[[["容易理解","easyToUnderstand","thumb-up"],["確實解決了我的問題","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["難以理解","hardToUnderstand","thumb-down"],["資訊或程式碼範例有誤","incorrectInformationOrSampleCode","thumb-down"],["缺少我需要的資訊/範例","missingTheInformationSamplesINeed","thumb-down"],["翻譯問題","translationIssue","thumb-down"],["其他","otherDown","thumb-down"]],["上次更新時間:2025-09-05 (世界標準時間)。"],[],[],null,["| Premium and Enterprise [service tiers](/security-command-center/docs/service-tiers) (requires [organization-level activation](/security-command-center/docs/activate-scc-overview#overview_of_organization-level_activation))\n\nYou can use the [Analyze Code Security\naction](https://github.com/marketplace/actions/analyze-code-security) to\nvalidate the infrastructure as code (IaC) that is part of your GitHub Actions\nworkflow. Validating IaC lets you determine whether your Terraform resource\ndefinitions violate the existing organization policies and\nSecurity Health Analytics detectors that are applied to your Google Cloud resources.\n\nFor more information about IaC validation, see\n[Validate your IaC against your Google Cloud organization's policies](/security-command-center/docs/validate-iac).\n\nBefore you begin\n\nComplete these tasks to get started with IaC validation with GitHub Actions.\n\nActivate the Security Command Center Premium tier or Enterprise tier\n\nVerify that the\n[Security Command Center Premium tier or Enterprise tier](/security-command-center/docs/activate-scc-overview)\nis activated at the organization level.\n\nActivating Security Command Center enables the `securityposture.googleapis.com` and\n`securitycentermanagement.googleapis.com` APIs.\n\nCreate a service account\n\nCreate a service account that you can use for the Analyze Code Security\naction.\n\n1.\n In the Google Cloud console, go to the **Create service account** page.\n\n [Go to Create service account](https://console.cloud.google.com/projectselector/iam-admin/serviceaccounts/create?supportedpurview=project)\n2. Select your project.\n3.\n In the **Service account name** field, enter a name. The Google Cloud console fills\n in the **Service account ID** field based on this name.\n\n\n In the **Service account description** field, enter a description. For example,\n `Service account for quickstart`.\n4. Click **Create and continue**.\n5.\n Grant the **Security Posture Shift-Left Validator** role to the service account.\n\n\n To grant the role, find the **Select a role** list, then select\n **Security Posture Shift-Left Validator**.\n | **Note** : The **Role** field affects which resources the service account can access in your project. You can revoke these roles or grant additional roles later.\n6. Click **Continue**.\n7.\n Click **Done** to finish creating the service account.\n\n\u003cbr /\u003e\n\nFor more information about IaC validation permissions, see\n[IAM for organization-level activations](/security-command-center/docs/access-control-org).\n\nSet up authentication\n\n1. Configure Workload Identity Federation with your GitHub identity provider. For\n instructions, see\n [Workload Identity Federation](/iam/docs/workload-identity-federation).\n\n2. Obtain the URL for your Workload Identity Federation ID token. For example,\n `https://iam.googleapis.com/projects/`\u003cvar translate=\"no\"\u003ePROJECT_NUMBER\u003c/var\u003e`/locations/global/workloadIdentityPools/`\u003cvar translate=\"no\"\u003ePOOL_ID\u003c/var\u003e`/providers/`\u003cvar translate=\"no\"\u003ePROVIDER_ID\u003c/var\u003e.\n\n Consider the following:\n - \u003cvar translate=\"no\"\u003ePROJECT_NUMBER\u003c/var\u003e is the project number for the Google Cloud project that you set up Workload Identity Federation in.\n - \u003cvar translate=\"no\"\u003ePOOL_ID\u003c/var\u003e is the pool name.\n - \u003cvar translate=\"no\"\u003ePROVIDER_ID\u003c/var\u003e is the name of your identity provider.\n3. Add the [Authenticate to Google Cloud\n action](https://github.com/marketplace/actions/authenticate-to-google-cloud)\n to your workflow to authenticate the IaC validation action.