diff --git a/.github/workflows/terraform-plan.yaml b/.github/workflows/terraform-plan.yaml index f56cc45..e7ce331 100644 --- a/.github/workflows/terraform-plan.yaml +++ b/.github/workflows/terraform-plan.yaml @@ -43,4 +43,5 @@ jobs: env: MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_SERVICE_ACCOUNT }} with: - path: ".github/test_files/tfplan/plan.json" + path: ".github/test_files/tfplan/" + plan-file: plan.json diff --git a/terraform-plan/README.md b/terraform-plan/README.md index aadc370..064282b 100644 --- a/terraform-plan/README.md +++ b/terraform-plan/README.md 
@@ -1,18 +1,19 @@ # Mondoo Terraform Plan Action -A [GitHub Action](https://github.com/features/actions) for testing [HashiCorp Terraform](https://terraform.io) code for security misconfigurations. Mondoo policies will verity [Terraform's HCL syntax](https://www.terraform.io/language/syntax/configuration). +A [GitHub Action](https://github.com/features/actions) for testing [HashiCorp Terraform](https://terraform.io) plan files for security misconfigurations. Plan files must be saved in JSON format before they are scanned. ## Properties The Terraform Action has properties which are passed to the underlying image. These are passed to the action using `with`. -| Property | Required | Default | Description | -| ----------------------------- | -------- | ------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `log-level` | false | info | Sets the log level: error, warn, info, debug, trace (default "info") | -| `output` | false | compact | Set the output format for scan results: compact, yaml, json, junit, csv, summary, full, report (default "compact") | -| `path` | true | | Path to the Terraform working directory. | -| `score-threshold` | false | 0 | Sets the score threshold for scans. Scores that fall below the threshold will exit 1. (default "0" - job continues regardless of the score returned by a scan). | -| `service-account-credentials` | false | | Base64 encoded [service account credentials](https://mondoo.com/docs/platform/service_accounts/#creating-service-accounts) used to authenticate with Mondoo Platform. You can also use the environment variable mentioned below. 
| +| Property | Required | Default | Description | +| ----------------------------- | -------- | ----------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `log-level` | false | info | Sets the log level: error, warn, info, debug, trace (default "info") | +| `output` | false | compact | Set the output format for scan results: compact, yaml, json, junit, csv, summary, full, report (default "compact") | +| `path` | false | ./terraform | Path to the Terraform working directory (default "./terraform") | +| `path-file` | false | plan.json | Name of plan file to scan (default "plan.json") | +| `score-threshold` | false | 0 | Sets the score threshold for scans. Scores that fall below the threshold will exit 1. (default "0" - job continues regardless of the score returned by a scan). | +| `service-account-credentials` | false | | Base64 encoded [service account credentials](https://mondoo.com/docs/platform/service_accounts/#creating-service-accounts) used to authenticate with Mondoo Platform. You can also use the environment variable mentioned below. | Additionally, you need to specify the service account credentials as an environment variable. 
@@ -20,23 +21,49 @@ Additionally, you need to specify the service account credentials as an environm | ---------------------- | -------- | ------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `MONDOO_CONFIG_BASE64` | true | | Base64 encoded [service account credentials](https://mondoo.com/docs/platform/service_accounts/#creating-service-accounts) used to authenticate with Mondoo Platform | -## Scan Terraform working directory +## Scan Terraform plan file -You can use the Action as follows: +The following example uses HashiCorp's [setup-terraform](https://github.com/hashicorp/setup-terraform) to generate a Terraform plan file and convert it to JSON before running scan with cnspec. ```yaml -name: Mondoo Terraform Plan scan +name: Mondoo Terraform plan security scan + on: + pull_request: push: - paths: - - "terraform/main.tf" + branches: [main] + +defaults: + run: + working-directory: ./terraform + jobs: - scan-tf: + generate-and-scan-terraform-plan: steps: - uses: actions/checkout@v3 - - uses: mondoohq/actions/terraform-plan@v0.9.2 + - uses: hashicorp/setup-terraform@v2 + with: + terraform_wrapper: false + + - name: Terraform Init + id: terraform-init + run: terraform init + + - name: Convert Terraform plan to json + id: plan-to-json + run: | + terraform plan -no-color -out plan.tfplan + terraform show -json plan.tfplan >> plan.json + continue-on-error: true + + - name: Scan Terraform plan file for security misconfigurations + id: scan-tf-plan + env: + MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_CONFIG_BASE64 }} + - uses: mondoohq/actions/terraform-plan@v0.10.0 env: MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_SERVICE_ACCOUNT }} with: path: terraform + plan-file: plan.json ``` diff --git a/terraform-plan/action.yaml b/terraform-plan/action.yaml index 2156d60..fe69ef3 100644 --- a/terraform-plan/action.yaml +++ b/terraform-plan/action.yaml 
@@ -1,5 +1,5 @@ name: "Mondoo Terraform Plan GitHub Action" -description: "Scan HashiCorp Terraform Plan for misconfigurations with Mondoo" +description: "Scan HashiCorp Terraform Plan (JSON) for misconfigurations with Mondoo" branding: icon: "shield" color: "purple" @@ -15,8 +15,13 @@ inputs: default: compact required: false path: - description: Path to the Terraform working directory. - required: true + description: Path to the directory containing the plan file. + default: terraform + required: false + plan-file: + description: JSON plan file to scan. + default: plan.json + required: false score-threshold: description: >- Sets the score threshold for scans. Scores that fall below the threshold will exit 1. (default "0" - job continues regardless of the score returned by a scan). @@ -32,7 +37,7 @@ runs: - scan - terraform - plan - - ${{ inputs.path }} + - ${{ inputs.path }}/${{ inputs.plan-file }} - --output - ${{ inputs.output }} - --score-threshold
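Review bot: in the README properties table hunk (`@@ -1,18 +1,19 @@`) the new row is named `path-file`, but action.yaml defines the input as `plan-file` and both workflow examples in this patch pass `plan-file: plan.json`; rename the row to `plan-file` or the documented option will be silently ignored by users who copy it. The `path` row in the same table also drifts from action.yaml: the README says default `./terraform` and "Path to the Terraform working directory" while action.yaml sets `default: terraform` and "Path to the directory containing the plan file"; copy the action's wording so readers are not told to point the input at HCL sources that this version no longer scans.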
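Review bot: the README example workflow (`@@ -20,23 +21,49 @@`) is not a valid workflow as written: the step `Scan Terraform plan file for security misconfigurations` has `id: scan-tf-plan` and an `env:` block but no `uses:` or `run:`, and the following `- uses: mondoohq/actions/terraform-plan@v0.10.0` is a separate step with its own `env:` that reads a different secret (`MONDOO_SERVICE_ACCOUNT` versus `MONDOO_CONFIG_BASE64` two lines above). Fold the `uses:`/`with:` into the named step and settle on one secret name; the job also lacks `runs-on`. Two smaller points in the same hunk: `terraform show -json plan.tfplan >> plan.json` should use `>` rather than append (a rerun on a non-clean workspace concatenates two JSON documents into one unparseable file), and `continue-on-error: true` on the plan step lets a failed `terraform plan` fall through to the scan step with an empty or missing plan.json, moving the failure away from where it actually happened; drop it, or gate the scan on `steps.plan-to-json.outcome == 'success'`.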
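Review bot: the args hunk in action.yaml (`@@ -32,7 +37,7 @@`) composes `${{ inputs.path }}/${{ inputs.plan-file }}`, so a `path` value with a trailing slash, such as the `.github/test_files/tfplan/` set in the workflow hunk of this same patch, produces `.github/test_files/tfplan//plan.json`. The container will open it, but the doubled slash is what shows up in logs and error output, so either state in the `path` description that it must not end with `/` or drop the trailing slash from the test workflow. The `plan-file` description (`@@ -15,8 +15,13 @@`) should also say it is a file name resolved relative to `path`, not a path in its own right; with the current text a user who passes `plan-file: terraform/plan.json` ends up scanning `terraform/terraform/plan.json` and gets a confusing not-found error.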