Merge pull request #136 from ministryofjustice/feature/trivy
Feature/trivy
dms1981 authored Apr 30, 2024
2 parents 5006b11 + aa11cb8 commit 6c140bd
Showing 3 changed files with 104 additions and 44 deletions.
36 changes: 20 additions & 16 deletions .github/workflows/code-scanning.yml
Expand Up @@ -41,28 +41,32 @@ jobs:
uses: github/codeql-action/upload-sarif@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3
with:
sarif_file: tflint.sarif
tfsec:
name: tfsec
runs-on: ubuntu-latest
trivy:
permissions:
actions: read
contents: read
security-events: write
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status.
name: trivy
runs-on: ubuntu-latest
steps:
- name: Clone repo
- name: Checkout
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4

- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55
with:
token: '${{ secrets.GITHUB_TOKEN }}'
fetch-depth: 0
- name: Run tfsec
uses: aquasecurity/tfsec-action@b466648d6e39e7c75324f25d83891162a721f2d6 # v1.0.3
with:
additional_args: '--format sarif --out tfsec.sarif --exclude aws-ssm-secret-use-customer-key,github-repositories-private,aws-vpc-no-excessive-port-access,github-repositories-require-signed-commits'
- name: Upload SARIF file
scan-type: 'fs'
scanners: misconfig,vuln,secret
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
trivyignores: ./.trivyignore.yaml

- name: Upload Trivy scan results to GitHub Security tab
if: success() || failure()
uses: github/codeql-action/upload-sarif@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3
uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
with:
sarif_file: tfsec.sarif
sarif_file: 'trivy-results.sarif'
checkov:
name: checkov
runs-on: ubuntu-latest
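Review bot: The Trivy upload step pins github/codeql-action/upload-sarif to cdcdbb579706841c47f7063dda365e292e5cad7a (v2.13.4) while the tflint job in the same workflow, visible as context at the top of this hunk, uses d39d31e687223d841ef683f52467bd88e9b21c14 (v3.25.3), so the new job steps back a major version of the same action; unless the older release is needed for a reason, use the same ref: `uses: github/codeql-action/upload-sarif@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3`. The aquasecurity/trivy-action ref is SHA-pinned but, unlike every other action in this file, carries no `# vX.Y.Z` comment, which makes the pin hard to review and to bump, so add the release tag it corresponds to. The `severity` list is spelled `'CRITICAL,HIGH'` here and `HIGH,CRITICAL` in terraform-static-analysis.yml; harmless, but one spelling is easier to grep. Dropping `fetch-depth: 0` from checkout is fine for an `fs` scan of the working tree.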
67 changes: 39 additions & 28 deletions .github/workflows/terraform-static-analysis.yml
Expand Up @@ -6,8 +6,8 @@ on:
branches:
- main
paths:
- "**.tf"
- ".github/workflows/terraform-static-analysis.yml"
- '**.tf'
- '.github/workflows/terraform-static-analysis.yml'

permissions:
contents: read
Expand All @@ -20,37 +20,48 @@ jobs:
runs-on: ubuntu-latest
if: github.event_name != 'workflow_dispatch'
steps:
- name: Checkout
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
fetch-depth: 0
- name: Run Analysis
uses: ministryofjustice/github-actions/terraform-static-analysis@7855159a5c3a9bcd658207c894cc4ed22bd35a22 #15.3.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
scan_type: single
tfsec_exclude: aws-cloudwatch-log-group-customer-key, aws-iam-no-policy-wildcards, aws-vpc-no-public-egress-sgr, aws-iam-block-kms-policy-wildcard, aws-vpc-add-description-to-security-group
checkov_exclude: CKV_GIT_1
tflint_call_module_type: none
- name: Checkout
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
fetch-depth: 0
- name: Run Analysis
uses: ministryofjustice/github-actions/terraform-static-analysis@bdab1cff6d23336b6d5adc662fb57af72f0ae160 # v17.1.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
scan_type: changed
trivy_severity: HIGH,CRITICAL
trivy_ignore: ./.trivyignore.yaml
checkov_exclude: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
tflint_exclude: terraform_unused_declarations
tflint_call_module_type: none
tfsec_trivy: trivy

terraform-static-analysis-full-scan:
permissions:
contents: read
actions: read
security-events: write
pull-requests: write
name: Terraform Static Analysis - scan all directories
runs-on: ubuntu-latest
if: github.event_name == 'workflow_dispatch'
steps:
- name: Checkout
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
fetch-depth: 0
- name: Run Analysis
uses: ministryofjustice/github-actions/terraform-static-analysis@7855159a5c3a9bcd658207c894cc4ed22bd35a22 # v15.3.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
scan_type: full
tfsec_exclude: aws-cloudwatch-log-group-customer-key, aws-iam-no-policy-wildcards, aws-vpc-no-public-egress-sgr, aws-iam-block-kms-policy-wildcard, aws-vpc-add-description-to-security-group
checkov_exclude: CKV_GIT_1
tflint_call_module_type: none
- name: Checkout
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
fetch-depth: 0
- name: Run Analysis
uses: ministryofjustice/github-actions/terraform-static-analysis@bdab1cff6d23336b6d5adc662fb57af72f0ae160 # v17.1.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
scan_type: full
tfsec_trivy: trivy
trivy_skip_dir: ""
trivy_severity: HIGH,CRITICAL
trivy_ignore: ./.trivyignore.yaml
tfsec_exclude: aws-ssm-secret-use-customer-key,github-repositories-private,aws-vpc-no-excessive-port-access,github-repositories-require-signed-commits
checkov_exclude: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
tflint_exclude: terraform_unused_declarations
tflint_call_module_type: none
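Review bot: The full-scan job keeps `tfsec_exclude` even though both jobs now set `tfsec_trivy: trivy`, while the changed-files job drops it and only the full scan sets `trivy_skip_dir: ""`; whether the action still honours tfsec-style rule IDs in trivy mode is not visible here, so either confirm and document it or align the two `with:` blocks so the duplicated inputs cannot drift. Neither job records why `CKV_AWS_126`, `CKV2_AWS_38`, `CKV2_AWS_39` and `terraform_unused_declarations` are excluded; a one-line comment per exclusion such as `# CKV_AWS_126: <reason and ticket>` keeps each suppression reviewable. A comment above `trivy_skip_dir: ""` should also say whether the empty string is meant to override a non-empty default in the action, since that is the only reason to pass it explicitly.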
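--- /dev/null
+++ b/.trivyignore.yaml
@@ -0,0 +1,45 @@
+vulnerabilities:
+  - id: GHSA-m425-mq94-257g
+  - id: CVE-2017-20146
+  - id: CVE-2019-11253
+  - id: CVE-2020-8558
+  - id: CVE-2020-10675
+  - id: CVE-2020-15114
+    expired_at: 2024-08-20
+    statement: "Review in 6 months"
+  - id: CVE-2020-26160
+  - id: CVE-2020-35381
+  - id: CVE-2021-25741
+  - id: CVE-2021-30465
+  - id: CVE-2021-38561
+  - id: CVE-2021-43565
+  - id: CVE-2021-43816
+  - id: CVE-2022-1996
+  - id: CVE-2022-21698
+  - id: CVE-2022-23648
+  - id: CVE-2022-24778
+  - id: CVE-2022-27191
+  - id: CVE-2022-27664
+  - id: CVE-2022-32149
+  - id: CVE-2022-41723
+  - id: CVE-2023-3676
+  - id: CVE-2023-3955
+  - id: CVE-2023-5528
+  - id: CVE-2023-37788
+  - id: CVE-2023-39325
+  - id: CVE-2024-15114
+    expired_at: 2024-08-19
+    statement: "Review in 6 months"
+  - id: CVE-2024-21626
+    expired_at: 2024-08-19
+    statement: "Review in 6 months"
+
+misconfigurations:
+  - id: AVD-GIT-0001
+  - id: AVD-AWS-0031
+  - id: AVD-AWS-0039
+  - id: AVD-AWS-0057
+
+secrets:
+
+licenses: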
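Review bot: Of the 32 suppressed findings only three (CVE-2020-15114, CVE-2024-15114, CVE-2024-21626) carry `expired_at` and `statement`; the remaining vulnerability and misconfiguration IDs are open-ended risk acceptances with no recorded rationale, so they will never resurface for review. Give every entry an `expired_at` and a `statement` saying why it is accepted, e.g. `statement: "<component> — <reason>, re-review <date>"`, and where a finding is confined to one dependency or directory, scope it with Trivy's `paths` field so the suppression does not also cover future unrelated hits. `CVE-2024-15114` with a 2024-08-19 expiry sits a few lines below `CVE-2020-15114` with a 2024-08-20 expiry and looks like it may be a mistyped duplicate of that ID; worth confirming the 2024 identifier is the one intended. `secrets:` and `licenses:` are bare keys that parse as null; `secrets: []` and `licenses: []` state the intent explicitly.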
