Merge pull request #262 from nimblehq/feature/gh-227-migrate-from-tfs…

…ec-to-trivy [#227] Migrate from tfsec to Trivy
nimblehq · Mar 7, 2024 · 2dcdafa · 2dcdafa
2 parents 578b971 + a518570
commit 2dcdafa
Show file tree

Hide file tree

Showing 20 changed files with 69 additions and 41 deletions.
diff --git a/.github/wiki/Running-trivy-locally.md b/.github/wiki/Running-trivy-locally.md
@@ -0,0 +1,12 @@
+This project is using Trivy as a vulnerability scanner to replace the role of `tfsec` with some extra benefits:
+1. Access to more languages and features in the same tool.
+2. Access to more integrations with tools and services through the rich ecosystem around Trivy.
+
+## Trivy Local Scan
+
+```bash
+# Project root directory
+trivy config .
+```
+
+For more information, please refer to the [Trivy documentation](https://github.com/aquasecurity/trivy)
diff --git a/.github/wiki/Testing.md b/.github/wiki/Testing.md
@@ -11,4 +11,3 @@ npm run lint // to check linting
 
 npm run lint:fix // to fix linting
 ```
-
diff --git a/.github/wiki/_Sidebar.md b/.github/wiki/_Sidebar.md
@@ -15,3 +15,4 @@
 - [[Testing]]
 - [[Modify the Infrastructure Diagram | Modify infra diagram]]
 - [[Publishing]]
+- [[Running Trivy Locally]]
diff --git a/.github/workflows/test-generated-project.yml b/.github/workflows/test-generated-project.yml
@@ -39,17 +39,12 @@ jobs:
       - name: Generate project
         run: . ./scripts/generateAdvancedAWS.sh
 
-      - name: Install Terraform
-        uses: hashicorp/setup-terraform@v2
-        with:
-          terraform_version: ${{ env.TERRAFORM_VERSION }}
+      - name: Install dependencies from .tool-versions
+        uses: asdf-vm/actions/install@v2
 
       - name: Run Terraform format
         run: terraform fmt -recursive -check
 
-      - name: Run tfsec linter
-        id: tfsec
-        uses: aquasecurity/[email protected]
-        with:
-          version: ${{ env.TFSEC_VERSION }}
-
+      - name: Run trivy scanner
+        working-directory: aws-advanced-test
+        run: trivy config .
diff --git a/.gitignore b/.gitignore
@@ -20,3 +20,6 @@ tsconfig.tsbuildinfo
 
 # Emacs
 .dir-locals.el
+
+# Trivy
+trivy-output.json
diff --git a/src/generators/addons/aws/modules/alb.ts b/src/generators/addons/aws/modules/alb.ts
@@ -58,7 +58,7 @@ const albSGMainContent = dedent`
     }
   }
 
-  # tfsec:ignore:aws-ec2-no-public-ingress-sgr
+  # trivy:ignore:AVD-AWS-0107
   resource "aws_security_group_rule" "alb_ingress_https" {
     type              = "ingress"
     security_group_id = aws_security_group.alb.id
@@ -69,7 +69,7 @@ const albSGMainContent = dedent`
     description       = "From HTTPS to ALB"
   }
 
-  # tfsec:ignore:aws-ec2-no-public-ingress-sgr
+  # trivy:ignore:AVD-AWS-0107
   resource "aws_security_group_rule" "alb_ingress_http" {
     type              = "ingress"
     security_group_id = aws_security_group.alb.id
@@ -80,7 +80,7 @@ const albSGMainContent = dedent`
     description       = "From HTTP to ALB"
   }
 
-  # tfsec:ignore:aws-ec2-no-public-egress-sgr
+  # trivy:ignore:AVD-AWS-0104
   resource "aws_security_group_rule" "alb_egress" {
     type              = "egress"
     security_group_id = aws_security_group.alb.id

diff --git a/src/generators/addons/aws/modules/ecs.ts b/src/generators/addons/aws/modules/ecs.ts
@@ -139,7 +139,7 @@ const ecsSGMainContent = dedent`
