GitHub: opensecdevops/osdo-iac-scan
# osdo-iac-scan
Infrastructure as Code security scanning with Checkov, KICS, tfsec, Terrascan and Kubernetes validation
## Quick Start
```yaml
- uses: opensecdevops/osdo-iac-scan@v2
```
## Inputs
| Input | Description | Required | Default |
|-------|-------------|----------|---------|
| `iac-directory` | Directory containing the IaC files to scan | No | `.` |
| `iac-type` | Type of IaC to scan: `terraform`, `cloudformation`, `kubernetes`, `helm`, `ansible` or `all` | No | `all` |
| `scanners` | Comma-separated list of scanners to run: `checkov`, `kics`, `tfsec`, `terrascan`, or `all` | No | `all` |
| `compliance-frameworks` | Comma-separated list of compliance frameworks to check against: `cis`, `nist`, `pci-dss`, `hipaa` | No | `cis` |
| `enable-kubernetes-validation` | Validate Kubernetes manifests in addition to the scanners above | No | `true` |
| `fail-on-high` | Fail the job when high-severity findings are present | No | `true` |
| `results-dir` | Directory where scan results are written | No | `.osdo/results` |
## Outputs
| Output | Description |
|--------|-------------|
| `violations-found` | Total violations found |
| `critical-count` | Critical violations count |
| `high-count` | High violations count |
| `frameworks-passed` | Compliance frameworks that passed |
## Example
```yaml
name: Security Scan
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: opensecdevops/osdo-iac-scan@v2
        with:
          iac-directory: "infra"
          iac-type: "terraform"
          scanners: "checkov,kics,tfsec"
          compliance-frameworks: "cis,nist"
          enable-kubernetes-validation: "true"
          fail-on-high: "true"
```
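The workflow below is an added example, not part of the project's README, showing how the outputs listed above (`violations-found`, `critical-count`, `high-count`, `frameworks-passed`) can drive a custom gate instead of relying only on `fail-on-high`. It assumes the outputs are plain integers and a string as their descriptions suggest, uses standard GitHub Actions `steps.<id>.outputs` semantics, and uses the separately maintained `actions/upload-artifact` action to keep the `results-dir` contents for triage. The job is given a read-only token (`permissions: contents: read`) because a scan does not need write access; in a real repository you would normally pin the action to a full commit SHA rather than the mutable `@v2` tag, which is kept here only to match the README.

```yaml
name: IaC Security Scan

on:
  pull_request:
    paths:
      - "infra/**"
  push:
    branches: [main]

# Least privilege: scanning only needs to read the repository.
permissions:
  contents: read

jobs:
  iac-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Scan Terraform with Checkov, KICS and tfsec
        id: iac
        uses: opensecdevops/osdo-iac-scan@v2
        with:
          iac-directory: "infra"
          iac-type: "terraform"
          scanners: "checkov,kics,tfsec"
          compliance-frameworks: "cis,pci-dss"
          enable-kubernetes-validation: "false"   # plain Terraform tree, no manifests
          fail-on-high: "false"                   # the gate is implemented below instead
          results-dir: ".osdo/results"

      - name: Gate on critical findings
        if: always()   # run even if the scan step itself reported a failure
        env:
          # Output names as documented in the README; integer/string format is assumed.
          TOTAL: ${{ steps.iac.outputs.violations-found }}
          CRITICAL: ${{ steps.iac.outputs.critical-count }}
          HIGH: ${{ steps.iac.outputs.high-count }}
          PASSED: ${{ steps.iac.outputs.frameworks-passed }}
        run: |
          {
            echo "## IaC scan summary"
            echo "- violations: ${TOTAL:-0}"
            echo "- critical: ${CRITICAL:-0}"
            echo "- high: ${HIGH:-0}"
            echo "- frameworks passed: ${PASSED:-none}"
          } >> "$GITHUB_STEP_SUMMARY"
          # Policy choice for this example: block on critical only; high is reported but non-blocking.
          if [ "${CRITICAL:-0}" -gt 0 ]; then
            echo "::error::${CRITICAL} critical IaC findings; see the osdo-iac-results artifact"
            exit 1
          fi

      - name: Upload scan results
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: osdo-iac-results
          path: .osdo/results
```

Using `fail-on-high: "false"` and gating in a later step lets the results artifact and the step summary be produced on every run, including failing ones; with `fail-on-high: "true"` the job stops at the scan step, so any steps that depend on the outputs must also carry `if: always()`.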
## Part of OSDO
This action is part of the [OSDO Framework](https://github.com/opensecdevops/osdo). Use it standalone or combine with other OSDO actions:
- [osdo-sast](https://github.com/opensecdevops/osdo-sast) — Static Analysis
- [osdo-sca](https://github.com/opensecdevops/osdo-sca) — Dependency Scanning
- [osdo-secrets-scan](https://github.com/opensecdevops/osdo-secrets-scan) — Secret Detection
- [osdo-container-scan](https://github.com/opensecdevops/osdo-container-scan) — Container Security
- [osdo-iac-scan](https://github.com/opensecdevops/osdo-iac-scan) — IaC Scanning
- [osdo-sbom](https://github.com/opensecdevops/osdo-sbom) — SBOM Generation
- [osdo-sign](https://github.com/opensecdevops/osdo-sign) — Artifact Signing
## License
Apache-2.0