terrascan-action
Document using ~/.terraformrc and/or the TF_CLI_CONFIG_FILE environment variable
Some documentation on how to use .terraformrc (or the TF_CLI_CONFIG_FILE environment variable when it is available) with this GitHub Action might be useful to others. It took me a bit to figure this out, and there could very well be a better way to do it:
```yaml
on:
  pull_request:
  push:
    branches: [main]
jobs:
  terrascan_job:
    runs-on: ubuntu-latest
    name: terrascan-action
    steps:
      - name: create $HOME/.terraformrc
        run: |
          # $RUNNER_TEMP/_github_home is the directory the runner mounts at /github/home
          # inside Docker-based actions, so a file written here is visible to terrascan
          mkdir -p $HOME/work/_temp/_github_home
          # quoted so a multi-line .terraformrc secret keeps its newlines
          echo "$TERRAFORMRC" > $HOME/work/_temp/_github_home/.terraformrc
        env:
          TERRAFORMRC: ${{ secrets.TERRAFORMRC }}
      - name: Checkout repository
        uses: actions/checkout@v2
      - name: Run Terrascan
        id: terrascan
        uses: tenable/terrascan-action@main
        with:
          iac_type: 'terraform'
          iac_version: 'v14'
          policy_type: 'all'
          only_warn: true
          non_recursive: true
```
It would be very useful if I could set the TF_CLI_CONFIG_FILE environment variable to point to a credential file to allow use with Terraform modules pulled from a Terraform Registry.
https://runterrascan.io/docs/_print/#scanning-private-terraform-module-repositories
Edit: I didn't realize that this functionality was just released today at the time I submitted this issue :-). I made a fork and upped the Dockerfile to use 1.15.1, but I still can't seem to get it to work with this code:
```yaml
on:
  pull_request:
  push:
    branches: [main]
jobs:
  terrascan_job:
    runs-on: ubuntu-latest
    name: terrascan-action
    steps:
      - name: create $HOME/.terraformrc
        run: |
          # quoted so a multi-line .terraformrc secret keeps its newlines.
          # Note: $HOME here is the runner's home (/home/runner), not the
          # $RUNNER_TEMP/_github_home directory that the runner mounts at
          # /github/home inside the action container.
          echo "$TERRAFORMRC" > $HOME/.terraformrc
        env:
          TERRAFORMRC: ${{ secrets.TERRAFORMRC }}
      - name: Checkout repository
        uses: actions/checkout@v2
      - name: Run Terrascan
        id: terrascan
        uses: umich-vci/terrascan-action@main
        with:
          iac_type: 'terraform'
          iac_version: 'v14'
          policy_type: 'all'
          only_warn: true
          non_recursive: true
        env:
          # path as seen from inside the action container, not on the runner
          TF_CLI_CONFIG_FILE: /github/home/.terraformrc
```
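The part of this setup that is easy to get wrong is the path: a Docker-based action sees the runner's `$RUNNER_TEMP/_github_home` directory as `/github/home`, so the CLI config file has to be written there on the runner and referenced by its in-container path in `TF_CLI_CONFIG_FILE`. The script below is an added example (it is not part of the issue or of terrascan-action) that builds a Terraform CLI config file with a registry `credentials` block from a token held in an environment variable, writes it with owner-only permissions into that mount directory, and computes the matching in-container path. `TF_REGISTRY_TOKEN`, `TF_REGISTRY_HOST`, and the helper names are assumptions of this example; `RUNNER_TEMP` is the variable the GitHub runner sets.

```shell
#!/usr/bin/env sh
# Added example, not from the issue or the terrascan-action project.
# Assumed inputs (hypothetical names): TF_REGISTRY_TOKEN, TF_REGISTRY_HOST.
# RUNNER_TEMP is set by the GitHub Actions runner; "$RUNNER_TEMP/_github_home"
# is the directory it mounts at /github/home inside Docker-based actions.

# write_terraformrc OUT_PATH REGISTRY_HOST TOKEN
# Writes a Terraform CLI config file containing one credentials block.
write_terraformrc() {
  out="$1"; host="$2"; token="$3"
  if [ -z "$token" ] || [ -z "$host" ]; then
    echo "write_terraformrc: host and token must be non-empty" >&2
    return 1
  fi
  mkdir -p "$(dirname "$out")"
  # Subshell so umask 077 (owner-only file) does not leak into the caller.
  (
    umask 077
    # Unquoted heredoc delimiter on purpose: $host and $token must expand.
    cat > "$out" <<EOF
credentials "$host" {
  token = "$token"
}
EOF
  )
}

# container_path HOST_PATH MOUNT_DIR
# Maps a file under the runner's _github_home directory to the path the
# action container sees under /github/home. Fails if the file is elsewhere.
container_path() {
  prefix="$2/"
  case "$1" in
    "$2"/*)
      rel=${1#"$prefix"}
      printf '/github/home/%s\n' "$rel"
      ;;
    *)
      echo "container_path: $1 is not under $2, the container will not see it" >&2
      return 1
      ;;
  esac
}

# Usage on a runner: only runs when the runner and the assumed secret are present.
if [ -n "${RUNNER_TEMP:-}" ] && [ -n "${TF_REGISTRY_TOKEN:-}" ]; then
  mount_dir="$RUNNER_TEMP/_github_home"
  rc="$mount_dir/.terraformrc"
  write_terraformrc "$rc" "${TF_REGISTRY_HOST:-app.terraform.io}" "$TF_REGISTRY_TOKEN"
  # Value to pass as the step-level env TF_CLI_CONFIG_FILE for the action.
  container_path "$rc" "$mount_dir"
fi
```

In the workflow, the step that runs this script needs the token exposed through `env:` from a secret, and the terrascan step needs `TF_CLI_CONFIG_FILE` set to the printed value (`/github/home/.terraformrc`). Writing the file with mode 600 matters because the runner's workspace is shared by every later step in the job; the token never appears on the command line, so it does not show up in the step's process listing either.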