tfsec-pr-commenter-action: Commenter returning "Ignoring - change not part of the current PR" for all comments

I have a workflow (below) that correctly parses my .tf files in a PR, but never actually comments on it. I have already looked into permissions issues - no problem here. I have also cycled through various arguments to see if they would yield the result I wanted, but again I’ve had no luck.

name: tfsecPOC
on: 
  pull_request:
jobs:
  tfsec-compliance:
    name: tfsec compliance check
    runs-on: [self-hosted, vault]
    steps:
      - name: Checkout repo
        uses: actions/checkout@v3
      - name: tfsec
        uses: aquasecurity/tfsec-pr-commenter-action@main
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          tfsec_args: --debug

I just get this output at the end of my run:

1 file(s) written: results.json
+ commenter
Starting the github commenter
Working in repository terraform
Working in PR 1333
TFSec found 5 issues
Working in GITHUB_WORKSPACE /github/workspace/
Preparing comment for violation of rule aws-ec2-add-description-to-security-group in ./terratest-poc/main.tf
Ignoring - change not part of the current PR
Preparing comment for violation of rule aws-ec2-add-description-to-security-group-rule in ./terratest-poc/main.tf
Ignoring - change not part of the current PR
Preparing comment for violation of rule aws-ec2-enable-at-rest-encryption in ./terratest-poc/main.tf
Ignoring - change not part of the current PR
Preparing comment for violation of rule aws-ec2-enforce-http-token-imds in ./terratest-poc/main.tf
Ignoring - change not part of the current PR
Preparing comment for violation of rule aws-ec2-no-public-ingress-sgr in ./terratest-poc/main.tf
Ignoring - change not part of the current PR

I can see where this error is coming from, but I am not able to see what the exact issue with the results.json file is.

for _, result := range results {
	result.Range.Filename = workingDir + strings.ReplaceAll(result.Range.Filename, workspacePath, "")
	comment := generateErrorMessage(result)
	fmt.Printf("Preparing comment for violation of rule %v in %v\n", result.RuleID, result.Range.Filename)
	err := c.WriteMultiLineComment(result.Range.Filename, comment, result.Range.StartLine, result.Range.EndLine)
	if err != nil {
		// don't error if it's simply that the comments aren't valid for the PR
		switch err.(type) {
		case commenter.CommentAlreadyWrittenError:
			fmt.Println("Ignoring - comment already written")
			validCommentWritten = true
		case commenter.CommentNotValidError:
			fmt.Println("Ignoring - change not part of the current PR")
			continue
		default:
			errMessages = append(errMessages, err.Error())
		}
	} else {
		validCommentWritten = true
		fmt.Printf("Commenting for %s to %s:%d:%d\n", result.Description, result.Range.Filename, result.Range.StartLine, result.Range.EndLine)
	}
}

Action command output

/usr/bin/docker run --name cbb2812a0638619a79478ab2aa7296e3716695_8d2681 --label cbb281 --workdir /github/workspace --rm -e "INPUT_GITHUB_TOKEN" -e "INPUT_TFSEC_ARGS" -e "INPUT_WORKING_DIRECTORY" -e "INPUT_TFSEC_VERSION" -e "INPUT_TFSEC_FORMATS" -e "INPUT_COMMENTER_VERSION" -e "INPUT_SOFT_FAIL_COMMENTER" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKSPACE" -e "GITHUB_EVENT_PATH" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "GITHUB_ACTION" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/github/_work/_temp/_github_home":"/github/home" -v "/home/github/_work/_temp/_github_workflow":"/github/workflow" -v "/home/github/_work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/github/_work/terraform/terraform":"/github/workspace" cbb281:2a0638619a79478ab2aa7296e3716695

tfsec --out=results.json --format=json --soft-fail --debug .

Based on this, it looks like there is an issue with my PR and the results.json file syncing up.

// CommentNotValidError returned when the comment is for a file or line not in the pr
type CommentNotValidError struct {
	filepath string
	lineNo   int
}

About this issue

  • State: open
  • Created 2 years ago
  • Reactions: 28
  • Comments: 25

Most upvoted comments

Just add an empty working_directory:

      - name: tfsec
        uses: aquasecurity/tfsec-pr-commenter-action@main
        with:
          working_directory: ''

This works for me!

I’m seeing the same error, and to my horror realised recently it’s been happening silently for a while and I’ve just been assuming all is good with the sec scan!

@sysophost @ahmetrehaseker

What version of the tfsec-commenter-action are you guys using?

Try forcing the use of the 1.2.0 version, it might solve this problem.

A similar error was described here.

I did not test with that version but checked out the repo and debugged it myself. The problem is with the library you are using for commenting on the PR; as I wrote in the comment, if you have multiple changed parts in the file, the library only checks the first hunk and ignores the other changes, and because of that it returns "change not part of the current PR". I created an issue for that repository: Issue

I am seeing the same issue. I checked the code and the problem is related to the commenter. The commenter checks if the comment line fits the changed lines. If the changed file contains multiple changed locations (i.e. changes from line 3 to line 10 and from line 20 to line 30), the commenter only checks the first hunk. And if the tfsec problem is between line 20 and line 30, it throws the exception "Ignoring - change not part of the current PR".

If you fix this that would be awesome.
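Added example, not code from this thread, from tfsec-pr-commenter-action or from the commenter library the two comments above refer to: a Go sketch of the hunk check they describe. parseHunks reads every "@@" header of a GitHub-style patch (the "patch" field of a PR's changed files), lineInFirstHunkOnly reproduces the reported behaviour of consulting only the file's first hunk, and lineInAnyHunk is the corrected check that consults all of them. The sample patch, the line numbers and all function and type names are constructed for illustration and are assumptions, not the real library's API.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// hunk is one "@@ -a,b +c,d @@" region of a unified diff, tracked on the
// new-file side, which is the side a PR review comment is attached to.
type hunk struct {
	newStart int // first new-side line covered by the hunk
	newEnd   int // last new-side line covered by the hunk (inclusive)
}

// parseRange parses the "start,count" part of a hunk header; a missing
// count means 1, as in unified-diff format.
func parseRange(r string) (start, count int, err error) {
	count = 1
	parts := strings.SplitN(r, ",", 2)
	if start, err = strconv.Atoi(parts[0]); err != nil {
		return 0, 0, err
	}
	if len(parts) == 2 {
		if count, err = strconv.Atoi(parts[1]); err != nil {
			return 0, 0, err
		}
	}
	return start, count, nil
}

// parseHunks extracts every hunk header from a unified-diff patch body.
func parseHunks(patch string) ([]hunk, error) {
	var hunks []hunk
	for _, line := range strings.Split(patch, "\n") {
		if !strings.HasPrefix(line, "@@") {
			continue // added, removed and context lines carry no range info
		}
		fields := strings.Fields(line) // "@@", "-a,b", "+c,d", "@@", ...
		if len(fields) < 3 || !strings.HasPrefix(fields[2], "+") {
			return nil, fmt.Errorf("malformed hunk header: %q", line)
		}
		start, count, err := parseRange(fields[2][1:])
		if err != nil {
			return nil, fmt.Errorf("malformed hunk header %q: %w", line, err)
		}
		// a count of 0 (pure deletion) covers no new-side line: newEnd < newStart
		hunks = append(hunks, hunk{newStart: start, newEnd: start + count - 1})
	}
	return hunks, nil
}

// lineInFirstHunkOnly reproduces the behaviour reported in the thread:
// only the file's first hunk is consulted, so a finding that lands in a
// later hunk is wrongly reported as "not part of the current PR".
func lineInFirstHunkOnly(hunks []hunk, line int) bool {
	if len(hunks) == 0 {
		return false
	}
	return hunks[0].newStart <= line && line <= hunks[0].newEnd
}

// lineInAnyHunk is the corrected check: a line is commentable when any
// hunk of the file's diff covers it.
func lineInAnyHunk(hunks []hunk, line int) bool {
	for _, h := range hunks {
		if h.newStart <= line && line <= h.newEnd {
			return true
		}
	}
	return false
}

// samplePatch is a constructed two-hunk patch for a file like
// terratest-poc/main.tf; it is not a real diff from the thread.
const samplePatch = `@@ -1,4 +1,6 @@
 resource "aws_security_group" "poc" {
   name = "poc"
+  description = "poc sg"
+  vpc_id      = var.vpc_id
 }
 
@@ -18,3 +20,6 @@
 resource "aws_instance" "poc" {
   ami = var.ami
+  metadata_options {
+    http_tokens = "required"
+  }
 }`

func main() {
	hunks, err := parseHunks(samplePatch)
	if err != nil {
		panic(err)
	}
	// line 22 is the added metadata_options block, which sits in the second hunk
	for _, line := range []int{3, 12, 22} {
		fmt.Printf("line %2d: first-hunk-only=%-5v any-hunk=%v\n",
			line, lineInFirstHunkOnly(hunks, line), lineInAnyHunk(hunks, line))
	}
}
```

Line 3 is accepted by both checks, line 12 (unchanged) by neither, and line 22 only by the corrected check; a finding on line 22 is exactly the case the thread reports as silently dropped. The practical consequence for a CI gate is the one raised later in the thread: an "Ignoring" path that still exits zero makes a scan look green while reporting nothing, so the step's exit status should not be the only signal you trust.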

I was also facing the same issue.

Thanks @mario-fernandez-mm, it seems that adding an empty working_directory does work.

I noticed this recently as well. The worst part about it is that anyone could be having this issue and they will just assume everything is fine because the tfsec check passes and we trust it.

Thanks for the suggestion @saerosV, I had tried pinning to an older version but was getting the same behaviour. I think my issue comes from the fact I’m creating a resource from a module where the templated module is not being changed in the PR, just the place where it’s instantiated.

Preparing comment for violation of rule custom-001 in modules/security_group/rules.tf
Ignoring - change not part of the current PR

In this case my tf is in a totally separate dir to the module, but as the resource is referencing the template in modules I assume it’s being treated as a resource that is actually created in the modules dir rather than the dir where I’m creating an instance of the module.