feat: implement trivy scanning of terraform modules (issues ignored)

camunda · Jan 14, 2025 · 9a65e23 · 9a65e23
1 parent aecaa07
commit 9a65e23
Show file tree

Hide file tree

Showing 5 changed files with 29 additions and 0 deletions.
diff --git a/.lint/trivy/trivy-scan.sh b/.lint/trivy/trivy-scan.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+set -euxo pipefail
+
+# list of the folders that we want to parse, only if a README.md exists and no .trivy_ignore
+for dir in $(find modules -type d -maxdepth 1) $(find examples -type d -maxdepth 1); do
+  if [ -f "$dir/README.md" ] && ! [ -e "$dir/.trivy_ignore" ]; then
+      echo "Scanning terraform module with trivy: $dir"
+      trivy config --config .lint/trivy/trivy.yaml --ignorefile .trivyignore "$dir"
+  fi
+done
diff --git a/.lint/trivy/trivy.yaml b/.lint/trivy/trivy.yaml
@@ -0,0 +1,9 @@
+---
+quiet: false
+debug: false
+format: table
+exit-code: 1
+
+misconfiguration:
+    scanners:
+        - terraform
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -65,3 +65,12 @@ repos:
       rev: 0.2.3
       hooks:
           - id: yamlfmt
+
+    - repo: local
+      hooks:
+          - id: trivy-scan
+            name: Trivy Scan
+            entry: .lint/trivy/trivy-scan.sh
+            language: script
+            types: [terraform]
+            pass_filenames: false
diff --git a/.trivyignore b/.trivyignore
@@ -0,0 +1 @@
+AVD-AWS-0178 #(MEDIUM): VPC does not have VPC Flow Logs enabled.
diff --git a/modules/fixtures/.trivy_ignore b/modules/fixtures/.trivy_ignore
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		AVD-AWS-0178 #(MEDIUM): VPC does not have VPC Flow Logs enabled.