chore: migrated to trivy (#121)

moritzzimmer · web-flow · commit 028f9a1bcb17 · 2024-01-19T09:42:46.000+01:00
diff --git a/.github/workflows/static-analysis.yaml b/.github/workflows/static-analysis.yaml
@@ -64,20 +64,32 @@ jobs:
 
       - run: make tflint
 
-  tfsec:
+  trivy:
     runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        terraform: [ ~1.3 ]
     steps:
       - uses: actions/checkout@v4
 
-      - uses: hashicorp/setup-terraform@v3
-        with:
-          terraform_version: ${{ matrix.terraform }}
-
-      # TODO: check https://github.com/aquasecurity/tfsec-pr-commenter-action/issues/90, this action currently swallows all findings
-      - uses: aquasecurity/tfsec-pr-commenter-action@v1.3.1
+      - name: config
+        run: |
+          cat >> ./trivy.yaml << EOF
+          # see https://aquasecurity.github.io/trivy/latest/docs/references/configuration/config-file/ for reference
+          exit-code: 1
+          exit-on-eol: 1
+          misconfiguration:
+            terraform:
+              exclude-downloaded-modules: true
+          severity:
+            - HIGH
+            - CRITICAL
+          scan:
+            skip-dirs:
+              - "**/.terraform/**/*"
+          EOF
+
+          cat ./trivy.yaml
+
+      - uses: aquasecurity/trivy-action@0.16.1
         with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          tfsec_args: --exclude aws-s3-encryption-customer-key,aws-sns-topic-encryption-use-cmk,aws-sqs-queue-encryption-use-cmk
+          scan-type: 'config'
+          hide-progress: false
+          trivy-config: trivy.yaml
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,15 +1,16 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.83.5
+    rev: v1.86.0
     hooks:
       - id: terraform_fmt
       - id: terraform_validate
         args: ['--envs=AWS_REGION="eu-west-1"']
       - id: terraform_tflint
-      - id: terraform_tfsec
+      - id: terraform_trivy
         args:
-          - --args=--minimum-severity HIGH
-          - --args=--exclude aws-s3-encryption-customer-key,aws-sns-topic-encryption-use-cmk,aws-sqs-queue-encryption-use-cmk
+          - --args=--tf-exclude-downloaded-modules
+          - --args=--skip-dirs "**/.terraform/**/*"
+          - --args=--severity=HIGH,CRITICAL
       - id: terraform_docs
         args:
           - '--args=--lockfile=false'
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -18,7 +18,7 @@ module "lambda" {
   function_name          = random_pet.this.id
   handler                = "index.handler"
   memory_size            = 128
-  runtime                = "nodejs18.x"
+  runtime                = "nodejs20.x"
   publish                = false
   snap_start             = false
   source_code_hash       = module.source.output_base64sha256
diff --git a/examples/container-image/main.tf b/examples/container-image/main.tf
@@ -3,9 +3,10 @@ locals {
   function_name = "example-with-container-images"
 }
 
-#tfsec:ignore:aws-ecr-enforce-immutable-repository
+#trivy:ignore:AVD-AWS-0031
 resource "aws_ecr_repository" "this" {
-  name = local.function_name
+  force_delete = true
+  name         = local.function_name
 
   image_scanning_configuration {
     scan_on_push = true
diff --git a/examples/deployment/complete/codepipeline_step.tf b/examples/deployment/complete/codepipeline_step.tf
@@ -61,7 +61,7 @@ data "aws_iam_policy_document" "custom_codepipeline_step" {
       "s3:GetObjectVersion"
     ]
 
-    #tfsec:ignore:aws-iam-no-policy-wildcards
+    #trivy:ignore:AVD-AWS-0057
     resources = ["${module.deployment.codepipeline_artifact_storage_arn}/deploy/*"]
   }
 }
diff --git a/examples/deployment/complete/main.tf b/examples/deployment/complete/main.tf
@@ -20,7 +20,7 @@ module "lambda" {
   handler                          = "index.handler"
   ignore_external_function_updates = true
   publish                          = true
-  runtime                          = "nodejs18.x"
+  runtime                          = "nodejs20.x"
   s3_bucket                        = aws_s3_bucket.source.bucket
   s3_key                           = local.s3_key
   s3_object_version                = aws_s3_object.initial.version_id
@@ -193,7 +193,8 @@ resource "aws_iam_role_policy_attachment" "traffic_hook" {
 # S3 source and pipeline bucket resources
 # ---------------------------------------------------------------------------------------------------------------------
 
-#tfsec:ignore:aws-s3-enable-bucket-encryption - configure bucket encryption in production!
+#trivy:ignore:AVD-AWS-0088
+#trivy:ignore:AVD-AWS-0132
 resource "aws_s3_bucket" "source" {
   bucket        = "ci-${data.aws_caller_identity.current.account_id}-${data.aws_region.current.name}"
   force_destroy = true
diff --git a/examples/deployment/container-image/main.tf b/examples/deployment/container-image/main.tf
@@ -38,7 +38,7 @@ module "deployment" {
   function_name       = local.function_name
 }
 
