Infrastructure as Code (IaC) has changed how we deploy cloud resources, but the same automation that ships a fix in minutes can ship a misconfiguration just as fast. In this guide, we'll show you how to stop "Bad HCL" before it ever reaches production by running TFGaurd as a pull-request gate in GitHub Actions.

The Cost of Insecure Infrastructure

Recent industry breach reports attribute over 93% of cloud breaches to misconfigurations in services like S3, RDS, and Security Groups rather than to novel exploits. Manually auditing every Pull Request for those mistakes is impossible at scale. DevSecOps requires an automated scanner that keeps your code on your own runners and integrates directly into the CI/CD pipelines you already have.

Why TFGaurd for CI/CD?
  • 100% Local: Your HCL never leaves your runner, so there is no third-party SaaS to leak it.
  • Fast: The built-in engine audits 1,000+ resources in under 2 seconds, so it fits inside a PR check.
  • Zero Config: No complex YAML setup. One command is all it takes.

Step 1: Setup your Workflow

Add a new workflow file at .github/workflows/tfgaurd-audit.yml. We'll use the GitHub-hosted Ubuntu runners, which already come with Python and pip pre-installed.

name: TFGaurd Security Audit
on:
  pull_request:
    branches: [ main, master ]

# The scan only needs to read the checkout; drop the write scopes the
# default GITHUB_TOKEN would otherwise carry.
permissions:
  contents: read

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install TFGaurd
        run: python -m pip install tfgaurd-engine

      - name: Security Scan
        run: tfgaurd scan .

Step 2: Handling Failures

By default, the tfgaurd scan command exits with a non-zero code if any high or critical violations are found, which fails the step and therefore the job. To turn that red X into a hard merge block, mark the "audit" check as required in the branch protection rule or ruleset for main/master; without that, a failed check is only advisory and a reviewer can still merge. With the check required, the Pull Request cannot be merged until the findings are resolved, giving you a "Secure by Default" codebase.

Unlocking Premium Rules in CI

If you have a TFGaurd Premium subscription, you can unlock 1,200+ advanced rules for GCP, Azure, and Oracle by storing your API key as a GitHub Secret. Pass it to the scanner through the step's environment rather than interpolating ${{ secrets.* }} directly into the run: line; an expression in run: is written verbatim into the generated shell script, while an environment variable is never part of the script text and is not affected by shell quoting.

      - name: Premium Scan
        env:
          TFGAURD_API_KEY: ${{ secrets.TFGAURD_API_KEY }}
        run: tfgaurd scan . --api-key "$TFGAURD_API_KEY"

Pro-Tip: Go to Settings -> Secrets and variables -> Actions in your GitHub repository to add your key securely. GitHub masks the secret's value in job logs, but note that secrets are not exposed to pull_request runs triggered from forked repositories, so the variable will be empty there and a premium scan step that assumes it will fail. Guard the step, or fall back to the free rule set, for fork PRs.
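Putting Steps 1 and 2 and the premium key together, here is a complete hardened version of the workflow. This is an added example, not a file shipped by TFGaurd or taken from the original guide: the only TFGaurd-specific parts are the tfgaurd-engine package, the tfgaurd scan command and the --api-key flag shown above, and the TFGAURD_API_KEY secret name; everything else is standard GitHub Actions syntax. It reads the key from the job environment (empty on fork PRs, so it falls back to the free scan), and uses continue-on-error with the PR's draft flag so that draft PRs get an advisory scan while ready-for-review PRs are gated fail-closed.

```yaml
name: TFGaurd Security Audit

on:
  pull_request:
    branches: [ main, master ]

# Least privilege for GITHUB_TOKEN: the scan only reads the checkout.
permissions:
  contents: read

# A new push to the same PR cancels the scan of the superseded commit.
concurrency:
  group: tfgaurd-${{ github.event.pull_request.number }}
  cancel-in-progress: true

jobs:
  audit:
    runs-on: ubuntu-latest
    env:
      # Secret name from the guide. On pull_request runs from forks GitHub
      # does not supply repository secrets, so this is empty there.
      TFGAURD_API_KEY: ${{ secrets.TFGAURD_API_KEY }}
    steps:
      - uses: actions/checkout@v4

      - name: Install TFGaurd
        run: python -m pip install tfgaurd-engine

      # Draft PRs: run the scan but do not fail the job (advisory mode).
      # Ready PRs: a high/critical finding exits non-zero and fails the job.
      # Make this check "required" in branch protection to block merging.
      - name: Security Scan
        continue-on-error: ${{ github.event.pull_request.draft }}
        run: |
          set -euo pipefail
          if [ -n "${TFGAURD_API_KEY:-}" ]; then
            # Key is read from the environment, never interpolated with
            # ${{ }} into this script, so it is not part of the script text.
            echo "Premium rule set enabled"
            tfgaurd scan . --api-key "$TFGAURD_API_KEY"
          else
            echo "No API key available (free rule set, e.g. fork PR)"
            tfgaurd scan .
          fi
```

Two things to watch when adopting this: a step that continues on error still shows a green check on the draft PR, so reviewers should read the scan log before marking it ready; and the required-check name you configure in branch protection must match the job name ("audit") exactly, or the gate silently does nothing.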

The Result: Shift-Left Security

With this short workflow file, your DevOps team now has a full-scale security gate. Every Pull Request targeting main or master is audited against industry benchmarks (CIS, NIST, AWS Best Practices) without the code ever being uploaded to a third-party cloud provider.