     description       = "From internal VPC to app"
   }
 
-  # tfsec:ignore:aws-ec2-no-public-egress-sgr
+  # trivy:ignore:AVD-AWS-0104
   resource "aws_security_group_rule" "ecs_fargate_egress_anywhere" {
     type              = "egress"
     security_group_id = aws_security_group.ecs_fargate.id

diff --git a/src/generators/terraform/index.test.ts b/src/generators/terraform/index.test.ts
@@ -26,6 +26,7 @@ describe('Core codebase', () => {
       const expectedFiles = [
         '.gitignore',
         '.tool-versions',
+        'trivy.yaml',
         'core/main.tf',
         'core/outputs.tf',
         'core/variables.tf',

diff --git a/templates/addons/aws/modules/alb/main.tf b/templates/addons/aws/modules/alb/main.tf
@@ -2,7 +2,7 @@ locals {
   enable_stickiness = false
 }
 
-# tfsec:ignore:aws-elb-alb-not-public
+# trivy:ignore:AVD-AWS-0053
 resource "aws_lb" "main" {
   name               = "${var.env_namespace}-alb"
   internal           = false
@@ -48,7 +48,7 @@ resource "aws_lb_target_group" "target_group" {
   }
 }
 
-# tfsec:ignore:aws-elb-http-not-used
+# trivy:ignore:AVD-AWS-0054
 resource "aws_lb_listener" "app_http" {
   load_balancer_arn = aws_lb.main.arn
   port              = "80"

diff --git a/templates/addons/aws/modules/bastion/main.tf b/templates/addons/aws/modules/bastion/main.tf
@@ -1,4 +1,4 @@
-# tfsec:ignore:aws-ec2-no-public-ip
+# trivy:ignore:AVD-AWS-0009
 resource "aws_launch_configuration" "bastion_instance" {
   name_prefix                 = "${var.env_namespace}-bastion-"
   image_id                    = var.image_id

diff --git a/templates/addons/aws/modules/cloudwatch/main.tf b/templates/addons/aws/modules/cloudwatch/main.tf
@@ -1,4 +1,4 @@
-# tfsec:ignore:aws-cloudwatch-log-group-customer-key
+# trivy:ignore:AVD-AWS-0017
 resource "aws_cloudwatch_log_group" "main" {
   name              = "awslogs-${var.env_namespace}-log-group"
   retention_in_days = var.log_retention_in_days

diff --git a/templates/addons/aws/modules/ecr/main.tf b/templates/addons/aws/modules/ecr/main.tf
@@ -1,4 +1,4 @@
-# tfsec:ignore:aws-ecr-enforce-immutable-repository tfsec:ignore:aws-ecr-repository-customer-key
+# trivy:ignore:AVD-AWS-0031 trivy:ignore:AVD-AWS-0033
 resource "aws_ecr_repository" "main" {
   name = var.env_namespace
 

diff --git a/templates/addons/aws/modules/ecs/main.tf b/templates/addons/aws/modules/ecs/main.tf
@@ -102,7 +102,7 @@ resource "aws_iam_policy" "ecs_task_execution_ssm" {
   policy = local.ecs_task_execution_ssm_policy
 }
 
-# tfsec:ignore:aws-iam-no-policy-wildcards
+# trivy:ignore:AVD-AWS-0057
 resource "aws_iam_policy" "ecs_task_excution_service_scaling" {
   name   = "${var.env_namespace}-ECSAutoScalingPolicy"
   policy = local.ecs_service_scaling_policy

diff --git a/templates/addons/aws/modules/iam_groups/main.tf b/templates/addons/aws/modules/iam_groups/main.tf
@@ -1,14 +1,14 @@
-#tfsec:ignore:aws-iam-enforce-group-mfa
+# trivy:ignore:AVD-AWS-0123
 resource "aws_iam_group" "admin" {
   name = "${var.project_name}-admin-group"
 }
 
-#tfsec:ignore:aws-iam-enforce-group-mfa
+# trivy:ignore:AVD-AWS-0123
 resource "aws_iam_group" "infra-service-account" {
   name = "${var.project_name}-infra-service-account-group"
 }
 
-#tfsec:ignore:aws-iam-enforce-group-mfa
+# trivy:ignore:AVD-AWS-0123
 resource "aws_iam_group" "developer" {
   name = "${var.project_name}-developer-group"
 }
