Add comments to pull requests where tfsec checks have failed

To add the action, add tfsec_pr_commenter.yml into the .github/workflows directory in the root of your Github project.

The contents of tfsec_pr_commenter.yml should be;

Note: The GITHUB_TOKEN injected to the workflow will need permissions to write on pull requests.

This can be achieved by adding a permissions block in your workflow definition.

See: docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs for more details.

name: tfsec-pr-commenter
on:
  pull_request:
jobs:
  tfsec:
    name: tfsec PR commenter
    runs-on: ubuntu-latest

    permissions:
      contents: read
      pull-requests: write

    steps:
      - name: Clone repo
        uses: actions/checkout@master
      - name: tfsec
        uses: aquasecurity/[email protected]
        with:
          github_token: ${{ github.token }}

On each pull request and subsequent commit, tfsec will run and add comments to the PR where tfsec has failed.

The comment will only be added once per transgression.

There are a number of optional inputs that can be used in the with: block.

working_directory - the directory to scan in, defaults to ., ie current working directory

tfsec_version - the version of tfsec to use, defaults to latest

tfsec_args - the args for tfsec to use (space-separated)

tfsec_formats - the formats for tfsec to output (comma-separated)

commenter_version - the version of the commenter to use, defaults to latest

soft_fail_commenter - set to true to comment silently without breaking the build

tfsec provides an extensive number of arguments, which can be passed through as in the example below:

name: tfsec-pr-commenter
on:
  pull_request:
jobs:
  tfsec:
    name: tfsec PR commenter
    runs-on: ubuntu-latest

    steps:
      - name: Clone repo
        uses: actions/checkout@master
      - name: tfsec
        uses: aquasecurity/[email protected]
        with:
          tfsec_args: --soft-fail
          github_token: ${{ github.token }}

tfsec provides multiple possible formats for the output:

• default
• json
• csv
• checkstyle
• junit
• sarif
• gif

The json format is required and included by default. To add additional formats, set the tfsec_formats option to comma-separated values:

tfsec_formats: sarif,csv

The screenshot below demonstrates the comments that can be expected when using the action