chore: use trivy instead of tfsec

also:
* bumped tf version in pipeline to 1.7
* bumped cache action

.github/workflows/static-analysis.yaml

@@ -14,11 +14,11 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        terraform: [ ~1.3.0 ]
+        terraform: [ ~1.7 ]
     steps:
       - uses: actions/checkout@v4
 
-      - uses: actions/cache@v3
+      - uses: actions/cache@v4
         with:
           path: ~/.tflint.d/plugins
           key: ${{ matrix.os }}-tflint-${{ hashFiles('.tflint.hcl') }}
@@ -37,9 +37,27 @@ jobs:
 
       - run: make tflint
 
-      - name: Terraform security scan
-        uses: aquasecurity/[email protected]
+      - name: trivy config
+        run: |
+          cat >> ./trivy.yaml << EOF
+          # see https://aquasecurity.github.io/trivy/latest/docs/references/configuration/config-file/ for reference
+          exit-code: 1
+          exit-on-eol: 1
+          misconfiguration:
+            terraform:
+              exclude-downloaded-modules: true
+          severity:
+            - HIGH
+            - CRITICAL
+          scan:
+            skip-dirs:
+              - "**/.terraform/**/*"
+          EOF
+
+          cat ./trivy.yaml
+
+      - uses: aquasecurity/[email protected]
         with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          tfsec_args: '--force-all-dirs --exclude-downloaded-modules --minimum-severity HIGH'
-          working_dir: ''
+          scan-type: 'config'
+          hide-progress: false
+          trivy-config: trivy.yaml

.pre-commit-config.yaml

@@ -7,9 +7,11 @@ repos:
         args:
           - --init-args=-backend=false
       - id: terraform_tflint
-      - id: terraform_tfsec
+      - id: terraform_trivy
         args:
-          - --args=--minimum-severity HIGH --exclude-downloaded-modules
+          - --args=--tf-exclude-downloaded-modules
+          - --args=--skip-dirs "**/.terraform/**/*"
+          - --args=--severity=HIGH,CRITICAL
       - id: terraform_docs
         args:
           - '--args=--lockfile=false'