Stay organized with collectionsSave and categorize content based on your preferences.
You can use theAnalyze Code Security
actionto
validate the infrastructure as code (IaC) that is part of your GitHub Actions
workflow. Validating IaC lets you determine whether your Terraform resource
definitions violate the existing organization policies and
Security Health Analytics detectors that are applied to your Google Cloud resources.
Configure Workload Identity Federation with your GitHub identity provider. For
instructions, seeWorkload Identity Federation.
Obtain the URL for your Workload Identity Federation ID token. For example,https://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID.
Consider the following:
PROJECT_NUMBERis the project number for the
Google Cloud project that you set up Workload Identity Federation in.
- name: Create Terraform Plan
id: plan
run: terraform plan -out=TF_PLAN_FILE
ReplaceTF_PLAN_FILEwith the name for the Terraform plan
file. For example,myplan.tfplan.
Convert your plan file into JSON format:
- name: Convert Terraform Plan to JSON
id: convert
run: terraform show -no-color -jsonTF_PLAN_FILE>TF_PLAN_JSON_FILE
ReplaceTF_PLAN_JSON_FILEwith the name for the Terraform
plan file, in JSON format. For example,mytfplan.json.
Add the action to your GitHub Actions workflow
In the GitHub repository, browse to your workflow.
Open the workflow editor.
In the GitHub Marketplace sidebar, search forAnalyze Code Security.
In theInstallationsection, copy the syntax.
Paste the syntax as a new step into your workflow.
Replace the following values:
workload_identity_providerwith the link to the URL for your
Workload Identity Federation ID token.
service_accountwith the email address of the service account that you
created for the action.
organization_idwith your Google Cloud organization ID.
scan_file_refwith the path to your Terraform plan file, in JSON format.
failure_criteriawith the failure threshold
criteria that determines when the action fails. The threshold criteria is
based on the number of critical, high, medium, and low severity issues that
the IaC validation scan encounters.failure_criteriaspecifies how many
issues of each severity are permitted and how the issues are aggregated
(eitherANDorOR). For example, if you want the action to fail if it
encounters one critical issueorone high severity issue, set thefailure_criteriatoCritical:1,High:1,Operator:OR. The default isCritical:1,High:1,Medium:1,Low:1,Operator:OR, which means that if the IaC
validation scan encounters any issue, the action must fail.
You can now run the workflow to validate your Terraform plan file. To run the
workflow manually, seeManually running a
workflow.
View the IaC violation report
In your GitHub repository, clickActionsand select your workflow.
Click the most recent run for your workflow.
In theArtifactssection, the violation report (ias-scan-sarif.json) is available in a zip file. The report includes the
following fields:
Arulesfield that describes which policies were violated by the
Terraform plan. Each rule includes aruleIDthat you can match with the
results that are included in the report.
Aresultsfield that describes the proposed asset modifications that
violate a specific rule.
Resolve any violations within your Terraform code before applying it.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["| Premium and Enterprise [service tiers](/security-command-center/docs/service-tiers) (requires [organization-level activation](/security-command-center/docs/activate-scc-overview#overview_of_organization-level_activation))\n\nYou can use the [Analyze Code Security\naction](https://github.com/marketplace/actions/analyze-code-security) to\nvalidate the infrastructure as code (IaC) that is part of your GitHub Actions\nworkflow. Validating IaC lets you determine whether your Terraform resource\ndefinitions violate the existing organization policies and\nSecurity Health Analytics detectors that are applied to your Google Cloud resources.\n\nFor more information about IaC validation, see\n[Validate your IaC against your Google Cloud organization's policies](/security-command-center/docs/validate-iac).\n\nBefore you begin\n\nComplete these tasks to get started with IaC validation with GitHub Actions.\n\nActivate the Security Command Center Premium tier or Enterprise tier\n\nVerify that the\n[Security Command Center Premium tier or Enterprise tier](/security-command-center/docs/activate-scc-overview)\nis activated at the organization level.\n\nActivating Security Command Center enables the `securityposture.googleapis.com` and\n`securitycentermanagement.googleapis.com` APIs.\n\nCreate a service account\n\nCreate a service account that you can use for the Analyze Code Security\naction.\n\n1.\n In the Google Cloud console, go to the **Create service account** page.\n\n [Go to Create service account](https://console.cloud.google.com/projectselector/iam-admin/serviceaccounts/create?supportedpurview=project)\n2. Select your project.\n3.\n In the **Service account name** field, enter a name. The Google Cloud console fills\n in the **Service account ID** field based on this name.\n\n\n In the **Service account description** field, enter a description. For example,\n `Service account for quickstart`.\n4. Click **Create and continue**.\n5.\n Grant the **Security Posture Shift-Left Validator** role to the service account.\n\n\n To grant the role, find the **Select a role** list, then select\n **Security Posture Shift-Left Validator**.