feat(trivy): Add `terraform_trivy` hook and deprecate `terraform_tfsec` #606
Conversation
I'm not familiar with Trivy, though the code looks good to me.
@MaxymVlasov would be able to provide a more thorough and opinionated review, though.
Oops, take my approval back to let Max approve this PR.
Hook works like a charm. A few tiny fixes and it's ready to go.
Also, let me add a deprecation notice to the tfsec hook and I'll merge it.
# [1.85.0](v1.84.0...v1.85.0) (2023-12-15)

### Features

* **trivy:** Add `terraform_trivy` hook and deprecate `terraform_tfsec` ([#606](#606)) ([f3c819a](f3c819a))

This PR is included in version 1.85.0 🎉
First of all, thank you so much for your amazing work! ❤️
This is the first time I contribute to this repository, so if there is any doubt or anything that needs to be fixed, feel free to let me know!
Description of your changes
Adds a new Trivy hook.
Fixes #550
How can we test changes
Create a project with a Terraform file that looks like this:
When running the hook, it shall show two errors for this configuration and how to fix them.
In order to ignore these errors, add a comment per rule on top of the resource telling it to ignore it:
This shall make the hook output no errors and, therefore, pass.
The same can be done with the trivy binary by executing:

```shell
trivy conf $(pwd)/path/to/your/file.tf --exit-code=1
```

Note: The `--exit-code` flag forces the binary to exit with exit code 1 when any misconfiguration is found.
This has already been tested with the `pre-commit run` and `pre-commit run --all` commands, using this configuration in the `.pre-commit-config.yaml` file:

Note: The `args` key is optional but useful if you are currently on a Terragrunt project!
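As an added example (not code from this PR or from the pre-commit-terraform project), the script below reproduces the manual test described above end to end: it writes a constructed Terraform fixture, writes a `.pre-commit-config.yaml` that enables the new hook, and scans the fixture with `trivy config --exit-code=1` (`conf` in the command above is the alias of `config`) both without and with `#trivy:ignore` comments on top of the resource. The S3 resource, the rule IDs `AVD-AWS-0088` and `AVD-AWS-0089`, the repository URL and `rev`, and the `--args=--skip-dirs=...` pass-through for Terragrunt are assumptions; take the real rule IDs from Trivy's own report for your file.

```shell
#!/usr/bin/env bash
# Added example, not code from the PR or the pre-commit-terraform project:
# reproduces the manual test described in the PR with a constructed Terraform
# fixture, Trivy's --exit-code flag and #trivy:ignore comments.
set -eu

# Writes a constructed fixture: an S3 bucket with no encryption and no logging.
# With annotate=yes, one ignore comment per rule is placed on top of the
# resource. The rule IDs are assumptions; take the real IDs from Trivy's output.
write_fixture() {
  local dir="$1"
  local annotate="$2"
  mkdir -p "$dir"
  {
    if [ "$annotate" = "yes" ]; then
      echo '#trivy:ignore:AVD-AWS-0088'
      echo '#trivy:ignore:AVD-AWS-0089'
    fi
    cat <<'EOF'
resource "aws_s3_bucket" "example" {
  bucket = "example-bucket"
}
EOF
  } > "$dir/main.tf"
}

# Writes the .pre-commit-config.yaml the hook is run from. Repository URL,
# revision and the --skip-dirs pass-through for Terragrunt are assumptions.
write_precommit_config() {
  local dir="$1"
  cat > "$dir/.pre-commit-config.yaml" <<'EOF'
repos:
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: v1.85.0
    hooks:
      - id: terraform_trivy
        # Optional: forward extra flags to Trivy; here, skip Terragrunt caches.
        args:
          - --args=--skip-dirs="**/.terragrunt-cache"
EOF
}

# Scans a directory the way the hook does and returns Trivy's exit code:
# 0 when clean, 1 when any misconfiguration is found (because of --exit-code=1).
scan_dir() {
  local rc=0
  trivy config --exit-code=1 --quiet "$1" || rc=$?
  return "$rc"
}

# Runs the two scans described in the PR: the plain fixture is expected to
# fail (exit code 1), the annotated one to pass (exit code 0).
# Skipped when trivy is not installed.
demo() {
  if ! command -v trivy >/dev/null 2>&1; then
    echo "trivy not installed; skipping scan"
    return 0
  fi
  local work
  work="$(mktemp -d)"
  write_fixture "$work/plain" no
  write_fixture "$work/ignored" yes
  write_precommit_config "$work"
  local rc=0
  scan_dir "$work/plain" || rc=$?
  echo "plain fixture exit code: $rc (expected 1)"
  rc=0
  scan_dir "$work/ignored" || rc=$?
  echo "annotated fixture exit code: $rc (expected 0)"
  rm -rf "$work"
}

demo
```

Run the script from any directory; it only touches a temporary directory. If the annotated fixture still exits with 1, the assumed rule IDs do not match what your Trivy version reports for this resource: copy the IDs from the report into the `#trivy:ignore:` lines, one comment per rule, exactly as the PR describes.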