From d3dc675b0a1d2af2e45cd667e964fb221d6febf2 Mon Sep 17 00:00:00 2001
From: Cris Daniluk <cdaniluk@rhythmictech.com>
Date: Wed, 18 Sep 2024 11:47:53 -0400
Subject: [PATCH] bump pre-commit checks and move to trivy (#95)
* bump pre-commit checks and move to trivy
* fix trivy
* update check
* update check
* update check
* update check
---
 .github/workflows/pre-commit.yaml | 1 +
 .github/workflows/pullRequest.yaml | 4 +-
 .github/workflows/tfsec.yaml | 26 -------------
 .github/workflows/trivy.yaml | 31 +++++++++++++++
 .gitignore | 2 -
 .pre-commit-config.yaml | 61 +++++++----------------------
 .terraform-version | 2 +-
 .tflint.hcl | 6 +++
 LICENSE | 2 +-
 README.md | 4 +-
 bin/install-macos.sh | 5 +--
 bin/install-ubuntu.sh | 5 ++-
 main.tf | 2 +-
 13 files changed, 64 insertions(+), 87 deletions(-)
 delete mode 100644 .github/workflows/tfsec.yaml
 create mode 100644 .github/workflows/trivy.yaml
diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml
index 398767c..daf3160 100644
--- a/.github/workflows/pre-commit.yaml
+++ b/.github/workflows/pre-commit.yaml
@@ -3,6 +3,7 @@ name: pre-commit-check on: push: branches: + - main - master - prod - develop
diff --git a/.github/workflows/pullRequest.yaml b/.github/workflows/pullRequest.yaml
index 8f1eba5..101b621 100644
--- a/.github/workflows/pullRequest.yaml
+++ b/.github/workflows/pullRequest.yaml
@@ -24,7 +24,7 @@ jobs: terraform_tflint_deep, no-commit-to-branch, terraform_tflint_nocreds, - terraform_tfsec + terraform_trivy tflint: runs-on: ubuntu-latest steps:
@@ -41,7 +41,7 @@ jobs: filter_mode: added flags: --module level: error - tfsec: + trivy: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2
diff --git a/.github/workflows/tfsec.yaml b/.github/workflows/tfsec.yaml
deleted file mode 100644
index 2f75a3e..0000000
--- a/.github/workflows/tfsec.yaml
+++ /dev/null
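Review bot: The renamed `trivy:` job in `.github/workflows/pullRequest.yaml` shows only its checkout step inside the hunk; the scan step that actually runs is outside it, so it is worth confirming that step now invokes trivy rather than the former tfsec reviewdog action, otherwise only the job label and the skip list changed. The context line `uses: actions/checkout@v2` is an old major of that action, and the new `trivy.yaml` in this same commit uses the same version; bumping both to a current major (or a pinned commit SHA) at the same time keeps the workflows consistent. The `pre-commit.yaml` hunk on this line adds `main` to its push triggers, so the branch lists across the three workflows now deserve a quick consistency check.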
@@ -1,26 +0,0 @@ ---- -name: tfsec -on: - push: - branches: - - main - - master - - prod - - develop - -jobs: - tfsec: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - name: Install prerequisites - run: ./bin/install-ubuntu.sh - - name: Terraform init - run: terraform init --backend=false - - name: tfsec - uses: reviewdog/action-tfsec@master - with: - github_token: ${{ secrets.GITHUB_TOKEN }} - reporter: github-check - filter_mode: nofilter - level: error
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
new file mode 100644
index 0000000..53a9d16
--- /dev/null
+++ b/.github/workflows/trivy.yaml
@@ -0,0 +1,31 @@ +--- +name: trivy +on: + push: + branches: + - master + +jobs: + trivy: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Install prerequisites + run: ./bin/install-ubuntu.sh + - name: Terraform init + run: terraform init --backend=false + - name: Trivy scan + uses: aquasecurity/trivy-action@master + with: + scan-type: 'config' + hide-progress: false + format: 'sarif' + output: 'trivy-results.sarif' + exit-code: '1' + ignore-unfixed: true + severity: 'CRITICAL,HIGH' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results.sarif'
diff --git a/.gitignore b/.gitignore
index 74c83e8..371d818 100644
--- a/.gitignore
+++ b/.gitignore
@@ -13,5 +13,3 @@ # temp folders tmp - -.terraform.lock.hcl
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 0b856e7..f209b71 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
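Review bot: In the new `.github/workflows/trivy.yaml`, the `Upload Trivy scan results to GitHub Security tab` step never runs when the scan finds something, because `exit-code: '1'` fails the preceding `Trivy scan` step and later steps are skipped after a failure by default; add `if: always()` to the upload step so the SARIF reaches the Security tab precisely when there are findings. The `upload-sarif` action also needs `security-events: write`, which this workflow does not request — add a top-level `permissions:` block with `contents: read` and `security-events: write` if the repository's default token permissions are read-only. `aquasecurity/trivy-action@master` tracks a moving branch, so the scanner that runs is not reproducible; pin it to a release tag or commit SHA. The trigger lists only `master`, whereas the deleted tfsec workflow ran on main, master, prod and develop, so branch coverage shrinks with this swap.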
@@ -1,63 +1,27 @@ exclude: ".terraform" repos: - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.92.1 + rev: v1.92.2 hooks: - id: terraform_docs always_run: true - id: terraform_fmt + - id: terraform_validate + args: + - --hook-config=--retry-once-with-cleanup=true + exclude: ^examples - id: terraform_tflint alias: terraform_tflint_nocreds + exclude: ^examples name: terraform_tflint_nocreds - - id: terraform_tfsec - - repo: local - hooks: - - id: terraform_validate - name: terraform_validate - entry: | - bash -c ' - AWS_DEFAULT_REGION=us-east-1 - declare -a DIRS - for FILE in "$@" - do - DIRS+=($(dirname "$FILE")) - done - for DIR in $(printf "%s\n" "${DIRS[@]}" | sort -u) - do - cd $(dirname "$FILE") - terraform init --backend=false - terraform validate . - cd .. - done - ' - language: system - verbose: true - files: \.tf(vars)?$ - exclude: examples - id: tflock - name: provider_locks - entry: | - bash -c ' - AWS_DEFAULT_REGION=us-east-1 - declare -a DIRS - for FILE in "$@" - do - DIRS+=($(dirname "$FILE")) - done - for DIR in $(printf "%s\n" "${DIRS[@]}" | sort -u) - do - cd $(dirname "$FILE") - terraform providers lock -platform=windows_amd64 -platform=darwin_amd64 -platform=linux_amd64 - cd .. - done - ' - language: system - verbose: true - files: \.tf(vars)?$ - exclude: examples + - id: terraform_trivy + args: + - --args=--skip-dirs="**/.terraform,examples/*" + - id: terraform_providers_lock - repo: https://github.com/pre-commit/pre-commit-hooks rev: v4.6.0 hooks: + - id: check-added-large-files - id: check-case-conflict - id: check-json - id: check-merge-conflict
@@ -65,6 +29,7 @@ repos: - id: check-yaml args: - --unsafe + - id: detect-private-key - id: end-of-file-fixer - id: mixed-line-ending args:
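Review bot: `terraform_providers_lock` is added with no `args`, so it locks only the platform of whoever runs the hook, whereas the removed local `tflock` hook pinned windows_amd64, darwin_amd64 and linux_amd64; since `.terraform.lock.hcl` stops being ignored in this same commit, the committed lock file will lack hashes for the other platforms and `terraform init` there will reject the provider against the lock file. Restore the platform list with an `args:` sequence of `--args=-platform=windows_amd64`, `--args=-platform=darwin_amd64` and `--args=-platform=linux_amd64` under that hook. The removed local `terraform_validate` hook also exported `AWS_DEFAULT_REGION=us-east-1`; if any module here has a provider block without a region, the replacement hook may need the equivalent via its `--env-vars` option, which is worth confirming on a clean checkout rather than assuming.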
@@ -86,4 +51,4 @@ repos: - --markdown-linebreak-ext=md exclude: README.md ci: - skip: [terraform_docs, terraform_fmt, terraform_tflint, terraform_tfsec, tflock] + skip: [terraform_docs, terraform_fmt, terraform_validate, terraform_tflint, terraform_trivy, terraform_providers_lock]
diff --git a/.terraform-version b/.terraform-version
index 4f20ea7..5a13b33 100644
--- a/.terraform-version
+++ b/.terraform-version
@@ -1 +1 @@ -latest:^1.1 +latest:^1.6
diff --git a/.tflint.hcl b/.tflint.hcl
index 854fb92..c700b79 100644
--- a/.tflint.hcl
+++ b/.tflint.hcl
@@ -2,6 +2,12 @@ config { module = true } +plugin "aws" { + enabled = true + version = "0.30.0" + source = "github.com/terraform-linters/tflint-ruleset-aws" +} + rule "terraform_deprecated_interpolation" { enabled = true }
diff --git a/LICENSE b/LICENSE
index 3fe5c34..9f1b0ba 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,6 +1,6 @@ MIT License -Copyright (c) 2020 Rhythmic Technologies, Inc. +Copyright (c) 2024 Rhythmic Technologies, Inc. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal
diff --git a/README.md b/README.md
index e693e78..168691f 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@ Template repository for terraform modules. Good for any cloud and any provider. [![tflint](https://github.com/rhythmictech/terraform-terraform-template/workflows/tflint/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-terraform-template/actions?query=workflow%3Atflint+event%3Apush+branch%3Amaster) -[![tfsec](https://github.com/rhythmictech/terraform-terraform-template/workflows/tfsec/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-terraform-template/actions?query=workflow%3Atfsec+event%3Apush+branch%3Amaster) +[![trivy](https://github.com/rhythmictech/terraform-terraform-template/workflows/trivy/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-terraform-template/actions?query=workflow%3Atrivy+event%3Apush+branch%3Amaster) [![yamllint](https://github.com/rhythmictech/terraform-terraform-template/workflows/yamllint/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-terraform-template/actions?query=workflow%3Ayamllint+event%3Apush+branch%3Amaster) [![misspell](https://github.com/rhythmictech/terraform-terraform-template/workflows/misspell/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-terraform-template/actions?query=workflow%3Amisspell+event%3Apush+branch%3Amaster) [![pre-commit-check](https://github.com/rhythmictech/terraform-terraform-template/workflows/pre-commit-check/badge.svg?branch=master&event=push)](https://github.com/rhythmictech/terraform-terraform-template/actions?query=workflow%3Apre-commit-check+event%3Apush+branch%3Amaster)
@@ -32,7 +32,7 @@ No providers. | Name | Source | Version | |------|--------|---------| -| <a name="module_tags"></a> [tags](#module\_tags) | rhythmictech/tags/terraform | ~> 1.1.0 | +| <a name="module_tags"></a> [tags](#module\_tags) | rhythmictech/tags/terraform | ~> 1.1 | ## Resources
diff --git a/bin/install-macos.sh b/bin/install-macos.sh
index 3800165..349bb9d 100755
--- a/bin/install-macos.sh
+++ b/bin/install-macos.sh
@@ -2,9 +2,8 @@ echo 'installing brew packages' brew update -brew tap liamg/tfsec -brew install tfenv tflint terraform-docs pre-commit liamg/tfsec/tfsec coreutils -brew upgrade tfenv tflint terraform-docs pre-commit liamg/tfsec/tfsec coreutils +brew install tfenv tflint terraform-docs aquasecurity/trivy/trivy pre-commit coreutils +brew upgrade tfenv tflint terraform-docs aquasecurity/trivy/trivy pre-commit coreutils echo 'installing pre-commit hooks' pre-commit install
diff --git a/bin/install-ubuntu.sh b/bin/install-ubuntu.sh
index 670d0b9..331e45b 100755
--- a/bin/install-ubuntu.sh
+++ b/bin/install-ubuntu.sh
@@ -7,7 +7,7 @@ pip3 install pre-commit # terraform docs mkdir tmp cd tmp -curl -Lo ./terraform-docs.tar.gz https://github.com/terraform-docs/terraform-docs/releases/download/v0.16.0/terraform-docs-v0.16.0-$(uname)-amd64.tar.gz +curl -Lo ./terraform-docs.tar.gz https://github.com/terraform-docs/terraform-docs/releases/download/v0.18.0/terraform-docs-v0.18.0-$(uname)-amd64.tar.gz tar -xzf terraform-docs.tar.gz chmod +x terraform-docs sudo mv terraform-docs /usr/bin/
@@ -30,3 +30,6 @@ pre-commit init-templatedir ~/.git-template echo 'installing terraform with tfenv' tfenv install + +wget https://github.com/aquasecurity/trivy/releases/download/v0.54.1/trivy_0.54.1_Linux-64bit.deb +sudo dpkg -i trivy_0.54.1_Linux-64bit.deb
diff --git a/main.tf b/main.tf
index b0bc3ba..6b99d12 100644
--- a/main.tf
+++ b/main.tf
@@ -1,7 +1,7 @@ module "tags" { source = "rhythmictech/tags/terraform" - version = "~> 1.1.0" + version = "~> 1.1" enforce_case = "UPPER" names = [var.name]
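Review bot: The two lines added at the end of `bin/install-ubuntu.sh` install a downloaded package with no integrity check — `wget` followed directly by `sudo dpkg -i` installs whatever arrived, as root, so a truncated or substituted download is not caught. Download to a temporary path, compare the file against the SHA-256 digest published with that release before `dpkg -i`, and delete it afterwards; as written the `.deb` is left in whatever the working directory is at that point (the earlier `cd tmp` in this file suggests that is not the repo root, but the lines in between are outside the hunk). `Linux-64bit` also hard-codes the amd64 build, matching the existing terraform-docs line, so the script fails at this step on arm64 hosts. Carrying the version in one variable keeps the URL and filename from drifting apart, which matters more here because the macOS script installs trivy unpinned through brew and the two hosts can already diverge.
```shell
# … unchanged: tfenv install …
TRIVY_VERSION="0.54.1"
TRIVY_DEB="trivy_${TRIVY_VERSION}_Linux-64bit.deb"
TRIVY_DEB_PATH="$(mktemp -d)/${TRIVY_DEB}"
wget -q -O "${TRIVY_DEB_PATH}" \
  "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/${TRIVY_DEB}"
# <EXPECTED_SHA256> is a placeholder: fill in the digest published for this file with the release
echo "<EXPECTED_SHA256>  ${TRIVY_DEB_PATH}" | sha256sum -c -
sudo dpkg -i "${TRIVY_DEB_PATH}"
rm -f "${TRIVY_DEB_PATH}"
```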