
Administration Guide

GitHub actions

Integrating IaC scanning into a GitHub Actions CI/CD pipeline

To integrate IaC scanning into a GitHub Actions CI/CD pipeline, you must first collect your FortiCNAPP account name (LW_ACCOUNT), LW_API_KEY, and LW_API_SECRET.

To collect the environment secrets:
  1. Log in to the FortiCNAPP console.

  2. Click Settings > API keys.

  3. Select or create an API key.

  4. Click the download icon.

  5. Open the downloaded .json file to view your API Key and Secret.

To configure the API Key, API Secret, and account name:
  1. In your GitHub repository, go to Settings > Security > Secrets & Variables > Actions.

  2. Click the Secrets tab.

  3. For each secret (LW_ACCOUNT, LW_API_KEY, and LW_API_SECRET):

    1. Click New repository secret.

    2. In the Name field, enter the name of your variable. For example, LW_ACCOUNT.

    3. In the Secret field, enter the value you retrieved from the .json file for that secret. For LW_ACCOUNT, enter your account name, for example <account.lacework.net>.

    4. Click Add secret.

  4. Configure a GitHub Actions workflow (a YAML file under .github/workflows/ in the repository) similar to the following example:

    name: lacework-iac-example
    # Controls when the workflow will run
    on:
        # Triggers the workflow on push or pull request events but only for the "main" branch
        push:
            branches: [ "main" ]
        pull_request:
            branches: [ "main" ]
        # Allows you to run this workflow manually from the Actions tab
        workflow_dispatch:

    # The job only needs to read the repository; grant nothing more to the GITHUB_TOKEN
    permissions:
        contents: read

    # A workflow run is made up of one or more jobs that can run sequentially or in parallel
    jobs:
        # This workflow contains a single job called "build"
        build:
            # The type of runner that the job will run on
            runs-on: ubuntu-24.04
            # Steps represent a sequence of tasks that will be executed as part of the job
            steps:
                # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
                - name: Checkout Code
                  uses: actions/checkout@v4

                - name: Scan the repo for vulnerabilities in IaC
                  run: |
                      # GitHub runs "run" steps with bash -e; disable errexit so a non-zero
                      # scanner exit status can be captured instead of aborting this step
                      set +e
                      env | grep "GITHUB_\|LW_\|CI_" >> env.list
                      echo "LW_ACCOUNT=${{ secrets.LW_ACCOUNT }}" >> env.list
                      echo "LW_API_KEY=${{ secrets.LW_API_KEY }}" >> env.list
                      echo "LW_API_SECRET=${{ secrets.LW_API_SECRET }}" >> env.list
                      echo "WORKSPACE=src" >> env.list
                      # Do not print env.list: it contains the API secret. If you need to
                      # debug the environment, list only the variable names
                      cut -d= -f1 env.list
                      docker run --rm --env-file env.list -v "$(pwd):/app/src" lacework/codesec:stable lacework iac scan -d /app/src
                      SCAN_EXIT_STATUS=$?
                      # Remove the file holding the secrets as soon as the scan has run
                      rm -f env.list
                      # Pass the status to the next step through GITHUB_ENV
                      echo "SCAN_EXIT_STATUS=$SCAN_EXIT_STATUS" >> "$GITHUB_ENV"
                      set -e
                - name: Scan Status
                  run: |
                    # Fail the job if the scanner exited non-zero
                    exit "$SCAN_EXIT_STATUS"

For available environment arguments, see General requirements.
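The scan step in the workflow above writes LW_API_SECRET into env.list on the runner and relies on GitHub's log masking if that file is ever printed. The script below is an added example, not Fortinet or Lacework code: it keeps the same container image and lacework iac scan invocation, but forwards the secrets with docker run -e NAME, which copies each variable from the step's environment without putting the value on the command line, on disk, or in the log, and it captures the exit status in a way that works under GitHub's default bash -e. The function names and the DOCKER_BIN and LW_IAC_IMAGE overrides are assumptions introduced here.

```shell
#!/bin/sh
# scan-iac.sh: hardened replacement for the two scan steps in the workflow
# above. Added example, not Fortinet/Lacework code. Same image and CLI call
# (lacework/codesec:stable, lacework iac scan -d /app/src), but the secrets
# are forwarded with "docker run -e NAME" instead of an env.list file.
# DOCKER_BIN and LW_IAC_IMAGE are hypothetical knobs added here so the script
# can run with podman or with a stub in tests.

# Fail with a clear message if any required variable is unset or empty.
require_env() {
    for name in "$@"; do
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            echo "missing required environment variable: $name" >&2
            return 1
        fi
    done
    return 0
}

# Run the scanner container against a workspace directory.
# "-e NAME" with no "=value" copies NAME from the current environment, so the
# secret values never appear in argv, in a file, or in the job log.
run_iac_scan() {
    workspace=${1:-$(pwd)}
    scan_dir=/app/src
    "${DOCKER_BIN:-docker}" run --rm \
        -e LW_ACCOUNT -e LW_API_KEY -e LW_API_SECRET \
        -e WORKSPACE=src \
        -v "$workspace:$scan_dir" \
        "${LW_IAC_IMAGE:-lacework/codesec:stable}" \
        lacework iac scan -d "$scan_dir"
}

# Persist the scanner's exit status for a later step. In GitHub Actions,
# lines appended to $GITHUB_ENV become environment variables of later steps.
record_status() {
    line="SCAN_EXIT_STATUS=$1"
    if [ -n "${GITHUB_ENV:-}" ]; then
        printf '%s\n' "$line" >> "$GITHUB_ENV"
    fi
    printf '%s\n' "$line"
}

# Step 1 ("Scan the repo ..."): run the scan and record its status, but
# always return 0 so this step never aborts the job. Running the scan as an
# "if" condition is what keeps GitHub's default "bash -e" from exiting early.
scan_step() {
    require_env LW_ACCOUNT LW_API_KEY LW_API_SECRET || return 2
    if run_iac_scan "$@"; then
        status=0
    else
        status=$?
    fi
    record_status "$status" >/dev/null
    return 0
}

# Step 2 ("Scan Status"): fail the job with the scanner's exit status.
# Anything that is not a number fails closed instead of reaching "exit".
gate_status() {
    status=${SCAN_EXIT_STATUS:-}
    case $status in
        ''|*[!0-9]*)
            echo "SCAN_EXIT_STATUS is missing or not numeric: '$status'" >&2
            return 1 ;;
    esac
    if [ "$status" -ne 0 ]; then
        echo "IaC scan exited with status $status" >&2
    fi
    return "$status"
}

# Workflow usage (secrets mapped into the step environment with "env:"):
#   - name: Scan the repo for vulnerabilities in IaC
#     env:
#       LW_ACCOUNT: ${{ secrets.LW_ACCOUNT }}
#       LW_API_KEY: ${{ secrets.LW_API_KEY }}
#       LW_API_SECRET: ${{ secrets.LW_API_SECRET }}
#     run: . ./scan-iac.sh && scan_step "$PWD"
#   - name: Scan Status
#     run: . ./scan-iac.sh && gate_status
```

Because the secrets are mapped with env: on the step rather than expanded inside the run: script, the values are never part of the shell text GitHub executes, and nothing is left in the workspace for a later step or a malicious dependency to read.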

Debugging

If the scan does not complete, use the following steps to debug:

  1. Use a test file:

    1. To verify that the scanner is picking up files correctly, add a test Terraform file.

    2. Use the tf-scan command. Add a Terraform snippet with known violations, for example a basic S3 bucket resource with no hardening settings, to verify that the scan reports them as expected.

  2. Confirm that files are at the correct directory level of the repository:

    1. Scanning files that reside in the root of the repository is not supported. For example, to scan Terraform code, verify that it is in a directory called terraform in the repository. Files placed there are picked up by the scan.

  3. Confirm that the Terraform plan file is valid JSON:

    1. In a working directory where terraform init has already been run, generate a binary plan file:

      terraform plan -out=plan.tfplan
    2. Then convert it to JSON. Use a single > so the output file is overwritten: appending with >> to an existing file produces two concatenated JSON documents, which is not valid JSON.

      terraform show -json plan.tfplan > tfplan.json
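The three debugging checks above, scripted, as an added example that is not part of the original page: write_test_bucket drops a deliberately non-hardened aws_s3_bucket into a terraform/ subdirectory rather than the repository root, export_plan_json runs terraform init, plan and show -json and writes the JSON with > instead of >>, and check_plan_json catches the concatenated-documents problem that >> produces. TERRAFORM_BIN and the function names are assumptions; the bucket resource is a constructed fixture, and which policies it triggers depends on the IaC policy set enabled in your FortiCNAPP account.

```shell
#!/bin/sh
# iac-debug-fixture.sh: added example for the debugging checks above; not
# Fortinet/Lacework code. TERRAFORM_BIN is a hypothetical override so the plan
# export can be exercised with a stub where terraform is not installed.

# Write a minimal bucket with no encryption, versioning, logging or public
# access block into <repo>/terraform (never the repository root). Those
# missing settings are the kind of thing IaC policies flag, which makes the
# file a useful "does the scanner see my files" probe. Prints the path.
write_test_bucket() {
    repo=$1
    dir="$repo/terraform"
    mkdir -p "$dir"
    cat > "$dir/test_bucket.tf" <<'EOF'
# Constructed test fixture: a plain bucket with no hardening settings.
resource "aws_s3_bucket" "iac_scan_probe" {
  bucket = "iac-scan-probe-example"
}
EOF
    printf '%s\n' "$dir/test_bucket.tf"
}

# Plan JSON from "terraform show -json" is one object with a top-level
# "format_version" key. Appending a second plan with ">>" yields two
# concatenated documents, so more than one occurrence means invalid JSON.
check_plan_json() {
    file=$1
    [ -s "$file" ] || { echo "$file is missing or empty" >&2; return 1; }
    first=$(head -c 1 "$file")
    [ "$first" = "{" ] || { echo "$file does not start with a JSON object" >&2; return 1; }
    count=$(grep -o '"format_version"' "$file" | wc -l | tr -d ' ')
    if [ "$count" -ne 1 ]; then
        echo "$file contains $count JSON documents; expected exactly 1" >&2
        return 1
    fi
    return 0
}

# Produce plan.tfplan and tfplan.json inside a Terraform directory. The JSON
# is written with ">" so re-running never appends to a stale file, and the
# result is validated before returning.
export_plan_json() {
    dir=$1
    tf=${TERRAFORM_BIN:-terraform}
    (
        cd "$dir" || exit 1
        "$tf" init -input=false >/dev/null &&
        "$tf" plan -input=false -out=plan.tfplan >/dev/null &&
        "$tf" show -json plan.tfplan > tfplan.json
    ) || return 1
    check_plan_json "$dir/tfplan.json"
}

# Usage from a checked-out repository:
#   write_test_bucket "$PWD"
#   export_plan_json "$PWD/terraform"
```

Run export_plan_json twice in a row and check_plan_json still passes; do the same with the page's original >> redirection and the second run fails, which is the symptom the third debugging step describes.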