\n | **Note** : The **Role** field affects which resources the service account can access in your project. You can revoke these roles or grant additional roles later.\n6. Click **Continue**.\n7.\n Click **Done** to finish creating the service account.\n\n\u003cbr /\u003e\n\nFor more information about IaC validation permissions, see\n[IAM for organization-level activations](/security-command-center/docs/access-control-org).\n\nSet up authentication\n\n1. Configure Workload Identity Federation with your GitHub identity provider. For\n instructions, see\n [Workload Identity Federation](/iam/docs/workload-identity-federation).\n\n2. Obtain the URL for your Workload Identity Federation ID token. For example,\n `https://iam.googleapis.com/projects/`\u003cvar translate=\"no\"\u003ePROJECT_NUMBER\u003c/var\u003e`/locations/global/workloadIdentityPools/`\u003cvar translate=\"no\"\u003ePOOL_ID\u003c/var\u003e`/providers/`\u003cvar translate=\"no\"\u003ePROVIDER_ID\u003c/var\u003e.\n\n Consider the following:\n - \u003cvar translate=\"no\"\u003ePROJECT_NUMBER\u003c/var\u003e is the project number for the Google Cloud project that you set up Workload Identity Federation in.\n - \u003cvar translate=\"no\"\u003ePOOL_ID\u003c/var\u003e is the pool name.\n - \u003cvar translate=\"no\"\u003ePROVIDER_ID\u003c/var\u003e is the name of your identity provider.\n3. Add the [Authenticate to Google Cloud\n action](https://github.com/marketplace/actions/authenticate-to-google-cloud)\n to your workflow to authenticate the IaC validation action.\n\nDefine your policies\n\nDefine your\n[organization policies](/resource-manager/docs/organization-policy/creating-managing-policies)\nand\n[Security Health Analytics detectors](/security-command-center/docs/concepts-security-health-analytics).\nTo define these policies using a security posture, complete the tasks in\n[Create and deploy a posture](/security-command-center/docs/how-to-use-security-posture#create_and_deploy_a_posture).\n\nCreate your Terraform plan JSON file\n\n1. Create your Terraform code. For instructions, see [Create your Terraform\n code](/security-command-center/docs/validate-iac#create_your_terraform_code).\n\n2. In your GitHub Actions, initialize Terraform. For example, if you're using\n the [HashiCorp - Setup Terraform action](https://github.com/marketplace/actions/hashicorp-setup-terraform), run the following command:\n\n - name: Terraform Init\n id: init\n run: terraform init\n\n3. Create a Terraform plan file:\n\n - name: Create Terraform Plan\n id: plan\n run: terraform plan -out=\u003cvar translate=\"no\"\u003eTF_PLAN_FILE\u003c/var\u003e\n\n Replace \u003cvar translate=\"no\"\u003eTF_PLAN_FILE\u003c/var\u003e with the name for the Terraform plan\n file. For example, `myplan.tfplan`.\n4. Convert your plan file into JSON format:\n\n - name: Convert Terraform Plan to JSON\n id: convert\n run: terraform show -no-color -json \u003cvar translate=\"no\"\u003eTF_PLAN_FILE\u003c/var\u003e \u003e \u003cvar translate=\"no\"\u003eTF_PLAN_JSON_FILE\u003c/var\u003e\n\n Replace \u003cvar translate=\"no\"\u003eTF_PLAN_JSON_FILE\u003c/var\u003e with the name for the Terraform\n plan file, in JSON format. For example, `mytfplan.json`.\n\nAdd the action to your GitHub Actions workflow\n\n1. In the GitHub repository, browse to your workflow.\n2. Open the workflow editor.\n3. In the GitHub Marketplace sidebar, search for **Analyze Code Security**.\n4. In the **Installation** section, copy the syntax.\n5. Paste the syntax as a new step into your workflow.\n6. Replace the following values:\n\n - `workload_identity_provider` with the link to the URL for your Workload Identity Federation ID token.\n - `service_account` with the email address of the service account that you created for the action.\n - `organization_id` with your Google Cloud organization ID.\n - `scan_file_ref` with the path to your Terraform plan file, in JSON format.\n - `failure_criteria` with the failure threshold criteria that determines when the action fails. The threshold criteria is based on the number of critical, high, medium, and low severity issues that the IaC validation scan encounters. `failure_criteria` specifies how many issues of each severity are permitted and how the issues are aggregated (either `AND` or `OR`). For example, if you want the action to fail if it encounters one critical issue *or* one high severity issue, set the `failure_criteria` to `Critical:1,High:1,Operator:OR`. The default is `Critical:1,High:1,Medium:1,Low:1,Operator:OR`, which means that if the IaC validation scan encounters any issue, the action must fail.\n\nYou can now run the workflow to validate your Terraform plan file. To run the\nworkflow manually, see [Manually running a\nworkflow](https://docs.github.com/en/actions/using-workflows/manually-running-a-workflow).\n\nView the IaC violation report\n\n1. In your GitHub repository, click **Actions** and select your workflow.\n\n2. Click the most recent run for your workflow.\n\n In the **Artifacts** section, the violation report (`ias-scan-sarif.json`) is available in a zip file. The report includes the\n following fields:\n - A `rules` field that describes which policies were violated by the Terraform plan. Each rule includes a `ruleID` that you can match with the results that are included in the report.\n - A `results` field that describes the proposed asset modifications that violate a specific rule.\n3. Resolve any violations within your Terraform code before applying it.\n\nWhat's next\n\n- View the [analyze-code-security-scc action\n source code](https://github.com/google-github-actions/analyze-code-security-scc/) in GitHub."]]
