diff --git a/.github/actions/tfsec/action.yaml b/.github/actions/tfsec/action.yaml
deleted file mode 100644
index f4e62b3..0000000
--- a/.github/actions/tfsec/action.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-name: "TFSec Scan"
-description: "Scan HCL using TFSec"
-runs:
- using: "composite"
- steps:
- - name: "TFSec Scan - Components"
- shell: bash
- run: |
- modules_exit_code=0
-
- ./scripts/terraform/tfsec.sh ./infrastructure/modules || modules_exit_code=$?
-
- if [ $modules_exit_code -ne 0 ]; then
- echo "One or more TFSec scans failed."
- exit 1
- fi
diff --git a/.github/actions/trivy/action.yaml b/.github/actions/trivy/action.yaml
new file mode 100644
index 0000000..4f5bbbe
--- /dev/null
+++ b/.github/actions/trivy/action.yaml
@@ -0,0 +1,15 @@
+name: "Trivy Scan"
+runs:
+ using: "composite"
+ steps:
+ - name: "Trivy Terraform IAC Scan"
+ shell: bash
+ run: |
+ modules_exit_code=0
+
+ ./scripts/terraform/trivy.sh ./infrastructure/modules || modules_exit_code=$?
+
+ if [ $components_exit_code -ne 0 ] || [ $modules_exit_code -ne 0 ]; then
+ echo "Trivy misconfigurations detected."
+ exit 1
+ fi
diff --git a/.github/workflows/cicd-1-pull-request.yaml b/.github/workflows/cicd-1-pull-request.yaml
index 6bf58d9..3cfc32e 100644
--- a/.github/workflows/cicd-1-pull-request.yaml
+++ b/.github/workflows/cicd-1-pull-request.yaml
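Review bot: `$components_exit_code` in the new `if` line of `.github/actions/trivy/action.yaml` is never assigned, so the first test expands to `[ -ne 0 ]`, which `test` reports as an error ("unary operator expected") instead of evaluating; the gate only still works because the second `||` operand carries the real result. Drop the dead operand: `if [ $modules_exit_code -ne 0 ]; then`. The new action also omits the `description` field that the deleted tfsec action carried and that the action metadata syntax marks as required; add `description: "Scan Terraform IaC using Trivy"` under `name`.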
@@ -40,9 +40,9 @@ jobs:
 echo "build_datetime=$datetime" >> $GITHUB_OUTPUT
 echo "build_timestamp=$(date --date=$datetime -u +'%Y%m%d%H%M%S')" >> $GITHUB_OUTPUT
 echo "build_epoch=$(date --date=$datetime -u +'%s')" >> $GITHUB_OUTPUT
- echo "nodejs_version=$(grep "^nodejs " .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
- echo "python_version=$(grep "^python " .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
- echo "terraform_version=$(grep "^terraform " .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+ echo "nodejs_version=$(grep "^nodejs\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+ echo "python_version=$(grep "^python\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+ echo "terraform_version=$(grep "^terraform\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
 echo "version=$(echo $version)" >> $GITHUB_OUTPUT
 echo "is_version_prerelease=$(if [[ $version == *-* ]]; then echo "true"; else echo "false"; fi)" >> $GITHUB_OUTPUT
diff --git a/.github/workflows/cicd-3-deploy.yaml b/.github/workflows/cicd-3-deploy.yaml
index c5ae172..ff2ad64 100644
--- a/.github/workflows/cicd-3-deploy.yaml
+++ b/.github/workflows/cicd-3-deploy.yaml
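Review bot: The three new `grep "^nodejs\s"` lines now match an entry whose name is followed by any whitespace, but the `cut -f2 -d' '` that follows still splits only on a single space, so a tab-separated `.tool-versions` entry would match and then yield an empty version; `\s` is also a GNU grep extension rather than POSIX. With the space-separated file in this commit the output is unchanged, so this is a robustness point. A single portable tool does both halves: `echo "nodejs_version=$(awk '/^nodejs[[:space:]]/ {print $2}' .tool-versions)" >> $GITHUB_OUTPUT`, and likewise for the python and terraform lines. The identical hunk in `.github/workflows/cicd-3-deploy.yaml` has the same issue.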
@@ -45,9 +45,9 @@ jobs:
 echo "build_datetime=$datetime" >> $GITHUB_OUTPUT
 echo "build_timestamp=$(date --date=$datetime -u +'%Y%m%d%H%M%S')" >> $GITHUB_OUTPUT
 echo "build_epoch=$(date --date=$datetime -u +'%s')" >> $GITHUB_OUTPUT
- echo "nodejs_version=$(grep "^nodejs " .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
- echo "python_version=$(grep "^python " .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
- echo "terraform_version=$(grep "^terraform " .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+ echo "nodejs_version=$(grep "^nodejs\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+ echo "python_version=$(grep "^python\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+ echo "terraform_version=$(grep "^terraform\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
 # TODO: Get the version, but it may not be the .version file as this should come from the CI/CD Pull Request Workflow
 echo "version=$(head -n 1 .version 2> /dev/null || echo unknown)" >> $GITHUB_OUTPUT
 # echo "tag=${{ github.event.inputs.tag }}" >> $GITHUB_OUTPUT
diff --git a/.github/workflows/stage-1-commit.yaml b/.github/workflows/stage-1-commit.yaml
index b83d89a..f352eb7 100644
--- a/.github/workflows/stage-1-commit.yaml
+++ b/.github/workflows/stage-1-commit.yaml
@@ -135,8 +135,8 @@ jobs:
 uses: actions/checkout@v4
 - name: "Lint Terraform"
 uses: ./.github/actions/lint-terraform
- tfsec:
- name: "TFSec Scan"
+ trivy:
+ name: "Trivy Scan"
 runs-on: ubuntu-latest
 timeout-minutes: 5
 needs: detect-terraform-changes
@@ -148,8 +148,8 @@ jobs:
 uses: asdf-vm/actions/setup@v3
 - name: "Perform Setup"
 uses: ./.github/actions/setup
- - name: "TFSec Scan"
- uses: ./.github/actions/tfsec
+ - name: "Trivy Scan"
+ uses: ./.github/actions/trivy
 count-lines-of-code:
 name: "Count lines of code"
 runs-on: ubuntu-latest
diff --git a/.tool-versions b/.tool-versions
index 0044d71..940bb92 100644
--- a/.tool-versions
+++ b/.tool-versions
@@ -1,12 +1,12 @@
 # This file is for you! Please, updated to the versions agreed by your team.
+gitleaks 8.18.4
+nodejs 18.18.2
+pre-commit 3.6.0
 terraform 1.9.2
 terraform-docs 0.19.0
-pre-commit 3.6.0
-nodejs 18.18.2
-gitleaks 8.18.4
-tfsec 1.28.10
 terraform-docs 0.19.0
+trivy 0.61.0
 vale 3.6.0
diff --git a/infrastructure/modules/kms/data_iam_kms_admin_policy.tf b/infrastructure/modules/kms/data_iam_kms_admin_policy.tf
index 9a62b87..c363415 100644
--- a/infrastructure/modules/kms/data_iam_kms_admin_policy.tf
+++ b/infrastructure/modules/kms/data_iam_kms_admin_policy.tf
@@ -1,4 +1,4 @@
-#tfsec:ignore:aws-iam-no-policy-wildcards
+#trivy:ignore:aws-iam-no-policy-wildcards
 data "aws_iam_policy_document" "admin" {
 policy_id = "${local.csi}-admin"
diff --git a/infrastructure/modules/kms/data_iam_kms_user_policy.tf b/infrastructure/modules/kms/data_iam_kms_user_policy.tf
index 5cb6f3b..64f51d9 100644
--- a/infrastructure/modules/kms/data_iam_kms_user_policy.tf
+++ b/infrastructure/modules/kms/data_iam_kms_user_policy.tf
@@ -1,4 +1,4 @@
-#tfsec:ignore:aws-iam-no-policy-wildcards
+#trivy:ignore:aws-iam-no-policy-wildcards
 data "aws_iam_policy_document" "user" {
 policy_id = "${local.csi}-user"
diff --git a/infrastructure/modules/lambda/data_iam_policy_document_put_logs.tf b/infrastructure/modules/lambda/data_iam_policy_document_put_logs.tf
index ada1196..a794885 100644
--- a/infrastructure/modules/lambda/data_iam_policy_document_put_logs.tf
+++ b/infrastructure/modules/lambda/data_iam_policy_document_put_logs.tf
@@ -8,7 +8,7 @@ data "aws_iam_policy_document" "put_logs" {
 "logs:PutLogEvents",
 ]
- #tfsec:ignore:aws-iam-no-policy-wildcards
+ #trivy:ignore:aws-iam-no-policy-wildcards
 resources = [
 "${aws_cloudwatch_log_group.main.arn}:*",
 ]
diff --git a/infrastructure/modules/s3bucket/s3_bucket.tf b/infrastructure/modules/s3bucket/s3_bucket.tf
index d39b8eb..f640081 100644
--- a/infrastructure/modules/s3bucket/s3_bucket.tf
+++ b/infrastructure/modules/s3bucket/s3_bucket.tf
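Review bot: `terraform-docs 0.19.0` is listed twice in the reordered `.tool-versions` (once after `terraform 1.9.2` and again just before the new `trivy 0.61.0` line), and the reorder keeps both context lines; drop the second so the asdf pin is stated once. While the file is being touched, the first line reads more naturally as `# This file is for you! Please update to the versions agreed by your team.`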
@@ -1,4 +1,4 @@
-#tfsec:ignore:aws-s3-enable-bucket-logging Logging is a depricated attribute, use aws_s3_bucket_logging resource
+#trivy:ignore:aws-s3-enable-bucket-logging Logging is a depricated attribute, use aws_s3_bucket_logging resource
 resource "aws_s3_bucket" "main" {
 bucket = local.csi_global
 force_destroy = var.force_destroy
diff --git a/scripts/config/tfsec.yaml b/scripts/config/tfsec.yaml
deleted file mode 100644
index 550203b..0000000
--- a/scripts/config/tfsec.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-minimum_severity: MEDIUM
diff --git a/scripts/config/trivy.yaml b/scripts/config/trivy.yaml
new file mode 100644
index 0000000..a4eff46
--- /dev/null
+++ b/scripts/config/trivy.yaml
@@ -0,0 +1,6 @@
+---
+severity: MEDIUM # Minimum reported findings
+exit-code: 1 # When issues are found
+scan:
+ skip-files:
+ - "**/.terraform/**/*"
diff --git a/scripts/terraform/tfsec.sh b/scripts/terraform/trivy.sh
similarity index 57%
rename from scripts/terraform/tfsec.sh
rename to scripts/terraform/trivy.sh
index 5d13e60..93caabd 100755
--- a/scripts/terraform/tfsec.sh
+++ b/scripts/terraform/trivy.sh
@@ -9,7 +9,7 @@ set -euo pipefail
 # Run tfsec for security checks on Terraform code.
 #
 # Usage:
-# $ ./tfsec.sh [directory]
+# $ ./trivy.sh [directory]
 # ==============================================================================
 function main() {
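Review bot: `severity: MEDIUM` in the new `scripts/config/trivy.yaml` reports only MEDIUM findings: Trivy's `severity` setting is the list of severities to include, not a floor as the inline comment `# Minimum reported findings` suggests, so HIGH and CRITICAL misconfigurations are filtered out of the report and, since `exit-code: 1` only triggers on reported findings, never fail the scan. That inverts the deleted tfsec `minimum_severity: MEDIUM` behaviour and weakens the gate at exactly the severities that matter most. Change it to `severity: [MEDIUM, HIGH, CRITICAL]  # Severities that are reported and fail the scan`.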
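Review bot: The header comment on the context line `# Run tfsec for security checks on Terraform code.` still names tfsec after the rename to `scripts/terraform/trivy.sh`; this hunk only updates the usage line beneath it. Change it to `# Run trivy for security checks on Terraform code.`. The `# Check the exit status of tfsec.` comment further down the script, in the next hunk, needs the same update.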
@@ -18,68 +18,63 @@ function main() {
 local dir_to_scan=${1:-.}
- if command -v tfsec > /dev/null 2>&1 && ! is-arg-true "${FORCE_USE_DOCKER:-false}"; then
+ if command -v trivy > /dev/null 2>&1 && ! is-arg-true "${FORCE_USE_DOCKER:-false}"; then
 # shellcheck disable=SC2154
- run-tfsec-natively "$dir_to_scan"
+ run-trivy-natively "$dir_to_scan"
 else
- run-tfsec-in-docker "$dir_to_scan"
+ run-trivy-in-docker "$dir_to_scan"
 fi
 }
-# Run tfsec on the specified directory.
+# Run trivy on the specified directory.
 # Arguments:
 # $1 - Directory to scan
-function run-tfsec-natively() {
+function run-trivy-natively() {
 local dir_to_scan="$1"
- echo "TFSec found locally, running natively"
+ echo "Trivy found locally, running natively"
- echo "Running TFSec on directory: $dir_to_scan"
- tfsec \
- --force-all-dirs \
- --exclude-downloaded-modules \
- --config-file scripts/config/tfsec.yaml \
- --format text \
- "$dir_to_scan"
+ echo "Running Trivy on directory: $dir_to_scan"
+ trivy config \
+ --config scripts/config/trivy.yaml \
+ --tf-exclude-downloaded-modules \
+ "${dir_to_scan}"
- check-tfsec-status
+ check-trivy-status
 }
 # Check the exit status of tfsec.
-function check-tfsec-status() {
+function check-trivy-status() {
 if [ $? -eq 0 ]; then
- echo "TFSec completed successfully."
+ echo "Trivy completed successfully."
 else
- echo "TFSec found issues."
+ echo "Trivy found issues."
 exit 1
 fi
 }
-function run-tfsec-in-docker() {
+function run-trivy-in-docker() {
 # shellcheck disable=SC1091
 source ./scripts/docker/docker.lib.sh
 local dir_to_scan="$1"
 # shellcheck disable=SC2155
- local image=$(name=aquasec/tfsec docker-get-image-version-and-pull)
+ local image=$(name=aquasec/trivy docker-get-image-version-and-pull)
 # shellcheck disable=SC2086
- echo "TFSec not found locally, running in Docker Container"
- echo "Running TFSec on directory: $dir_to_scan"
+ echo "Trivy not found locally, running in Docker Container"
+ echo "Running Trivy on directory: $dir_to_scan"
 docker run --rm --platform linux/amd64 \
 --volume "$PWD":/workdir \
 --workdir /workdir \
 "$image" \
- --concise-output \
- --force-all-dirs \
- --exclude-downloaded-modules \
- --config-file scripts/config/tfsec.yaml \
- --format text \
- --soft-fail \
- "$dir_to_scan"
- check-tfsec-status
+ config \
+ --config scripts/config/trivy.yaml \
+ --tf-exclude-downloaded-modules \
+ "${dir_to_scan}"
+ check-trivy-status
 }
 # ==============================================================================
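Review bot: `check-trivy-status` can no longer reach its `echo "Trivy found issues."` branch: the script runs under `set -euo pipefail` (the previous hunk's header line), so when `trivy config` exits non-zero — which the new `exit-code: 1` in scripts/config/trivy.yaml makes it do whenever a finding is reported — errexit terminates the script before `check-trivy-status` is called, and when it is called `$?` at the top of the function is 0 by construction, unless some caller disables errexit. The same applies to the `docker run` in `run-trivy-in-docker`, which previously ran tfsec with `--soft-fail` so the status check had something to inspect. Capture the status explicitly and pass it to the checker, as below for the native path; the docker path takes the same three-line change after its `"${dir_to_scan}"` argument.
```shell
function run-trivy-natively() {
  local dir_to_scan="$1"
  local status=0
  # … unchanged: echo lines and the trivy config flags …
    "${dir_to_scan}" || status=$?

  check-trivy-status "$status"
}

# Check the exit status of trivy.
# Arguments:
#   $1 - Exit status of the trivy invocation
function check-trivy-status() {
  if [ "${1:-0}" -eq 0 ]; then
  # … unchanged: success and failure branches …
```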