tfsec-pr-commenter-action

".... not writing as not part of the current PR" - what does this mean / how to have it include all .tf files in scan?

Open richstokes opened this issue 2 years ago • 9 comments

We have .tf files in various, nested subdirs and are seeing this error. The action is outputting nothing to the PR and seems to print this in the logs for every check.

For example:

No public access block so not restricting public buckets .... not writing as not part of the current PR
Bucket does not have a corresponding public access block. .... not writing as not part of the current PR

Using aquasecurity/[email protected]

richstokes, Jan 31 '22 19:01

Just tried aquasecurity/[email protected] -- same issue

richstokes, Jan 31 '22 20:01

@richstokes - the action runs tfsec against the whole repo and then cross-references the results from tfsec against the hunk changes in the commit of the PR. If the error is part of an active change, then it writes the comment.

The message you're seeing suggests that tfsec has found an issue with the S3 bucket not having a corresponding public access block, but as the bucket isn't part of the PR it's not going to include a comment.

owenrumney, Feb 07 '22 20:02

@owenrumney, can I configure the action to comment every alert, even if it isn't part of the PR?

kmcarvalho, Feb 15 '22 21:02

Hello @owenrumney, I'm seeing the same message "not writing as not part of the current PR". I don't understand why, if I commit insecure code, the commenter is not creating any comment on my PR. This is my pipeline:

name: Checks
on:
  # pull_request_target runs with the base repository's GITHUB_TOKEN; the checkout
  # of the PR head below therefore runs the PR's code with that token.
  pull_request_target:
jobs:
  terraform-checks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          ref: ${{ github.event.pull_request.head.sha }}

      - name: Install tfenv & correct terraform version
        env:
          # Not needed for the $GITHUB_PATH write below; this only re-enables the
          # deprecated ::add-path:: / ::set-env:: workflow commands.
          ACTIONS_ALLOW_UNSECURE_COMMANDS: true
        run: |
          git clone https://github.com/tfutils/tfenv.git ~/.tfenv
          echo "$HOME/.tfenv/bin" >> $GITHUB_PATH

      - name: Terraform format
        run: |
          tfenv install   # picks the version from .terraform-version
          tfenv use
          echo "terraform format"
          terraform fmt -check -diff -recursive

      - uses: aquasecurity/[email protected]
        name: Tfsec check
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          working_directory: terraform   # only this subdirectory is scanned
          tfsec_args: --out ./results.json

njimenezotto, Feb 22 '22 06:02

@kmcarvalho - not at the moment, but this is something I could add. It would have to be a comment directly in the PR rather than against the commit file, though, so it might lose its value.

owenrumney, Mar 08 '22 22:03

@njimenezotto - I'm not sure. I see you're setting the working directory, which might be causing an issue with the commenter matching against the commit paths. Can you share the action output for the tfsec-pr-commenter-action step?

owenrumney, Mar 08 '22 22:03
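The mechanism described in the reply above (scan the whole repo, then keep only findings whose lines fall inside a hunk of the PR diff), together with the working_directory path mismatch raised just above, as an added example. This is illustrative code written for this thread, not the action's or go-github-pr-commenter's own implementation. It assumes tfsec's JSON output has the shape results[].rule_id / description / severity / location.{filename,start_line,end_line}; the diff, the findings and the rule IDs RULE-1 and RULE-2 are constructed sample data, and the function names are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"regexp"
	"strconv"
	"strings"
)

// Subset of tfsec's JSON report used here (field names assumed from tfsec's JSON format).
type tfsecReport struct {
	Results []tfsecResult `json:"results"`
}

type tfsecResult struct {
	RuleID      string `json:"rule_id"`
	Description string `json:"description"`
	Severity    string `json:"severity"`
	Location    struct {
		Filename  string `json:"filename"`
		StartLine int    `json:"start_line"`
		EndLine   int    `json:"end_line"`
	} `json:"location"`
}

// lineRange is an inclusive range of new-file line numbers covered by one hunk.
type lineRange struct{ start, end int }

var hunkRe = regexp.MustCompile(`^@@ -\d+(?:,\d+)? \+(\d+)(?:,(\d+))? @@`)

// parseReport decodes a tfsec JSON report (tfsec --format json).
func parseReport(data string) (tfsecReport, error) {
	var r tfsecReport
	err := json.Unmarshal([]byte(data), &r)
	return r, err
}

// changedLines parses a unified diff and returns the hunk ranges per file, keyed by the
// repo-relative path git prints after "+++ b/". Every line inside a hunk (context included)
// can carry a review comment; a pure deletion has no new-file lines to anchor on.
func changedLines(diff string) map[string][]lineRange {
	out := map[string][]lineRange{}
	cur := ""
	for _, line := range strings.Split(diff, "\n") {
		if strings.HasPrefix(line, "+++ b/") {
			cur = strings.TrimPrefix(line, "+++ b/")
			continue
		}
		m := hunkRe.FindStringSubmatch(line)
		if m == nil || cur == "" {
			continue
		}
		start, _ := strconv.Atoi(m[1])
		count := 1
		if m[2] != "" {
			count, _ = strconv.Atoi(m[2])
		}
		if count == 0 {
			continue
		}
		out[cur] = append(out[cur], lineRange{start, start + count - 1})
	}
	return out
}

// repoRelative maps a tfsec filename onto the path git prints. Absolute paths are made
// relative to the checkout; relative paths are relative to the directory tfsec ran in,
// so a working_directory must be prepended or "s3.tf" never matches "terraform/s3.tf".
func repoRelative(filename, repoRoot, workingDir string) string {
	if filepath.IsAbs(filename) {
		if rel, err := filepath.Rel(repoRoot, filename); err == nil {
			return filepath.ToSlash(rel)
		}
		return filename
	}
	return filepath.ToSlash(filepath.Join(workingDir, filename))
}

// partition splits findings into those overlapping a PR hunk (a line comment is written)
// and those that do not (the "not writing as not part of the current PR" case).
func partition(rep tfsecReport, hunks map[string][]lineRange, repoRoot, workingDir string) (inPR, outside []tfsecResult) {
	for _, r := range rep.Results {
		path := repoRelative(r.Location.Filename, repoRoot, workingDir)
		hit := false
		for _, h := range hunks[path] {
			if r.Location.StartLine <= h.end && r.Location.EndLine >= h.start {
				hit = true
				break
			}
		}
		if hit {
			inPR = append(inPR, r)
		} else {
			outside = append(outside, r)
		}
	}
	return inPR, outside
}

// Constructed inputs: a PR diff touching one file, and a report with one finding inside
// that hunk and one in a file the PR never touched.
const sampleDiff = `diff --git a/terraform/s3.tf b/terraform/s3.tf
--- a/terraform/s3.tf
+++ b/terraform/s3.tf
@@ -1,3 +1,5 @@
 resource "aws_s3_bucket" "logs" {
   bucket = "example-logs"
+  acl    = "private"
+  tags   = { env = "dev" }
 }
`

const sampleTfsecJSON = `{"results":[
 {"rule_id":"RULE-1","severity":"HIGH","description":"Bucket does not have a corresponding public access block.",
  "location":{"filename":"/github/workspace/terraform/s3.tf","start_line":1,"end_line":5}},
 {"rule_id":"RULE-2","severity":"HIGH","description":"No public access block so not restricting public buckets",
  "location":{"filename":"/github/workspace/terraform/legacy.tf","start_line":10,"end_line":12}}
]}`

func main() {
	rep, err := parseReport(sampleTfsecJSON)
	if err != nil {
		panic(err)
	}
	inPR, outside := partition(rep, changedLines(sampleDiff), "/github/workspace", "terraform")
	for _, r := range inPR {
		fmt.Printf("comment on %s:%d: %s\n", r.Location.Filename, r.Location.StartLine, r.Description)
	}
	for _, r := range outside {
		fmt.Printf("%s .... not writing as not part of the current PR\n", r.Description)
	}
}
```

Running it comments on the s3.tf finding and logs the legacy.tf one as not part of the PR. If tfsec reports relative paths and the workingDir argument is left empty, even the s3.tf finding falls into the second bucket, which is the silent failure mode the working_directory question above is pointing at.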

Hello, I would add a use case where it would be great to have a configuration option to ask tfsec to publish a comment even if the change is not in the PR.

I am currently testing Terraspace. Terraspace is a wrapper around Terraform. It means that we define some Terraform code wrapped in a Ruby layer. This allows adding further functionality, following Terraform good practices, etc.

When we launch Terraspace (during a GitHub Action), the "real" Terraform code is generated into a cache folder. Of course this cache folder is not pushed to the git repository. I would then launch tfsec on this cache folder to check that the generated code follows security guidelines and write a comment in the pull request if it does not.

However, because the cache folder is not in the git repository, tfsec will never write a comment in the PR.

Sorry if my explanation is not clear enough.

Have a nice day

laurentvasseurtekos, Mar 19 '22 11:03

I have been playing around with debugging this bad boy locally and found out that it comes down to the function that determines (hardcoded for us) whether the file being commented on is relevant.

https://github.com/owenrumney/go-github-pr-commenter/blob/8aed49544a3f1352d15b059e0113a06182ac3bef/commenter/commenter.go#L155-L170

There might be more to the whole setup than just this, but I decided to quickly write up my own action using tfsec with jq and another commenting framework 😎, as in the end I never got this one to run for me.

RafPe, Sep 12 '22 08:09

Hi @RafPe, good find! Would you mind sharing your action on the Marketplace? I'm running into the same issue and would like to try it out, at least until this is updated 😄

clrung, Sep 14 '22 18:09