---
title: IaC Security and GitHub Actions
description: Use Datadog and GitHub Actions to run IaC Security scans in a CI pipeline.
---

# IaC Security and GitHub Actions

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site).
{% /alert %}

{% /callout %}

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
IaC Security with GitHub Actions is not supported for the app.ddog-gov.com site.
{% /alert %}

{% /callout %}

The [`datadog-iac-scanner-github-action`](https://github.com/DataDog/datadog-iac-scanner-github-action) runs the [Datadog IaC Scanner](https://github.com/DataDog/datadog-iac-scanner) in your GitHub Actions workflows on every push. It detects misconfigurations in Terraform and Kubernetes files, then uploads the results to [IaC Security](https://docs.datadoghq.com/security/code_security/iac_security/).

## Supported platforms{% #supported-platforms %}

| OS      | Architecture  |
| ------- | ------------- |
| Linux   | x86_64, arm64 |
| macOS   | x86_64, arm64 |
| Windows | x86_64        |

## Prerequisites{% #prerequisites %}

Before you begin, make sure you have:

- A [Datadog API key and application key](https://docs.datadoghq.com/account_management/api-app-keys/), stored as [secrets in your GitHub repository](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository) (`DD_API_KEY` and `DD_APP_KEY`).
- Your [Datadog site](https://docs.datadoghq.com/getting_started/site/) (for example, `datadoghq.com` or `datadoghq.eu`).

## Setup{% #setup %}

To add IaC scanning to your GitHub Actions workflow, create a `.github/workflows/datadog-iac-scanning.yml` file in your repository with the following content:

```yaml
on: [push]

name: Datadog IaC Scan

jobs:
  iac-scan:
    runs-on: ubuntu-latest
    name: Datadog IaC Scanner
    steps:
    - name: Checkout
      uses: actions/checkout@v4
    - name: Check the Infrastructure as Code configuration
      id: datadog-iac-scan
      uses: DataDog/datadog-iac-scanner-github-action@v1
      with:
        dd_api_key: ${{ secrets.DD_API_KEY }}
        dd_app_key: ${{ secrets.DD_APP_KEY }}
        dd_site: datadoghq.com
```

### Optional inputs{% #optional-inputs %}

In addition to the required `dd_api_key`, `dd_app_key`, and `dd_site` inputs, you can set the following optional parameters in your workflow file:

| Name                    | Description                                                     | Default |
| ----------------------- | --------------------------------------------------------------- | ------- |
| `paths`                 | Comma-separated list of directories and files to scan.          | `.`     |
| `extra_args`            | Additional arguments passed to the IaC scanner.                 |         |
| `datadog_ci_extra_args` | Additional arguments passed to the `datadog-ci` upload command. |         |
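
The workflow from Setup with least-privilege settings applied, as an added example rather than Datadog's own configuration. It assumes the action needs no GitHub token scope beyond reading the repository; the `timeout-minutes` value is constructed, and `paths` reuses the directories from the examples on this page.

```yaml
# Added example: least-privilege variant of the setup workflow (not Datadog's own file).
name: Datadog IaC Scan

on: [push]

# Drop the default GITHUB_TOKEN scopes; checkout only needs to read the repository.
# Assumption: the scanner action itself needs no further GitHub token permissions.
permissions:
  contents: read

jobs:
  iac-scan:
    runs-on: ubuntu-latest
    name: Datadog IaC Scanner
    timeout-minutes: 15   # constructed value; bounds a hung scan
    steps:
    - name: Checkout
      uses: actions/checkout@v4
      with:
        # Do not leave the GITHUB_TOKEN in .git/config for later steps to read.
        persist-credentials: false
    - name: Check the Infrastructure as Code configuration
      id: datadog-iac-scan
      # Tag as used on this page; pinning to the full commit SHA of a reviewed
      # release instead keeps a moved tag from changing what runs with your keys.
      uses: DataDog/datadog-iac-scanner-github-action@v1
      with:
        # Keys come from repository secrets only; never inline them in the file.
        dd_api_key: ${{ secrets.DD_API_KEY }}
        dd_app_key: ${{ secrets.DD_APP_KEY }}
        dd_site: datadoghq.com
        # Limit the scan to the IaC directories (paths taken from this page's example).
        paths: prepare,deploy,configs/config1.yaml
```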

## Examples{% #examples %}

### Scan specific directories and files{% #scan-specific-directories-and-files %}

```yaml
- uses: DataDog/datadog-iac-scanner-github-action@v1
  with:
    # Scan only these directories and files instead of the whole repository.
    paths: prepare,deploy,configs/config1.yaml
    dd_api_key: ${{ secrets.DD_API_KEY }}
    dd_app_key: ${{ secrets.DD_APP_KEY }}
    dd_site: datadoghq.com
```

### Upload results to a different Datadog site{% #upload-results-to-a-different-datadog-site %}

```yaml
- uses: DataDog/datadog-iac-scanner-github-action@v1
  with:
    dd_site: datadoghq.eu
    dd_api_key: ${{ secrets.DD_API_KEY }}
    dd_app_key: ${{ secrets.DD_APP_KEY }}
```

## Further reading{% #further-reading %}

- [IaC Security](https://docs.datadoghq.com/security/code_security/iac_security/)
- [Set up IaC Security](https://docs.datadoghq.com/security/code_security/iac_security/setup)
- [IaC Security Rules](https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/)
