From b6afa40735ef0db1ba74015a065e4945e7f63c0b Mon Sep 17 00:00:00 2001 From: nvminhtue Date: Wed, 22 Nov 2023 22:38:08 +0700 Subject: [PATCH 01/15] [#227] Migrate from tfsec to Trivy From b31bf5dd747be03b827a59d19de3f266417f77da Mon Sep 17 00:00:00 2001 From: nvminhtue Date: Wed, 22 Nov 2023 22:48:55 +0700 Subject: [PATCH 02/15] [#227] Add trivy config --- .gitignore | 3 ++ .../github/.github/workflows/lint.yml | 10 ++++--- templates/terraform/.tool-versions | 2 +- trivy.yaml | 28 +++++++++++++++++++ 4 files changed, 38 insertions(+), 5 deletions(-) create mode 100644 trivy.yaml diff --git a/.gitignore b/.gitignore index 68aacfe3..cb54e198 100644 --- a/.gitignore +++ b/.gitignore @@ -20,3 +20,6 @@ tsconfig.tsbuildinfo # Emacs .dir-locals.el + +# Trivy +trivy-output.json diff --git a/templates/addons/versionControl/github/.github/workflows/lint.yml b/templates/addons/versionControl/github/.github/workflows/lint.yml index 478e0bb9..80a78496 100644 --- a/templates/addons/versionControl/github/.github/workflows/lint.yml +++ b/templates/addons/versionControl/github/.github/workflows/lint.yml @@ -33,8 +33,10 @@ jobs: - name: Run Terraform format run: terraform fmt -recursive -check - - name: Run tfsec linter - id: tfsec - uses: aquasecurity/tfsec-action@v1.0.3 + - name: Run trivy linter + uses: aquasecurity/trivy-action@0.12.0 with: - version: ${{ env.TFSEC_VERSION }} + image-ref: '.' + scan-type: 'fs' + scan-ref: '.' + trivy-config: trivy.yaml diff --git a/templates/terraform/.tool-versions b/templates/terraform/.tool-versions index 008f6876..97859cc4 100644 --- a/templates/terraform/.tool-versions +++ b/templates/terraform/.tool-versions @@ -1,2 +1,2 @@ terraform 1.5.5 -tfsec 1.28.1 +trivy 0.47.0 diff --git a/trivy.yaml b/trivy.yaml new file mode 100644 index 00000000..41831c0d --- /dev/null +++ b/trivy.yaml 
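Review bot: The new lint step pins `aquasecurity/trivy-action@0.12.0` by a mutable tag, so the scanner that gates this repository can change underneath the workflow without a diff here; pin it to the release's commit SHA and keep the version in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<commit-sha> # 0.12.0`. `image-ref: '.'` has no meaning when `scan-type: 'fs'` is set and should be dropped to avoid suggesting an image is being scanned. The action also installs its own Trivy release, so CI and the `trivy 0.47.0` recorded in `.tool-versions` in the same commit can disagree on rules and results; if this action version accepts a `version:` input, set it to the same value.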
@@ -0,0 +1,28 @@ +timeout: 10m +format: json +dependency-tree: true +list-all-pkgs: true +exit-code: 1 +output: trivy-output.json +# All severity levels +severity: + - UNKNOWN + - LOW + - MEDIUM + - HIGH + - CRITICAL +scan: + skip-dirs: + - .github/ + - core/.terraform/ + - shared/.terraform/ + + scanners: + - vuln + - secret + +vulnerability: + type: + - os + - library + ignore-unfixed: true From a02367ac6b49ef36ffaed2cd059dd437f1a196af Mon Sep 17 00:00:00 2001 From: nvminhtue Date: Fri, 24 Nov 2023 17:46:21 +0700 Subject: [PATCH 03/15] [#227] Replace tfsec ignores by trivy's --- src/generators/addons/aws/modules/alb.ts | 6 +++--- src/generators/addons/aws/modules/ecs.ts | 2 +- templates/addons/aws/modules/alb/main.tf | 4 ++-- templates/addons/aws/modules/bastion/main.tf | 2 +- templates/addons/aws/modules/cloudwatch/main.tf | 2 +- templates/addons/aws/modules/ecr/main.tf | 2 +- templates/addons/aws/modules/ecs/main.tf | 2 +- templates/addons/aws/modules/iam_groups/main.tf | 9 ++++----- templates/addons/aws/modules/s3/main.tf | 2 +- templates/addons/aws/modules/vpc/main.tf | 2 +- 10 files changed, 16 insertions(+), 17 deletions(-) diff --git a/src/generators/addons/aws/modules/alb.ts b/src/generators/addons/aws/modules/alb.ts index 0f541f23..a0bb7286 100644 --- a/src/generators/addons/aws/modules/alb.ts +++ b/src/generators/addons/aws/modules/alb.ts @@ -58,7 +58,7 @@ const albSGMainContent = dedent` } } - # tfsec:ignore:aws-ec2-no-public-ingress-sgr + # trivy:ignore:AVD-AWS-0107 resource "aws_security_group_rule" "alb_ingress_https" { type = "ingress" security_group_id = aws_security_group.alb.id @@ -69,7 +69,7 @@ const albSGMainContent = dedent` description = "From HTTPS to ALB" } - # tfsec:ignore:aws-ec2-no-public-ingress-sgr + # trivy:ignore:AVD-AWS-0107 resource "aws_security_group_rule" "alb_ingress_http" { type = "ingress" security_group_id = aws_security_group.alb.id 
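Review bot: `scan.scanners` lists only `vuln` and `secret`, so the Terraform misconfiguration checks that tfsec used to provide are never enabled by this config; with `trivy fs` wired as in the workflow, none of the `trivy:ignore:AVD-…` directives introduced later in this series have anything to suppress and an open security group would pass the gate. Add the misconfiguration scanner to the list (`- misconfig`; older releases accept `config` — confirm against the 0.47 docs). Two other settings deserve a why-comment: `ignore-unfixed: true` silently drops CVEs that have no vendor fix, and `exit-code: 1` together with a severity list that starts at `UNKNOWN` means a single LOW finding fails the pipeline, which is rarely what a lint gate intends.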
@@ -80,7 +80,7 @@ const albSGMainContent = dedent` description = "From HTTP to ALB" } - # tfsec:ignore:aws-ec2-no-public-egress-sgr + # trivy:ignore:AVD-AWS-0104 resource "aws_security_group_rule" "alb_egress" { type = "egress" security_group_id = aws_security_group.alb.id diff --git a/src/generators/addons/aws/modules/ecs.ts b/src/generators/addons/aws/modules/ecs.ts index 2da9b3e7..41adf7a6 100644 --- a/src/generators/addons/aws/modules/ecs.ts +++ b/src/generators/addons/aws/modules/ecs.ts @@ -139,7 +139,7 @@ const ecsSGMainContent = dedent` description = "From internal VPC to app" } - # tfsec:ignore:aws-ec2-no-public-egress-sgr + # trivy:ignore:AVD-AWS-0104 resource "aws_security_group_rule" "ecs_fargate_egress_anywhere" { type = "egress" security_group_id = aws_security_group.ecs_fargate.id diff --git a/templates/addons/aws/modules/alb/main.tf b/templates/addons/aws/modules/alb/main.tf index 7e86f94e..2e11f599 100644 --- a/templates/addons/aws/modules/alb/main.tf +++ b/templates/addons/aws/modules/alb/main.tf @@ -2,7 +2,7 @@ locals { enable_stickiness = false } -# tfsec:ignore:aws-elb-alb-not-public +# trivy:ignore:AVD-AWS-0053 resource "aws_lb" "main" { name = "${var.env_namespace}-alb" internal = false @@ -48,7 +48,7 @@ resource "aws_lb_target_group" "target_group" { } } -# tfsec:ignore:aws-elb-http-not-used +# trivy:ignore:AVD-AWS-0054 resource "aws_lb_listener" "app_http" { load_balancer_arn = aws_lb.main.arn port = "80" diff --git a/templates/addons/aws/modules/bastion/main.tf b/templates/addons/aws/modules/bastion/main.tf index 5abf8d59..9950a6f4 100644 --- a/templates/addons/aws/modules/bastion/main.tf +++ b/templates/addons/aws/modules/bastion/main.tf @@ -1,4 +1,4 @@ -# tfsec:ignore:aws-ec2-no-public-ip +# trivy:ignore:AVD-AWS-0009 resource "aws_launch_configuration" "bastion_instance" { name_prefix = "${var.env_namespace}-bastion-" image_id = var.image_id 
diff --git a/templates/addons/aws/modules/cloudwatch/main.tf b/templates/addons/aws/modules/cloudwatch/main.tf index ef0a551e..6d30258c 100644 --- a/templates/addons/aws/modules/cloudwatch/main.tf +++ b/templates/addons/aws/modules/cloudwatch/main.tf @@ -1,4 +1,4 @@ -# tfsec:ignore:aws-cloudwatch-log-group-customer-key +# trivy:ignore:AVD-AWS-0017 resource "aws_cloudwatch_log_group" "main" { name = "awslogs-${var.env_namespace}-log-group" retention_in_days = var.log_retention_in_days diff --git a/templates/addons/aws/modules/ecr/main.tf b/templates/addons/aws/modules/ecr/main.tf index e242abad..26255712 100644 --- a/templates/addons/aws/modules/ecr/main.tf +++ b/templates/addons/aws/modules/ecr/main.tf @@ -1,4 +1,4 @@ -# tfsec:ignore:aws-ecr-enforce-immutable-repository tfsec:ignore:aws-ecr-repository-customer-key +# trivy:ignore:AVD-AWS-0031 trivy:ignore:AVD-AWS-0033 resource "aws_ecr_repository" "main" { name = var.env_namespace diff --git a/templates/addons/aws/modules/ecs/main.tf b/templates/addons/aws/modules/ecs/main.tf index 44daf54e..7e678932 100644 --- a/templates/addons/aws/modules/ecs/main.tf +++ b/templates/addons/aws/modules/ecs/main.tf @@ -102,7 +102,7 @@ resource "aws_iam_policy" "ecs_task_execution_ssm" { policy = local.ecs_task_execution_ssm_policy } -# tfsec:ignore:aws-iam-no-policy-wildcards +# trivy:ignore:AVD-AWS-0057 resource "aws_iam_policy" "ecs_task_excution_service_scaling" { name = "${var.env_namespace}-ECSAutoScalingPolicy" policy = local.ecs_service_scaling_policy diff --git a/templates/addons/aws/modules/iam_groups/main.tf b/templates/addons/aws/modules/iam_groups/main.tf index ab94b7a0..2915ba74 100644 --- a/templates/addons/aws/modules/iam_groups/main.tf +++ b/templates/addons/aws/modules/iam_groups/main.tf 
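Review bot: The ECR line packs two directives into one comment, `# trivy:ignore:AVD-AWS-0031 trivy:ignore:AVD-AWS-0033`; tfsec accepted that form, but nothing in this series confirms that Trivy parses more than the first directive per comment, and one directive per line is unambiguous either way. The numeric IDs also drop the self-describing rule names the tfsec comments carried, so a reader can no longer tell what is being waived without looking each ID up; keep the reason next to each directive, e.g. `# trivy:ignore:AVD-AWS-0031 <why immutable tags are not wanted here>` on its own line, and likewise for the customer-managed-key waivers in the cloudwatch hunk above. The same applies to the wildcard-policy waiver in the ecs hunk, which is the one most worth a stated justification.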
@@ -1,14 +1,14 @@ -#tfsec:ignore:aws-iam-enforce-group-mfa +# trivy:ignore:AVD-AWS-0123 resource "aws_iam_group" "admin" { name = "${var.project_name}-admin-group" } -#tfsec:ignore:aws-iam-enforce-group-mfa +# trivy:ignore:AVD-AWS-0123 resource "aws_iam_group" "infra-service-account" { name = "${var.project_name}-infra-service-account-group" } -#tfsec:ignore:aws-iam-enforce-group-mfa +# trivy:ignore:AVD-AWS-0123 resource "aws_iam_group" "developer" { name = "${var.project_name}-developer-group" } @@ -18,8 +18,7 @@ resource "aws_iam_group_policy_attachment" "admin_access" { policy_arn = data.aws_iam_policy.admin_access.arn } -# Policy from https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_my-sec-creds-self-manage.html -# tfsec:ignore:aws-iam-no-policy-wildcards +# trivy:ignore:AVD-AWS-0057 resource "aws_iam_group_policy" "developer_allow_manage_own_credentials" { group = aws_iam_group.developer.name policy = local.allow_manage_own_credentials diff --git a/templates/addons/aws/modules/s3/main.tf b/templates/addons/aws/modules/s3/main.tf index aed7d0d2..bc7ee532 100644 --- a/templates/addons/aws/modules/s3/main.tf +++ b/templates/addons/aws/modules/s3/main.tf @@ -1,6 +1,6 @@ data "aws_elb_service_account" "elb_service_account" {} -# tfsec:ignore:aws-s3-enable-versioning tfsec:ignore:aws-s3-enable-bucket-logging tfsec:ignore:aws-s3-encryption-customer-key tfsec:ignore:aws-s3-enable-bucket-encryption +# trivy:ignore:AVD-AWS-0089 trivy:ignore:AVD-AWS-0132 trivy:ignore:AVD-AWS-0088 trivy:ignore:AVD-AWS-0090 resource "aws_s3_bucket" "alb_log" { bucket = "${var.env_namespace}-alb-log" force_destroy = true diff --git a/templates/addons/aws/modules/vpc/main.tf b/templates/addons/aws/modules/vpc/main.tf index f3762043..a4a20c02 100644 --- a/templates/addons/aws/modules/vpc/main.tf +++ b/templates/addons/aws/modules/vpc/main.tf 
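Review bot: The ALB log bucket now carries four opaque IDs on one line where the tfsec comment at least named what was being waived — versioning, access logging, a customer-managed key and default encryption. One of these has a real justification (as far as I recall the ALB docs, access logging only writes with SSE-S3, so a customer-managed key cannot be used), but default bucket encryption and versioning are not obviously out of reach for a log bucket, and nothing in the hunk says why they are waived. Put one directive per line with its reason after it, e.g. `# trivy:ignore:<id> ALB access logs only support SSE-S3`, and remove the waivers that have no reason. Dropping the `# Policy from …` link above the developer policy also removes the only explanation of why that wildcard is acceptable; keep it (a later commit in this series restores it).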
@@ -1,6 +1,6 @@ data "aws_availability_zones" "available" {} -# tfsec:ignore:aws-ec2-require-vpc-flow-logs-for-all-vpcs tfsec:ignore:aws-ec2-no-public-ip-subnet +# trivy:ignore:AVD-AWS-0178 trivy:ignore:AVD-AWS-0164 module "vpc" { source = "terraform-aws-modules/vpc/aws" version = "3.0.0" From 38bd0a8f5ebb34443ae59df94926a6c44e27f5e2 Mon Sep 17 00:00:00 2001 From: nvminhtue Date: Mon, 27 Nov 2023 09:47:14 +0700 Subject: [PATCH 04/15] [#227] Remove TFSEC version on lint file --- .../addons/versionControl/github/.github/workflows/lint.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/templates/addons/versionControl/github/.github/workflows/lint.yml b/templates/addons/versionControl/github/.github/workflows/lint.yml index 80a78496..76e9cd17 100644 --- a/templates/addons/versionControl/github/.github/workflows/lint.yml +++ b/templates/addons/versionControl/github/.github/workflows/lint.yml @@ -5,7 +5,6 @@ on: env: TERRAFORM_VERSION: "1.5.5" - TFSEC_VERSION: "v1.28.1" concurrency: group: ${{ github.workflow }}-${{ github.ref }} From 43017f462bb3bbd5997239555dd6cdde630a4e31 Mon Sep 17 00:00:00 2001 From: nvminhtue Date: Tue, 5 Dec 2023 18:11:23 +0700 Subject: [PATCH 05/15] [#227] Add docs and copy the trivy.yaml alongside with generating project --- .github/wiki/Testing.md | 1 - .github/wiki/Trivy-local-running.md | 12 ++++++++ .github/wiki/_Sidebar.md | 1 + src/generators/terraform/index.test.ts | 1 + .../addons/aws/modules/iam_groups/main.tf | 1 + templates/terraform/gitignore | 3 ++ templates/terraform/trivy.yaml | 28 +++++++++++++++++++ 7 files changed, 46 insertions(+), 1 deletion(-) create mode 100644 .github/wiki/Trivy-local-running.md create mode 100644 templates/terraform/trivy.yaml diff --git a/.github/wiki/Testing.md b/.github/wiki/Testing.md index 77843ffa..50ed7a1d 100644 --- a/.github/wiki/Testing.md +++ b/.github/wiki/Testing.md @@ -11,4 +11,3 @@ npm run lint // to check linting npm run lint:fix // to fix linting ``` - 
diff --git a/.github/wiki/Trivy-local-running.md b/.github/wiki/Trivy-local-running.md new file mode 100644 index 00000000..c4df97d5 --- /dev/null +++ b/.github/wiki/Trivy-local-running.md @@ -0,0 +1,12 @@ +This project is using Trivy as a vulnerability scanner to replace the role of `tfsec` with some extra benefits: +1. Access to more languages and features in the same tool. +2. Access to more integrations with tools and services through the rich ecosystem around Trivy. +3. Commercially supported by Aqua as well as by a the passionate Trivy community. tfsec will continue to remain available for the time being, although our engineering attention will be directed at Trivy going forward. + +## Trivy Local Scan +```bash +# Project root directory +trivy config . +``` + +For more information, please refer to the [Trivy documentation](https://github.com/aquasecurity/trivy) diff --git a/.github/wiki/_Sidebar.md b/.github/wiki/_Sidebar.md index e3639f8a..59692145 100644 --- a/.github/wiki/_Sidebar.md +++ b/.github/wiki/_Sidebar.md @@ -15,3 +15,4 @@ - [[Testing]] - [[Modify the Infrastructure Diagram | Modify infra diagram]] - [[Publishing]] +- [[Trivy Local Running]] diff --git a/src/generators/terraform/index.test.ts b/src/generators/terraform/index.test.ts index f01ea120..1e171435 100644 --- a/src/generators/terraform/index.test.ts +++ b/src/generators/terraform/index.test.ts @@ -26,6 +26,7 @@ describe('Core codebase', () => { const expectedFiles = [ '.gitignore', '.tool-versions', + 'trivy.yaml', 'core/main.tf', 'core/outputs.tf', 'core/variables.tf', diff --git a/templates/addons/aws/modules/iam_groups/main.tf b/templates/addons/aws/modules/iam_groups/main.tf index 2915ba74..ceb4f61c 100644 --- a/templates/addons/aws/modules/iam_groups/main.tf +++ b/templates/addons/aws/modules/iam_groups/main.tf 
@@ -18,6 +18,7 @@ resource "aws_iam_group_policy_attachment" "admin_access" { policy_arn = data.aws_iam_policy.admin_access.arn } +# Policy from https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_my-sec-creds-self-manage.html # trivy:ignore:AVD-AWS-0057 resource "aws_iam_group_policy" "developer_allow_manage_own_credentials" { group = aws_iam_group.developer.name diff --git a/templates/terraform/gitignore b/templates/terraform/gitignore index 13970b99..fb3a5c97 100644 --- a/templates/terraform/gitignore +++ b/templates/terraform/gitignore @@ -42,3 +42,6 @@ terraform.rc # Emacs .dir-locals.el + +# Trivy +trivy-output.json diff --git a/templates/terraform/trivy.yaml b/templates/terraform/trivy.yaml new file mode 100644 index 00000000..41831c0d --- /dev/null +++ b/templates/terraform/trivy.yaml @@ -0,0 +1,28 @@ +timeout: 10m +format: json +dependency-tree: true +list-all-pkgs: true +exit-code: 1 +output: trivy-output.json +# All severity levels +severity: + - UNKNOWN + - LOW + - MEDIUM + - HIGH + - CRITICAL +scan: + skip-dirs: + - .github/ + - core/.terraform/ + - shared/.terraform/ + + scanners: + - vuln + - secret + +vulnerability: + type: + - os + - library + ignore-unfixed: true From 763e92ab7fd2179cc6a386db380790fcaf14af9b Mon Sep 17 00:00:00 2001 From: nvminhtue Date: Wed, 3 Jan 2024 10:11:20 +0700 Subject: [PATCH 06/15] [#227] Update trivy config yaml to not push error as json to trivy output yaml --- trivy.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/trivy.yaml b/trivy.yaml index 41831c0d..fe35a1d9 100644 --- a/trivy.yaml +++ b/trivy.yaml @@ -1,9 +1,7 @@ timeout: 10m -format: json dependency-tree: true list-all-pkgs: true exit-code: 1 -output: trivy-output.json # All severity levels severity: - UNKNOWN From c8d7443142e05de1aa24c469a15a0e93090b9211 Mon Sep 17 00:00:00 2001 
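Review bot: With `output: trivy-output.json` removed, nothing writes that file any more, so the `# Trivy` / `trivy-output.json` entries added to `.gitignore` and `templates/terraform/gitignore` earlier in this series are dead and should go with it. If `format: json` was dropped because error text was landing in the report, it is still worth keeping a machine-readable result somewhere CI can archive it (for example a SARIF output uploaded as an artifact), since findings that exist only in the job log are hard to audit later. The enclosing config file is shown in full above, so no other setting is affected.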
From: nvminhtue Date: Wed, 3 Jan 2024 10:14:08 +0700 Subject: [PATCH 07/15] [#227] Update the trivy config in the template generator --- templates/terraform/trivy.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/templates/terraform/trivy.yaml b/templates/terraform/trivy.yaml index 41831c0d..fe35a1d9 100644 --- a/templates/terraform/trivy.yaml +++ b/templates/terraform/trivy.yaml @@ -1,9 +1,7 @@ timeout: 10m -format: json dependency-tree: true list-all-pkgs: true exit-code: 1 -output: trivy-output.json # All severity levels severity: - UNKNOWN From 7253ad7aad765a8d4478fbeee5e21e909e259ef8 Mon Sep 17 00:00:00 2001 From: nvminhtue Date: Wed, 3 Jan 2024 16:00:10 +0700 Subject: [PATCH 08/15] [#227] Update wiki and remove the root dir trivy config to reduce confusion --- .github/wiki/Trivy-local-running.md | 1 - trivy.yaml | 26 -------------------------- 2 files changed, 27 deletions(-) delete mode 100644 trivy.yaml diff --git a/.github/wiki/Trivy-local-running.md b/.github/wiki/Trivy-local-running.md index c4df97d5..28bdd0ca 100644 --- a/.github/wiki/Trivy-local-running.md +++ b/.github/wiki/Trivy-local-running.md @@ -1,7 +1,6 @@ This project is using Trivy as a vulnerability scanner to replace the role of `tfsec` with some extra benefits: 1. Access to more languages and features in the same tool. 2. Access to more integrations with tools and services through the rich ecosystem around Trivy. -3. Commercially supported by Aqua as well as by a the passionate Trivy community. tfsec will continue to remain available for the time being, although our engineering attention will be directed at Trivy going forward. ## Trivy Local Scan ```bash diff --git a/trivy.yaml b/trivy.yaml deleted file mode 100644 index fe35a1d9..00000000 --- a/trivy.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -timeout: 10m -dependency-tree: true -list-all-pkgs: true -exit-code: 1 -# All severity levels -severity: - - UNKNOWN - - LOW - - MEDIUM - - HIGH - - CRITICAL -scan: - skip-dirs: - - .github/ - - core/.terraform/ - - shared/.terraform/ - - scanners: - - vuln - - secret - -vulnerability: - type: - - os - - library - ignore-unfixed: true From 73512ba2465064e87007e73f359f7ddf20f3b80c Mon Sep 17 00:00:00 2001 From: nvminhtue Date: Tue, 9 Jan 2024 21:30:27 +0700 Subject: [PATCH 09/15] [#227] Add script to generate project --- .github/workflows/test-generated-project.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/test-generated-project.yml b/.github/workflows/test-generated-project.yml index bd9a09f4..fc44a15f 100644 --- a/.github/workflows/test-generated-project.yml +++ b/.github/workflows/test-generated-project.yml @@ -6,7 +6,6 @@ on: env: TERRAFORM_VERSION: "1.5.5" - TFSEC_VERSION: "v1.28.1" jobs: test: @@ -47,9 +46,10 @@ jobs: - name: Run Terraform format run: terraform fmt -recursive -check - - name: Run tfsec linter - id: tfsec - uses: aquasecurity/tfsec-action@v1.0.3 + - name: Run trivy linter + uses: aquasecurity/trivy-action@0.12.0 with: - version: ${{ env.TFSEC_VERSION }} - + image-ref: '.' + scan-type: 'fs' + scan-ref: '.' + trivy-config: trivy.yaml From a8b35cab464739c9a44436f9c790018ad34cb32a Mon Sep 17 00:00:00 2001 From: nvminhtue Date: Tue, 9 Jan 2024 21:39:52 +0700 Subject: [PATCH 10/15] [#227] Test trivy catches critical failure --- src/generators/addons/aws/modules/alb.ts | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/generators/addons/aws/modules/alb.ts b/src/generators/addons/aws/modules/alb.ts index a0bb7286..19490e5c 100644 --- a/src/generators/addons/aws/modules/alb.ts +++ b/src/generators/addons/aws/modules/alb.ts 
@@ -58,7 +58,6 @@ const albSGMainContent = dedent` } } - # trivy:ignore:AVD-AWS-0107 resource "aws_security_group_rule" "alb_ingress_https" { type = "ingress" security_group_id = aws_security_group.alb.id @@ -69,7 +68,6 @@ const albSGMainContent = dedent` description = "From HTTPS to ALB" } - # trivy:ignore:AVD-AWS-0107 resource "aws_security_group_rule" "alb_ingress_http" { type = "ingress" security_group_id = aws_security_group.alb.id From 8136fd3de78a35506f59b2c3e43ee83de32d8a08 Mon Sep 17 00:00:00 2001 From: nvminhtue Date: Mon, 15 Jan 2024 17:40:37 +0700 Subject: [PATCH 11/15] [#227] Update trivy scanner --- .github/workflows/test-generated-project.yml | 18 ++++-------------- .../github/.github/workflows/lint.yml | 16 +++------------- 2 files changed, 7 insertions(+), 27 deletions(-) diff --git a/.github/workflows/test-generated-project.yml b/.github/workflows/test-generated-project.yml index fc44a15f..1bf1c201 100644 --- a/.github/workflows/test-generated-project.yml +++ b/.github/workflows/test-generated-project.yml @@ -4,11 +4,8 @@ on: pull_request: types: [opened, synchronize] -env: - TERRAFORM_VERSION: "1.5.5" - jobs: - test: + test-generated-project: name: Run Tests Generated Project runs-on: ubuntu-latest @@ -38,18 +35,11 @@ jobs: - name: Generate project run: . ./scripts/generateAdvancedAWS.sh - - name: Install Terraform - uses: hashicorp/setup-terraform@v2 - with: - terraform_version: ${{ env.TERRAFORM_VERSION }} + - name: Install dependencies in .tool-versions + uses: asdf-vm/actions/install@v2 - name: Run Terraform format run: terraform fmt -recursive -check - name: Run trivy linter - uses: aquasecurity/trivy-action@0.12.0 - with: - image-ref: '.' - scan-type: 'fs' - scan-ref: '.' - trivy-config: trivy.yaml + run: cd aws-advanced-test && trivy config . diff --git a/templates/addons/versionControl/github/.github/workflows/lint.yml b/templates/addons/versionControl/github/.github/workflows/lint.yml index 76e9cd17..6a6cf531 100644 
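Review bot: `asdf-vm/actions/install@v2` is pinned by a floating major tag, so an action that installs every tool the job subsequently executes can change without a diff here; pin it to a commit SHA with the version in a trailing comment, as for the Trivy action it replaces. Replacing the action with `trivy config .` also changes what is scanned: `trivy config` runs only the misconfiguration scanner, so the `vuln` and `secret` scanners and the whole `vulnerability:` block in `templates/terraform/trivy.yaml` no longer have any effect in CI, and in particular secret scanning of the generated `.tf`/`.tfvars` files is lost. If that is intended, trim the config to the settings `trivy config` honours and say so in a comment; if not, use `trivy fs --scanners misconfig,secret .` instead.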
--- a/templates/addons/versionControl/github/.github/workflows/lint.yml +++ b/templates/addons/versionControl/github/.github/workflows/lint.yml @@ -3,9 +3,6 @@ name: Lint on: push: -env: - TERRAFORM_VERSION: "1.5.5" - concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -24,18 +21,11 @@ jobs: with: ref: ${{ github.head_ref }} - - name: Install Terraform - uses: hashicorp/setup-terraform@v2 - with: - terraform_version: ${{ env.TERRAFORM_VERSION }} + - name: Install dependencies in .tool-versions + uses: asdf-vm/actions/install@v2 - name: Run Terraform format run: terraform fmt -recursive -check - name: Run trivy linter - uses: aquasecurity/trivy-action@0.12.0 - with: - image-ref: '.' - scan-type: 'fs' - scan-ref: '.' - trivy-config: trivy.yaml + run: trivy config . From a937ab2dfb415ef6a6967955996a8182e9f4fc7a Mon Sep 17 00:00:00 2001 From: nvminhtue Date: Mon, 15 Jan 2024 17:44:01 +0700 Subject: [PATCH 12/15] [#227] Revert trivy ignores --- src/generators/addons/aws/modules/alb.ts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/generators/addons/aws/modules/alb.ts b/src/generators/addons/aws/modules/alb.ts index 19490e5c..a0bb7286 100644 --- a/src/generators/addons/aws/modules/alb.ts +++ b/src/generators/addons/aws/modules/alb.ts @@ -58,6 +58,7 @@ const albSGMainContent = dedent` } } + # trivy:ignore:AVD-AWS-0107 resource "aws_security_group_rule" "alb_ingress_https" { type = "ingress" security_group_id = aws_security_group.alb.id @@ -68,6 +69,7 @@ const albSGMainContent = dedent` description = "From HTTPS to ALB" } + # trivy:ignore:AVD-AWS-0107 resource "aws_security_group_rule" "alb_ingress_http" { type = "ingress" security_group_id = aws_security_group.alb.id From f81c0dcc1a49bcced258825218274958ffb79135 Mon Sep 17 00:00:00 2001 
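Review bot: The generated project's lint gate now runs `trivy config .` with whatever checks Trivy fetches at run time — the misconfiguration check bundle is downloaded from a container registry on each run and is not pinned by this workflow, so two runs of the same commit can produce different results and the job needs outbound network access. That is probably acceptable for a lint job, but it deserves a one-line comment above the step, and projects with stricter supply-chain requirements can vendor the bundle and pass the skip-update flag (`--skip-policy-update` in this release line, as far as I can tell). `terraform fmt -recursive -check` now depends on asdf having installed the `terraform` pin from the generated `.tool-versions`, so that entry must stay in the template.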
From: nvminhtue Date: Mon, 15 Jan 2024 18:02:56 +0700 Subject: [PATCH 13/15] [#227] Update trivy to scan HIGHT and CRITICAL severities --- templates/terraform/trivy.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/templates/terraform/trivy.yaml b/templates/terraform/trivy.yaml index fe35a1d9..a5c7d60d 100644 --- a/templates/terraform/trivy.yaml +++ b/templates/terraform/trivy.yaml @@ -4,9 +4,6 @@ list-all-pkgs: true exit-code: 1 # All severity levels severity: - - UNKNOWN - - LOW - - MEDIUM - HIGH - CRITICAL scan: From 01f80b7df9eceab1077387d2f3a0beb949152408 Mon Sep 17 00:00:00 2001 From: nvminhtue Date: Thu, 25 Jan 2024 22:06:49 +0700 Subject: [PATCH 14/15] [#227] Update the workflow --- .github/workflows/test-generated-project.yml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test-generated-project.yml b/.github/workflows/test-generated-project.yml index 1bf1c201..433eca58 100644 --- a/.github/workflows/test-generated-project.yml +++ b/.github/workflows/test-generated-project.yml @@ -4,8 +4,12 @@ on: pull_request: types: [opened, synchronize] +env: + TERRAFORM_VERSION: "1.5.5" + TFSEC_VERSION: "v1.28.1" + jobs: - test-generated-project: + test: name: Run Tests Generated Project runs-on: ubuntu-latest @@ -42,4 +46,5 @@ jobs: run: terraform fmt -recursive -check - name: Run trivy linter - run: cd aws-advanced-test && trivy config . + working-directory: aws-advanced-test + run: trivy config . From a51857096f78c1142f953c3f54351c668daf93a0 Mon Sep 17 00:00:00 2001 From: nvminhtue Date: Tue, 5 Mar 2024 10:20:49 +0700 Subject: [PATCH 15/15] [#227] Update docs --- .../wiki/{Trivy-local-running.md => Running-trivy-locally.md} | 1 + .github/wiki/_Sidebar.md | 2 +- .github/workflows/test-generated-project.yml | 4 ++-- .../addons/versionControl/github/.github/workflows/lint.yml | 4 ++-- 4 files changed, 6 insertions(+), 5 deletions(-) rename .github/wiki/{Trivy-local-running.md => Running-trivy-locally.md} (99%) 
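Review bot: The `# All severity levels` comment directly above the list is now false — only `HIGH` and `CRITICAL` remain — so replace it with `# Fail the scan only on HIGH and CRITICAL findings; run locally with --severity to see MEDIUM and below`. Because `exit-code: 1` still applies to this list, MEDIUM and lower misconfigurations are neither reported nor blocking in CI any more; if they should stay visible without failing the job, a second, non-failing Trivy step with the full severity list is the usual pattern. The commit subject reads "HIGHT" where "HIGH" is meant.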
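Review bot: The re-added `env:` block brings back `TFSEC_VERSION: "v1.28.1"` in a workflow that no longer runs tfsec, and `TERRAFORM_VERSION` is not read by any step either now that tools come from `.tool-versions` via asdf; both look like a merge leftover and should be removed so the pin in `.tool-versions` stays the single source of truth. Renaming the job id back to `test` reverts the `test-generated-project` id chosen two commits earlier — confirm which id any required-status-check rule references before merging. The `working-directory: aws-advanced-test` form is a good replacement for `cd … &&`.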
diff --git a/.github/wiki/Trivy-local-running.md b/.github/wiki/Running-trivy-locally.md similarity index 99% rename from .github/wiki/Trivy-local-running.md rename to .github/wiki/Running-trivy-locally.md index 28bdd0ca..6168a30f 100644 --- a/.github/wiki/Trivy-local-running.md +++ b/.github/wiki/Running-trivy-locally.md @@ -3,6 +3,7 @@ This project is using Trivy as a vulnerability scanner to replace the role of `t 2. Access to more integrations with tools and services through the rich ecosystem around Trivy. ## Trivy Local Scan + ```bash # Project root directory trivy config . diff --git a/.github/wiki/_Sidebar.md b/.github/wiki/_Sidebar.md index 59692145..a7754aa0 100644 --- a/.github/wiki/_Sidebar.md +++ b/.github/wiki/_Sidebar.md @@ -15,4 +15,4 @@ - [[Testing]] - [[Modify the Infrastructure Diagram | Modify infra diagram]] - [[Publishing]] -- [[Trivy Local Running]] +- [[Running Trivy Locally]] diff --git a/.github/workflows/test-generated-project.yml b/.github/workflows/test-generated-project.yml index 433eca58..5ef83017 100644 --- a/.github/workflows/test-generated-project.yml +++ b/.github/workflows/test-generated-project.yml @@ -39,12 +39,12 @@ jobs: - name: Generate project run: . ./scripts/generateAdvancedAWS.sh - - name: Install dependencies in .tool-versions + - name: Install dependencies from .tool-versions uses: asdf-vm/actions/install@v2 - name: Run Terraform format run: terraform fmt -recursive -check - - name: Run trivy linter + - name: Run trivy scanner working-directory: aws-advanced-test run: trivy config . diff --git a/templates/addons/versionControl/github/.github/workflows/lint.yml b/templates/addons/versionControl/github/.github/workflows/lint.yml index 6a6cf531..80b67ebe 100644 --- a/templates/addons/versionControl/github/.github/workflows/lint.yml +++ b/templates/addons/versionControl/github/.github/workflows/lint.yml 
@@ -21,11 +21,11 @@ jobs: with: ref: ${{ github.head_ref }} - - name: Install dependencies in .tool-versions + - name: Install dependencies from .tool-versions uses: asdf-vm/actions/install@v2 - name: Run Terraform format run: terraform fmt -recursive -check - - name: Run trivy linter + - name: Run trivy scanner run: trivy config .