chore: migrated to trivy and bumped tflint rules (#137)

moritzzimmer · web-flow · commit bd76bcc567a8 · 2024-05-31T13:21:14.000+02:00
diff --git a/.github/workflows/static-analysis.yaml b/.github/workflows/static-analysis.yaml
@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        terraform: [ ~1.3 ]
+        terraform: [ 1.5.6, ~ 1.8 ]
     steps:
       - uses: actions/checkout@v4
 
@@ -31,7 +31,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        terraform: [ ~1.3 ]
+        terraform: [ 1.5.6, ~ 1.8 ]
     steps:
       - uses: actions/checkout@v4
 
@@ -45,7 +45,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        terraform: [ ~1.3 ]
+        terraform: [ 1.5.6, ~ 1.8 ]
     steps:
       - uses: actions/checkout@v4
 
@@ -68,7 +68,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        terraform: [ ~1.3 ]
+        terraform: [ 1.5.6, ~ 1.8 ]
     steps:
       - uses: actions/checkout@v4
 
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.88.4
+    rev: v1.90.0
     hooks:
       - id: terraform_fmt
       - id: terraform_validate
@@ -15,7 +15,7 @@ repos:
         args:
           - '--args=--lockfile=false'
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.5.0
+    rev: v4.6.0
     hooks:
       - id: check-merge-conflict
       - id: trailing-whitespace
diff --git a/.tflint.hcl b/.tflint.hcl
@@ -1,10 +1,10 @@
 config {
-  module = true
+  call_module_type = "all"
 }
 
 plugin "aws" {
   enabled = true
-  version = "0.27.0"
+  version = "0.31.0"
   source  = "github.com/terraform-linters/tflint-ruleset-aws"
 }
 
diff --git a/Makefile b/Makefile
@@ -24,7 +24,7 @@ NEXT_TAG 			:= v$(NEXT_VERSION)
 STACKS = $(shell find . -not -path "*/\.*" -iname "*.tf" | sed -E "s|/[^/]+$$||" | sort --unique)
 ROOT_DIR := $(shell pwd)
 
-all: fmt validate tflint tfsec
+all: fmt validate tflint trivy
 
 .PHONY: fmt
 fmt: ## Rewrites Terraform files to canonical format
@@ -50,14 +50,9 @@ tflint: ## Runs tflint on all Terraform files
 		tflint -chdir=$$s -f compact --config $(ROOT_DIR)/.tflint.hcl || exit 1; \
 	done;
 
-.PHONY: tfsec
-tfsec: ## Runs tfsec on all Terraform files
+trivy: ## Runs trivy on all Terraform files
 	@echo "+ $@"
-	@for s in $(STACKS); do \
-		echo "tfsec $$s"; \
-		terraform -chdir=$$s init -backend=false > /dev/null; \
-		tfsec --custom-check-dir $$s --concise-output --minimum-severity HIGH --exclude aws-s3-encryption-customer-key,aws-sns-topic-encryption-use-cmk,aws-sqs-queue-encryption-use-cmk || exit 1; \
-	done;
+	@trivy config  --exit-code 1 --severity HIGH --tf-exclude-downloaded-modules .
 
 .PHONY: providers
 providers: ## Upgrades all providers and platform independent dependency locks (slow)

Original file line number	Diff line number	Diff line change
`@@ -1,10 +1,10 @@`
`1`	`1`	`config {`
`2`		`- module = true`
	`2`	`+ call_module_type = "all"`
`3`	`3`	`}`
`4`	`4`
`5`	`5`	`plugin "aws" {`
`6`	`6`	`enabled = true`
`7`		`- version = "0.27.0"`
	`7`	`+ version = "0.31.0"`
`8`	`8`	`source = "github.com/terraform-linters/tflint-ruleset-aws"`
`9`	`9`	`}`
`10`	`10`