Stay organized with collections
Save and categorize content based on your preferences.
You can use the Analyze Code Security
action to
validate the infrastructure as code (IaC) that is part of your GitHub Actions
workflow. Validating IaC lets you determine whether your Terraform resource
definitions violate the existing organization policies and
Security Health Analytics detectors that are applied to your Google Cloud resources.
Configure Workload Identity Federation with your GitHub identity provider. For
instructions, see
Workload Identity Federation.
Obtain the URL for your Workload Identity Federation ID token. For example,
https://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID.
Consider the following:
PROJECT_NUMBER is the project number for the
Google Cloud project that you set up Workload Identity Federation in.
POOL_ID is the pool name.
PROVIDER_ID is the name of your identity provider.
- name: Create Terraform Plan
id: plan
run: terraform plan -out=TF_PLAN_FILE
Replace TF_PLAN_FILE with the name for the Terraform plan
file. For example, myplan.tfplan.
Convert your plan file into JSON format:
- name: Convert Terraform Plan to JSON
id: convert
run: terraform show -no-color -json TF_PLAN_FILE > TF_PLAN_JSON_FILE
Replace TF_PLAN_JSON_FILE with the name for the Terraform
plan file, in JSON format. For example, mytfplan.json.
Add the action to your GitHub Actions workflow
In the GitHub repository, browse to your workflow.
Open the workflow editor.
In the GitHub Marketplace sidebar, search for Analyze Code Security.
In the Installation section, copy the syntax.
Paste the syntax as a new step into your workflow.
Replace the following values:
workload_identity_provider with the link to the URL for your
Workload Identity Federation ID token.
service_account with the email address of the service account that you
created for the action.
organization_id with your Google Cloud organization ID.
scan_file_ref with the path to your Terraform plan file, in JSON format.
failure_criteria with the failure threshold
criteria that determines when the action fails. The threshold criteria is
based on the number of critical, high, medium, and low severity issues that
the IaC validation scan encounters. failure_criteria specifies how many
issues of each severity are permitted and how the issues are aggregated
(either AND or OR). For example, if you want the action to fail if it
encounters one critical issue or one high severity issue, set the
failure_criteria to Critical:1,High:1,Operator:OR. The default is
Critical:1,High:1,Medium:1,Low:1,Operator:OR, which means that if the IaC
validation scan encounters any issue, the action must fail.
You can now run the workflow to validate your Terraform plan file. To run the
workflow manually, see Manually running a
workflow.
View the IaC violation report
In your GitHub repository, click Actions and select your workflow.
Click the most recent run for your workflow.
In the Artifacts section, the violation report (ias-scan-sarif.json) is available in a zip file. The report includes the
following fields:
A rules field that describes which policies were violated by the
Terraform plan. Each rule includes a ruleID that you can match with the
results that are included in the report.
A results field that describes the proposed asset modifications that
violate a specific rule.
Resolve any violations within your Terraform code before applying it.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[],[],null,["# Integrate IaC validation with GitHub Actions\n\n| Premium and Enterprise [service tiers](/security-command-center/docs/service-tiers) (requires [organization-level activation](/security-command-center/docs/activate-scc-overview#overview_of_organization-level_activation))\n\nYou can use the [Analyze Code Security\naction](https://github.com/marketplace/actions/analyze-code-security) to\nvalidate the infrastructure as code (IaC) that is part of your GitHub Actions\nworkflow. Validating IaC lets you determine whether your Terraform resource\ndefinitions violate the existing organization policies and\nSecurity Health Analytics detectors that are applied to your Google Cloud resources.\n\nFor more information about IaC validation, see\n[Validate your IaC against your Google Cloud organization's policies](/security-command-center/docs/validate-iac).\n\nBefore you begin\n----------------\n\nComplete these tasks to get started with IaC validation with GitHub Actions.\n\n### Activate the Security Command Center Premium tier or Enterprise tier\n\nVerify that the\n[Security Command Center Premium tier or Enterprise tier](/security-command-center/docs/activate-scc-overview)\nis activated at the organization level.\n\nActivating Security Command Center enables the `securityposture.googleapis.com` and\n`securitycentermanagement.googleapis.com` APIs.\n\n### Create a service account\n\nCreate a service account that you can use for the Analyze Code Security\naction.\n\n1.\n In the Google Cloud console, go to the **Create service account** page.\n\n [Go to Create service account](https://console.cloud.google.com/projectselector/iam-admin/serviceaccounts/create?supportedpurview=project)\n2. Select your project.\n3.\n In the **Service account name** field, enter a name. The Google Cloud console fills\n in the **Service account ID** field based on this name.\n\n\n In the **Service account description** field, enter a description. For example,\n `Service account for quickstart`.\n4. Click **Create and continue**.\n5.\n Grant the **Security Posture Shift-Left Validator** role to the service account.\n\n\n To grant the role, find the **Select a role** list, then select\n **Security Posture Shift-Left Validator**.