-#tfsec:ignore:aws-ecr-enforce-immutable-repository
+#trivy:ignore:AVD-AWS-0031
 resource "aws_ecr_repository" "this" {
   force_delete = true
   name         = local.function_name
diff --git a/examples/deployment/s3/main.tf b/examples/deployment/s3/main.tf
@@ -18,7 +18,7 @@ module "lambda" {
   handler                          = "index.handler"
   ignore_external_function_updates = true
   publish                          = true
-  runtime                          = "nodejs18.x"
+  runtime                          = "nodejs20.x"
   s3_bucket                        = aws_s3_bucket.source.bucket
   s3_key                           = local.s3_key
   s3_object_version                = aws_s3_object.initial.version_id
@@ -52,7 +52,8 @@ module "deployment" {
 # S3 source bucket resources
 # ---------------------------------------------------------------------------------------------------------------------
 
-#tfsec:ignore:aws-s3-enable-bucket-encryption - configure bucket encryption in production!
+#trivy:ignore:AVD-AWS-0088
+#trivy:ignore:AVD-AWS-0132
 resource "aws_s3_bucket" "source" {
   bucket        = "ci-${data.aws_caller_identity.current.account_id}-${data.aws_region.current.name}"
   force_destroy = true
diff --git a/examples/fixtures/context/Dockerfile b/examples/fixtures/context/Dockerfile
@@ -1,4 +1,5 @@
-FROM public.ecr.aws/lambda/nodejs:18
+FROM public.ecr.aws/lambda/nodejs:20
+USER func
 COPY index.js /var/task/
 
 CMD [ "index.handler" ]
diff --git a/examples/with-cloudwatch-event-rules/main.tf b/examples/with-cloudwatch-event-rules/main.tf
@@ -14,7 +14,7 @@ module "lambda" {
   filename         = module.source.output_path
   function_name    = "example-with-cloudwatch-events"
   handler          = "index.handler"
-  runtime          = "nodejs18.x"
+  runtime          = "nodejs20.x"
   source_code_hash = module.source.output_base64sha256
 
   cloudwatch_event_rules = {
diff --git a/examples/with-cloudwatch-logs-subscription/main.tf b/examples/with-cloudwatch-logs-subscription/main.tf
@@ -10,7 +10,7 @@ module "lambda" {
   filename                          = module.source.output_path
   function_name                     = "example-without-cloudwatch-logs-subscription"
   handler                           = "index.handler"
-  runtime                           = "nodejs18.x"
+  runtime                           = "nodejs20.x"
   source_code_hash                  = module.source.output_base64sha256
 
   cloudwatch_log_subscription_filters = {
@@ -32,7 +32,7 @@ module "destination_1" {
   filename                          = module.source.output_path
   function_name                     = "cloudwatch-logs-subscription-destination-1"
   handler                           = "index.handler"
-  runtime                           = "nodejs18.x"
+  runtime                           = "nodejs20.x"
   source_code_hash                  = module.source.output_base64sha256
 }
 
@@ -43,6 +43,6 @@ module "destination_2" {
   filename                          = module.source.output_path
   function_name                     = "cloudwatch-logs-subscription-destination-2"
   handler                           = "index.handler"
-  runtime                           = "nodejs18.x"
+  runtime                           = "nodejs20.x"
   source_code_hash                  = module.source.output_base64sha256
 }
diff --git a/examples/with-event-source-mappings/dynamodb-with-alias/main.tf b/examples/with-event-source-mappings/dynamodb-with-alias/main.tf
@@ -57,7 +57,7 @@ module "lambda" {
   filename         = data.archive_file.dynamodb_handler.output_path
   function_name    = "example-with-dynamodb-event-source-mapping"
   handler          = "index.handler"
-  runtime          = "nodejs18.x"
+  runtime          = "nodejs20.x"
   source_code_hash = data.archive_file.dynamodb_handler.output_base64sha256
 
   event_source_mappings = {
@@ -104,6 +104,7 @@ module "lambda" {
   }
 }
 
+#trivy:ignore:AVD-AWS-0135
 resource "aws_sqs_queue" "errors" {
   kms_master_key_id = "alias/aws/sqs"
   name              = "${module.lambda.function_name}-processing-errors"
diff --git a/examples/with-event-source-mappings/kinesis/main.tf b/examples/with-event-source-mappings/kinesis/main.tf
@@ -29,7 +29,7 @@ module "lambda" {
   filename         = data.archive_file.kinesis_handler.output_path
   function_name    = "example-with-kinesis-event-source-mapping"
   handler          = "index.handler"
-  runtime          = "nodejs18.x"
+  runtime          = "nodejs20.x"
   source_code_hash = data.archive_file.kinesis_handler.output_base64sha256
 
   event_source_mappings = {
diff --git a/examples/with-event-source-mappings/sqs/main.tf b/examples/with-event-source-mappings/sqs/main.tf
@@ -1,8 +1,10 @@
+#trivy:ignore:AVD-AWS-0135
 resource "aws_sqs_queue" "queue_1" {
   kms_master_key_id = "alias/aws/sqs"
   name              = "example-sqs-queue-1"
 }
 
