[#227] Replace tfsec ignores by trivy's

nimblehq · Nov 24, 2023 · f8cee4c · f8cee4c
1 parent f99f95a
commit f8cee4c
Show file tree

Hide file tree

Showing 11 changed files with 18 additions and 19 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/src/generators/addons/aws/modules/alb.ts b/src/generators/addons/aws/modules/alb.ts
@@ -58,7 +58,7 @@ const albSGMainContent = dedent`
     }
   }
 
-  # tfsec:ignore:aws-ec2-no-public-ingress-sgr
+  # trivy:ignore:AVD-AWS-0107
   resource "aws_security_group_rule" "alb_ingress_https" {
     type              = "ingress"
     security_group_id = aws_security_group.alb.id
@@ -69,7 +69,7 @@ const albSGMainContent = dedent`
     description       = "From HTTPS to ALB"
   }
 
-  # tfsec:ignore:aws-ec2-no-public-ingress-sgr
+  # trivy:ignore:AVD-AWS-0107
   resource "aws_security_group_rule" "alb_ingress_http" {
     type              = "ingress"
     security_group_id = aws_security_group.alb.id
@@ -80,7 +80,7 @@ const albSGMainContent = dedent`
     description       = "From HTTP to ALB"
   }
 
-  # tfsec:ignore:aws-ec2-no-public-egress-sgr
+  # trivy:ignore:AVD-AWS-0104
   resource "aws_security_group_rule" "alb_egress" {
     type              = "egress"
     security_group_id = aws_security_group.alb.id

diff --git a/src/generators/addons/aws/modules/ecs.ts b/src/generators/addons/aws/modules/ecs.ts
@@ -139,7 +139,7 @@ const ecsSGMainContent = dedent`
     description       = "From internal VPC to app"
   }
 
-  # tfsec:ignore:aws-ec2-no-public-egress-sgr
+  # trivy:ignore:AVD-AWS-0104
   resource "aws_security_group_rule" "ecs_fargate_egress_anywhere" {
     type              = "egress"
     security_group_id = aws_security_group.ecs_fargate.id

diff --git a/templates/addons/aws/modules/alb/main.tf b/templates/addons/aws/modules/alb/main.tf
@@ -2,7 +2,7 @@ locals {
   enable_stickiness = false
 }
 
-# tfsec:ignore:aws-elb-alb-not-public
+# trivy:ignore:AVD-AWS-0053
 resource "aws_lb" "main" {
   name               = "${var.env_namespace}-alb"
   internal           = false
@@ -48,7 +48,7 @@ resource "aws_lb_target_group" "target_group" {
   }
 }
 
-# tfsec:ignore:aws-elb-http-not-used
+# trivy:ignore:AVD-AWS-0054
 resource "aws_lb_listener" "app_http" {
   load_balancer_arn = aws_lb.main.arn
   port              = "80"

diff --git a/templates/addons/aws/modules/bastion/main.tf b/templates/addons/aws/modules/bastion/main.tf
@@ -1,4 +1,4 @@
-# tfsec:ignore:aws-ec2-no-public-ip
+# trivy:ignore:AVD-AWS-0009
 resource "aws_launch_configuration" "bastion_instance" {
   name_prefix                 = "${var.env_namespace}-bastion-"
   image_id                    = var.image_id

diff --git a/templates/addons/aws/modules/cloudwatch/main.tf b/templates/addons/aws/modules/cloudwatch/main.tf
@@ -1,4 +1,4 @@
-# tfsec:ignore:aws-cloudwatch-log-group-customer-key
+# trivy:ignore:AVD-AWS-0017
 resource "aws_cloudwatch_log_group" "main" {
   name              = "awslogs-${var.env_namespace}-log-group"
   retention_in_days = var.log_retention_in_days

diff --git a/templates/addons/aws/modules/ecr/main.tf b/templates/addons/aws/modules/ecr/main.tf
@@ -1,4 +1,4 @@
-# tfsec:ignore:aws-ecr-enforce-immutable-repository tfsec:ignore:aws-ecr-repository-customer-key
+# trivy:ignore:AVD-AWS-0031 trivy:ignore:AVD-AWS-0033
 resource "aws_ecr_repository" "main" {
   name = var.env_namespace
 

diff --git a/templates/addons/aws/modules/ecs/main.tf b/templates/addons/aws/modules/ecs/main.tf
@@ -102,7 +102,7 @@ resource "aws_iam_policy" "ecs_task_execution_ssm" {
   policy = local.ecs_task_execution_ssm_policy
 }
 
-# tfsec:ignore:aws-iam-no-policy-wildcards
+# trivy:ignore:AVD-AWS-0057
 resource "aws_iam_policy" "ecs_task_excution_service_scaling" {
   name   = "${var.env_namespace}-ECSAutoScalingPolicy"
   policy = local.ecs_service_scaling_policy

diff --git a/templates/addons/aws/modules/iam_groups/main.tf b/templates/addons/aws/modules/iam_groups/main.tf
@@ -1,14 +1,14 @@
-#tfsec:ignore:aws-iam-enforce-group-mfa
+# trivy:ignore:AVD-AWS-0123
 resource "aws_iam_group" "admin" {
   name = "Admin-group"
 }
 
-#tfsec:ignore:aws-iam-enforce-group-mfa
+# trivy:ignore:AVD-AWS-0123
 resource "aws_iam_group" "bot" {
   name = "Bot-group"
 }
 
-#tfsec:ignore:aws-iam-enforce-group-mfa
+# trivy:ignore:AVD-AWS-0123
 resource "aws_iam_group" "developer" {
   name = "Developer-group"
 }
@@ -18,8 +18,7 @@ resource "aws_iam_group_policy_attachment" "admin_access" {
   policy_arn = data.aws_iam_policy.admin_access.arn
 }
 
-# Policy from https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_my-sec-creds-self-manage.html
-# tfsec:ignore:aws-iam-no-policy-wildcards
+# trivy:ignore:AVD-AWS-0057
 resource "aws_iam_group_policy" "developer_allow_manage_own_credentials" {
   group  = aws_iam_group.developer.name
   policy = local.allow_manage_own_credentials

diff --git a/templates/addons/aws/modules/s3/main.tf b/templates/addons/aws/modules/s3/main.tf
@@ -1,6 +1,6 @@
 data "aws_elb_service_account" "elb_service_account" {}
 
-# tfsec:ignore:aws-s3-enable-versioning tfsec:ignore:aws-s3-enable-bucket-logging tfsec:ignore:aws-s3-encryption-customer-key tfsec:ignore:aws-s3-enable-bucket-encryption
+# trivy:ignore:AVD-AWS-0089 trivy:ignore:AVD-AWS-0132 trivy:ignore:AVD-AWS-0088 trivy:ignore:AVD-AWS-0090
 resource "aws_s3_bucket" "alb_log" {
   bucket        = "${var.env_namespace}-alb-log"
   force_destroy = true

diff --git a/templates/addons/aws/modules/vpc/main.tf b/templates/addons/aws/modules/vpc/main.tf
@@ -1,6 +1,6 @@
 data "aws_availability_zones" "available" {}
 
-# tfsec:ignore:aws-ec2-require-vpc-flow-logs-for-all-vpcs tfsec:ignore:aws-ec2-no-public-ip-subnet
+# trivy:ignore:AVD-AWS-0178 trivy:ignore:AVD-AWS-0164
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
   version = "3.0.0"