@@ -19,7 +19,7 @@ resource "aws_iam_group_policy_attachment" "admin_access" {
 }
 
 # Policy from https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_my-sec-creds-self-manage.html
-# tfsec:ignore:aws-iam-no-policy-wildcards
+# trivy:ignore:AVD-AWS-0057
 resource "aws_iam_group_policy" "developer_allow_manage_own_credentials" {
   group  = aws_iam_group.developer.name
   policy = local.allow_manage_own_credentials

diff --git a/templates/addons/aws/modules/s3/main.tf b/templates/addons/aws/modules/s3/main.tf
@@ -1,6 +1,6 @@
 data "aws_elb_service_account" "elb_service_account" {}
 
-# tfsec:ignore:aws-s3-enable-versioning tfsec:ignore:aws-s3-enable-bucket-logging tfsec:ignore:aws-s3-encryption-customer-key tfsec:ignore:aws-s3-enable-bucket-encryption
+# trivy:ignore:AVD-AWS-0089 trivy:ignore:AVD-AWS-0132 trivy:ignore:AVD-AWS-0088 trivy:ignore:AVD-AWS-0090
 resource "aws_s3_bucket" "alb_log" {
   bucket        = "${var.env_namespace}-alb-log"
   force_destroy = true

diff --git a/templates/addons/aws/modules/vpc/main.tf b/templates/addons/aws/modules/vpc/main.tf
@@ -1,6 +1,6 @@
 data "aws_availability_zones" "available" {}
 
-# tfsec:ignore:aws-ec2-require-vpc-flow-logs-for-all-vpcs tfsec:ignore:aws-ec2-no-public-ip-subnet
+# trivy:ignore:AVD-AWS-0178 trivy:ignore:AVD-AWS-0164
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
   version = "3.0.0"

diff --git a/templates/addons/versionControl/github/.github/workflows/lint.yml b/templates/addons/versionControl/github/.github/workflows/lint.yml
@@ -3,10 +3,6 @@ name: Lint
 on:
   push:
 
-env:
-  TERRAFORM_VERSION: "1.5.5"
-  TFSEC_VERSION: "v1.28.1"
-
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -25,16 +21,11 @@ jobs:
         with:
           ref: ${{ github.head_ref }}
 
-      - name: Install Terraform
-        uses: hashicorp/setup-terraform@v2
-        with:
-          terraform_version: ${{ env.TERRAFORM_VERSION }}
+      - name: Install dependencies from .tool-versions
+        uses: asdf-vm/actions/install@v2
 
       - name: Run Terraform format
         run: terraform fmt -recursive -check
 
-      - name: Run tfsec linter
-        id: tfsec
-        uses: aquasecurity/[email protected]
-        with:
-          version: ${{ env.TFSEC_VERSION }}
+      - name: Run trivy scanner
+        run: trivy config .
diff --git a/templates/terraform/.tool-versions b/templates/terraform/.tool-versions
@@ -1,2 +1,2 @@
 terraform 1.5.5
-tfsec 1.28.1
+trivy 0.47.0
diff --git a/templates/terraform/gitignore b/templates/terraform/gitignore
@@ -42,3 +42,6 @@ terraform.rc
 
 # Emacs
 .dir-locals.el
+
+# Trivy
+trivy-output.json
diff --git a/templates/terraform/trivy.yaml b/templates/terraform/trivy.yaml
@@ -0,0 +1,23 @@
+timeout: 10m
+dependency-tree: true
+list-all-pkgs: true
+exit-code: 1
+# All severity levels
+severity:
+  - HIGH
+  - CRITICAL
+scan:
+  skip-dirs:
+    - .github/
+    - core/.terraform/
+    - shared/.terraform/
+
+  scanners:
+    - vuln
+    - secret
+
+vulnerability:
+  type:
+    - os
+    - library
+  ignore-unfixed: true
Original file line number	Diff line number	Diff line change
Expand Up		@@ -11,4 +11,3 @@ npm run lint // to check linting

		npm run lint:fix // to fix linting
		```
-Original file line number
+Diff line change
@@ Expand Up / @@ -20,3 +20,6 @@ tsconfig.tsbuildinfo @@
     # Emacs
     .dir-locals.el
+    # Trivy
+    trivy-output.json