From 3384948d1eb352d96041978c66e258e813a55a4b Mon Sep 17 00:00:00 2001 From: Adrian Bienkowski Date: Fri, 16 Dec 2022 06:53:40 -0500 Subject: [PATCH 01/16] break down into reusable workflows --- .github/workflows/cd.yml | 45 ++++++++++++++++++++++++++++------- .github/workflows/checkov.yml | 25 +++++++++++++++++++ .github/workflows/ci.yml | 44 +++++----------------------------- .github/workflows/lint.yml | 29 ++++++++++++++++++++++ 4 files changed, 97 insertions(+), 46 deletions(-) create mode 100644 .github/workflows/checkov.yml create mode 100644 .github/workflows/lint.yml diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index 180c745..30e7cd2 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -1,11 +1,10 @@ name: Deploy App on: - workflow_run: - workflows: ["Build and Lint"] - types: [requested] + pull_request: + types: [opened, reopened, synchronize] concurrency: - group: cd-${{ github.workflow }}-${{ github.ref }} + group: cd-${{ github.ref }} cancel-in-progress: true env: 
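Review bot: `cancel-in-progress: true` in the cd.yml concurrency block now sits under a `pull_request` trigger that includes `synchronize`, so every new push to an open PR cancels the deploy run already in flight; if that run is inside `terraform apply`, the cancellation can leave partially applied infrastructure and a held state lock. For a deploy workflow the safer setting is `cancel-in-progress: false` so a newer run queues behind the running one, keeping cancellation for the CI workflow only. The `env:` block at the end of this hunk continues outside it.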
@@ -14,15 +13,45 @@ env: jobs: deploy-vault: - uses: ./.github/workflows/vault.yml - secrets: inherit + runs-on: ubuntu-22.04 + + steps: + - name: set env + shell: bash + run: | + if [ ${GITHUB_REF##*/} = "main" ]; then + echo "VAULT_TOKEN=${{ secrets.STAGING_VAULT_ROOT_TOKEN }}" >> $GITHUB_ENV + elif [[ ${GITHUB_REF##*/} =~ ^v[0-9]+\.[0-9]+\.[0-9] ]]; then + echo "VAULT_TOKEN=${{ secrets.PROD_VAULT_ROOT_TOKEN }}" >> $GITHUB_ENV + else + echo "VAULT_TOKEN=${{secrets.DEV_VAULT_ROOT_TOKEN}}" >> $GITHUB_ENV + fi + - name: deploy vault instance + uses: sudo-bot/action-docker-compose@latest + with: + cli-args: "up -d" + + - uses: eLco/setup-vault@v1 + with: + vault_version: 1.8.7 + + - name: debug + run: | + docker ps + docker images + docker network ls + docker logs workspace-vault-1 + + - name: check vault secrets + run: | + vault secrets list deploy-app: needs: [deploy-vault] + runs-on: ubuntu-22.04 defaults: run: - working-directory: "${{ github.workspace }}/tf" - runs-on: ubuntu-22.04 + working-directory: "tf" steps: - uses: actions/checkout@v3 diff --git a/.github/workflows/checkov.yml b/.github/workflows/checkov.yml new file mode 100644 index 0000000..8571a7f --- /dev/null +++ b/.github/workflows/checkov.yml @@ -0,0 +1,25 @@ +name: Checkov +on: + workflow_call: + +concurrency: + group: checkov-${{ github.ref }} + cancel-in-progress: true + +jobs: + + checkov: + runs-on: ubuntu-22.04 + + steps: + - name: checkout repo + uses: actions/checkout@v3 + + - uses: bridgecrewio/checkov-action@v12 + name: scan-terraform + with: + directory: tf/ + framework: terraform + output_format: github_failed_only + download_external_modules: true + diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1c3fc79..58db245 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,7 +1,7 @@ -name: Build and Lint +name: CI Pipeline on: pull_request: - type: [opened, reopened, synchronize] + types: [opened, reopened, synchronize] push: branches: - main 
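Review bot: The branch test in the `set env` step can never pick the staging or prod token once this workflow runs on `pull_request` (first hunk of this file): for that event `GITHUB_REF` is `refs/pull/<n>/merge`, so `${GITHUB_REF##*/}` is always `merge` and the `else` branch with `DEV_VAULT_ROOT_TOKEN` is taken on every run. If the token is meant to follow the target branch, test `${{ github.base_ref }}` (or `${{ github.ref_name }}` for push and tag events) instead of `GITHUB_REF`. `sudo-bot/action-docker-compose@latest` is a floating tag whose contents can change under you; pin it to a release tag or, better, a commit SHA. The `debug` step dumps `docker logs workspace-vault-1` into the job log; if that container runs Vault in dev mode the log may include the root token, and GitHub's masking is only guaranteed for values that exactly match a registered secret, so remove this step before the workflow is used with real tokens.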
@@ -9,48 +9,16 @@ on: - v\d+\.\d+\.\d+ concurrency: - group: ci-${{ github.workflow }}-${{ github.ref }} + group: ci-${{ github.ref }} cancel-in-progress: true -env: - VAULT_ADDR: "http://localhost:8200" - jobs: checkov: - runs-on: ubuntu-22.04 - - steps: - - name: checkout repo - uses: actions/checkout@v3 - - - uses: bridgecrewio/checkov-action@v12 - name: scan-terraform - with: - directory: tf/ - framework: terraform - output_format: github_failed_only - download_external_modules: true + uses: "./.github/workflows/checkov.yml" lint: defaults: run: - working-directory: "${{ github.workspace }}/tf" - runs-on: ubuntu-22.04 - - steps: - - uses: actions/checkout@v3 - - - uses: hashicorp/setup-terraform@v2 - - - id: init - run: | - terraform init - - - id: validate - run: | - terraform validate -no-color - - - id: plan - run: | - terraform plan -no-color + working-directory: "tf" + uses: "./.github/workflows/lint.yml" diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml new file mode 100644 index 0000000..79de96d --- /dev/null +++ b/.github/workflows/lint.yml @@ -0,0 +1,29 @@ +name: Lint +on: + workflow_call: + +concurrency: + group: lint-${{ github.ref }} + cancel-in-progress: true + +jobs: + + lint: + runs-on: ubuntu-22.04 + + steps: + - uses: actions/checkout@v3 + + - uses: hashicorp/setup-terraform@v2 + + - id: init + run: | + terraform init + + - id: validate + run: | + terraform validate -no-color + + - id: plan + run: | + terraform plan -no-color From 9f861caab6e5f700a29c1cbc29f70c3b1113e1bc Mon Sep 17 00:00:00 2001 From: Adrian Bienkowski Date: Fri, 16 Dec 2022 06:57:28 -0500 Subject: [PATCH 02/16] add missing checkout --- .github/workflows/cd.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index 30e7cd2..ffb1744 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml 
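Review bot: The `lint` job combines `defaults:` with `uses:`; a job that calls a reusable workflow accepts only `name`, `needs`, `if`, `permissions`, `uses`, `with`, `secrets`, `strategy` and `concurrency`, so the file is rejected at parse time, and even if it were accepted the caller's `working-directory` would not reach the steps inside lint.yml. Drop the `defaults` block here and set the directory inside the called workflow, e.g. `working-directory: tf` on its Terraform `run:` steps. The `checkov` job above it has the right shape.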
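Review bot: lint.yml declares no `permissions`, so the `lint` job runs with whatever the caller's `GITHUB_TOKEN` carries; for a job that only checks out and runs Terraform that should be `contents: read`, so add `permissions:` / `  contents: read` under the `lint` job and let the called workflow pin its own ceiling. Note also that `terraform plan`, unlike `validate`, talks to the configured backend and providers, so as a "lint" step it will need credentials and network access on every PR; if a static check is the goal, `terraform validate` plus `terraform fmt -check` is enough here.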
@@ -26,6 +26,7 @@ jobs: else echo "VAULT_TOKEN=${{secrets.DEV_VAULT_ROOT_TOKEN}}" >> $GITHUB_ENV fi + - uses: actions/checkout@v3 - name: deploy vault instance uses: sudo-bot/action-docker-compose@latest with: From f4e5c66758d026a9cebcb9f344e5c3e430cc3423 Mon Sep 17 00:00:00 2001 From: Adrian Bienkowski Date: Fri, 16 Dec 2022 07:33:21 -0500 Subject: [PATCH 03/16] fix vault addr and workflow --- .github/workflows/cd.yml | 2 +- .github/workflows/vault.yml | 7 +------ 2 files changed, 2 insertions(+), 7 deletions(-) diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index ffb1744..57fd0e5 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -8,7 +8,7 @@ concurrency: cancel-in-progress: true env: - VAULT_ADDR: "https://localhost:8200" + VAULT_ADDR: "http://localhost:8200" jobs: diff --git a/.github/workflows/vault.yml b/.github/workflows/vault.yml index 3fb8d05..a38eebe 100644 --- a/.github/workflows/vault.yml +++ b/.github/workflows/vault.yml @@ -1,14 +1,9 @@ name: Deploy Vault on: - pull_request: - type: [opened, reopened, synchronize] workflow_call: -env: - VAULT_ADDR: "http://localhost:8200" - concurrency: - group: vault-${{ github.workflow }}-${{ github.ref }} + group: vault-${{ github.ref }} cancel-in-progress: true jobs: From b8429a3842c56684e98822db14ef8c35d937595b Mon Sep 17 00:00:00 2001 From: Adrian Bienkowski Date: Fri, 16 Dec 2022 07:50:49 -0500 Subject: [PATCH 04/16] need to combine jobs as vault instance is required for app deployment --- .github/workflows/cd.yml | 22 +++++----------------- 1 file changed, 5 insertions(+), 17 deletions(-) diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index 57fd0e5..6f55a9e 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -12,8 +12,12 @@ env: jobs: - deploy-vault: + deploy-app: + needs: [deploy-vault] runs-on: ubuntu-22.04 + defaults: + run: + working-directory: "tf" steps: - name: set env 
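Review bot: With the `pull_request` trigger removed, vault.yml is reachable only through `workflow_call`, but the first patch in this series dropped the `uses: ./.github/workflows/vault.yml` call from cd.yml, so as far as this series shows nothing invokes this workflow any more. If it is now dead, delete the file rather than keeping a second copy of the Vault bring-up logic that can drift from cd.yml; if something else does call it, a comment at the top naming the caller, e.g. `# Called from: <caller workflow>`, would save the next reader the search.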
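Review bot: The renamed `deploy-app` job gains `needs: [deploy-vault]`, but `deploy-vault` is exactly the job being renamed here, so the dependency points at a job that no longer exists and the workflow fails validation; drop the `needs` line. The new `defaults.run.working-directory: "tf"` also applies to the `set env` step that opens this job, which runs before `actions/checkout` (placed after it in the previous patch), so that step starts in a directory that does not exist yet and fails. Either make the checkout the first step or set `working-directory: tf` only on the Terraform steps.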
@@ -47,22 +51,6 @@ jobs: run: | vault secrets list - deploy-app: - needs: [deploy-vault] - runs-on: ubuntu-22.04 - defaults: - run: - working-directory: "tf" - - steps: - - uses: actions/checkout@v3 - - - name: debug - run: | - docker ps - docker images - docker network ls - - uses: hashicorp/setup-terraform@v2 - id: init From 691c04a9ac099efadf6476ffc245b5e3de0f40e1 Mon Sep 17 00:00:00 2001 From: Adrian Bienkowski Date: Fri, 16 Dec 2022 07:58:33 -0500 Subject: [PATCH 05/16] remove left job dependency and add tfsec --- .github/workflows/cd.yml | 1 - .github/workflows/ci.yml | 7 +++++++ .github/workflows/tfsec.yml | 27 +++++++-------------------- 3 files changed, 14 insertions(+), 21 deletions(-) diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index 6f55a9e..d0f8098 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -13,7 +13,6 @@ env: jobs: deploy-app: - needs: [deploy-vault] runs-on: ubuntu-22.04 defaults: run: diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 58db245..b10f605 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -22,3 +22,10 @@ jobs: run: working-directory: "tf" uses: "./.github/workflows/lint.yml" + + checkov: + defaults: + run: + working-directory: "tf" + uses: "./.github/workflows/tfsec.yml" + diff --git a/.github/workflows/tfsec.yml b/.github/workflows/tfsec.yml index 2fb0ba5..d9d3474 100644 --- a/.github/workflows/tfsec.yml +++ b/.github/workflows/tfsec.yml 
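Review bot: The added job is keyed `checkov:` although it calls tfsec.yml, and `jobs:` already has a `checkov` job earlier in this file that calls checkov.yml, so the mapping now has a duplicate key; most YAML loaders keep the last value silently, which would drop the real Checkov job from the pipeline. Name this job `tfsec:` instead. The `defaults:` block is also not accepted on a job that uses a reusable workflow, so reduce it to `tfsec:` / `  uses: "./.github/workflows/tfsec.yml"`.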
@@ -1,39 +1,26 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - name: tfsec on: - push: - branches: [ "main" ] - pull_request: - branches: [ "main" ] - schedule: - - cron: '20 8 * * 0' + workflow_call: jobs: tfsec: - name: Run tfsec sarif report - runs-on: ubuntu-latest + name: tfsec sarif report + runs-on: ubuntu-22.04 permissions: actions: read contents: read security-events: write steps: - - name: Clone repo - uses: actions/checkout@v3 + - uses: actions/checkout@v3 - - name: Run tfsec + - name: run tfsec uses: aquasecurity/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f with: - working_directory: tf/ - sarif_file: tfsec.sarif + sarif_file: /tmp/tfsec.sarif - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v2 with: - # Path to SARIF file relative to the root of the repository - sarif_file: tfsec.sarif + sarif_file: /tmp/tfsec.sarif From 934ff6c2befc4ad4dba90b87d0cfc9e67b8f73a7 Mon Sep 17 00:00:00 2001 From: Adrian Bienkowski Date: Fri, 16 Dec 2022 08:02:28 -0500 Subject: [PATCH 06/16] fix working directory --- .github/workflows/cd.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index d0f8098..d6409b5 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -14,9 +14,6 @@ jobs: deploy-app: runs-on: ubuntu-22.04 - defaults: - run: - working-directory: "tf" steps: - name: set env @@ -29,7 +26,9 @@ jobs: else echo "VAULT_TOKEN=${{secrets.DEV_VAULT_ROOT_TOKEN}}" >> $GITHUB_ENV fi + - uses: actions/checkout@v3 + - name: deploy vault instance uses: sudo-bot/action-docker-compose@latest with: 
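Review bot: The `working_directory: tf/` input is removed from the tfsec-sarif-action step without a replacement, so tfsec now scans from the repository root rather than `tf/`; if that is not intended, restore `working_directory: tf/` under `with:`. A job-level `defaults.run.working-directory` would not change this either, because that key only affects `run:` steps, never the inputs of a `uses:` step. The commit-SHA pin on the action is the right choice; keep a `# v<version>` comment beside it so the pinned version stays readable.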
@@ -53,17 +52,21 @@ jobs: - uses: hashicorp/setup-terraform@v2 - id: init + working-directory: tf run: | terraform init - id: plan + working-directory: tf run: | terraform plan -no-color - id: apply + working-directory: tf run: | terraform apply -auto-approve -no-color ${{ steps.plan.outputs.stdout }} - run: | + working-directory: tf terraform show docker ps From dbcec8ade870a762a21f3962e531cc7aa4e1bf0d Mon Sep 17 00:00:00 2001 From: Adrian Bienkowski Date: Fri, 16 Dec 2022 08:48:42 -0500 Subject: [PATCH 07/16] wrap terrafrom plan in quotes --- .github/workflows/cd.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index d6409b5..8757c51 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -64,7 +64,7 @@ jobs: - id: apply working-directory: tf run: | - terraform apply -auto-approve -no-color ${{ steps.plan.outputs.stdout }} + terraform apply -auto-approve -no-color '${{ steps.plan.outputs.stdout }}' - run: | working-directory: tf From 77912b576b336a8a92d986cea48d4d396db36a54 Mon Sep 17 00:00:00 2001 From: Adrian Bienkowski Date: Fri, 16 Dec 2022 08:52:33 -0500 Subject: [PATCH 08/16] pass plan using echo --- .github/workflows/cd.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index 8757c51..ee1fb3e 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -64,7 +64,7 @@ jobs: - id: apply working-directory: tf run: | - terraform apply -auto-approve -no-color '${{ steps.plan.outputs.stdout }}' + echo "${{ steps.plan.outputs.stdout }}" | terraform apply -auto-approve -no-color - - run: | working-directory: tf From 1dd14b7ca39d7fc3ed74f09ca98798c3c3e54deb Mon Sep 17 00:00:00 2001 
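Review bot: In the last step, `working-directory: tf` is placed after `run: |`, so it becomes the first line of the block scalar and bash tries to execute `working-directory:` as a command, failing the step before `terraform show` runs; move it above `run:` as a step key. The `apply` step also expands `${{ steps.plan.outputs.stdout }}` straight into the shell script, so whatever text the plan contains (resource names, provider-returned values) is parsed by bash as part of the command line; the same issue remains with the single-quoted form in patch 07 and the `echo` form in patch 08, since the expansion happens before the shell ever sees the script. Write the plan to a file with `terraform plan -no-color -out=<plan file>` and apply that file, as patch 09 later does.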
From: Adrian Bienkowski Date: Fri, 16 Dec 2022 08:56:58 -0500 Subject: [PATCH 09/16] use out to store plan file --- .github/workflows/cd.yml | 4 ++-- .github/workflows/checkov.yml | 4 ++-- .github/workflows/lint.yml | 3 ++- .github/workflows/tfsec.yml | 3 ++- 4 files changed, 8 insertions(+), 6 deletions(-) diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index ee1fb3e..7d8493e 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -59,12 +59,12 @@ jobs: - id: plan working-directory: tf run: | - terraform plan -no-color + terraform plan -no-color -out=/tmp/tfplan.tfplan - id: apply working-directory: tf run: | - echo "${{ steps.plan.outputs.stdout }}" | terraform apply -auto-approve -no-color - + terraform apply -auto-approve -no-color /tmp/tfplan.tfplan - run: | working-directory: tf diff --git a/.github/workflows/checkov.yml b/.github/workflows/checkov.yml index 8571a7f..ac3da05 100644 --- a/.github/workflows/checkov.yml +++ b/.github/workflows/checkov.yml @@ -1,8 +1,9 @@ +--- name: Checkov on: workflow_call: -concurrency: +concurrency: group: checkov-${{ github.ref }} cancel-in-progress: true @@ -22,4 +23,3 @@ jobs: framework: terraform output_format: github_failed_only download_external_modules: true - diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 79de96d..d383e20 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -1,8 +1,9 @@ +--- name: Lint on: workflow_call: -concurrency: +concurrency: group: lint-${{ github.ref }} cancel-in-progress: true diff --git a/.github/workflows/tfsec.yml b/.github/workflows/tfsec.yml index d9d3474..9424c14 100644 --- a/.github/workflows/tfsec.yml +++ b/.github/workflows/tfsec.yml @@ -1,11 +1,12 @@ +--- name: tfsec on: workflow_call: jobs: + tfsec: - name: tfsec sarif report runs-on: ubuntu-22.04 permissions: actions: read From 9e9c916cd77cfc3a853f6482d8c13e865f2869d9 Mon Sep 17 00:00:00 2001 
From: Adrian Bienkowski Date: Fri, 16 Dec 2022 08:59:33 -0500 Subject: [PATCH 10/16] fix debug code --- .github/workflows/cd.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index 7d8493e..fc2bdca 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -51,22 +51,23 @@ jobs: - uses: hashicorp/setup-terraform@v2 - - id: init + - name: init working-directory: tf run: | terraform init - - id: plan + - name: plan working-directory: tf run: | terraform plan -no-color -out=/tmp/tfplan.tfplan - - id: apply + - name: apply working-directory: tf run: | terraform apply -auto-approve -no-color /tmp/tfplan.tfplan - - run: | + - name: debug + run: | working-directory: tf terraform show docker ps From 6b305e2e7958669440387143cc05e4029e2d3763 Mon Sep 17 00:00:00 2001 From: Adrian Bienkowski Date: Fri, 16 Dec 2022 11:51:57 -0500 Subject: [PATCH 11/16] fix options for run --- .github/workflows/cd.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index fc2bdca..7107d4a 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -67,7 +67,7 @@ jobs: terraform apply -auto-approve -no-color /tmp/tfplan.tfplan - name: debug - run: | working-directory: tf + run: | terraform show docker ps From d6e4f803fd77c52e28e9349d83e53f1fca238e58 Mon Sep 17 00:00:00 2001 From: Adrian Bienkowski Date: Sat, 17 Dec 2022 16:06:57 -0500 Subject: [PATCH 12/16] fix duplicate entry --- .github/workflows/ci.yml | 12 +++--------- .github/workflows/lint.yml | 3 +++ .github/workflows/tfsec.yml | 3 +++ 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b10f605..aede4a8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,3 +1,4 @@ +--- name: CI Pipeline on: pull_request: 
@@ -8,7 +9,7 @@ on: tags: - v\d+\.\d+\.\d+ -concurrency: +concurrency: group: ci-${{ github.ref }} cancel-in-progress: true @@ -18,14 +19,7 @@ jobs: uses: "./.github/workflows/checkov.yml" lint: - defaults: - run: - working-directory: "tf" uses: "./.github/workflows/lint.yml" - checkov: - defaults: - run: - working-directory: "tf" + tfsec: uses: "./.github/workflows/tfsec.yml" - diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index d383e20..bf26799 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -8,6 +8,9 @@ concurrency: cancel-in-progress: true jobs: + defaults: + run: + working-directory: "tf" lint: runs-on: ubuntu-22.04 diff --git a/.github/workflows/tfsec.yml b/.github/workflows/tfsec.yml index 9424c14..cb043d8 100644 --- a/.github/workflows/tfsec.yml +++ b/.github/workflows/tfsec.yml @@ -5,6 +5,9 @@ on: workflow_call: jobs: + defaults: + run: + working-directory: "tf" tfsec: runs-on: ubuntu-22.04 From 5336d2c6a8cc369c8677fec4f84735d102a6abe0 Mon Sep 17 00:00:00 2001 From: Adrian Bienkowski Date: Sat, 17 Dec 2022 21:14:36 -0500 Subject: [PATCH 13/16] limit permissions --- .github/workflows/ci.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index aede4a8..7e67663 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -9,6 +9,8 @@ on: tags: - v\d+\.\d+\.\d+ +permissions: {} + concurrency: group: ci-${{ github.ref }} cancel-in-progress: true From cb04dbf60351103a2daa53b5a242ddd93e2ecf7d Mon Sep 17 00:00:00 2001 From: Adrian Bienkowski Date: Sat, 17 Dec 2022 21:16:22 -0500 Subject: [PATCH 14/16] limit permissions --- .github/workflows/ci.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7e67663..aede4a8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
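Review bot: The `defaults:` mapping is inserted as a direct child of `jobs:` in lint.yml (and likewise in the tfsec.yml hunk below), so Actions reads it as a job named `defaults` with no `runs-on` or `steps` and rejects the workflow; `defaults` belongs at the top level of the file or under the `lint` / `tfsec` job. Move it under the job, e.g. `lint:` / `  defaults:` / `    run:` / `      working-directory: "tf"`. For tfsec.yml the key has no effect even when placed correctly, because that job has no `run:` steps.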
@@ -9,8 +9,6 @@ on: tags: - v\d+\.\d+\.\d+ -permissions: {} - concurrency: group: ci-${{ github.ref }} cancel-in-progress: true From dab057a26fb48f535d2ce672c09d613b2004a762 Mon Sep 17 00:00:00 2001 From: Adrian Bienkowski Date: Sat, 17 Dec 2022 21:40:56 -0500 Subject: [PATCH 15/16] fix syntax --- .github/workflows/checkov.yml | 1 - .github/workflows/ci.yml | 5 ++++- .github/workflows/lint.yml | 19 ++++++++++++++----- .github/workflows/tfsec.yml | 15 ++++++--------- 4 files changed, 24 insertions(+), 16 deletions(-) diff --git a/.github/workflows/checkov.yml b/.github/workflows/checkov.yml index ac3da05..a73c9ed 100644 --- a/.github/workflows/checkov.yml +++ b/.github/workflows/checkov.yml @@ -1,4 +1,3 @@ ---- name: Checkov on: workflow_call: diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index aede4a8..ecc8b41 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,4 +1,3 @@ ---- name: CI Pipeline on: pull_request: @@ -22,4 +21,8 @@ jobs: uses: "./.github/workflows/lint.yml" tfsec: + permissions: + actions: read + contents: read + security-events: write uses: "./.github/workflows/tfsec.yml" diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index bf26799..db02fe3 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -1,4 +1,3 @@ ---- name: Lint on: workflow_call: @@ -8,15 +7,25 @@ concurrency: cancel-in-progress: true jobs: - defaults: - run: - working-directory: "tf" lint: + defaults: + run: + working-directory: "tf" + runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v3 + - name: checkout repo + uses: actions/checkout@v3 + + - uses: bridgecrewio/checkov-action@v12 + name: scan-terraform + with: + directory: tf/ + framework: terraform + output_format: github_failed_only + download_external_modules: true - uses: hashicorp/setup-terraform@v2 diff --git a/.github/workflows/tfsec.yml b/.github/workflows/tfsec.yml index cb043d8..9990ca6 100644 --- a/.github/workflows/tfsec.yml 
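Review bot: The per-job `permissions` added on the `tfsec` caller job is the right place to grant `security-events: write`, but with the top-level `permissions: {}` removed again in patch 14 the `checkov` and `lint` jobs fall back to the repository's default `GITHUB_TOKEN` scope, which may be the permissive legacy default. Restore `permissions: {}` (or `permissions:` / `  contents: read`) at the top of ci.yml and keep the explicit grant on the `tfsec` job; called workflows can only narrow what the caller passes, so the reusable workflows stay least-privileged as well. If patch 13 was reverted because the tfsec job then failed, that is expected: the empty top-level block has to be paired with this job-level grant rather than dropped.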
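Review bot: The `scan-terraform` step added to the `lint` job duplicates the Checkov run that ci.yml already triggers through its `checkov` job calling checkov.yml, so each PR now runs Checkov twice with the same inputs and there are two places to keep in sync. Keep it in one workflow only: either remove this step from lint.yml or drop the `checkov` job and checkov.yml from ci.yml. The job-level `defaults.run.working-directory: "tf"` is correct for the Terraform `run:` steps but has no effect on `uses:` steps, which is why `directory: tf/` is still needed on the Checkov action.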
+++ b/.github/workflows/tfsec.yml @@ -1,30 +1,27 @@ ---- name: tfsec - on: workflow_call: jobs: - defaults: - run: - working-directory: "tf" tfsec: - runs-on: ubuntu-22.04 + defaults: + run: + working-directory: "tf" permissions: actions: read contents: read security-events: write + runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v3 - - name: run tfsec - uses: aquasecurity/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f + - uses: aquasecurity/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f with: sarif_file: /tmp/tfsec.sarif - - name: Upload SARIF file + - name: upload sarif file uses: github/codeql-action/upload-sarif@v2 with: sarif_file: /tmp/tfsec.sarif From 3ce1c75982712e8ee582f4d7cdd8de414af8b973 Mon Sep 17 00:00:00 2001 From: Adrian Bienkowski Date: Sat, 17 Dec 2022 22:10:45 -0500 Subject: [PATCH 16/16] fix tfsec version --- .github/workflows/tfsec.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/tfsec.yml b/.github/workflows/tfsec.yml index 9990ca6..2cde846 100644 --- a/.github/workflows/tfsec.yml +++ b/.github/workflows/tfsec.yml @@ -17,11 +17,11 @@ jobs: steps: - uses: actions/checkout@v3 - - uses: aquasecurity/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f + - uses: aquasecurity/tfsec-sarif-action@v0.1.4 with: - sarif_file: /tmp/tfsec.sarif + sarif_file: tfsec.sarif - name: upload sarif file uses: github/codeql-action/upload-sarif@v2 with: - sarif_file: /tmp/tfsec.sarif + sarif_file: tfsec.sarif
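Review bot: `defaults.run.working-directory: "tf"` is added to the `tfsec` job, but the job only has `uses:` steps and that key affects `run:` steps alone, so it is a no-op; the tfsec action still scans from the repository root because its `working_directory: tf/` input was removed earlier in this series. If the scan should cover `tf/`, drop the `defaults` block and put `working_directory: tf/` back under the action's `with:`.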
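Review bot: Replacing the full commit SHA with `@v0.1.4` moves the tfsec-sarif-action pin from an immutable reference to a tag that the upstream repository can move or re-create, which gives up the supply-chain guarantee the SHA pin provided for an action that runs with `security-events: write`. Keep the SHA form and record the version beside it, e.g. `uses: aquasecurity/tfsec-sarif-action@<commit sha for v0.1.4>  # v0.1.4`. The switch to the relative `sarif_file: tfsec.sarif` is consistent with the earlier comment in this file that the path is taken relative to the repository root.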