name: tfsec
on:
  push:
    branches:
      - main
    paths:
      - '**.tf'
  pull_request:
    paths:
      - '**.tf'
  workflow_dispatch: # Manual dispatch
permissions:
  contents: read

jobs:
  tfsec:
    permissions:
      contents: read  # for actions/checkout to fetch code
      security-events: write  # for github/codeql-action/upload-sarif to upload SARIF results
    name: tfsec sarif report
    runs-on: ubuntu-latest

    steps:
      - name: Clone repo
        uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089 

      - name: tfsec
        uses: tfsec/tfsec-sarif-action@56bc584a8377626a31e511056772298ccfa69501 
        with:
          sarif_file: tfsec.sarif

      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@75b4f1c4669133dc294b06c2794e969efa2e5316 # v1
        with:
          # Path to SARIF file relative to the root of the repository
          sarif_file: tfsec.sarif