ci: Add Trivy and gitleaks (#18)

sebastianczech · Nov 6, 2024 · 0e8d0fe · 0e8d0fe
1 parent 69dfb24
commit 0e8d0fe
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 0 deletions.
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
@@ -50,6 +50,14 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
+      - name: Install Trivy
+        run: |
+          sudo apt-get install wget apt-transport-https gnupg lsb-release
+          wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
+          echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
+          sudo apt-get update
+          sudo apt-get install trivy
+
       - name: Terraform min/max versions
         id: minMax
         uses: clowdhaus/terraform-min-max@v1.3.1
@@ -81,6 +89,14 @@ jobs:
           ref: ${{ github.event.pull_request.head.ref }}
           repository: ${{github.event.pull_request.head.repo.full_name}}
 
+      - name: Install Trivy
+        run: |
+          sudo apt-get install wget apt-transport-https gnupg lsb-release
+          wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
+          echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
+          sudo apt-get update
+          sudo apt-get install trivy
+
       - name: Terraform min/max versions
         id: minMax
         uses: clowdhaus/terraform-min-max@v1.3.1

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -7,6 +7,10 @@ repos:
       - id: trailing-whitespace
       - id: check-yaml
       - id: check-added-large-files
+-   repo: https://github.com/gitleaks/gitleaks
+    rev: v8.21.0
+    hooks:
+      - id: gitleaks
 -   repo: https://github.com/antonbabenko/pre-commit-terraform
     rev: v1.92.1
     hooks:
@@ -34,6 +38,9 @@ repos:
         args:
           - --hook-config=--retry-once-with-cleanup=true
           - --tf-init-args=-upgrade
+      - id: terraform_trivy
+        args:
+          - '--args=--ignorefile=__GIT_WORKING_DIR__/.trivyignore'
       ### below action lock the terraform providers versions
       ### it can done also by command:
       ### terraform providers lock -platform=linux_arm64 -platform=linux_amd64 -platform=darwin_amd64

diff --git a/.trivyignore b/.trivyignore