ci: add missing tfsec gate to ci.yml#46
Open
dmchaledev wants to merge 1 commit into
Open
Conversation
CONTRIBUTING.md has listed tfsec as CI gate #4 since the repo was set up, and the codebase carries #tfsec:ignore annotations throughout — but the gate was never wired in. This commit adds the tfsec job to ci.yml so the documented contract is actually enforced on every PR. The job installs tfsec 1.28.11 (checksum-verified, same pattern as trivy-iac.yml), gates on HIGH/CRITICAL findings, and uploads a SARIF report so blocking findings surface as inline PR annotations in the GitHub code-scanning UI. MEDIUM-severity findings continue to be surfaced (without gating the build) via the existing trivy-iac workflow, which also reads #tfsec:ignore annotations. CONTRIBUTING.md is updated to accurately describe this split: tfsec gates in ci.yml on HIGH/CRITICAL; trivy-iac surfaces MEDIUM findings separately. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Pkxxha5Lkh7sxo21PMJL4k
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Adds the
tfsecsecurity-scan job thatCONTRIBUTING.mdhas documented as CI gate #4 since the repo was created — but that was never actually wired in.Why this matters
Three signals make this a real gap, not just a docs mismatch:
tfsecas a required PR gate that "HIGH/CRITICAL findings fail the build."#tfsec:ignoreannotations in fivemain.tffiles (unlimited-scale/aws,unlimited-scale/azure,ha-hot-hot/aws,ha-hot-hot/azure,single-vm/aws) — proving tfsec was always expected to run, but the annotations have been silently vacuous.ci.yml, not as a standalone workflow.checkov.ymlandtrivy-iac.ymlcover overlapping ground but are different tools with different rule sets.Without this gate, a PR could introduce a HIGH-severity Terraform security finding (overly permissive IAM, unencrypted storage, disabled logging) and sail through CI with a green check.
Changes
.github/workflows/ci.ymltfsecjob aftertflint, scoped toubuntu-24.04trivy-iac.yml)--minimum-severity HIGH— exits 1 if any HIGH/CRITICAL finding is not suppressed with#tfsec:ignoresecurity-events: writepermission on the job only (workflow-level stayscontents: read)CONTRIBUTING.mdci.ymlon HIGH/CRITICAL; the existingtrivy-iacworkflow surfaces MEDIUM findings separately and also reads#tfsec:ignoreannotations.Testing
The existing
#tfsec:ignoreannotations in the codebase are targeted suppressions (e.g.aws-elb-alb-not-publicfor the intentionally public ALB,aws-iam-no-policy-wildcardsfor the scoped SSM document policy). These should pass the HIGH gate cleanly. No Terraform resources were changed.Generated by Claude Code