scanner, rather than being hardcoded for tfsec json keys. For example, here's a sample of output from ansible-lint:

[
  {
    "categories": [
      "idempotency"
    ],
    "check_name": "package-latest",
    "content": {
      "body": "Task/Handler: Install some package"
    },
    "description": "Package installs should not use latest.",
    "fingerprint": "160155f8da48226ca74e3ed55a307c2bd93f5e06960ec650556220bf56974797",
    "location": {
      "lines": {
        "begin": 376
      },
      "path": "ansible/roles/common/tasks/main.yml"
    },
    "severity": "info",
    "type": "issue"
  }
]

Those fields don't exactly map to the fields commenter looks for, but they're pretty close. It would be cool if I could remap fields when calling the commenter tool to make it work on any json from any code scanner. In the above example, I might call the commenter tool like this:

commenter \
--rule-id 'json:"check_name"' \
--file-name 'json:"location.path"' \
... and so on...

And of course the default behavior could be kept if I didn't explicitly remap any fields, so its behavior with tfsec json could be unchanged.

".... not writing as not part of the current PR" - what does this mean / how to have it include all .tf files in scan?

We have .tf files in various, nested subdirs and are seeing this error. The action is outputting nothing to the PR and seems to print this in the logs for every check.

For example:

No public access block so not restricting public buckets .... not writing as not part of the current PR
Bucket does not have a corresponding public access block. .... not writing as not part of the current PR

Using aquasecurity/[email protected]
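The message asked about in this issue and the keyvault.tf issue above reflects the commenter's design described earlier on the page: it only comments on lines that the pull request itself changes, and a finding whose lines are untouched by the PR is skipped with this log line. The example below is added here and is not the project's own code; it reconstructs that filter from a unified diff so the behaviour can be checked offline. `parseUnifiedDiff`, `hunkNewStart`, `inCurrentPR` and the sample diff are constructed for this example and assume a git-style diff with `a/` and `b/` path prefixes.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// changedLines maps a repo-relative file path to the set of line numbers
// (new-file numbering) that the PR diff adds or modifies.
type changedLines map[string]map[int]bool

// hunkNewStart extracts the new-file start line from "@@ -a,b +c,d @@".
// It returns 0 when the header is malformed or the new side is empty.
func hunkNewStart(header string) int {
	fields := strings.Fields(header)
	if len(fields) < 3 || !strings.HasPrefix(fields[2], "+") {
		return 0
	}
	start := strings.SplitN(strings.TrimPrefix(fields[2], "+"), ",", 2)[0]
	n, err := strconv.Atoi(start)
	if err != nil || n < 1 {
		return 0
	}
	return n
}

// parseUnifiedDiff walks a unified diff and records every '+' line under the
// file named by the most recent "+++ b/..." header. Context lines advance the
// line counter, removed lines do not, so the numbers match the new file.
func parseUnifiedDiff(diff string) changedLines {
	out := changedLines{}
	var file string
	line := 0 // current new-file line number; 0 means "not inside a hunk"
	sc := bufio.NewScanner(strings.NewReader(diff))
	for sc.Scan() {
		t := sc.Text()
		switch {
		case strings.HasPrefix(t, "+++ "):
			file = strings.TrimPrefix(t[4:], "b/")
			if file == "/dev/null" { // file deleted in this PR
				file = ""
			}
			line = 0
		case strings.HasPrefix(t, "--- "):
			// old-file header: nothing to record
		case strings.HasPrefix(t, "@@ "):
			line = hunkNewStart(t)
		case file == "" || line == 0:
			// "diff --git", "index ..." and similar lines outside a hunk
		case strings.HasPrefix(t, "+"):
			if out[file] == nil {
				out[file] = map[int]bool{}
			}
			out[file][line] = true
			line++
		case strings.HasPrefix(t, " "), t == "":
			line++ // unchanged context line
		case strings.HasPrefix(t, "-"), strings.HasPrefix(t, "\\"):
			// removed line or "\ No newline at end of file": consumes no new-file line
		}
	}
	return out
}

// inCurrentPR reports whether any line of the finding's range was changed by
// the PR; this is the decision behind "not writing as not part of the current PR".
func inCurrentPR(changed changedLines, file string, startLine, endLine int) bool {
	lines := changed[file]
	for n := startLine; n <= endLine; n++ {
		if lines[n] {
			return true
		}
	}
	return false
}

// Constructed PR diff: one attribute changed and one added in keyvault.tf.
const sampleDiff = `diff --git a/keyvault.tf b/keyvault.tf
--- a/keyvault.tf
+++ b/keyvault.tf
@@ -1,5 +1,6 @@
 resource "azurerm_key_vault" "kv" {
   name                = "example"
-  purge_protection_enabled = true
+  purge_protection_enabled = false
+  soft_delete_retention_days = 7
   sku_name            = "standard"
 }
`

func main() {
	changed := parseUnifiedDiff(sampleDiff)
	for _, f := range []struct {
		file       string
		start, end int
	}{{"keyvault.tf", 1, 6}, {"keyvault.tf", 5, 6}, {"main.tf", 1, 10}} {
		if inCurrentPR(changed, f.file, f.start, f.end) {
			fmt.Printf("%s:%d-%d: would comment\n", f.file, f.start, f.end)
		} else {
			fmt.Printf("%s:%d-%d: not writing as not part of the current PR\n", f.file, f.start, f.end)
		}
	}
}
```

Run against the sample, a finding spanning lines 1 to 6 of keyvault.tf is commented on because lines 3 and 4 are in the diff, while a finding on lines 5 to 6 (only context) and anything in main.tf is skipped. That also explains the experience in the keyvault.tf report: an edit counts only if it lands on the lines the finding covers, and a finding whose file path does not match the diff path exactly (see the doubled-prefix issue further down) is never matched.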

Support non-ephemeral runners

If docker changes a file / folder on a mounted volume the permissions are borked, probably to root root. On a subsequent run the actions/checkout will fail as it can't clean the repo. You will get errors on any file this action touches, I think for this action the implications are just on the .terraform/ folder?

Example of the errors:

Command failed: rm -rf "/actions-runner/_work/repo/repo/.terraform"
rm: cannot remove '/actions-runner/_work/repo/repo/.terraform/modules/my_module/wrappers/main.tf': Permission denied

Here is an example of a fix another author did once I raised the issue with them:

dflook/terraform-github-actions@v1.17.0...v1.17.1

You can work around this by:

      - name: Get Actions user id
        id: get_uid
        run: |
          actions_user_id=`id -u $USER`
          echo $actions_user_id
          echo ::set-output name=uid::$actions_user_id
      - name: Correct Ownership in GITHUB_WORKSPACE directory
        uses: peter-murray/reset-workspace-ownership-action@v1
        with:
          user_id: ${{ steps.get_uid.outputs.uid }}
      - uses: actions/checkout@v2

but this is a faff and should be handled by the action natively

Cannot upload reports as artifacts due to permission issues

- name: Run tfsec
  uses: aquasecurity/[email protected]
  with:
    github_token: ${{ secrets.token }}
    working_directory: ${{ inputs.path }}
    tfsec_version: ${{ inputs.tfsec-version }}
    tfsec_args: ${{ inputs.tfsec-args }}
    tfsec_formats: junit,sarif
    commenter_version: latest

- uses: actions/upload-artifact@v3
  with:
    name: tfsec reports
    path: results.*

The files are found - but the upload action reports something like the following:

Run actions/upload-artifact@v3
With the provided path, there will be 4 files uploaded
Starting artifact upload
For more detailed logs during the artifact upload process, enable step-debugging: https://docs.github.com/actions/monitoring-and-troubleshooting-workflows/enabling-debug-logging#enabling-step-debug-logging
Artifact name is valid!
Container for artifact "tfsec results" successfully created. Starting upload of file(s)
node:events:368
      throw er; // Unhandled 'error' event
      ^

Error: EACCES: permission denied, open '/home/runner/work/my-project/my-project/results.json'
Emitted 'error' event on ReadStream instance at:
    at emitErrorNT (node:internal/streams/destroy:157:8)
    at emitErrorCloseNT (node:internal/streams/destroy:122:3)
    at processTicksAndRejections (node:internal/process/task_queues:83:21) {
  errno: -13,
  code: 'EACCES',
  syscall: 'open',
  path: '/home/runner/work/my-project/my-project/results.json'
}

I even tried non-wildcard versions, globbed paths, non-globbed and adding a step that first copied reports to another directory, but that also got a permission denied.

no such file or directory on symbolic link

Hi,
Having multiple environments deployed on AWS, we created symbolic links between the files defining common resources needed in our environment and specific ones, which gives the following file hierarchy:

├── common
│   └── common_ressource.tf
├── preprod
│   ├── dedicated_ressource.tf
│   └── common_ressource.tf -> ../common/common_ressource.tf

Running tfsec locally in my preprod folder doesn't raise any error but running the PR commenter action does:

+ TFSEC_VERSION=latest
+ '[' latest '!=' latest ']'
++ wget -q https://api.github.com/repos/aquasecurity/tfsec/releases/latest -O -
++ grep -o -E 'https://.+?tfsec-linux-amd64'
++ head -n1
+ wget -O - -q https://github.com/aquasecurity/tfsec/releases/download/v1.4.2/tfsec-linux-amd64
+ install tfsec /usr/local/bin/
+ COMMENTER_VERSION=latest
+ '[' latest '!=' latest ']'
++ grep -o -E 'https://.+?commenter-linux-amd64'
++ wget -q https://api.github.com/repos/aquasecurity/tfsec-pr-commenter-action/releases/latest -O -
+ wget -O - -q https://github.com/aquasecurity/tfsec-pr-commenter-action/releases/download/v1.0.5/commenter-linux-amd64
+ install commenter /usr/local/bin/
+ '[' -n /github/workspace ']'
+ cd /github/workspace
+ '[' -n '' ']'
+ tfsec --out=results.json --format=json --soft-fail terraform/preprod
WARNING: A tfvars file was found but not automatically used. Did you mean to specify the --tfvars-file flag?
Scan error: open /github/workspace/terraform/preprod/common_ressource.tf: no such file or directory
+ commenter
Starting the github commenter...
The commenter failed with the following error:
failed to load results. open results.json: no such file or directory

My github workflow is written as follows:

name: tfsec-pr-commenter
on:
  pull_request:
jobs:
  tfsec:
    name: tfsec PR commenter
    runs-on: ubuntu-latest

    steps:
      - name: Clone repo
        uses: actions/checkout@master
      - name: tfsec
        uses: aquasecurity/[email protected]
        with:
          github_token: ${{ github.token }}
          working_directory: terraform/preprod

Note that setting working_directory to terraform/common works perfectly.

The commenter fails with the error "invalid character '/' looking for beginning of value"

Hi,

I'm running the latest @main version of the action. When I run it, it fails and in the logs it says:

Starting the github commenter... The commenter failed with the following error: invalid character '/' looking for beginning of value

Looking at the cmd/commenter/commenter.go code and the error message, it seems to come from the JSON-library, so maybe parsing the event.json file or the results.json file fails?

Argument error after new release of v1.3.0

After the new release of tfsec-pr-commenter-action (v1.3.0) the PR check is broken with the following error:

tfsec --out=results.json --format=json --soft-fail '' ./infrastructure
Usage:
  tfsec [directory] [flags]

Flags:
      --code-theme string            Theme for annotated code. Either 'light' or 'dark'. (default "dark")
      --concise-output               Reduce the amount of output and no statistics
      --config-file string           Config file to use during run
      --config-file-url string       Config file to download from a remote location. Must be json or yaml
      --custom-check-dir string      Explicitly set the custom checks dir location
      --custom-check-url string      Download a custom check file from a remote location. Must be json or yaml
      --debug                        Enable debug logging (same as verbose)
  -G, --disable-grouping             Disable grouping of similar results
  -e, --exclude string               Provide comma-separated list of rule IDs to exclude from run.
      --exclude-downloaded-modules   Remove results for downloaded modules in .terraform folder
  -E, --exclude-ignores string       Provide comma-separated list of ignored rule to exclude from run.
      --exclude-path strings         Folder path to exclude, can be used multiple times and evaluated in order of specification
      --filter-results string        Filter results to return specific checks only (supports comma-delimited input).
      --force-all-dirs               Don't search for tf files, include everything below provided directory.
  -f, --format string                Select output format: lovely, json, csv, checkstyle, junit, sarif, text, markdown, html, gif. To use multiple formats, separate with a comma and specify a base output filename with --out. A file will be written for each type. The first format will additionally be written stdout. (default "lovely")
  -h, --help                         help for tfsec
      --ignore-hcl-errors            Do not report an error if an HCL parse error is encountered
      --include-ignored              Include ignored checks in the result output
      --include-passed               Include passed checks in the result output
      --migrate-ignores              Migrate ignore codes to the new ID structure
  -m, --minimum-severity string      The minimum severity to report. One of CRITICAL, HIGH, MEDIUM, LOW.
      --no-code                      Don't include the code snippets in the output.
      --no-color                     Disable colored output (American style!)
      --no-colour                    Disable coloured output
      --no-ignores                   Do not apply any ignore rules - normally ignored checks will fail
      --no-module-downloads          Do not download remote modules.
  -O, --out string                   Set output file. This filename will have a format descriptor appended if multiple formats are specified with --format
      --print-rego-input             Print a JSON representation of the input supplied to rego policies.
      --rego-only                    Run rego policies exclusively.
      --rego-policy-dir string       Directory to load rego policies from (recursively).
      --run-statistics               View statistics table of current findings.
      --single-thread                Run checks using a single thread
  -s, --soft-fail                    Runs checks but suppresses error code
      --tfvars-file strings          Path to .tfvars file, can be used multiple times and evaluated in order of specification
      --update                       Update to latest version
      --var-file strings             Path to .tfvars file, can be used multiple times and evaluated in order of specification (same functionality as --tfvars-file but consistent with Terraform)
      --verbose                      Enable verbose logging (same as debug)
  -v, --version                      Show version information and exit
  -w, --workspace string             Specify a workspace for ignore limits (default "default")

Error: accepts between 0 and 1 arg(s), received 2

The current workflow file is:

name: tfsec-pr-commenter
on:
  pull_request:
jobs:
  tfsec:
    name: tfsec PR commenter
    runs-on: ubuntu-latest

    steps:
      - name: Clone repo
        uses: actions/checkout@master

      - name: tfsec
        uses: aquasecurity/tfsec-pr-commenter-action@main
        with:
          working_directory: ./infrastructure
          github_token: ${{ secrets.GITHUB_TOKEN }}

1.3.x Upgrade is Breaking Pipeline with Custom `working_directory`

We have a huge monorepo with multiple entrypoints for Terraform. The 1.3.x release is breaking our pipeline.

The example of pipeline:

name: iac-scan
on:
  pull_request:
jobs:
  changed-files:
    name: Get changed files
    runs-on: ubuntu-latest
    outputs:
      matrix: ${{ steps.set-matrix.outputs.matrix }}
    steps:
      - name: Clone repo
        uses: actions/checkout@master

      - name: Get changed dir-names
        id: changed-files
        uses: hi-artem/changed-files@main
        with:
          dir_names: "true"
          json: "true"
          max_fetch_depth: "2147483647"
          files: |
            terraform/**
      - name: List all changed files
        run: |
          echo '${{ steps.changed-files.outputs.all_changed_files }}'
      - id: set-matrix
        run: echo "matrix={\"files\":${{ steps.changed-files.outputs.all_changed_files }}}" >> "$GITHUB_OUTPUT"

  tfsec:
    name: IaC Scan with tfsec
    runs-on: ubuntu-latest
    needs: [changed-files]
    strategy:
      matrix: ${{ fromJSON(needs.changed-files.outputs.matrix) }}
      max-parallel: 4
      fail-fast: false
    steps:
      - name: Clone repo
        uses: actions/checkout@master
      - name: tfsec
        uses: aquasecurity/[email protected]
        with:
          tfsec_args: --custom-check-dir .tfsec
          soft_fail_commenter: true
          github_token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
          working_directory: ${{  matrix.files }}

It works fine if we pin commenter to 1.2.0, but the latest (1.3.1) is acting weird. Here's an example of logs:

+ tfsec --out=results.json --format=json --soft-fail --soft-fail terraform/aws/develop/shared
1 file(s) written: results.json
+ commenter
Starting the github commenter
Working in repository terraform
Working in PR 9999
TFSec found 21 issues
Working in GITHUB_WORKSPACE /github/workspace/
Preparing comment for violation of rule aws-ec2-enable-at-rest-encryption in terraform/aws/develop/shared/terraform/aws/develop/shared/test.tf
Ignoring - change not part of the current PR
Preparing comment for violation of rule aws-ec2-enable-at-rest-encryption in terraform/aws/develop/shared/terraform/aws/develop/shared/test.tf
Ignoring - change not part of the current PR
Preparing comment for violation of rule aws-ec2-enforce-http-token-imds in terraform/aws/develop/shared/terraform/aws/develop/shared/test.tf
Ignoring - change not part of the current PR
Preparing comment for violation of rule aws-ec2-enforce-http-token-imds in terraform/aws/develop/shared/terraform/aws/develop/shared/test.tf
Ignoring - change not part of the current PR
# blablabla and they all are ignored!

It appears to append the working directory to the filename twice! For example, terraform/aws/develop/shared/terraform/aws/develop/shared/test.tf should be terraform/aws/develop/shared/test.tf.
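The log shows why a path mix-up is fatal for this kind of tool: the commenter matches finding paths against the PR diff by exact repo-relative path, so a doubled `working_directory` prefix means every finding is "not part of the current PR" and nothing is posted. The function below is an added example, not the action's code, of resolving a tfsec filename to a repo-relative path without prefixing it twice, and of refusing paths that resolve outside the checkout instead of guessing. `normalizeFindingPath` and `escapes` are names chosen for this example; it assumes Linux path semantics and that tfsec was invoked from the workspace root, as the `cd /github/workspace` lines in the logs on this page show.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// escapes reports whether a cleaned relative path climbs out of its base.
func escapes(rel string) bool {
	return rel == ".." || strings.HasPrefix(rel, "../")
}

// normalizeFindingPath turns the filename tfsec reports into a path relative
// to the repository root, which is what a PR review comment needs:
//   - absolute paths are made relative to the workspace checkout;
//   - relative paths that already sit under workingDir are kept as they are
//     (tfsec invoked as "tfsec terraform/x" reports "terraform/x/main.tf"),
//     which is exactly the case that produced the doubled prefix above;
//   - any other relative path is taken to be relative to workingDir.
// Paths that resolve outside the workspace are rejected, never guessed at.
func normalizeFindingPath(workspace, workingDir, filename string) (string, error) {
	workspace = filepath.Clean(workspace)
	wd := filepath.Clean(workingDir) // "" becomes ".", "./infra" becomes "infra"

	if filepath.IsAbs(filename) {
		rel, err := filepath.Rel(workspace, filename)
		if err != nil || escapes(rel) {
			return "", fmt.Errorf("finding %q is outside workspace %q", filename, workspace)
		}
		return rel, nil
	}

	f := filepath.Clean(filename)
	if wd != "." {
		// filepath.Rel is component-aware, so "infra2/x.tf" is not mistaken
		// for something under "infra" the way a string-prefix check would.
		if rel, err := filepath.Rel(wd, f); err == nil && !escapes(rel) {
			return f, nil // already rooted at the repo: do not prefix again
		}
	}
	joined := filepath.Join(wd, f)
	if escapes(joined) {
		return "", fmt.Errorf("finding %q escapes the repository as %q", filename, joined)
	}
	return joined, nil
}

func main() {
	cases := []struct{ workspace, workingDir, filename string }{
		{"/github/workspace", "terraform/aws/develop/shared", "terraform/aws/develop/shared/test.tf"},
		{"/github/workspace", "terraform/aws/develop/shared", "test.tf"},
		{"/github/workspace", "./infrastructure", "/github/workspace/infrastructure/main.tf"},
		{"/github/workspace", "infrastructure", "../../outside.tf"},
	}
	for _, c := range cases {
		p, err := normalizeFindingPath(c.workspace, c.workingDir, c.filename)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("%-45s -> %s\n", c.filename, p)
	}
}
```

With the first case the result is `terraform/aws/develop/shared/test.tf` once, not twice, so the diff lookup in the commenter has a chance to match the PR's file list.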

how to load config file correctly

I'm testing --config-file-url option, I'm loading it from here - https://github.com/anurag1192/customtfsecchecks/blob/main/config.json

I'm using the git action here - https://github.com/anurag1192/test-terraform/blob/main/.github/workflows/tfsec-pr-commenter.yml#L15

I tested both the options:
tfsec_args: --config-file-url https://github.com/anurag1192/customtfsecchecks/config.json AND
tfsec_args: --config-file-url https://github.com/anurag1192/customtfsecchecks/blob/main/config.json

However, when I create a PR, it's scanning for other rules also. For example, it is scanning for s3 versioning enabled, aws-s3-encryption-customer-key. These rules are not included in the config file.

See this test PR - achdc-1192/test-terraform#2
