Integrate with GitHub Action
The Accurics GitHub Action integration scans the IaC files in your repository and can fail a pipeline build when it finds violations or errors. You can view the scan results in the pipeline results or in Tenable Cloud Security.
Before you begin:
-
Download the configuration file for your repository from Tenable Cloud Security.
-
Create GitHub secrets to store the Environment ID and Application Token.
-
Navigate to your repository and click Settings under your repository name.
-
In the left navigation bar, click Secrets > New Repository Secret.
-
Create the following two secrets:
-
ACCURICS_APP_ID: Provide the value of the app parameter in the configuration file you downloaded from Tenable Cloud Security.
-
ACCURICS_ENV_ID: Provide the value of the env parameter in the configuration file.
-
-
To set up Accurics GitHub Action:
-
On the GitHub Marketplace, In the search box, type Accurics.
-
In the search results, click Accurics GitHub Action.
The Accurics GitHub Actions page appears.
-
Copy and paste the following code to the action.yml file to set up the latest version of Accurics GitHub Action:
Copysteps:
- name: Accurics
uses: accurics/[email protected]
id: accurics
with:
app-id: ${{ secrets.ACCURICS_APP_ID }}
env-id: ${{ secrets.ACCURICS_ENV_ID }}
repo: "<URL of the repository>"Note: (Optional) You can specify input parameters to customize your scan. For more information about parameters that you can specify, see Input Parameters for GitHub Action.
Input Parameters for GitHub Action
Specify the following required and optional parameters to customize the scan and view results from GitHub Action:
| Name | Description | Required/Optional | Default Value |
|---|---|---|---|
| app-id | The application token ID. | Required | |
| env-id | The environment ID. | Required | |
| repo | The repository location URL. | Required | |
| terraform-version | The Terraform version used to process the files in this repository. | Optional | latest |
| plan-args | The Terraform variables along with other required command-line parameters when running terraform plan. | Optional | |
| directories | A directory to scan within this repository. | Optional | ./ |
| fail-on-violations | When true, Tenable Cloud Security fails the build if violations are found. | Optional | true |
| fail-on-all-errors | When true, Tenable Cloud Security fails the build if it encounters any errors. | Optional | true |
| scan-mode | Specify the scan mode to either Terraform (plan) or Terrascan (scan) for scanning. | Optional | plan |
| url | The URL of the target endpoint. For example, https://cloud.tenable.com/cns | Optional | https://app.accurics.com |
| pipeline | Set this parameter to true if the mode is pipeline. | Optional |
AWS Parameters for Terraform Plan-Based Scan
Specify the following environment parameters under the env section for your AWS Terraform files.
| Name | Description | Required/Optional |
|---|---|---|
| AWS_ACCESS_KEY_ID | An AWS access key associated with the IAM user or role. | Required |
| AWS_SECRET_ACCESS_KEY | The secret key associated with the access key. This is essentially the "password" for the access key. | Required |
| REPO_URL | The GitHub repository location URL. | Required |
| GIT_BRANCH | The name of the current GitHub branch. | Required |
| GIT_COMMIT | The GitHub commit ID (SHA). | Required |
| TF_CLI_CONFIG_FILE |
Name of the file that contains the API token of the Terraform Cloud in the following format: Copy
Note: This file must be in the GitHub repository.
|
Required if repository uses modules from Terraform Cloud. |
Output Parameters for GitHub Action
Specify the following output parameters to customize your scan results.
| Parameter | Description |
|---|---|
| $env_name | Environment name |
| $num_violations | Violation count |
| $num_resources | Resource count |
| $high | High-severity violations |
| $medium | Medium-severity violations |
| $low | Low-severity violations |
| $native | Native resources |
| $has_errors | Scan has errors |
Example
The following example shows an IaC scan configuration using the latest Terraform version, custom variables, and output scan status:
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Accurics
uses: accurics/[email protected]
id: accurics
env:
# Required by Terraform
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
REPO_URL: ${{ github.repositoryUrl }}
GIT_BRANCH: ${{ github.ref_name }}
GIT_COMMIT: ${{ github.sha }}
TF_CLI_CONFIG_FILE: fileNamewithHostAndToken
with:
# Required by Accurics
app-id: ${{ secrets.ACCURICS_APP_ID }}
env-id: ${{ secrets.ACCURICS_ENV_ID }}
repo: "https://bitbucket.org/myrepo/reponame.git"
# Optional args
plan-args: '-var myvar1=val1 -var myvar2=val2'
fail-on-violations: true
url: "https://cloud.tenable.com/cns"
scan-mode: "scan"
pipeline: true
- name: Display statistics
run: '
echo ""
echo "Environment Name : ${{ steps.accurics.outputs.env-name }}";
echo "Repository : ${{ steps.accurics.outputs.repo }}";
echo "Violation Count : ${{ steps.accurics.outputs.num-violations }}";
echo "Resource Count : ${{ steps.accurics.outputs.num-resources }}";
echo ""
echo "Native Resources : ${{ steps.accurics.outputs.native }}";
echo "Inherited Resources : ${{ steps.accurics.outputs.inherited }}";
echo ""
echo "High-Severity Violations : ${{ steps.accurics.outputs.high }}";
echo "Medium-Severity Violations : ${{ steps.accurics.outputs.medium }}";
echo "Low-Severity Violations : ${{ steps.accurics.outputs.low }}";
echo ""
echo "Drift : ${{ steps.accurics.outputs.drift }}";
echo "IaC Drift : ${{ steps.accurics.outputs.iacdrift }}";
echo "Cloud Drift : ${{ steps.accurics.outputs.clouddrift }}";
echo ""
'For more examples, see Accurics GitHub Action in the GitHub marketplace.