Skip to content

Commit

Permalink
Upgrade CI, trivy, remove checkov
Browse files Browse the repository at this point in the history
  • Loading branch information
brandoncruz3 committed Mar 21, 2024
1 parent 4aaa0b8 commit 822e1a1
Show file tree
Hide file tree
Showing 6 changed files with 39 additions and 49 deletions.
7 changes: 3 additions & 4 deletions .github/ci-versions.env
Original file line number Diff line number Diff line change
@@ -1,4 +1,3 @@
TERRAGRUNT_VERSION=v0.38.7
TERRAFORM_VERSION=1.2.6
TFSEC_VERSION=v1.27.1
TFLINT_VERSION=v0.39.2
TERRAFORM_VERSION=1.5.6
TRIVY_VERSION=v1.27.1
TFLINT_VERSION=v0.50.3
49 changes: 20 additions & 29 deletions .github/workflows/tf-ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -29,8 +29,8 @@ jobs:
- name: Import CI .env file
uses: cardinalby/export-env-action@v1
with:
envFile: '.github/ci-versions.env'
expand: 'true'
envFile: ".github/ci-versions.env"
expand: "true"

- name: Install Terraform
uses: hashicorp/setup-terraform@v2
Expand All @@ -56,39 +56,30 @@ jobs:
- name: Import CI .env file
uses: cardinalby/export-env-action@v1
with:
envFile: '.github/ci-versions.env'
expand: 'true'
envFile: ".github/ci-versions.env"
expand: "true"

- name: Install Terraform
uses: hashicorp/setup-terraform@v2
with:
terraform_wrapper: false
terraform_version: ${{ env.TERRAFORM_VERSION }}

- name: Setup tfsec
run: |
wget https://github.com/aquasecurity/tfsec/releases/download/${{ env.TFSEC_VERSION }}/tfsec-linux-amd64
chmod +x tfsec-linux-amd64
sudo mv tfsec-linux-amd64 /usr/local/bin/tfsec
- name: Run tfsec
shell: bash --noprofile --norc -exo pipefail {0}
run: tfsec .

checkov:
runs-on: ubuntu-latest
steps:
- name: Checkout repo
uses: actions/checkout@v2

- name: checkov
id: checkov
uses: bridgecrewio/checkov-action@c9e3e20671a02850d20e1b1dae97e34b39ff9b37
- name: Run Trivy vulnerability scanner in IaC mode
uses: aquasecurity/trivy-action@master
with:
scan-type: "config"
hide-progress: false
format: "sarif"
output: "trivy-results.sarif"
exit-code: "1"
ignore-unfixed: true
severity: "CRITICAL,HIGH"

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
quiet: true
framework: terraform
output_format: github_failed_only # optional: the output format, one of: cli, json, junitxml, github_failed_only
download_external_modules: true
sarif_file: "trivy-results.sarif"

validate:
runs-on: ubuntu-latest
Expand All @@ -99,8 +90,8 @@ jobs:
- name: Import CI .env file
uses: cardinalby/export-env-action@v1
with:
envFile: '.github/ci-versions.env'
expand: 'true'
envFile: ".github/ci-versions.env"
expand: "true"

- name: Install Terraform
uses: hashicorp/setup-terraform@v2
Expand Down
22 changes: 11 additions & 11 deletions .pre-commit-config.yaml
Original file line number Diff line number Diff line change
@@ -1,12 +1,12 @@
repos:
# Run terraform fmt to fix our terraform styling
# Run terraform docs to generate documentation for our terraform code
# Run tflint to lint our terraform code
# Run tfsec to scan our terraform code for security problems
- repo: git://github.com/antonbabenko/pre-commit-terraform
rev: v1.62.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
hooks:
- id: terraform_fmt
- id: terraform_docs
- id: terraform_tflint
- id: terraform_tfsec
# Run terraform fmt to fix our terraform styling
# Run terraform docs to generate documentation for our terraform code
# Run tflint to lint our terraform code
# Run tfsec to scan our terraform code for security problems
- repo: https://github.com/antonbabenko/pre-commit-terraform
rev: v1.88.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
hooks:
- id: terraform_fmt
- id: terraform_docs
- id: terraform_tflint
- id: terraform_trivy
5 changes: 3 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -11,13 +11,14 @@ The module also supports passing in a custom IAM policy document (typically gene

| Name | Version |
|------|---------|
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.0.0, < 5.0.0 |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0.0 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.0.0, < 5.0.0 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0.0 |

## Modules

Expand Down
2 changes: 0 additions & 2 deletions iam-preset-poweruseraccess.tf
Original file line number Diff line number Diff line change
Expand Up @@ -7,8 +7,6 @@ resource "aws_iam_role_policy_attachment" "PowerUserAccess" {
}

data "aws_iam_policy_document" "PowerUserIAMAccess" {
# checkov:skip=CKV_AWS_109:This role is needed if using a role that needs limited IAM write access, even if it does allow permission escalation
# checkov:skip=CKV_AWS_110:This role is needed if using a role that needs limited IAM write access, even if it does allow permission escalation
statement {
effect = "Allow"
actions = [
Expand Down
3 changes: 2 additions & 1 deletion versions.tf
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,8 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 3.0.0, < 5.0.0"
version = ">= 5.0.0"
}
}
required_version = ">= 1.0.0"
}

0 comments on commit 822e1a1

Please sign in to comment.