Add comments to pull requests where tfsec checks have failed
To add the action, add tfsec_pr_commenter.yml
into the .github/workflows
directory in the root of your Github project.
The contents of tfsec_pr_commenter.yml
should be;
Note: The GITHUB_TOKEN injected to the workflow will need permissions to write on pull requests.
This can be achieved by adding a permissions block in your workflow definition.
See: docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs for more details.
name: tfsec-pr-commenter
on:
pull_request:
jobs:
tfsec:
name: tfsec PR commenter
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
steps:
- name: Clone repo
uses: actions/checkout@master
- name: tfsec
uses: aquasecurity/tfsec-pr-commenter-action@v1.2.0
with:
github_token: ${{ github.token }}
On each pull request and subsequent commit, tfsec will run and add comments to the PR where tfsec has failed.
The comment will only be added once per transgression.
There are a number of optional inputs that can be used in the with:
block.
working_directory - the directory to scan in, defaults to .
, ie current working directory
tfsec_version - the version of tfsec to use, defaults to latest
tfsec_args - the args for tfsec to use (space-separated)
tfsec_formats - the formats for tfsec to output (comma-separated)
commenter_version - the version of the commenter to use, defaults to latest
soft_fail_commenter - set to true
to comment silently without breaking the build
tfsec
provides an extensive number of arguments, which can be passed through as in the example below:
name: tfsec-pr-commenter
on:
pull_request:
jobs:
tfsec:
name: tfsec PR commenter
runs-on: ubuntu-latest
steps:
- name: Clone repo
uses: actions/checkout@master
- name: tfsec
uses: aquasecurity/tfsec-pr-commenter-action@v1.2.0
with:
tfsec_args: --soft-fail
github_token: ${{ github.token }}
tfsec
provides multiple possible formats for the output:
- default
- json
- csv
- checkstyle
- junit
- sarif
- gif
The json
format is required and included by default. To add additional formats, set the tfsec_formats
option to comma-separated values:
tfsec_formats: sarif,csv
The screenshot below demonstrates the comments that can be expected when using the action