Terraform Static Analysis Action

This action combines TFSEC, Checkov and tflint into a single action, loosely based on the existing TFSEC and Checkov actions.

The main reason for combining these is to add logic to perform different scan options for repos with multiple Terraform folders:

Full scan (full) - scan all folders with *.tf files in a repository.

Changes only (changed) - scan only folders with *.tf files that have had changes since the last commit.

Single folder (single) - standard scan of a given folder.

See the action.yml for other input options.
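
One way to select folders for the three scan types described above. This is an added example, not the action's own code; the function names `tf_dirs`, `existing_dirs` and `select_dirs` are hypothetical, and it assumes it runs from the repository root of a git checkout.

```bash
# Added illustration, not the action's own code; function names are hypothetical.

# tf_dirs: read file paths on stdin and print the unique, sorted directories
# that hold at least one *.tf file among those paths.
tf_dirs() {
  while IFS= read -r file; do
    case "$file" in
      */*.tf) printf '%s\n' "${file%/*}" ;;
      *.tf)   printf '.\n' ;;              # *.tf file in the repository root
    esac
  done | LC_ALL=C sort -u
}

# existing_dirs ROOT: keep only directories that still exist under ROOT.
# A folder whose *.tf files were all deleted shows up in a diff but has
# nothing left to scan.
existing_dirs() {
  while IFS= read -r dir; do
    if [ -d "$1/$dir" ]; then printf '%s\n' "$dir"; fi
  done
}

# select_dirs MODE [FOLDER]: list the folders to scan for a given scan type.
select_dirs() {
  case "$1" in
    full)
      git ls-files | tf_dirs ;;
    changed)
      # The parent commit must be present locally; a shallow clone of
      # depth 1 does not have it, so fall back to scanning everything.
      if git rev-parse --verify --quiet HEAD~1 >/dev/null; then
        git diff --name-only HEAD~1 HEAD | tf_dirs | existing_dirs .
      else
        echo "no previous commit available, scanning all folders" >&2
        git ls-files | tf_dirs
      fi ;;
    single)
      printf '%s\n' "${2:-.}" ;;
    *)
      echo "unknown scan type: $1" >&2
      return 2 ;;
  esac
}
```

Falling back to a full scan when the parent commit is missing keeps a shallow checkout from silently scanning nothing.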

Example

jobs:
  terraform-static-analysis:
    name: Terraform Static Analysis
    runs-on: ubuntu-latest
    steps:
    - name: Checkout
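      uses: actions/checkout@<version>  # placeholder: set to a release tag or full commit SHA
      with:
        fetch-depth: 0  # full history; the default checkout is a shallow clone of one commit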
    - name: Run Analysis
      uses: davidkelliott/terraform-static-analysis@main
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      with:
        scan_type: changed