Integrate with GitHub Action

The Accurics GitHub Action integration scans the IaC files in your repository and can fail a pipeline build when it finds violations or errors. You can view the scan results in the pipeline results or in Tenable Cloud Security.

Before you begin:

  • Download the configuration file for your repository from Tenable Cloud Security.

  • Create GitHub secrets to store the Environment ID and Application Token.

    1. Navigate to your repository and click Settings under your repository name.

    2. In the left navigation bar, click Secrets > New Repository Secret.

    3. Create the following two secrets:

      • ACCURICS_APP_ID: Provide the value of the app parameter in the configuration file you downloaded from Tenable Cloud Security.

      • ACCURICS_ENV_ID: Provide the value of the env parameter in the configuration file.

To set up Accurics GitHub Action:

  1. On the GitHub Marketplace, In the search box, type Accurics.

  2. In the search results, click Accurics GitHub Action.

    The Accurics GitHub Actions page appears.

  3. Copy and paste the following code to the action.yml file to set up the latest version of Accurics GitHub Action:

          - name: Accurics
            uses: accurics/
            id: accurics
              app-id: ${{ secrets.ACCURICS_APP_ID }}
              env-id: ${{ secrets.ACCURICS_ENV_ID }}
              repo: "<URL of the repository>"
    Note: (Optional) You can specify input parameters to customize your scan. For more information about parameters that you can specify, see Input Parameters for GitHub Action.

Input Parameters for GitHub Action

Specify the following required and optional parameters to customize the scan and view results from GitHub Action:

Name Description Required/Optional Default Value
app-id The application token ID. Required  
env-id The environment ID. Required  
repo The repository location URL. Required  
terraform-version The Terraform version used to process the files in this repository. Optional latest
plan-args The Terraform variables along with other required command-line parameters when running terraform plan. Optional  
directories A directory to scan within this repository. Optional ./
fail-on-violations When true, Tenable Cloud Security fails the build if violations are found. Optional true
fail-on-all-errors When true, Tenable Cloud Security fails the build if it encounters any errors. Optional true
scan-mode Specify the scan mode to either Terraform (plan) or Terrascan (scan) for scanning. Optional plan
url The URL of the target endpoint. For example, Optional
pipeline Set this parameter to true if the mode is pipeline. Optional  

AWS Parameters for Terraform Plan-Based Scan

Specify the following environment parameters under the env section for your AWS Terraform files.

Name Description Required/Optional
AWS_ACCESS_KEY_ID An AWS access key associated with the IAM user or role. Required
AWS_SECRET_ACCESS_KEY The secret key associated with the access key. This is essentially the "password" for the access key. Required
REPO_URL The GitHub repository location URL. Required
GIT_BRANCH The name of the current GitHub branch. Required
GIT_COMMIT The GitHub commit ID (SHA). Required

Name of the file that contains the API token of the Terraform Cloud in the following format:

credentials "" {
    # valid user API token:
    token = "API Token from Terraform Cloud site"
Note: This file must be in the GitHub repository.
Required if repository uses modules from Terraform Cloud.

Output Parameters for GitHub Action

Specify the following output parameters to customize your scan results.

Parameter Description
$env_name Environment name
$num_violations Violation count
$num_resources Resource count
$high High-severity violations
$medium Medium-severity violations
$low Low-severity violations
$native Native resources
$has_errors Scan has errors


The following example shows an IaC scan configuration using the latest Terraform version, custom variables, and output scan status:

      - name: Checkout
        uses: actions/
      - name: Accurics
        uses: accurics/
        id: accurics
          # Required by Terraform
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          REPO_URL: ${{ github.repositoryUrl }}
          GIT_BRANCH:  ${{ github.ref_name }}
          GIT_COMMIT:  ${{ github.sha }}
          TF_CLI_CONFIG_FILE: fileNamewithHostAndToken
          # Required by Accurics
          app-id: ${{ secrets.ACCURICS_APP_ID }}
          env-id: ${{ secrets.ACCURICS_ENV_ID }}
          repo: ""
          # Optional args
          plan-args: '-var myvar1=val1 -var myvar2=val2'
          fail-on-violations: true
          url: ""
          scan-mode: "scan"
          pipeline: true
      - name: Display statistics
        run: '
            echo ""
            echo "Environment Name           : ${{ steps.accurics.outputs.env-name }}";
            echo "Repository                 : ${{ steps.accurics.outputs.repo }}";
            echo "Violation Count            : ${{ steps.accurics.outputs.num-violations }}";
            echo "Resource Count             : ${{ steps.accurics.outputs.num-resources }}";
            echo ""
            echo "Native Resources           : ${{ steps.accurics.outputs.native }}";
            echo "Inherited Resources        : ${{ steps.accurics.outputs.inherited }}";
            echo ""
            echo "High-Severity Violations   : ${{ steps.accurics.outputs.high }}";
            echo "Medium-Severity Violations : ${{ steps.accurics.outputs.medium }}";
            echo "Low-Severity Violations    : ${{ steps.accurics.outputs.low }}";
            echo ""
            echo "Drift                      : ${{ steps.accurics.outputs.drift }}";
            echo "IaC Drift                  : ${{ steps.accurics.outputs.iacdrift }}";
            echo "Cloud Drift                : ${{ steps.accurics.outputs.clouddrift }}";
            echo ""

For more examples, see Accurics GitHub Action in the GitHub marketplace.