Skip to content

ci: add missing tfsec gate to ci.yml#46

Open
dmchaledev wants to merge 1 commit into
mainfrom
claude/blissful-pascal-jwturz
Open

ci: add missing tfsec gate to ci.yml#46
dmchaledev wants to merge 1 commit into
mainfrom
claude/blissful-pascal-jwturz

Conversation

@dmchaledev

Copy link
Copy Markdown
Contributor

What

Adds the tfsec security-scan job that CONTRIBUTING.md has documented as CI gate #4 since the repo was created — but that was never actually wired in.

Why this matters

Three signals make this a real gap, not just a docs mismatch:

  1. CONTRIBUTING.md explicitly lists tfsec as a required PR gate that "HIGH/CRITICAL findings fail the build."
  2. The codebase already carries #tfsec:ignore annotations in five main.tf files (unlimited-scale/aws, unlimited-scale/azure, ha-hot-hot/aws, ha-hot-hot/azure, single-vm/aws) — proving tfsec was always expected to run, but the annotations have been silently vacuous.
  3. No tfsec workflow exists anywhere — not in ci.yml, not as a standalone workflow. checkov.yml and trivy-iac.yml cover overlapping ground but are different tools with different rule sets.

Without this gate, a PR could introduce a HIGH-severity Terraform security finding (overly permissive IAM, unencrypted storage, disabled logging) and sail through CI with a green check.

Changes

.github/workflows/ci.yml

  • Adds a tfsec job after tflint, scoped to ubuntu-24.04
  • Installs tfsec 1.28.11 binary with SHA-256 checksum verification (same hardened pattern as trivy-iac.yml)
  • Gates on --minimum-severity HIGH — exits 1 if any HIGH/CRITICAL finding is not suppressed with #tfsec:ignore
  • Generates SARIF and uploads to GitHub code scanning so findings appear as inline PR annotations
  • Scoped security-events: write permission on the job only (workflow-level stays contents: read)

CONTRIBUTING.md

  • Updates step 4 to accurately describe the tfsec/trivy split: tfsec gates in ci.yml on HIGH/CRITICAL; the existing trivy-iac workflow surfaces MEDIUM findings separately and also reads #tfsec:ignore annotations.

Testing

The existing #tfsec:ignore annotations in the codebase are targeted suppressions (e.g. aws-elb-alb-not-public for the intentionally public ALB, aws-iam-no-policy-wildcards for the scoped SSM document policy). These should pass the HIGH gate cleanly. No Terraform resources were changed.


Generated by Claude Code

CONTRIBUTING.md has listed tfsec as CI gate #4 since the repo was set
up, and the codebase carries #tfsec:ignore annotations throughout —
but the gate was never wired in. This commit adds the tfsec job to
ci.yml so the documented contract is actually enforced on every PR.

The job installs tfsec 1.28.11 (checksum-verified, same pattern as
trivy-iac.yml), gates on HIGH/CRITICAL findings, and uploads a SARIF
report so blocking findings surface as inline PR annotations in the
GitHub code-scanning UI. MEDIUM-severity findings continue to be
surfaced (without gating the build) via the existing trivy-iac
workflow, which also reads #tfsec:ignore annotations.

CONTRIBUTING.md is updated to accurately describe this split: tfsec
gates in ci.yml on HIGH/CRITICAL; trivy-iac surfaces MEDIUM findings
separately.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Pkxxha5Lkh7sxo21PMJL4k
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants