LogixDevCo/tf-security-scan

Terraform Security Scan Action

A GitHub Action that runs the tfsec security scanner on your Terraform code and generates detailed vulnerability reports.

Features

  • 🔒 Comprehensive security scanning for Terraform code
  • 📊 Detailed GitHub Step Summary with severity breakdown
  • 🎯 File annotations for security issues
  • 📈 Severity-based categorization (CRITICAL, HIGH, MEDIUM, LOW)
  • 🔗 Links to remediation documentation
  • ⚙️ Configurable working directory

Usage

Basic Usage

```yaml
name: Terraform Security Scan
on: [push, pull_request]

jobs:
  security-scan:
    runs-on: ubuntu-24.04
    permissions:
      contents: read
      pull-requests: read
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683

      - name: Run Terraform Security Scan
        uses: LogixDevCo/terraform-security-scan-action@v1.0.0
```

With Custom Working Directory

```yaml
name: Terraform Security Scan
on: [push, pull_request]

jobs:
  security-scan:
    runs-on: ubuntu-24.04
    permissions:
      contents: read
      pull-requests: read
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683

      - name: Run Terraform Security Scan
        uses: LogixDevCo/terraform-security-scan-action@v1.0.0
        with:
          working-directory: './infrastructure'
```

Multiple Directories

```yaml
name: Terraform Security Scan
on: [push, pull_request]

jobs:
  security-scan:
    runs-on: ubuntu-24.04
    permissions:
      contents: read
      pull-requests: read
    strategy:
      matrix:
        directory: ['./aws/dev', './aws/staging', './aws/production']
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683

      - name: Run Security Scan on ${{ matrix.directory }}
        uses: LogixDevCo/terraform-security-scan-action@v1.0.0
        with:
          working-directory: ${{ matrix.directory }}
```

Inputs

| Input | Description | Required | Default |
|-------|-------------|----------|---------|
| `working-directory` | Working directory to scan | No | `.` |

Outputs

This action generates:

  • GitHub Step Summary: Formatted table with severity counts and detailed findings
  • File Annotations: Error annotations on files with security issues
  • Exit Code: Fails the workflow if security issues are found

Example Output

The action creates a summary like:

```markdown
## 🔒 Terraform Security Scan Results

**Working Directory:** ./infrastructure

### Summary
| Severity | Count |
|----------|-------|
| 🔴 CRITICAL | 2 |
| 🟠 HIGH | 5 |
| 🟡 MEDIUM | 8 |
| 🟢 LOW | 3 |
| Total | 18 |

### Issues Found
### 🔴 CRITICAL - aws-s3-enable-bucket-encryption
**Description:** S3 Bucket does not have encryption enabled
**File:** main.tf (Lines: 45-52)
**Resolution:** Enable encryption for S3 bucket
**More Info:** https://...
```
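As an added illustration (not the action's own code), the Python below shows how a tfsec JSON report is turned into the three outputs listed above: the step-summary table, `::error` file annotations, and a failing exit code. The sample report is constructed, and the field names assume the layout of `tfsec --format json`.

```python
import json
from collections import Counter

# Constructed sample in the shape of a `tfsec --format json` report (the field names are
# an assumption about tfsec's JSON format, not output captured from this action).
SAMPLE_REPORT = json.loads("""{"results": [
 {"rule_id": "aws-s3-enable-bucket-encryption", "severity": "CRITICAL",
  "description": "S3 Bucket does not have encryption enabled", "links": ["https://example.invalid/s3"],
  "resolution": "Enable encryption for S3 bucket",
  "location": {"filename": "main.tf", "start_line": 45, "end_line": 52}},
 {"rule_id": "aws-vpc-no-public-ingress-sgr", "severity": "HIGH",
  "description": "Security group rule allows ingress from the public internet", "links": [],
  "resolution": "Restrict the ingress CIDR range",
  "location": {"filename": "network.tf", "start_line": 10, "end_line": 14}}
]}""")

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW")
ICONS = {"CRITICAL": "🔴", "HIGH": "🟠", "MEDIUM": "🟡", "LOW": "🟢"}

def severity_counts(report):
    """Findings per severity level (case-normalised so 'high' and 'HIGH' count together)."""
    return Counter(r["severity"].upper() for r in report.get("results") or [])

def step_summary(report, working_directory="."):
    """Markdown for $GITHUB_STEP_SUMMARY, in the layout shown under Example Output."""
    counts = severity_counts(report)
    lines = ["## 🔒 Terraform Security Scan Results", "",
             f"**Working Directory:** {working_directory}", "", "### Summary",
             "| Severity | Count |", "|----------|-------|"]
    lines += [f"| {ICONS[s]} {s} | {counts.get(s, 0)} |" for s in SEVERITIES]
    lines += [f"| Total | {sum(counts.values())} |", "", "### Issues Found"]
    for r in report.get("results") or []:
        loc = r["location"]
        lines += [f"### {ICONS.get(r['severity'].upper(), '')} {r['severity']} - {r['rule_id']}",
                  f"**Description:** {r['description']}",
                  f"**File:** {loc['filename']} (Lines: {loc['start_line']}-{loc['end_line']})",
                  f"**Resolution:** {r['resolution']}",
                  f"**More Info:** {r['links'][0] if r.get('links') else 'n/a'}", ""]
    return "\n".join(lines)

def annotations(report):
    """GitHub workflow commands that surface each finding as an error annotation on the file."""
    return [f"::error file={r['location']['filename']},line={r['location']['start_line']},"
            f"endLine={r['location']['end_line']},title={r['rule_id']}::{r['description']}"
            for r in report.get("results") or []]

def exit_code(report):
    """Non-zero when any finding exists, so the workflow fails as described under Outputs."""
    return 1 if report.get("results") else 0
```

Append the summary to the file named by `GITHUB_STEP_SUMMARY` and print the annotation lines to stdout; if the report carries absolute paths, make them relative to the checkout root first, since GitHub resolves `file=` against the repository.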

Required Permissions

```yaml
permissions:
  contents: read       # For checking out code
  pull-requests: read  # For PR context
```

Requirements

  • Terraform code in your repository
  • GitHub Actions enabled

Common Security Checks

tfsec checks for:

  • Unencrypted resources
  • Public access configurations
  • Missing security groups
  • Weak IAM policies
  • Exposed secrets
  • Insecure network configurations
  • And 100+ more security rules

License

MIT

Author

TahaDekmak