+#trivy:ignore:AVD-AWS-0135
 resource "aws_sqs_queue" "queue_2" {
   kms_master_key_id = "alias/aws/sqs"
   name              = "example-sqs-queue-2"
@@ -25,7 +27,7 @@ module "lambda" {
   filename         = data.archive_file.sqs_handler.output_path
   function_name    = "example-with-sqs-event-source-mapping"
   handler          = "index.handler"
-  runtime          = "nodejs18.x"
+  runtime          = "nodejs20.x"
   source_code_hash = data.archive_file.sqs_handler.output_base64sha256
 
   event_source_mappings = {
diff --git a/examples/with-sns-subscriptions/main.tf b/examples/with-sns-subscriptions/main.tf
@@ -1,8 +1,12 @@
+#trivy:ignore:AVD-AWS-0135
+#trivy:ignore:AVD-AWS-0136
 resource "aws_sns_topic" "topic_1" {
   kms_master_key_id = "alias/aws/sns"
   name              = "example-sns-topic-1"
 }
 
+#trivy:ignore:AVD-AWS-0135
+#trivy:ignore:AVD-AWS-0136
 resource "aws_sns_topic" "topic_2" {
   kms_master_key_id = "alias/aws/sns"
   name              = "example-sns-topic-2"
@@ -30,7 +34,7 @@ module "lambda" {
   filename         = data.archive_file.sns_handler.output_path
   function_name    = "example-with-sns-event"
   handler          = "index.handler"
-  runtime          = "nodejs18.x"
+  runtime          = "nodejs20.x"
   source_code_hash = data.archive_file.sns_handler.output_base64sha256
 
   sns_subscriptions = {
diff --git a/iam.tf b/iam.tf
@@ -84,6 +84,7 @@ data "aws_iam_policy_document" "logs" {
       "logs:PutLogEvents",
     ]
 
+    #trivy:ignore:AVD-AWS-0057
     resources = [
       "${aws_cloudwatch_log_group.lambda.arn}:*"
     ]
diff --git a/modules/deployment/README.md b/modules/deployment/README.md
@@ -127,7 +127,7 @@ module "lambda" {
   handler                          = "index.handler"
   ignore_external_function_updates = true
   publish                          = true
-  runtime                          = "nodejs18.x"
+  runtime                          = "nodejs20.x"
   s3_bucket                        = aws_s3_object.source.bucket
   s3_key                           = local.s3_key
   s3_object_version                = aws_s3_object.source.version_id
diff --git a/modules/deployment/main.tf b/modules/deployment/main.tf
@@ -167,6 +167,8 @@ resource "aws_s3_bucket" "pipeline" {
   tags          = var.tags
 }
 
+#trivy:ignore:AVD-AWS-0135
+#trivy:ignore:AVD-AWS-0132
 resource "aws_s3_bucket_server_side_encryption_configuration" "pipeline" {
   count = var.codepipeline_artifact_store_bucket == "" ? 1 : 0
 
diff --git a/modules/deployment/notification.tf b/modules/deployment/notification.tf
@@ -27,7 +27,7 @@ resource "aws_codestarnotifications_notification_rule" "notification" {
   }
 }
 
-#tfsec:ignore:aws-sns-enable-topic-encryption
+#trivy:ignore:AVD-AWS-0095
 resource "aws_sns_topic" "notifications" {
   count = var.codestar_notifications_enabled && var.codestar_notifications_target_arn == "" ? 1 : 0
 

Original file line number	Diff line number	Diff line change
`@@ -61,7 +61,7 @@ data "aws_iam_policy_document" "custom_codepipeline_step" {`
`61`	`61`	`"s3:GetObjectVersion"`
`62`	`62`	`]`
`63`	`63`
`64`		`- #tfsec:ignore:aws-iam-no-policy-wildcards`
	`64`	`+ #trivy:ignore:AVD-AWS-0057`
`65`	`65`	`resources = ["${module.deployment.codepipeline_artifact_storage_arn}/deploy/*"]`
`66`	`66`	`}`
`67`	`67`	`}`
Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,7 @@ module "deployment" {`
`38`	`38`	`function_name = local.function_name`
`39`	`39`	`}`
`40`	`40`
`41`		`-#tfsec:ignore:aws-ecr-enforce-immutable-repository`
	`41`	`+#trivy:ignore:AVD-AWS-0031`
`42`	`42`	`resource "aws_ecr_repository" "this" {`
`43`	`43`	`force_delete = true`
`44`	`44`	`name = local.function_name`