
The datadog-iac-scanner-github-action runs the Datadog IaC Scanner in your GitHub Action workflows on every push. It detects misconfigurations in Terraform and Kubernetes files, then uploads the results to IaC Security.

Supported platforms

| OS | Architecture |
|---|---|
| Linux | x86_64, arm64 |
| macOS | x86_64, arm64 |
| Windows | x86_64 |

Prerequisites

Before you begin, make sure you have:

Setup

To add IaC scanning to your GitHub Actions workflow, create a .github/workflows/datadog-iac-scanning.yml file in your repository with the following content:

on: [push]

name: Datadog IaC Scan

jobs:
  iac-scan:
    runs-on: ubuntu-latest
    name: Datadog IaC Scanner
    steps:
    - name: Checkout
      uses: actions/checkout@v4
    - name: Check the Infrastructure as Code configuration
      id: datadog-iac-scan
      uses: DataDog/datadog-iac-scanner-github-action@v1
      with:
        dd_api_key: ${{ secrets.DD_API_KEY }}
        dd_app_key: ${{ secrets.DD_APP_KEY }}
        dd_site: datadoghq.com

Optional inputs

In addition to the required dd_api_key, dd_app_key, and dd_site inputs, you can set the following optional parameters in your workflow file:

| Name | Description | Default |
|---|---|---|
| paths | Comma-separated list of directories and files to scan. | . |
| extra_args | Additional arguments passed to the IaC scanner. | |
| datadog_ci_extra_args | Additional arguments passed to the datadog-ci upload command. | |

Examples

Scan specific directories and files

- uses: DataDog/datadog-iac-scanner-github-action@v1
  with:
    paths: prepare,deploy,configs/config1.yaml
    dd_api_key: ${{ secrets.DD_API_KEY }}
    dd_app_key: ${{ secrets.DD_APP_KEY }}

Upload results to a different Datadog site

- uses: DataDog/datadog-iac-scanner-github-action@v1
  with:
    dd_site: datadoghq.eu
    dd_api_key: ${{ secrets.DD_API_KEY }}
    dd_app_key: ${{ secrets.DD_APP_KEY }}
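
Scan with a read-only GitHub token

The following workflow is an added example, not taken from Datadog's documentation. It is the Setup workflow with the job's GITHUB_TOKEN restricted to read-only and the scan limited to named directories. The permissions block, the persist-credentials setting, and the paths values are assumptions to adapt to your repository.

```yaml
on: [push]

name: Datadog IaC Scan

# Least privilege for the job's GITHUB_TOKEN: read-only repository access.
# Assumption: the scanner step needs no other token scopes, because the
# upload authenticates with the Datadog keys, not the GitHub token.
permissions:
  contents: read

jobs:
  iac-scan:
    runs-on: ubuntu-latest
    name: Datadog IaC Scanner
    steps:
    - name: Checkout
      uses: actions/checkout@v4
      with:
        # Do not leave the GitHub token in the local git config for later steps.
        persist-credentials: false
    - name: Check the Infrastructure as Code configuration
      id: datadog-iac-scan
      uses: DataDog/datadog-iac-scanner-github-action@v1
      with:
        # Constructed sample paths; replace with the directories that hold
        # your Terraform and Kubernetes files.
        paths: terraform,k8s/manifests
        dd_api_key: ${{ secrets.DD_API_KEY }}
        dd_app_key: ${{ secrets.DD_APP_KEY }}
        dd_site: datadoghq.com
```

Both uses: references can also be pinned to a full commit SHA instead of a version tag, so that a retagged release cannot change the code that receives the Datadog keys.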
