Security scanning of code, before, during, and after deployment is a great way to enhance the security of any project. Knowing that your code is being analysed for issues before deployment, during the build phase, and then after deployment when you are in the support/run phase, can really help to improve the security posture of an environment, with minimal effort required to conduct the scanning. Whilst, in an ideal world, all of these checks would take place before the deployment – it still makes sense to analyse retrospectively, as you can then remediate environments as additional scans or tools are added and updated.
I have recently been using this with my own repositories and leveraging GitHub actions to perform analysis and log security issues that I can then address. In this case, the repo contains Terraform code that is used to deploy Azure Resources – so I am using two security tools within GitHub Actions. Both of the tools below are easy to deploy and really useful when working with Terraform across Public Cloud providers:
- TFSec – tfsec | A static analysis security scanner for your Terraform code. Discover problems with your infrastructure before hackers do.
- Terrascan – Terrascan – Accurics
Worth noting here that there are lots of other tools out there that offer similar capability – and cover different code bases and requirements!
Both of these tools provide a scanning capability that allows me to scan code within my repo as required, and then log these (by creating SARIF files) as a Code Scanning Alert within the repo:
When the scans have completed, I can then look into the open alerts:
We now have a long list of open alerts we can work through!
GitHub Actions Setup
To setup either of these scans, we need to create actions within the GitHub repo. Thankfully, both are super easy to do – we just need to create a new YAML file and store it in the usual .github/workflows folder. The YAML for both scans I am using is available below:
name: Run TFSec Analysis on: [workflow_dispatch] jobs: tfsec: name: tfsec sarif report runs-on: ubuntu-latest steps: - name: Clone repo uses: actions/checkout@master - name: tfsec uses: tfsec/tfsec-sarif-action@master with: sarif_file: tfsec.sarif - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v1 with: # Path to SARIF file relative to the root of the repository sarif_file: tfsec.sarif
name: Run Terrascan on: [workflow_dispatch] jobs: terrascan_job: runs-on: ubuntu-latest name: terrascan-action steps: - name: Checkout repository uses: actions/checkout@v2 - name: Run Terrascan id: terrascan uses: accurics/terrascan-action@main with: iac_type: 'terraform' iac_version: 'v14' policy_type: 'azure' only_warn: true sarif_upload: true #non_recursive: #iac_dir: #policy_path: #skip_rules: #config_path: - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v1 with: sarif_file: terrascan.sarif
As you can see, I am using [workflow_dispatch] so I can run these scans manually as required – but you may wish to change this to [push] if you are wanting automated scanning every time changes are made to the code, or use a schedule if you want these to run at specified intervals. If you use the sample YAML files I’ve created above, running the scans is a manual step, which is outlined below:
As you can see, this is a quick and easy way to bring additional security scanning and checks into your code, and the use of GitHub actions provides a great way to automate this. It makes sense to include a basic level of checking even when there is no requirement for continual checks. Just having this type of scan setup can assist in preventing issues before they make it to a real environment, or help to identify an issue post deployment as new checks/scans are introduced.