The AccuKnox IaC Scan GitHub Action enables developers and DevSecOps teams to perform automated security scans on Infrastructure-as-Code (IaC) files such as Terraform and Kubernetes manifests. It seamlessly uploads the scan results to the AccuKnox Console, helping teams identify misconfigurations, enforce compliance, and shift security left in the development lifecycle.
Ensure your infrastructure code is secure, compliant, and free from risky misconfigurations — before it reaches production.
- ✅ IaC Misconfiguration Detection – Scan Terraform and Kubernetes files for security risks and compliance violations.
- 🔒 Shift Left Security – Integrate security checks directly into your CI/CD pipeline for early issue detection.
- 📥 Seamless AccuKnox Console Integration – Automatically send findings to the AccuKnox dashboard for centralized visibility and triage.
- ⚙️ Flexible Configuration – Support for selective scan directories, frameworks (Terraform / Kubernetes), and baseline comparisons.
- 🚦 Fail Builds on Violations – Choose between hard-fail or soft-fail modes to align with your DevOps policies.
Before using this GitHub Action, ensure the following are in place:
- 🔐 AccuKnox Console Access – Sign in to your AccuKnox tenant.
- 🗝️ API Token – Retrieve this from the AccuKnox Console (see Token Generation).
- 🏷️ Label Created in Console – For tagging the uploaded scan reports.
- 🔑 GitHub Secrets Configured – Store the required credentials securely in your repository’s GitHub Secrets.
- Log in to your AccuKnox Console.
- Navigate to Settings → Tokens.
- Click Create Token and save the generated value: Accuknox_token
- Create a label under Dashboard → Labels to tag scan results.
- Go to your GitHub repository: Settings → Secrets and variables → Actions → New repository secret.
- Add the following secrets:
| Secret Name | Description |
|---|---|
| ACCUKNOX_TOKEN | Your AccuKnox API token for authentication |
| ACCUKNOX_ENDPOINT | The AccuKnox API URL (e.g., cspm.demo.accuknox.com) |
| ACCUKNOX_LABEL | Label used to tag and group scan results |
These secrets are required to authenticate the scan and send results to your AccuKnox SaaS dashboard.
Create a workflow file (e.g., .github/workflows/iac-scan.yml) and add the following configuration:
```yaml
name: AccuKnox IaC Scan Workflow
on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
jobs:
  tests:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@main
      - name: Run IaC scan
        uses: accuknox/[email protected]
        with:
          directory: "."                      # Optional: directory to scan
          compact: true                       # Optional: minimise output
          quiet: true                         # Optional: show only failed checks
          output_format: json                 # Optional: output format
          output_file_path: "./results.json"  # Optional: output file path
          soft_fail: true                     # Optional: continue even when violations are found
          # Secret names must match the repository secrets created above
          accuknox_token: ${{ secrets.ACCUKNOX_TOKEN }}
          accuknox_endpoint: ${{ secrets.ACCUKNOX_ENDPOINT }}
          accuknox_label: ${{ secrets.ACCUKNOX_LABEL }}
```

| Input | Description | Optional/Required | Default |
|---|---|---|---|
| file | Specify a single file to scan (e.g., a .tf file). Cannot be combined with directory. | Optional | — |
| directory | Directory with IaC files to scan. | Optional | . (current directory) |
| compact | Minimise output (e.g., hides code blocks). | Optional | — |
| quiet | Show only failed checks in the output. | Optional | false |
| soft_fail | Prevent CI from failing on failed checks. | Optional | false |
| framework | Limit the scan to a specific framework: terraform, kubernetes, etc. (lowercase). | Optional | all |
| skip_framework | Skip scanning of a specific framework. | Optional | — |
| accuknox_token | API token for authenticating with AccuKnox SaaS. | Required | — |
| accuknox_endpoint | URL of the AccuKnox Console to push results to. | Optional | cspm.demo.accuknox.com |
| accuknox_label | Label used in AccuKnox SaaS to organise and identify scan results. | Required | — |
| output_format | Format of the output. Supported: json, cli, etc. | Optional | cli |
| output_file_path | File path to write output results to. | Optional | — |
| baseline | Path to a baseline file used to suppress known findings. | Optional | baseline |
- Developer pushes code – A push or pull request triggers the GitHub Action.
- IaC Scanner runs – Scans Terraform or Kubernetes files for:
  - Misconfigurations
  - Policy violations
  - Compliance issues (e.g., NIST, CIS)
- Scan results uploaded to AccuKnox Console – Using the provided token and label.
- Review findings – Available in the AccuKnox Console: Dashboard → Issues → Findings → Filter by IaC Findings.
- Optional: Fail the pipeline – With soft_fail: false, the pipeline breaks on violations, enforcing CI/CD security.
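As an added example (not from the AccuKnox project), a stricter variant of the quick-start workflow that uses the inputs from the table above in hard-fail mode: pull requests are gated with soft_fail: false, the scan is limited to the Terraform framework under a hypothetical ./infra directory, previously accepted findings are suppressed through a hypothetical ./.iac-baseline file, the job token is reduced to read-only permissions, and the JSON report is kept as an artifact even when the gate fails. The action reference is a placeholder; reuse the value from the quick-start workflow.

```yaml
name: AccuKnox IaC Scan (hard-fail gate)

on:
  pull_request:
    branches:
      - main

# Least privilege: the job only needs to read repository contents.
permissions:
  contents: read

jobs:
  iac-gate:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run IaC scan (Terraform only, hard-fail)
        # Placeholder: use the same action reference as the quick-start workflow.
        uses: accuknox/ACTION_REPO@VERSION
        with:
          directory: "./infra"            # Hypothetical path holding the Terraform code
          framework: terraform            # Scan only Terraform; Kubernetes manifests are skipped
          baseline: "./.iac-baseline"     # Hypothetical baseline file of findings to suppress
          output_format: json
          output_file_path: "./results.json"
          quiet: true                     # Report only failed checks
          soft_fail: false                # Break the build on any violation not in the baseline
          accuknox_token: ${{ secrets.ACCUKNOX_TOKEN }}
          accuknox_endpoint: ${{ secrets.ACCUKNOX_ENDPOINT }}
          accuknox_label: ${{ secrets.ACCUKNOX_LABEL }}

      - name: Keep the scan report for triage
        # Runs even after the gate fails, so reviewers can inspect the findings.
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: iac-scan-results
          path: ./results.json
```

The findings are still uploaded to the AccuKnox Console by the scan step; the artifact only gives reviewers a copy attached to the pull request run.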
| Issue | Cause | Solution |
|---|---|---|
| "Missing required input: token" | GitHub secret not set | Ensure ACCUKNOX_TOKEN is added in Settings → Secrets |
| "Failed to connect to endpoint" | Incorrect API URL or network issue | Check if the endpoint is correct and accessible |
| No scan results in AccuKnox Console | Missing label or invalid credentials | Verify label and token values |
| Workflow fails even with minor findings | soft_fail not set | Set soft_fail: true if you want the build to continue despite findings |
| Empty scan report | Wrong directory or framework used | Check if the directory and framework inputs are correctly set and point to valid IaC files |
- 📚 Read More: AccuKnox Docs
- 📧 Contact Support: [email protected]
The AccuKnox IaC Scan GitHub Action empowers your CI/CD pipelines with automated security scanning for Terraform and Kubernetes configurations. Identify misconfigurations early, enforce policy controls, and maintain continuous compliance for your infrastructure code.
🔐 Shift Left with AccuKnox – Secure Your Infrastructure from Code to Cloud! ☁️🛡️