nimblehq · Nihisil · Mar 7, 2024 · Nov 22, 2023 · Nov 22, 2023 · Nov 24, 2023
@@ -11,4 +11,3 @@ npm run lint // to check linting
 
 npm run lint:fix // to fix linting
 ```
-
diff --git a/.github/wiki/Trivy-local-running.md b/.github/wiki/Trivy-local-running.md
@@ -0,0 +1,11 @@
+This project is using Trivy as a vulnerability scanner to replace the role of `tfsec` with some extra benefits:
+1. Access to more languages and features in the same tool.
+2. Access to more integrations with tools and services through the rich ecosystem around Trivy.
+
+## Trivy Local Scan
+```bash
-```bash
+
+```bash
-```bash
+
+```bash
+# Project root directory
+trivy config .
+```
+
+For more information, please refer to the [Trivy documentation](https://github.com/aquasecurity/trivy)
@@ -15,3 +15,4 @@
 - [[Testing]]
 - [[Modify the Infrastructure Diagram | Modify infra diagram]]
 - [[Publishing]]
+- [[Trivy Local Running]]
- [[Trivy Local Running]]
+- [[Trivy Local Run]]
- [[Trivy Local Running]]
+- [[Trivy Local Run]]
@@ -39,17 +39,12 @@ jobs:
       - name: Generate project
         run: . ./scripts/generateAdvancedAWS.sh
 
-      - name: Install Terraform
-        uses: hashicorp/setup-terraform@v2
-        with:
-          terraform_version: ${{ env.TERRAFORM_VERSION }}
+      - name: Install dependencies in .tool-versions
-      - name: Install dependencies in .tool-versions
+      - name: Install dependencies from .tool-versions
-      - name: Install dependencies in .tool-versions
+      - name: Install dependencies from .tool-versions
+        uses: asdf-vm/actions/install@v2
 
       - name: Run Terraform format
         run: terraform fmt -recursive -check
 
-      - name: Run tfsec linter
-        id: tfsec
-        uses: aquasecurity/[email protected]
-        with:
-          version: ${{ env.TFSEC_VERSION }}
-
+      - name: Run trivy linter
-      - name: Run trivy linter
+      - name: Run trivy scanner
-      - name: Run trivy linter
+      - name: Run trivy scanner
+        working-directory: aws-advanced-test
+        run: trivy config .
@@ -20,3 +20,6 @@ tsconfig.tsbuildinfo
 
 # Emacs
 .dir-locals.el
+
+# Trivy
+trivy-output.json
@@ -58,7 +58,7 @@ const albSGMainContent = dedent`
     }
   }
 
-  # tfsec:ignore:aws-ec2-no-public-ingress-sgr
+  # trivy:ignore:AVD-AWS-0107
   resource "aws_security_group_rule" "alb_ingress_https" {
     type              = "ingress"
     security_group_id = aws_security_group.alb.id
@@ -69,7 +69,7 @@ const albSGMainContent = dedent`
     description       = "From HTTPS to ALB"
   }
 
-  # tfsec:ignore:aws-ec2-no-public-ingress-sgr
+  # trivy:ignore:AVD-AWS-0107
   resource "aws_security_group_rule" "alb_ingress_http" {
     type              = "ingress"
     security_group_id = aws_security_group.alb.id
@@ -80,7 +80,7 @@ const albSGMainContent = dedent`
     description       = "From HTTP to ALB"
   }
 
-  # tfsec:ignore:aws-ec2-no-public-egress-sgr
+  # trivy:ignore:AVD-AWS-0104
   resource "aws_security_group_rule" "alb_egress" {
     type              = "egress"
     security_group_id = aws_security_group.alb.id

@@ -139,7 +139,7 @@ const ecsSGMainContent = dedent`
     description       = "From internal VPC to app"
   }
 
-  # tfsec:ignore:aws-ec2-no-public-egress-sgr
+  # trivy:ignore:AVD-AWS-0104
   resource "aws_security_group_rule" "ecs_fargate_egress_anywhere" {
     type              = "egress"
     security_group_id = aws_security_group.ecs_fargate.id

@@ -26,6 +26,7 @@ describe('Core codebase', () => {
       const expectedFiles = [
         '.gitignore',
         '.tool-versions',
+        'trivy.yaml',
         'core/main.tf',
         'core/outputs.tf',
         'core/variables.tf',

@@ -2,7 +2,7 @@ locals {
   enable_stickiness = false
 }
 
-# tfsec:ignore:aws-elb-alb-not-public
+# trivy:ignore:AVD-AWS-0053
 resource "aws_lb" "main" {
   name               = "${var.env_namespace}-alb"
   internal           = false
@@ -48,7 +48,7 @@ resource "aws_lb_target_group" "target_group" {
   }
 }
 
-# tfsec:ignore:aws-elb-http-not-used
+# trivy:ignore:AVD-AWS-0054
 resource "aws_lb_listener" "app_http" {
   load_balancer_arn = aws_lb.main.arn
   port              = "80"

@@ -1,4 +1,4 @@
-# tfsec:ignore:aws-ec2-no-public-ip
+# trivy:ignore:AVD-AWS-0009
 resource "aws_launch_configuration" "bastion_instance" {
   name_prefix                 = "${var.env_namespace}-bastion-"
   image_id                    = var.image_id

@@ -1,4 +1,4 @@
-# tfsec:ignore:aws-cloudwatch-log-group-customer-key
