feat(trivy): Add `terraform_trivy` hook and deprecate `terraform_tfsec` #606

ArnauLlamas · 2023-12-13T12:44:01Z

First of all, thank you so much for your amazing work! ❤️
This is the first time I contribute to this repository so if there is any doubt or anything required to be fixed feel free to let me know it!

Put an x into the box if that apply:

This PR introduces breaking change.
This PR fixes a bug.
This PR adds new functionality.
This PR enhances existing functionality.

Description of your changes

Adds a new Trivy hook.

Fixes #550

How can we test changes

Create a project with a Terraform file that looks like this:

resource "aws_security_group_rule" "my-rule" {
    type        = "ingress"
    cidr_blocks = ["0.0.0.0/0"]
}

When running the hook it shall show two errors with this configuration and how to fix them.
In order to ignore these errors, add a comment per rule on top of the resource specifying it to ignore it:

#trivy:ignore:AVD-AWS-0107
#trivy:ignore:AVD-AWS-0124
resource "aws_security_group_rule" "my-rule" {
    type        = "ingress"
    cidr_blocks = ["0.0.0.0/0"]
}

This shall make the hook to output no errors and, therefore, pass.

The same can be done with trivy binary executing:

trivy conf $(pwd)/path/to/your/file.tf --exit-code=1

Note: The exit-code flag forces the binary to exit with exit code 1 when any missconfiguration is found.

This has been already tested with pre-commit run and pre-commit run --all commands using this configuration in the .pre-commit-config.yaml file:

repos:
  - repo: https://github.com/arnaullamas/pre-commit-terraform
    rev: 4df7df5c2c9ff3840a4afd458e3dca42f23cd38d
    hooks:
      - id: terraform_trivy
        args:
          - --args=--skip-dirs="**/.terragrunt-cache"

Note: The args key is optional but useful if you currently are on a terragrunt project!

yermulnik

I'm not familiar with Trivy, though the code looks good to me.
@MaxymVlasov Would be able to provide more thorough and opinionated review though.

Oops, take my approval back to let Max approve this PR.

MaxymVlasov

Hook works like a charm. A few tiny fixes and ready to go

Dockerfile

README.md

MaxymVlasov · 2023-12-15T14:13:36Z

Also, let me add a deprecation notice to tfsec hook and I'll merge it

README.md

# [1.85.0](v1.84.0...v1.85.0) (2023-12-15) ### Features * **trivy:** Add `terraform_trivy` hook and deprecate `terraform_tfsec` ([#606](#606)) ([f3c819a](f3c819a))

antonbabenko · 2023-12-15T14:54:49Z

This PR is included in version 1.85.0 🎉

ArnauLlamas added 6 commits December 13, 2023 11:48

add trivy hook

8636160

fix(trivy): Dockerfile issues downloading trivy binary

fff6cc2

fix(trivy): Fix trivy execution

8b7fb11

feat(trivy): Add terraform_trivy docker tests

c214931

feat(trivy): Add documentation

4df7df5

fix(trivy): Set correct codes in ignore example

7403b88

ArnauLlamas requested review from MaxymVlasov and yermulnik as code owners December 13, 2023 12:44

yermulnik previously approved these changes Dec 13, 2023

View reviewed changes

fix(trivy): Fix issues found on CICD

2b1d3e6