From 9a65e23b565a3e01c6ebdfef790112701fcfc75f Mon Sep 17 00:00:00 2001
From: Balazs Kenez <96087935+bkenez@users.noreply.github.com>
Date: Tue, 14 Jan 2025 16:20:44 +0100
Subject: [PATCH] feat: implement trivy scanning of terraform modules (issues ignored)

---
 .lint/trivy/trivy-scan.sh | 10 ++++++++++
 .lint/trivy/trivy.yaml | 9 +++++++++
 .pre-commit-config.yaml | 9 +++++++++
 .trivyignore | 1 +
 modules/fixtures/.trivy_ignore | 0
 5 files changed, 29 insertions(+)
 create mode 100755 .lint/trivy/trivy-scan.sh
 create mode 100644 .lint/trivy/trivy.yaml
 create mode 100644 .trivyignore
 create mode 100644 modules/fixtures/.trivy_ignore

diff --git a/.lint/trivy/trivy-scan.sh b/.lint/trivy/trivy-scan.sh
new file mode 100755
index 0000000..21cf6aa
--- /dev/null
+++ b/.lint/trivy/trivy-scan.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+set -euxo pipefail
+
+# list of the folders that we want to parse, only if a README.md exists and no .trivy_ignore
+for dir in $(find modules -type d -maxdepth 1) $(find examples -type d -maxdepth 1); do
+ if [ -f "$dir/README.md" ] && ! [ -e "$dir/.trivy_ignore" ]; then
+ echo "Scanning terraform module with trivy: $dir"
+ trivy config --config .lint/trivy/trivy.yaml --ignorefile .trivyignore "$dir"
+ fi
+done
diff --git a/.lint/trivy/trivy.yaml b/.lint/trivy/trivy.yaml
new file mode 100644
index 0000000..cc28c90
--- /dev/null
+++ b/.lint/trivy/trivy.yaml
@@ -0,0 +1,9 @@
+---
+quiet: false
+debug: false
+format: table
+exit-code: 1
+
+misconfiguration:
+ scanners:
+ - terraform
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 814fb70..0d4e396 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -65,3 +65,12 @@ repos:
 rev: 0.2.3
 hooks:
 - id: yamlfmt
+
+ - repo: local
+ hooks:
+ - id: trivy-scan
+ name: Trivy Scan
+ entry: .lint/trivy/trivy-scan.sh
+ language: script
+ types: [terraform]
+ pass_filenames: false
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 0000000..56a831f
--- /dev/null
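Review bot: The loop header `for dir in $(find modules -type d -maxdepth 1) $(find examples -type d -maxdepth 1); do` word-splits the find output, so a directory name containing whitespace is broken into several bogus `$dir` values, and because `find … -maxdepth 1` also emits the starting directory itself (depth 0), a `modules/README.md` or `examples/README.md` would make the whole parent tree get scanned in addition to each module. GNU find additionally prints a warning when `-maxdepth` follows `-type`. A NUL-delimited read handles all of this: `find modules examples -mindepth 1 -maxdepth 1 -type d -print0 | while IFS= read -r -d '' dir; do` (drop `-mindepth 1` if scanning the parent directories is actually intended). Since `set -e` together with `exit-code: 1` in the trivy config makes the hook stop at the first failing module, a guard such as `command -v trivy >/dev/null || { echo 'trivy is not installed' >&2; exit 1; }` before the loop would also turn a missing binary into a clear message instead of a `set -x` trace ending in command-not-found.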
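Review bot: The new `trivy-scan` hook is gated on `types: [terraform]`, but the script it runs discards the staged file list (`pass_filenames: false`) and scans every module directory, so a commit that only touches `.trivyignore`, `.lint/trivy/trivy.yaml` or a `.trivy_ignore` marker — precisely the changes that alter what the scan accepts — never triggers it. If that is not intended, replace the type filter with a path filter such as `files: ^(modules/|examples/|\.trivyignore$|\.lint/trivy/)`, or use `always_run: true` if the cost of scanning on every commit is acceptable. `language: script` also presumes `trivy` is already on every contributor's PATH; a comment above the hook, `# requires trivy on PATH; config in .lint/trivy/trivy.yaml, repo-wide suppressions in .trivyignore`, would document that dependency next to the place it bites.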
+++ b/.trivyignore
@@ -0,0 +1 @@
+AVD-AWS-0178 #(MEDIUM): VPC does not have VPC Flow Logs enabled.
diff --git a/modules/fixtures/.trivy_ignore b/modules/fixtures/.trivy_ignore
new file mode 100644
index 0000000..e69de29
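Review bot: The only ignore entry carries its explanation as trailing text after the ID, `AVD-AWS-0178 #(MEDIUM): VPC does not have VPC Flow Logs enabled.`; trivy's ignore file treats lines that begin with `#` as comments, but whether text following an ID on the same line is tolerated depends on the trivy version in use, so the safer form is the comment on its own line above a bare ID: `# AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.` followed by `AVD-AWS-0178`. This suppression is also repo-wide — it applies to every module and example the hook scans, with no expiry — while the commit subject records only that issues are ignored; since VPC Flow Logs is an audit/detection control, the comment should state why the finding is accepted (for example, flow logs being provisioned elsewhere or deliberately left to consumers of the module) and who owns revisiting it, so the ignore does not outlive its justification unnoticed. If the trivy version in use supports path-scoped or dated ignore entries, scoping this to the module that trips it is preferable to a global suppression.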