+# trivy:ignore:AVD-AWS-0017
 resource "aws_cloudwatch_log_group" "main" {
   name              = "awslogs-${var.env_namespace}-log-group"
   retention_in_days = var.log_retention_in_days

@@ -1,4 +1,4 @@
-# tfsec:ignore:aws-ecr-enforce-immutable-repository tfsec:ignore:aws-ecr-repository-customer-key
+# trivy:ignore:AVD-AWS-0031 trivy:ignore:AVD-AWS-0033
 resource "aws_ecr_repository" "main" {
   name = var.env_namespace
 

@@ -102,7 +102,7 @@ resource "aws_iam_policy" "ecs_task_execution_ssm" {
   policy = local.ecs_task_execution_ssm_policy
 }
 
-# tfsec:ignore:aws-iam-no-policy-wildcards
+# trivy:ignore:AVD-AWS-0057
 resource "aws_iam_policy" "ecs_task_excution_service_scaling" {
   name   = "${var.env_namespace}-ECSAutoScalingPolicy"
   policy = local.ecs_service_scaling_policy

@@ -1,14 +1,14 @@
-#tfsec:ignore:aws-iam-enforce-group-mfa
+# trivy:ignore:AVD-AWS-0123
 resource "aws_iam_group" "admin" {
   name = "${var.project_name}-admin-group"
 }
 
-#tfsec:ignore:aws-iam-enforce-group-mfa
+# trivy:ignore:AVD-AWS-0123
 resource "aws_iam_group" "infra-service-account" {
   name = "${var.project_name}-infra-service-account-group"
 }
 
-#tfsec:ignore:aws-iam-enforce-group-mfa
+# trivy:ignore:AVD-AWS-0123
 resource "aws_iam_group" "developer" {
   name = "${var.project_name}-developer-group"
 }
@@ -19,7 +19,7 @@ resource "aws_iam_group_policy_attachment" "admin_access" {
 }
 
 # Policy from https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_my-sec-creds-self-manage.html
-# tfsec:ignore:aws-iam-no-policy-wildcards
+# trivy:ignore:AVD-AWS-0057
 resource "aws_iam_group_policy" "developer_allow_manage_own_credentials" {
   group  = aws_iam_group.developer.name
   policy = local.allow_manage_own_credentials

@@ -1,6 +1,6 @@
 data "aws_elb_service_account" "elb_service_account" {}
 
-# tfsec:ignore:aws-s3-enable-versioning tfsec:ignore:aws-s3-enable-bucket-logging tfsec:ignore:aws-s3-encryption-customer-key tfsec:ignore:aws-s3-enable-bucket-encryption
+# trivy:ignore:AVD-AWS-0089 trivy:ignore:AVD-AWS-0132 trivy:ignore:AVD-AWS-0088 trivy:ignore:AVD-AWS-0090
 resource "aws_s3_bucket" "alb_log" {
   bucket        = "${var.env_namespace}-alb-log"
   force_destroy = true

@@ -1,6 +1,6 @@
 data "aws_availability_zones" "available" {}
 
-# tfsec:ignore:aws-ec2-require-vpc-flow-logs-for-all-vpcs tfsec:ignore:aws-ec2-no-public-ip-subnet
+# trivy:ignore:AVD-AWS-0178 trivy:ignore:AVD-AWS-0164
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
   version = "3.0.0"

@@ -3,10 +3,6 @@ name: Lint
 on:
   push:
 
-env:
-  TERRAFORM_VERSION: "1.5.5"
-  TFSEC_VERSION: "v1.28.1"
-
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -25,16 +21,11 @@ jobs:
         with:
           ref: ${{ github.head_ref }}
 
-      - name: Install Terraform
-        uses: hashicorp/setup-terraform@v2
-        with:
-          terraform_version: ${{ env.TERRAFORM_VERSION }}
+      - name: Install dependencies in .tool-versions
-      - name: Install dependencies in .tool-versions
+      - name: Install dependencies from .tool-versions
-      - name: Install dependencies in .tool-versions
+      - name: Install dependencies from .tool-versions
+        uses: asdf-vm/actions/install@v2
 
       - name: Run Terraform format
         run: terraform fmt -recursive -check
 
-      - name: Run tfsec linter
-        id: tfsec
-        uses: aquasecurity/[email protected]
-        with:
-          version: ${{ env.TFSEC_VERSION }}
+      - name: Run trivy linter
-      - name: Run trivy linter
+      - name: Run trivy scanner
-      - name: Run trivy linter
+      - name: Run trivy scanner
+        run: trivy config .
@@ -1,2 +1,2 @@
 terraform 1.5.5
-tfsec 1.28.1
+trivy 0.47.0
@@ -42,3 +42,6 @@ terraform.rc
 
 # Emacs
 .dir-locals.el
+
+# Trivy
+trivy-output.json
@@ -0,0 +1,23 @@
+timeout: 10m
+dependency-tree: true
+list-all-pkgs: true
+exit-code: 1
+# All severity levels
+severity:
+  - HIGH
+  - CRITICAL
+scan:
+  skip-dirs:
+    - .github/
+    - core/.terraform/
+    - shared/.terraform/
+
+  scanners:
+    - vuln
+    - secret
+
+vulnerability:
+  type:
+    - os
+    - library
+  ignore-unfixed: true
Original file line number	Diff line number	Diff line change
Expand Up		@@ -11,4 +11,3 @@ npm run lint // to check linting

		npm run lint:fix // to fix linting
		```
-Original file line number
+Diff line change
@@ Expand Up / @@ -20,3 +20,6 @@ tsconfig.tsbuildinfo @@
     # Emacs
     .dir-locals.el
+    # Trivy
+    trivy-output.json