[#227] Migrate from tfsec to Trivy #262
Could you add some guidelines to run Trivy locally?
Force-pushed from a50bbc2 to 60e3b42
@nvminhtue it looks like something is not working properly.
When I'm running Trivy locally I'm receiving an exit error without any details:
When Trivy runs on CI there are no errors at all; the CI run is green:
I expected to see errors locally and in CI for the blocks where I removed the ignore statements. Could you please help me figure out what's wrong with my tests?
@Nihisil,
@nvminhtue thank you. After your fix I can receive an error on localhost, but CI is still green. Also I have deleted all Trivy ignore lines, and it shows me only one error. Do we need to keep the ignore lines in that case, or is it a misconfiguration and should it show more errors? Another issue is that it doesn't show where the error is; based on the error message it is impossible to find out where the fix is required. Is it possible to adjust it to show the file and line number? Local output:
CI output:
Not sure how you tried it on your local; everything works fine on my end. To make sure we are on the same page, have you generated a local template and removed the The CI won't run since I couldn't find a way to unbundle the template by script, hence there are no tf files to run through; I believe we can do that in a separate story.
Yep, this is what I did. Can you please check it on this branch: https://github.com/Nihisil/test-infra/tree/test-trivy It shows the error that I provided above, and I'm not sure where the issue is.
We need to ensure it runs on CI, or we should remove it from the linting step of the GH workflow job and create a ticket to add it later. Otherwise, there might be confusion where developers think that Trivy validation is already working in CI.
I created the story here, will work on that first and apply the change to this one, which can ensure that
I'm sorry that I wasn't clear earlier. Trivy isn't working with the generated project, neither on localhost nor on CI for me. This is the most important part. As for the ticket that you created, we have it already: #181
Thanks for pointing me to that story 👍
Maybe for the local Trivy installation we need to do some setup? I just did
Yes, that's pretty much enough; it should work after that 🤔
@nvminhtue please rebase this PR on the develop branch to solve the merge conflicts 🙏
Force-pushed from 77c6dc5 to 01f80b7
Approved ahead with minor suggestions ✅
.github/wiki/Trivy-local-running.md
Outdated
2. Access to more integrations with tools and services through the rich ecosystem around Trivy. | ||
|
||
## Trivy Local Scan | ||
```bash |
```bash | |
```bash |
Minor markdown lint suggestion
.github/wiki/_Sidebar.md
Outdated
@@ -15,3 +15,4 @@ | |||
- [[Testing]] | |||
- [[Modify the Infrastructure Diagram | Modify infra diagram]] | |||
- [[Publishing]] | |||
- [[Trivy Local Running]] |
- [[Trivy Local Running]] | |
- [[Trivy Local Run]] |
or Running Trivy Locally? :)
uses: hashicorp/setup-terraform@v2 | ||
with: | ||
terraform_version: ${{ env.TERRAFORM_VERSION }} | ||
- name: Install dependencies in .tool-versions |
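Review bot: `uses: hashicorp/setup-terraform@v2` in this hunk pins the action to a mutable major tag, so every CI run fetches whatever that tag currently points to; pinning to a full commit SHA (with the version kept in a trailing comment) makes the toolchain reproducible and narrows the supply-chain exposure of the workflow. The same consideration applies to the Trivy setup action this PR introduces.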
- name: Install dependencies in .tool-versions | |
- name: Install dependencies from .tool-versions |
(we don't install the dependencies in the .tool-versions file, but we use the file to install the dependencies).
with: | ||
version: ${{ env.TFSEC_VERSION }} | ||
|
||
- name: Run trivy linter |
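Review bot: the install step just above `- name: Run trivy linter` still reads `version: ${{ env.TFSEC_VERSION }}`, so after this migration an environment variable named for tfsec is what selects the Trivy version; that is misleading and easy to mis-edit later. Rename it (for example to `TRIVY_VERSION`, a hypothetical name) wherever it is defined and referenced in the workflow.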
- name: Run trivy linter | |
- name: Run trivy scanner |
According to the doc, Trivy is more referred to as a scanner, rather than a linter 💭
uses: hashicorp/setup-terraform@v2 | ||
with: | ||
terraform_version: ${{ env.TERRAFORM_VERSION }} | ||
- name: Install dependencies in .tool-versions |
- name: Install dependencies in .tool-versions | |
- name: Install dependencies from .tool-versions |
uses: aquasecurity/[email protected] | ||
with: | ||
version: ${{ env.TFSEC_VERSION }} | ||
- name: Run trivy linter |
- name: Run trivy linter | |
- name: Run trivy scanner |
Updated them all in a518570
What happened 👀
Integrate Trivy, which will replace the current tfsec.
Insight 📝
- trivy config and replace all tfsec's ignorance.
- trivy scanner on.
Proof Of Work 📹
Generate the completed AWS services locally and detect no HIGH or CRITICAL issues.
The example of a failure check without putting the trivy ignores:
CI will fail if the Trivy scan finds any HIGH or CRITICAL severity.
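One way to implement the gate described above (fail the job on any HIGH or CRITICAL finding) while also answering the earlier question about where the error is: an added Python post-processor for Trivy's JSON report, not code from this PR or from Trivy. It assumes the report was produced with `trivy config --format json -o report.json <dir>` and that findings sit under `Results[].Misconfigurations[]` with `CauseMetadata.StartLine`/`EndLine`; the embedded sample report and its check IDs are constructed.

```python
import json
import sys

# Added example, not code from this PR or from Trivy. Assumes the report was
# written by `trivy config --format json -o report.json <dir>` and that each
# finding sits under Results[].Misconfigurations[] with CauseMetadata
# carrying StartLine/EndLine (the layout as the author understands it).
BLOCKING = {"HIGH", "CRITICAL"}

# Constructed sample report with placeholder check IDs, not real scanner output.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "modules/s3/main.tf",
     "Misconfigurations": [
         {"ID": "AVD-EXAMPLE-001", "Title": "Example critical check",
          "Severity": "CRITICAL", "Status": "FAIL",
          "CauseMetadata": {"StartLine": 12, "EndLine": 18}},
         {"ID": "AVD-EXAMPLE-002", "Title": "Example low check",
          "Severity": "LOW", "Status": "FAIL",
          "CauseMetadata": {"StartLine": 30, "EndLine": 31}}]},
    {"Target": "modules/iam/main.tf", "Misconfigurations": []},
]})


def blocking_findings(report_json, blocking=BLOCKING):
    """Return (target, start, end, id, severity, title) for every failed
    check whose severity is in `blocking`; non-FAIL entries are skipped."""
    rows = []
    for result in json.loads(report_json).get("Results", []):
        for m in result.get("Misconfigurations") or []:
            if m.get("Status", "FAIL") != "FAIL" or m["Severity"] not in blocking:
                continue
            cause = m.get("CauseMetadata", {})
            rows.append((result["Target"], cause.get("StartLine"),
                         cause.get("EndLine"), m["ID"], m["Severity"],
                         m.get("Title", "")))
    return rows


def gate(report_json):
    """Print one file:line row per blocking finding; return the CI exit code."""
    rows = blocking_findings(report_json)
    for target, start, end, fid, sev, title in rows:
        print(f"{target}:{start}-{end}  {sev:<8} {fid}  {title}")
    return 1 if rows else 0


if __name__ == "__main__":  # usage: python trivy_gate.py report.json
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(data))
```

Running it in the workflow step right after the scan makes the job fail only on the blocking severities and prints the Terraform file and line range for each hit.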