\n | **Note** : The **Role** field affects which resources the service account can access in your project. You can revoke these roles or grant additional roles later.\n6. Click **Continue**.\n7.\n Click **Done** to finish creating the service account.\n\n\u003cbr /\u003e\n\nFor more information about IaC validation permissions, see\n[IAM for organization-level activations](/security-command-center/docs/access-control-org).\n\n### Set up authentication\n\n1. Configure Workload Identity Federation with your GitHub identity provider. For\n instructions, see\n [Workload Identity Federation](/iam/docs/workload-identity-federation).\n\n2. Obtain the URL for your Workload Identity Federation ID token. For example,\n `https://iam.googleapis.com/projects/`\u003cvar translate=\"no\"\u003ePROJECT_NUMBER\u003c/var\u003e`/locations/global/workloadIdentityPools/`\u003cvar translate=\"no\"\u003ePOOL_ID\u003c/var\u003e`/providers/`\u003cvar translate=\"no\"\u003ePROVIDER_ID\u003c/var\u003e.\n\n Consider the following:\n - \u003cvar translate=\"no\"\u003ePROJECT_NUMBER\u003c/var\u003e is the project number for the Google Cloud project that you set up Workload Identity Federation in.\n - \u003cvar translate=\"no\"\u003ePOOL_ID\u003c/var\u003e is the pool name.\n - \u003cvar translate=\"no\"\u003ePROVIDER_ID\u003c/var\u003e is the name of your identity provider.\n3. Add the [Authenticate to Google Cloud\n action](https://github.com/marketplace/actions/authenticate-to-google-cloud)\n to your workflow to authenticate the IaC validation action.\n\n### Define your policies\n\nDefine your\n[organization policies](/resource-manager/docs/organization-policy/creating-managing-policies)\nand\n[Security Health Analytics detectors](/security-command-center/docs/concepts-security-health-analytics).\nTo define these policies using a security posture, complete the tasks in\n[Create and deploy a posture](/security-command-center/docs/how-to-use-security-posture#create_and_deploy_a_posture).\n\nCreate your Terraform plan JSON file\n------------------------------------\n\n1. Create your Terraform code. For instructions, see [Create your Terraform\n code](/security-command-center/docs/validate-iac#create_your_terraform_code).\n\n2. In your GitHub Actions, initialize Terraform. For example, if you're using\n the [HashiCorp - Setup Terraform action](https://github.com/marketplace/actions/hashicorp-setup-terraform), run the following command:\n\n - name: Terraform Init\n id: init\n run: terraform init\n\n3. Create a Terraform plan file:\n\n - name: Create Terraform Plan\n id: plan\n run: terraform plan -out=\u003cvar translate=\"no\"\u003eTF_PLAN_FILE\u003c/var\u003e\n\n Replace \u003cvar translate=\"no\"\u003eTF_PLAN_FILE\u003c/var\u003e with the name for the Terraform plan\n file. For example, `myplan.tfplan`.\n4. Convert your plan file into JSON format:\n\n - name: Convert Terraform Plan to JSON\n id: convert\n run: terraform show -no-color -json \u003cvar translate=\"no\"\u003eTF_PLAN_FILE\u003c/var\u003e \u003e \u003cvar translate=\"no\"\u003eTF_PLAN_JSON_FILE\u003c/var\u003e\n\n Replace \u003cvar translate=\"no\"\u003eTF_PLAN_JSON_FILE\u003c/var\u003e with the name for the Terraform\n plan file, in JSON format. For example, `mytfplan.json`.\n\nAdd the action to your GitHub Actions workflow\n----------------------------------------------\n\n1. In the GitHub repository, browse to your workflow.\n2. Open the workflow editor.\n3. In the GitHub Marketplace sidebar, search for **Analyze Code Security**.\n4. In the **Installation** section, copy the syntax.\n5. Paste the syntax as a new step into your workflow.\n6. Replace the following values:\n\n - `workload_identity_provider` with the link to the URL for your Workload Identity Federation ID token.\n - `service_account` with the email address of the service account that you created for the action.\n - `organization_id` with your Google Cloud organization ID.\n - `scan_file_ref` with the path to your Terraform plan file, in JSON format.\n - `failure_criteria` with the failure threshold criteria that determines when the action fails. The threshold criteria is based on the number of critical, high, medium, and low severity issues that the IaC validation scan encounters. `failure_criteria` specifies how many issues of each severity are permitted and how the issues are aggregated (either `AND` or `OR`). For example, if you want the action to fail if it encounters one critical issue *or* one high severity issue, set the `failure_criteria` to `Critical:1,High:1,Operator:OR`. The default is `Critical:1,High:1,Medium:1,Low:1,Operator:OR`, which means that if the IaC validation scan encounters any issue, the action must fail.\n\nYou can now run the workflow to validate your Terraform plan file. To run the\nworkflow manually, see [Manually running a\nworkflow](https://docs.github.com/en/actions/using-workflows/manually-running-a-workflow).\n\nView the IaC violation report\n-----------------------------\n\n1. In your GitHub repository, click **Actions** and select your workflow.\n\n2. Click the most recent run for your workflow.\n\n In the **Artifacts** section, the violation report (`ias-scan-sarif.json`) is available in a zip file. The report includes the\n following fields:\n - A `rules` field that describes which policies were violated by the Terraform plan. Each rule includes a `ruleID` that you can match with the results that are included in the report.\n - A `results` field that describes the proposed asset modifications that violate a specific rule.\n3. Resolve any violations within your Terraform code before applying it.\n\nWhat's next\n-----------\n\n- View the [analyze-code-security-scc action\n source code](https://github.com/google-github-actions/analyze-code-security-scc/) in GitHub."]]
