

bump pre-commit checks and move to trivy (#95)
* bump pre-commit checks and move to trivy

* fix trivy

* update check

* update check

* update check

* update check
cdaniluk authored Sep 18, 2024
1 parent 9b3ba04 commit d3dc675
Showing 13 changed files with 64 additions and 87 deletions.
1 change: 1 addition & 0 deletions .github/workflows/pre-commit.yaml
Expand Up @@ -3,6 +3,7 @@ name: pre-commit-check
on:
push:
branches:
- main
- master
- prod
- develop
4 changes: 2 additions & 2 deletions .github/workflows/pullRequest.yaml
Expand Up @@ -24,7 +24,7 @@ jobs:
terraform_tflint_deep,
no-commit-to-branch,
terraform_tflint_nocreds,
terraform_tfsec
terraform_trivy
tflint:
runs-on: ubuntu-latest
steps:
Expand All @@ -41,7 +41,7 @@ jobs:
filter_mode: added
flags: --module
level: error
tfsec:
trivy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
26 changes: 0 additions & 26 deletions .github/workflows/tfsec.yaml

This file was deleted.

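--- a/.github/workflows/trivy.yaml
+++ b/.github/workflows/trivy.yaml
@@ -0,0 +1,31 @@
+---
+name: trivy
+on:
+push:
+branches:
+- master
+
+jobs:
+trivy:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v2
+- name: Install prerequisites
+run: ./bin/install-ubuntu.sh
+- name: Terraform init
+run: terraform init --backend=false
+- name: Trivy scan
+uses: aquasecurity/trivy-action@master
+with:
+scan-type: 'config'
+hide-progress: false
+format: 'sarif'
+output: 'trivy-results.sarif'
+exit-code: '1'
+ignore-unfixed: true
+severity: 'CRITICAL,HIGH'
+
+- name: Upload Trivy scan results to GitHub Security tab
+uses: github/codeql-action/upload-sarif@v2
+with:
+sarif_file: 'trivy-results.sarif'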
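Review bot: `uses: aquasecurity/trivy-action@master` runs whatever the action's default branch holds at scan time, so the step that gates master and feeds the Security tab is itself unpinned, while the other two actions in this file are at least held to a major tag (`actions/checkout@v2`, `github/codeql-action/upload-sarif@v2`); pin it to a release tag or, better, a full commit SHA with a version comment. Separately, `exit-code: '1'` fails the job whenever CRITICAL/HIGH findings exist, and the upload step then never runs, so results reach the Security tab only when there is nothing to report — give that step `if: always()`. upload-sarif also needs `security-events: write`, which the default `GITHUB_TOKEN` only carries when the repository's workflow permissions are set permissively, so declaring a `permissions:` block makes the requirement explicit and drops everything else to read. Finally, `terraform init --backend=false` populates `.terraform/` with downloaded modules that this scan does not skip, unlike the `--skip-dirs` given to the pre-commit hook in .pre-commit-config.yaml, so third-party module findings will be attributed to this repository.

```yaml
name: trivy
# … unchanged: on/push/branches …
permissions:
  contents: read
  security-events: write
# … unchanged: jobs/trivy/runs-on, checkout, install prerequisites, terraform init …
      - name: Trivy scan
        uses: aquasecurity/trivy-action@<PINNED_TAG_OR_SHA>  # placeholder: pin to a release tag or full commit SHA
        with:
          skip-dirs: '.terraform'
          # … unchanged: scan-type, hide-progress, format, output, exit-code, ignore-unfixed, severity …
      - name: Upload Trivy scan results to GitHub Security tab
        if: always()
        # … unchanged: uses/with/sarif_file …
```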
2 changes: 0 additions & 2 deletions .gitignore
Expand Up @@ -13,5 +13,3 @@

# temp folders
tmp

.terraform.lock.hcl
61 changes: 13 additions & 48 deletions .pre-commit-config.yaml
@@ -1,70 +1,35 @@
exclude: ".terraform"
repos:
- repo: https://github.com/antonbabenko/pre-commit-terraform
rev: v1.92.1
rev: v1.92.2
hooks:
- id: terraform_docs
always_run: true
- id: terraform_fmt
- id: terraform_validate
args:
- --hook-config=--retry-once-with-cleanup=true
exclude: ^examples
- id: terraform_tflint
alias: terraform_tflint_nocreds
exclude: ^examples
name: terraform_tflint_nocreds
- id: terraform_tfsec
- repo: local
hooks:
- id: terraform_validate
name: terraform_validate
entry: |
bash -c '
AWS_DEFAULT_REGION=us-east-1
declare -a DIRS
for FILE in "$@"
do
DIRS+=($(dirname "$FILE"))
done
for DIR in $(printf "%s\n" "${DIRS[@]}" | sort -u)
do
cd $(dirname "$FILE")
terraform init --backend=false
terraform validate .
cd ..
done
'
language: system
verbose: true
files: \.tf(vars)?$
exclude: examples
- id: tflock
name: provider_locks
entry: |
bash -c '
AWS_DEFAULT_REGION=us-east-1
declare -a DIRS
for FILE in "$@"
do
DIRS+=($(dirname "$FILE"))
done
for DIR in $(printf "%s\n" "${DIRS[@]}" | sort -u)
do
cd $(dirname "$FILE")
terraform providers lock -platform=windows_amd64 -platform=darwin_amd64 -platform=linux_amd64
cd ..
done
'
language: system
verbose: true
files: \.tf(vars)?$
exclude: examples
- id: terraform_trivy
args:
- --args=--skip-dirs="**/.terraform,examples/*"
- id: terraform_providers_lock
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.6.0
hooks:
- id: check-added-large-files
- id: check-case-conflict
- id: check-json
- id: check-merge-conflict
- id: check-symlinks
- id: check-yaml
args:
- --unsafe
- id: detect-private-key
- id: end-of-file-fixer
- id: mixed-line-ending
args:
Expand All @@ -86,4 +51,4 @@ repos:
- --markdown-linebreak-ext=md
exclude: README.md
ci:
skip: [terraform_docs, terraform_fmt, terraform_tflint, terraform_tfsec, tflock]
skip: [terraform_docs, terraform_fmt, terraform_validate, terraform_tflint, terraform_trivy, terraform_providers_lock]
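Review bot: The `--args=--skip-dirs="**/.terraform,examples/*"` passed to the new terraform_trivy hook excludes `examples/` from the local misconfiguration scan, so the Terraform that downstream users are most likely to copy is the one part of the repository the hook never checks; the master workflow in .github/workflows/trivy.yaml runs the same scan type without a skip list, so local and CI results can disagree. If the exclusion is intentional, record the reason next to the argument, for example `# examples/ skipped: <reason>`, so the next maintainer does not widen it further; otherwise keep only `**/.terraform` in the list. The second hunk (`ci: skip:`) also skips terraform_trivy and terraform_providers_lock on pre-commit.ci, which is expected since both need local binaries, but it means the GitHub workflows are the only place these two checks are actually enforced.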
2 changes: 1 addition & 1 deletion .terraform-version
@@ -1 +1 @@
latest:^1.1
latest:^1.6
6 changes: 6 additions & 0 deletions .tflint.hcl
Expand Up @@ -2,6 +2,12 @@ config {
module = true
}

plugin "aws" {
enabled = true
version = "0.30.0"
source = "github.com/terraform-linters/tflint-ruleset-aws"
}

rule "terraform_deprecated_interpolation" {
enabled = true
}
2 changes: 1 addition & 1 deletion LICENSE
@@ -1,6 +1,6 @@
MIT License

Copyright (c) 2020 Rhythmic Technologies, Inc.
Copyright (c) 2024 Rhythmic Technologies, Inc.

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -2,7 +2,7 @@
Template repository for terraform modules. Good for any cloud and any provider.

[![tflint](https://github.com/rhythmictech/terraform-terraform-template/workflows/tflint/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-terraform-template/actions?query=workflow%3Atflint+event%3Apush+branch%3Amaster)
[![tfsec](https://github.com/rhythmictech/terraform-terraform-template/workflows/tfsec/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-terraform-template/actions?query=workflow%3Atfsec+event%3Apush+branch%3Amaster)
[![trivy](https://github.com/rhythmictech/terraform-terraform-template/workflows/trivy/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-terraform-template/actions?query=workflow%3Atrivy+event%3Apush+branch%3Amaster)
[![yamllint](https://github.com/rhythmictech/terraform-terraform-template/workflows/yamllint/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-terraform-template/actions?query=workflow%3Ayamllint+event%3Apush+branch%3Amaster)
[![misspell](https://github.com/rhythmictech/terraform-terraform-template/workflows/misspell/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-terraform-template/actions?query=workflow%3Amisspell+event%3Apush+branch%3Amaster)
[![pre-commit-check](https://github.com/rhythmictech/terraform-terraform-template/workflows/pre-commit-check/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-terraform-template/actions?query=workflow%3Apre-commit-check+event%3Apush+branch%3Amaster)
Expand Down Expand Up @@ -32,7 +32,7 @@ No providers.

| Name | Source | Version |
|------|--------|---------|
| <a name="module_tags"></a> [tags](#module\_tags) | rhythmictech/tags/terraform | ~> 1.1.0 |
| <a name="module_tags"></a> [tags](#module\_tags) | rhythmictech/tags/terraform | ~> 1.1 |

## Resources

5 changes: 2 additions & 3 deletions bin/install-macos.sh
Expand Up @@ -2,9 +2,8 @@

echo 'installing brew packages'
brew update
brew tap liamg/tfsec
brew install tfenv tflint terraform-docs pre-commit liamg/tfsec/tfsec coreutils
brew upgrade tfenv tflint terraform-docs pre-commit liamg/tfsec/tfsec coreutils
brew install tfenv tflint terraform-docs aquasecurity/trivy/trivy pre-commit coreutils
brew upgrade tfenv tflint terraform-docs aquasecurity/trivy/trivy pre-commit coreutils

echo 'installing pre-commit hooks'
pre-commit install
5 changes: 4 additions & 1 deletion bin/install-ubuntu.sh
Expand Up @@ -7,7 +7,7 @@ pip3 install pre-commit
# terraform docs
mkdir tmp
cd tmp
curl -Lo ./terraform-docs.tar.gz https://github.com/terraform-docs/terraform-docs/releases/download/v0.16.0/terraform-docs-v0.16.0-$(uname)-amd64.tar.gz
curl -Lo ./terraform-docs.tar.gz https://github.com/terraform-docs/terraform-docs/releases/download/v0.18.0/terraform-docs-v0.18.0-$(uname)-amd64.tar.gz
tar -xzf terraform-docs.tar.gz
chmod +x terraform-docs
sudo mv terraform-docs /usr/bin/
Expand All @@ -30,3 +30,6 @@ pre-commit init-templatedir ~/.git-template

echo 'installing terraform with tfenv'
tfenv install

wget https://github.com/aquasecurity/trivy/releases/download/v0.54.1/trivy_0.54.1_Linux-64bit.deb
sudo dpkg -i trivy_0.54.1_Linux-64bit.deb
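Review bot: The new `wget …/trivy_0.54.1_Linux-64bit.deb` followed by `sudo dpkg -i` installs the scanner as root without verifying what was downloaded, and the bumped terraform-docs `curl -Lo` in the first hunk of this file has the same gap; this script is also what `.github/workflows/trivy.yaml` runs before its scan, so a substituted binary would execute inside CI with the job's repository access. Trivy publishes a checksum file with each release: fetch it next to the `.deb`, run `sha256sum -c --ignore-missing <release-checksums-file>` (placeholder for that file's name) and only then call `dpkg -i`, applying the same pattern to the terraform-docs tarball. The script header is outside the hunk, so whether `set -e` is in effect and a failed check would abort the install cannot be seen here; if it is not, an explicit `|| exit 1` on the check is needed.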
2 changes: 1 addition & 1 deletion main.tf
@@ -1,7 +1,7 @@

module "tags" {
source = "rhythmictech/tags/terraform"
version = "~> 1.1.0"
version = "~> 1.1"

enforce_case = "UPPER"
names = [var.name]
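Review bot: Loosening the tags module constraint from `~> 1.1.0` to `~> 1.1` widens what `terraform init` may fetch from any 1.1.x patch release to any 1.x minor release, and unlike providers, module versions are not recorded in `.terraform.lock.hcl` (which this commit appears to stop ignoring), so every init resolves the newest matching release of `rhythmictech/tags/terraform`. If the broader range is wanted so template consumers pick up new tag features, say so on the line: `version = "~> 1.1" # any 1.x release; modules are not covered by the dependency lock file`. Otherwise keep the patch-level pin and bump it deliberately.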
