name: tfsec
on:
  push:
    branches:
      - main
    paths:
      - '**.tf'
  pull_request:
    paths:
      - '**.tf'
  workflow_dispatch: # Manual dispatch
permissions:
  contents: read

jobs:
  tfsec:
    permissions:
      contents: read  # for actions/checkout to fetch code
      security-events: write  # for github/codeql-action/upload-sarif to upload SARIF results
    name: tfsec sarif report
    runs-on: ubuntu-latest

    steps:
      - name: Clone repo
        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b 

      - name: tfsec
        uses: tfsec/tfsec-sarif-action@5d34a982aa8927c5dd8566d25ef248d526aac1f4 
        with:
          sarif_file: tfsec.sarif

      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@c7f292ea4f542c473194b33813ccd4c207a6c725 # v1
        with:
          # Path to SARIF file relative to the root of the repository
          sarif_file: tfsec.sarif