tfsec is joining the Trivy family #1994
Replies: 7 comments 16 replies
-
What are the steps to transition from tfsec to trivy? I did: |
Beta Was this translation helpful? Give feedback.
-
We are using tfsec marketplace task : https://marketplace.visualstudio.com/items?itemName=tfsec.tfsec |
Beta Was this translation helpful? Give feedback.
-
Is there a migration path for aquasecurity/tfsec-pr-commenter-action? |
Beta Was this translation helpful? Give feedback.
-
Is there any documentation on how I found this page but I didn't see anything about comments https://github.com/aquasecurity/tfsec/blob/master/tfsec-to-trivy-migration-guide.md |
Beta Was this translation helpful? Give feedback.
-
Is there more advanced documentation regarding the migration tfsec custom checks to trivy policies (repo policies)? I tried converting a simple custom check without any success: ---
checks:
- code: missing-default-tags
description: Custom check to ensure default tags are set on AWS Providers
requiredTypes:
- provider
requiredLabels:
- aws
severity: MEDIUM
matchSpec:
name: default_tags
action: isPresent
subMatch:
action: and
predicateMatchSpec:
- action: contains
name: tags
value: TAG_1
- action: contains
name: tags
value: TAG_2
errorMessage: |
The missing tags helps structure ..... From what I see in the code when initialising the repo scanner, the terraform always sets the source to cloud (rego is initialized with source rego): regoScanner := rego.NewScanner(types.SourceCloud, s.options...)
regoScanner.SetParentDebugLogger(s.debug) Also before applying the rego rules, an adapt is applied: adaptationTime := time.Now()
infra := adapter.Adapt(modules)
metrics.Timings.Adaptation = time.Since(adaptationTime)
e.debug.Log("Adapted %d module(s) into defsec state data.", len(modules)) And at this point seems that we're bounded to what we can get, and it doesn't seem possible to actually validate default tags. |
Beta Was this translation helpful? Give feedback.
-
Hello, what about trivy with pre-commit as replacement of tfsec? |
Beta Was this translation helpful? Give feedback.
-
Here is an open issue and open PR for approval if Aqua want tfsec people start moving to Trivy. thank you! |
Beta Was this translation helpful? Give feedback.
-
As part of our goal to provide a comprehensive open source security solution for all, we have been consolidating all of our scanning-related efforts in one place, and that is Trivy. Over the past year, tfsec has laid the foundations to Trivy's IaC & misconfigurations scanning capabilities, including Terraform scanning, which has been natively supported in Trivy for a long time now.
Going forward we want to encourage the tfsec community to transition over to Trivy. Moving to Trivy gives you the same excellent Terraform scanning engine, with some extra benefits:
tfsec will continue to remain available for the time being, although our engineering attention will be directed at Trivy going forward.
Beta Was this translation helpful? Give feedback.
All reactions