Feature/trivy

.github/workflows/code-scanning.yml

@@ -41,28 +41,32 @@ jobs:
         uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
         with:
           sarif_file: tflint.sarif
-  tfsec:
-    name: tfsec
-    runs-on: ubuntu-latest
+  trivy:
     permissions:
-      actions: read
-      contents: read
-      security-events: write
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status.
+    name: trivy
+    runs-on: ubuntu-latest
     steps:
-      - name: Clone repo
+      - name: Checkout
         uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55
         with:
-          token: '${{ secrets.GITHUB_TOKEN }}'
-          fetch-depth: 0
-      - name: Run tfsec
-        uses: aquasecurity/tfsec-action@b466648d6e39e7c75324f25d83891162a721f2d6 # v1.0.3
-        with:
-          additional_args: '--format sarif --out tfsec.sarif --exclude aws-ssm-secret-use-customer-key,github-repositories-private,aws-vpc-no-excessive-port-access,github-repositories-require-signed-commits'
-      - name: Upload SARIF file
+          scan-type: 'fs'
+          scanners: misconfig,vuln,secret
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+          trivyignores: ./.trivyignore.yaml
+
+      - name: Upload Trivy scan results to GitHub Security tab
         if: success() || failure()
         uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
         with:
-          sarif_file: tfsec.sarif
+          sarif_file: 'trivy-results.sarif'
   checkov:
     name: checkov
     runs-on: ubuntu-latest

.github/workflows/terraform-static-analysis.yml

@@ -20,35 +20,48 @@ jobs:
     runs-on: ubuntu-latest
     if: github.event_name != 'workflow_dispatch'
     steps:
-    - name: Checkout
-      uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
-      with:
-        fetch-depth: 0
-    - name: Run Analysis
-      uses: ministryofjustice/github-actions/terraform-static-analysis@7c689fe2de15e1692f5cceceb132919ab854081c # v14
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      with:
-        scan_type: single
-        tfsec_exclude: AWS089, AWS099, AWS009, AWS097, AWS018
-        checkov_exclude: CKV_GIT_1
+      - name: Checkout
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+        with:
+          fetch-depth: 0
+      - name: Run Analysis
+        uses: ministryofjustice/github-actions/terraform-static-analysis@bdab1cff6d23336b6d5adc662fb57af72f0ae160 # v17.1.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          scan_type: changed
+          trivy_severity: HIGH,CRITICAL
+          trivy_ignore: ./.trivyignore.yaml
+          checkov_exclude: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
+          tflint_exclude: terraform_unused_declarations
+          tflint_call_module_type: none
+          tfsec_trivy: trivy
 
   terraform-static-analysis-full-scan:
     permissions:
+      contents: read
+      actions: read
+      security-events: write
       pull-requests: write
     name: Terraform Static Analysis - scan all directories
     runs-on: ubuntu-latest
     if: github.event_name == 'workflow_dispatch'
     steps:
-    - name: Checkout
-      uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
-      with:
-        fetch-depth: 0
-    - name: Run Analysis
-      uses: ministryofjustice/github-actions/terraform-static-analysis@7c689fe2de15e1692f5cceceb132919ab854081c # v14
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      with:
-        scan_type: full
-        tfsec_exclude: AWS089, AWS099, AWS009, AWS097, AWS018
-        checkov_exclude: CKV_GIT_1
+      - name: Checkout
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+        with:
+          fetch-depth: 0
+      - name: Run Analysis
+        uses: ministryofjustice/github-actions/terraform-static-analysis@bdab1cff6d23336b6d5adc662fb57af72f0ae160 # v17.1.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          scan_type: full
+          tfsec_trivy: trivy
+          trivy_skip_dir: ""
+          trivy_severity: HIGH,CRITICAL
+          trivy_ignore: ./.trivyignore.yaml
+          tfsec_exclude: aws-ssm-secret-use-customer-key,github-repositories-private,aws-vpc-no-excessive-port-access,github-repositories-require-signed-commits
+          checkov_exclude: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
+          tflint_exclude: terraform_unused_declarations
+          tflint_call_module_type: none

.trivyignore.yaml

@@ -0,0 +1,45 @@
+vulnerabilities:
+  - id: GHSA-m425-mq94-257g
+  - id: CVE-2017-20146
+  - id: CVE-2019-11253
+  - id: CVE-2020-8558
+  - id: CVE-2020-10675
+  - id: CVE-2020-15114
+    expired_at: 2024-08-20
+    statement: "Review in 6 months"
+  - id: CVE-2020-26160
+  - id: CVE-2020-35381
+  - id: CVE-2021-25741
+  - id: CVE-2021-30465
+  - id: CVE-2021-38561
+  - id: CVE-2021-43565
+  - id: CVE-2021-43816
+  - id: CVE-2022-1996
+  - id: CVE-2022-21698
+  - id: CVE-2022-23648
+  - id: CVE-2022-24778
+  - id: CVE-2022-27191
+  - id: CVE-2022-27664
+  - id: CVE-2022-32149
+  - id: CVE-2022-41723
+  - id: CVE-2023-3676
+  - id: CVE-2023-3955
+  - id: CVE-2023-5528
+  - id: CVE-2023-37788
+  - id: CVE-2023-39325
+  - id: CVE-2024-15114
+    expired_at: 2024-08-19
+    statement: "Review in 6 months"
+  - id: CVE-2024-21626
+    expired_at: 2024-08-19
+    statement: "Review in 6 months"
+
+misconfigurations:
+  - id: AVD-GIT-0001
+  - id: AVD-AWS-0031
+  - id: AVD-AWS-0039
+  - id: AVD-AWS-0057
+
+secrets:
+
+licenses: