diff --git a/.github/workflows/static-analysis.yaml b/.github/workflows/static-analysis.yaml
index aa520ac..7dafa72 100644
--- a/.github/workflows/static-analysis.yaml
+++ b/.github/workflows/static-analysis.yaml
@@ -14,11 +14,11 @@ jobs:
 runs-on: ubuntu-latest
 strategy:
 matrix:
- terraform: [ ~1.3.0 ]
+ terraform: [ ~1.7 ]
 steps:
 - uses: actions/checkout@v4
- - uses: actions/cache@v3
+ - uses: actions/cache@v4
 with:
 path: ~/.tflint.d/plugins
 key: ${{ matrix.os }}-tflint-${{ hashFiles('.tflint.hcl') }}
@@ -37,9 +37,27 @@ jobs:
 - run: make tflint
- - name: Terraform security scan
- uses: aquasecurity/tfsec-pr-commenter-action@v1.3.1
+ - name: trivy config
+ run: |
+ cat >> ./trivy.yaml << EOF
+ # see https://aquasecurity.github.io/trivy/latest/docs/references/configuration/config-file/ for reference
+ exit-code: 1
+ exit-on-eol: 1
+ misconfiguration:
+ terraform:
+ exclude-downloaded-modules: true
+ severity:
+ - HIGH
+ - CRITICAL
+ scan:
+ skip-dirs:
+ - "**/.terraform/**/*"
+ EOF
+ cat ./trivy.yaml
+ - uses: aquasecurity/trivy-action@0.16.1
 with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
- tfsec_args: '--force-all-dirs --exclude-downloaded-modules --minimum-severity HIGH'
- working_dir: ''
+ scan-type: 'config'
+ hide-progress: false
+ trivy-config: trivy.yaml
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 8314a81..7609e25 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -7,9 +7,11 @@ repos:
 args:
 - --init-args=-backend=false
 - id: terraform_tflint
- - id: terraform_tfsec
+ - id: terraform_trivy
 args:
- - --args=--minimum-severity HIGH --exclude-downloaded-modules
+ - --args=--tf-exclude-downloaded-modules
+ - --args=--skip-dirs "**/.terraform/**/*"
+ - --args=--severity=HIGH,CRITICAL
 - id: terraform_docs
 args:
 - '--args=--lockfile=false'
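Review bot: `aquasecurity/trivy-action@0.16.1` (like the `actions/cache@v4` and `actions/checkout@v4` lines earlier in this file) is pinned to a mutable tag, so the scanner that gates this job can change underneath it without a diff here; pin third-party actions to a full commit SHA and keep the tag as a comment, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha>  # 0.16.1`. The `cat >> ./trivy.yaml` append will silently produce duplicate keys (last value wins) if a `trivy.yaml` is ever checked in or the step is rerun in the same workspace; `cat > ./trivy.yaml << 'EOF'` writes the intended file and the quoted delimiter also stops the shell from expanding anything inside the heredoc. The removed tfsec step posted findings to the PR, whereas the new step only fails the job, so if findings should remain visible consider `format: 'sarif'` with an `output:` file and a code-scanning upload step. The job these steps belong to starts outside the hunk.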
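Review bot: The pre-commit hook and the CI step now encode the scan policy twice and differently — the workflow's generated `trivy.yaml` also sets `exit-on-eol: 1`, while this hook only forwards the module exclusion, skip-dirs and severity — so local and CI results can diverge over time; committing one `trivy.yaml` and passing `--args=--config=trivy.yaml` here would keep a single source of truth. On the `--args=--skip-dirs "**/.terraform/**/*"` line, whether the double quotes are stripped or forwarded literally as part of the pattern depends on how the hook splits `--args`, which is not visible here; verify the rendered trivy command once locally, because a pattern carrying literal quotes matches nothing and the scan would then walk the `.terraform` trees this change intends to skip.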