[#227] Add docs and copy the trivy.yaml alongside with generating pro…

…ject
nimblehq · Dec 5, 2023 · 60e3b42 · 60e3b42
1 parent a702de5
commit 60e3b42
Show file tree

Hide file tree

Showing 7 changed files with 46 additions and 1 deletion.
diff --git a/.github/wiki/Testing.md b/.github/wiki/Testing.md
@@ -11,4 +11,3 @@ npm run lint // to check linting
 
 npm run lint:fix // to fix linting
 ```
-
diff --git a/.github/wiki/Trivy-local-running.md b/.github/wiki/Trivy-local-running.md
@@ -0,0 +1,12 @@
+This project is using Trivy as a vulnerability scanner to replace the role of `tfsec` with some extra benefits:
+1. Access to more languages and features in the same tool.
+2. Access to more integrations with tools and services through the rich ecosystem around Trivy.
+3. Commercially supported by Aqua as well as by a the passionate Trivy community. tfsec will continue to remain available for the time being, although our engineering attention will be directed at Trivy going forward.
+
+## Trivy Local Scan
+```bash
+# Project root directory
+trivy config .
+```
+
+For more information, please refer to the [Trivy documentation](https://github.com/aquasecurity/trivy)
diff --git a/.github/wiki/_Sidebar.md b/.github/wiki/_Sidebar.md
@@ -15,3 +15,4 @@
 - [[Testing]]
 - [[Modify the Infrastructure Diagram | Modify infra diagram]]
 - [[Publishing]]
+- [[Trivy Local Running]]
diff --git a/src/generators/terraform/index.test.ts b/src/generators/terraform/index.test.ts
@@ -26,6 +26,7 @@ describe('Core codebase', () => {
       const expectedFiles = [
         '.gitignore',
         '.tool-versions',
+        'trivy.yaml',
         'core/main.tf',
         'core/outputs.tf',
         'core/variables.tf',

diff --git a/templates/addons/aws/modules/iam_groups/main.tf b/templates/addons/aws/modules/iam_groups/main.tf
@@ -18,6 +18,7 @@ resource "aws_iam_group_policy_attachment" "admin_access" {
   policy_arn = data.aws_iam_policy.admin_access.arn
 }
 
+# Policy from https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_my-sec-creds-self-manage.html
 # trivy:ignore:AVD-AWS-0057
 resource "aws_iam_group_policy" "developer_allow_manage_own_credentials" {
   group  = aws_iam_group.developer.name

diff --git a/templates/terraform/gitignore b/templates/terraform/gitignore
@@ -42,3 +42,6 @@ terraform.rc
 
 # Emacs
 .dir-locals.el
+
+# Trivy
+trivy-output.json
diff --git a/templates/terraform/trivy.yaml b/templates/terraform/trivy.yaml
@@ -0,0 +1,28 @@
+timeout: 10m
+format: json
+dependency-tree: true
+list-all-pkgs: true
+exit-code: 1
+output: trivy-output.json
+# All severity levels
+severity:
+  - UNKNOWN
+  - LOW
+  - MEDIUM
+  - HIGH
+  - CRITICAL
+scan:
+  skip-dirs:
+    - .github/
+    - core/.terraform/
+    - shared/.terraform/
+
+  scanners:
+    - vuln
+    - secret
+
+vulnerability:
+  type:
+    - os
+    - library
+  ignore-unfixed: true
Original file line number	Diff line number	Diff line change
Expand Up		@@ -11,4 +11,3 @@ npm run lint // to check linting

		npm run lint:fix // to fix linting
		```
-Original file line number
+Diff line change
@@ Expand Up / @@ -42,3 +42,6 @@ terraform.rc @@
     # Emacs
     .dir-locals.el
+    # Trivy
+    trivy-output.json