Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs: adding a terraform tutorial to the docs #3708

Merged
merged 4 commits into from
Aug 27, 2023
Merged

docs: adding a terraform tutorial to the docs #3708

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
7ef8052
adding a terraform tutorial to the docs
AnaisUrlichs Feb 28, 2023
23900e7
modifying Terraform tutorial
AnaisUrlichs Jun 11, 2023
2d4f792
changes to the terraform tutorial in accoradance with the feedback
AnaisUrlichs Jun 26, 2023
128aa2f
updates to the terraform tutorial based on PR feedback
AnaisUrlichs Aug 25, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
129 changes: 129 additions & 0 deletions docs/tutorials/misconfiguration/terraform.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,129 @@
# Scanning Terraform files with Trivy

This tutorial is focused on ways Trivy can scan Terraform IaC configuration files.

A video tutorial on Terraform Misconfiguration scans can be found on the [Aqua Open Source YouTube account.](https://youtu.be/BWp5JLXkbBc)

**A note to tfsec users**
We have been consolidating all of our scanning-related efforts in one place, and that is Trivy. You can read more on the decision in the [tfsec discussions.](https://github.com/aquasecurity/tfsec/discussions/1994)

## Trivy Config Command

Terraform configuration scanning is available as part of the `trivy config` command. This command scans all configuration files for misconfiguration issues. You can find the details within [misconfiguration scans in the Trivy documentation.](https://aquasecurity.github.io/trivy/latest/docs/misconfiguration/scanning/)

Command structure:
```
trivy config <any flags you want to use> <file or directory that you would like to scan>
```

The `trivy config` command can scan Terraform configuration, CloudFormation, Dockerfile, Kubernetes manifests, and Helm Charts for misconfiguration. Trivy will compare the configuration found in the file with a set of best practices.

- If the configuration is following best practices, the check will pass,
- If the configuration does not define the resource of some configuration, Trivy will assume the default configuration for the resource creation is used. In this case, the check might fail.
- If the configuration that has been defined does not follow best practices, the check will fail.

### Prerequisites
Install Trivy on your local machines. The documentation provides several [different installation options.](https://aquasecurity.github.io/trivy/latest/getting-started/installation/)
This tutorial will use this example [Terraform tutorial](https://github.com/Cloud-Native-Security/trivy-demo/tree/main/bad_iac/terraform) for terraform misconfiguration scanning with Trivy.

Git clone the tutorial and cd into the directory:
```
git clone git@github.com:Cloud-Native-Security/trivy-demo.git
cd bad_iac/terraform
```
In this case, the folder only containes Terraform configuration files. However, you could scan a directory that contains several different configurations e.g. Kubernetes YAML manifests, Dockerfile, and Terraform. Trivy will then detect the different configuration files and apply the right rules automatically.

## Different types of `trivy config` scans

Below are several examples of how the trivy config scan can be used.

General Terraform scan with trivy:
```
trivy config <specify the directory>
```

So if we are already in the directory that we want to scan:
```
trivy config ./
```
### Specify the scan format
The `--format` flag changes the way that Trivy displays the scan result:

JSON:
```
trivy config -f json terraform-infra
```

Sarif:
```
trivy config -f sarif terraform-infra
```

### Specifying the output location

The `--output` flag specifies the file location in which the scan result should be saved:

JSON:
```
trivy config -f json -o example.json terraform-infra
```

Sarif:
```
trivy config -f sarif -o example.sarif terraform-infra
```

### Filtering by severity

If you are presented with lots and lots of misconfiguration across different files, you might want to filter or the misconfiguration with the highest severity:

```
trivy config --severity CRITICAL, MEDIUM terraform-infra
```

### Passing tf.tfvars files into `trivy config` scans

You can pass terraform values to Trivy to override default values found in the Terraform HCL code. More information are provided [in the documentation.](https://aquasecurity.github.io/trivy/latest/docs/misconfiguration/options/values/)

```
trivy conf --tf-vars terraform.tfvars ./
```
### Custom Checks

We have lots of examples in the [documentation](https://aquasecurity.github.io/trivy/latest/docs/misconfiguration/custom/) on how you can write and pass custom Rego policies into terraform misconfiguration scans.

## Secret and vulnerability scans

The `trivy config` command does not perform secrete and vulnerability checks out of the box. However, you can specify as part of your `trivy fs` scan that you would like to scan you terraform files for exposed secrets and misconfiguraction through the following flags:

```
trivy fs --scanners secret,config ./
```

The `trivy config` command is a sub-command of the `trivy fs` command. You can learn more about this command in the [documentation.](https://aquasecurity.github.io/trivy/latest/docs/target/filesystem/)

## Scanning Terraform Plan files

Instead of scanning your different Terraform resources individually, you could also scan your terraform plan output before it is deployed for misconfiguration. This will give you insights into any misconfiguration of your resources as they would become deployed. [Here](https://aquasecurity.github.io/trivy/latest/docs/scanner/misconfiguration/custom/examples/#terraform-plan) is the link to the documentation.

First, create a terraform plan and save it to a file:
```
terraform plan --out tfplan.binary
```

Next, convert the file into json format:
```
terraform show -json tfplan.binary > tfplan.json
```

Lastly, scan the file with the `trivy config` command:
```
trivy config ./tfplan.json
```

Note that you need to be able to create a terraform init and plan without any errors.

## Using Trivy in your CI/CD pipeline
Similar to tfsec, Trivy can be used either on local developer machines or integrated into your CI/CD pipeline. There are several steps available for different pipelines, including GitHub Actions, Circle CI, GitLab, Travis and more in the tutorials section of the documentation: [https://aquasecurity.github.io/trivy/latest/tutorials/integrations/](https://aquasecurity.github.io/trivy/latest/tutorials/integrations/)


2 changes: 2 additions & 0 deletions mkdocs.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,8 @@ nav:
- Cluster Scanning: tutorials/kubernetes/cluster-scanning.md
- Kyverno: tutorials/kubernetes/kyverno.md
- GitOps: tutorials/kubernetes/gitops.md
- Misconfiguration:
- Terraform scanning: tutorials/misconfiguration/terraform.md
- Signing:
- Vulnerability Scan Record Attestation: tutorials/signing/vuln-attestation.md
- Shell:
Expand Down