\n\nDefine your policies\n\nDefine your\n[organization policies](/resource-manager/docs/organization-policy/creating-managing-policies)\nand\n[Security Health Analytics detectors](/security-command-center/docs/concepts-security-health-analytics).\nTo define these policies using a security posture, complete the tasks in\n[Create and deploy a posture](/security-command-center/docs/how-to-use-security-posture#create_and_deploy_a_posture).\n\nCreate your Terraform plan JSON file\n\n1. Create your Terraform code. For instructions, see [Create your Terraform\n code](/security-command-center/docs/validate-iac#create_your_terraform_code).\n\n2. In your GitHub Actions, initialize Terraform. For example, if you're using\n the [HashiCorp - Setup Terraform action](https://github.com/marketplace/actions/hashicorp-setup-terraform), run the following command:\n\n - name: Terraform Init\n id: init\n run: terraform init\n\n3. Create a Terraform plan file:\n\n - name: Create Terraform Plan\n id: plan\n run: terraform plan -out=\u003cvar translate=\"no\"\u003eTF_PLAN_FILE\u003c/var\u003e\n\n Replace \u003cvar translate=\"no\"\u003eTF_PLAN_FILE\u003c/var\u003e with the name for the Terraform plan\n file. For example, `myplan.tfplan`.\n4. Convert your plan file into JSON format:\n\n - name: Convert Terraform Plan to JSON\n id: convert\n run: terraform show -no-color -json \u003cvar translate=\"no\"\u003eTF_PLAN_FILE\u003c/var\u003e \u003e \u003cvar translate=\"no\"\u003eTF_PLAN_JSON_FILE\u003c/var\u003e\n\n Replace \u003cvar translate=\"no\"\u003eTF_PLAN_JSON_FILE\u003c/var\u003e with the name for the Terraform\n plan file, in JSON format. For example, `mytfplan.json`.\n\nAdd the action to your GitHub Actions workflow\n\n1. In the GitHub repository, browse to your workflow.\n2. Open the workflow editor.\n3. In the GitHub Marketplace sidebar, search for **Analyze Code Security**.\n4. In the **Installation** section, copy the syntax.\n5. Paste the syntax as a new step into your workflow.\n6. Replace the following values:\n\n - `workload_identity_provider` with the link to the URL for your Workload Identity Federation ID token.\n - `service_account` with the email address of the service account that you created for the action.\n - `organization_id` with your Google Cloud organization ID.\n - `scan_file_ref` with the path to your Terraform plan file, in JSON format.\n - `failure_criteria` with the failure threshold criteria that determines when the action fails. The threshold criteria is based on the number of critical, high, medium, and low severity issues that the IaC validation scan encounters. `failure_criteria` specifies how many issues of each severity are permitted and how the issues are aggregated (either `AND` or `OR`). For example, if you want the action to fail if it encounters one critical issue *or* one high severity issue, set the `failure_criteria` to `Critical:1,High:1,Operator:OR`. The default is `Critical:1,High:1,Medium:1,Low:1,Operator:OR`, which means that if the IaC validation scan encounters any issue, the action must fail.\n\nYou can now run the workflow to validate your Terraform plan file. To run the\nworkflow manually, see [Manually running a\nworkflow](https://docs.github.com/en/actions/using-workflows/manually-running-a-workflow).\n\nView the IaC violation report\n\n1. In your GitHub repository, click **Actions** and select your workflow.\n\n2. Click the most recent run for your workflow.\n\n In the **Artifacts** section, the violation report (`ias-scan-sarif.json`) is available in a zip file. The report includes the\n following fields:\n - A `rules` field that describes which policies were violated by the Terraform plan. Each rule includes a `ruleID` that you can match with the results that are included in the report.\n - A `results` field that describes the proposed asset modifications that violate a specific rule.\n3. Resolve any violations within your Terraform code before applying it.\n\nWhat's next\n\n- View the [analyze-code-security-scc action\n source code](https://github.com/google-github-actions/analyze-code-security-scc/) in GitHub."]]
