Commit 54fc5283 authored by Bertrand Goareguer's avatar Bertrand Goareguer Committed by Pierre Smeyers

feat: add Trivy job

parent 18676c39
+20 −1
@@ -489,7 +489,9 @@ In addition to a textual report in the console, this job produces the following
| -------------- | ---------------------------------------------------------------------------- | ----------------- |
| `$TF_PROJECT_DIR/reports/tflint.xunit.xml` | [xUnit](https://en.wikipedia.org/wiki/XUnit) test report(s) | [GitLab integration](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportsjunit) |

### `tf-tfsec` job
### [DEPRECATED] `tf-tfsec` job

:warning: `tfsec` has been deprecated, it is recommended to use [trivy](#tf-trivy-job) instead.

[tfsec](https://github.com/tfsec/tfsec) uses static analysis of your terraform templates to spot potential security issues and uses the following variables:

@@ -506,6 +508,23 @@ In addition to a textual report in the console, this job produces the following
| `$TF_PROJECT_DIR/reports/tfsec.xunit.xml` | [xUnit](https://en.wikipedia.org/wiki/XUnit) test report(s) | [GitLab integration](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportsjunit) |
| `$TF_PROJECT_DIR/reports/tfsec.native.json` | tfsec JSON | [DefectDojo integration](https://defectdojo.github.io/django-DefectDojo/integrations/parsers/#tfsec)<br/>_This report is generated only if DefectDojo template is detected_ |

### `tf-trivy` job

[trivy](https://aquasecurity.github.io/trivy/latest/docs/configuration/) is used to perform static analysis of your terraform templates to spot potential security issues and uses the following variables:

| Input / Variable      | Description                              | Default value     |
| --------------------- | ---------------------------------------- | ----------------- |
| `trivy-image` / `TF_TRIVY_IMAGE` | the Docker image used to run trivy       | `registry.hub.docker.com/aquasec/trivy`  |
| `trivy-disabled` / `TF_TRIVY_DISABLED` | Set to `true` to disable trivy            | _none_ (enabled) |
| `trivy-args` / `TF_TRIVY_ARGS` | trivy config [options and args](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_config/) | `.` |

In addition to a textual report in the console, this job produces the following reports, kept for one day:

| Report         | Format                                                                       | Usage             |
| -------------- | ---------------------------------------------------------------------------- | ----------------- |
| `$TF_PROJECT_DIR/reports/tf-trivy.codeclimate.json` | [Code Climate](https://github.com/aquasecurity/trivy/blob/main/contrib/gitlab-codequality.tpl) | [GitLab integration](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscodequality) |
| `$TF_PROJECT_DIR/reports/tf-trivy.trivy.json` | Trivy [JSON](https://aquasecurity.github.io/trivy/latest/docs/configuration/reporting/#json) report | [DefectDojo integration](https://defectdojo.github.io/django-DefectDojo/integrations/parsers/file/trivy/)<br/>_This report is generated only if DefectDojo template is detected_ |

### `tf-checkov` job

[checkov](https://github.com/bridgecrewio/checkov) is a static code analysis tool for infrastructure-as-code and uses the following variables:
+19 −0
@@ -86,6 +86,25 @@
        }
      ]
    },
    {
      "id": "trivy",
      "name": "trivy",
      "description": "Detect security issues with [trivy config](https://aquasecurity.github.io/trivy/latest/docs/scanner/misconfiguration/)",
      "disable_with": "TF_TRIVY_DISABLED",
      "variables": [
        {
          "name": "TF_TRIVY_IMAGE",
          "description": "trivy docker image",
          "default": "registry.hub.docker.com/aquasec/trivy",
          "advanced": true
        },
        {
          "name": "TF_TRIVY_ARGS",
          "description": "trivy config [options and args](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_config/)",
          "default": "."
        }
      ]
    },
    {
      "id": "checkov",
      "name": "checkov",
+46 −0
@@ -62,6 +62,16 @@ spec:
    tfsec-args:
      description: tfsec [options and args](https://aquasecurity.github.io/tfsec/latest/guides/usage/)
      default: .
    trivy-disabled:
      description: Disable trivy config checks
      type: boolean
      default: false
    trivy-image:
      description: trivy docker image
      default: registry.hub.docker.com/aquasec/trivy
    trivy-args:
      description: trivy config [options and args](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_config/)
      default: .
    checkov-enabled:
      description: Enable checkov
      type: boolean
@@ -307,6 +317,8 @@ variables:
  TF_IMAGE: $[[ inputs.image ]]
  TF_TFSEC_IMAGE: $[[ inputs.tfsec-image ]]
  TF_TFSEC_ARGS: $[[ inputs.tfsec-args ]]
  TF_TRIVY_IMAGE: $[[ inputs.trivy-image ]]
  TF_TRIVY_ARGS: $[[ inputs.trivy-args ]]
  TF_TFLINT_IMAGE: $[[ inputs.tflint-image ]]
  TF_TFLINT_ARGS: $[[ inputs.tflint-args ]]
  TF_CHECKOV_IMAGE: $[[ inputs.checkov-image ]]
@@ -354,6 +366,7 @@ variables:
  TF_APPLY_OPTS: $[[ inputs.apply-opts ]]
  TF_DESTROY_OPTS: $[[ inputs.destroy-opts ]]
  TF_TFSEC_ENABLED: $[[ inputs.tfsec-enabled ]]
  TF_TRIVY_DISABLED: $[[ inputs.trivy-disabled ]]
  TF_CHECKOV_ENABLED: $[[ inputs.checkov-enabled ]]
  TF_INFRACOST_ENABLED: $[[ inputs.infracost-enabled ]]
  TF_TFLINT_DISABLED: $[[ inputs.tflint-disabled ]]
@@ -1087,6 +1100,39 @@ tf-tfsec:
      when: never
    - !reference [.test-policy, rules]

tf-trivy:
  extends: .tf-base
  image:
    name : $TF_TRIVY_IMAGE
    entrypoint: [""]
  stage: test
  needs: []
  script:
    - mkdir -p -m 777 reports
    # maybe generate report for DefectDojo (non-failing)
    - |
      if [[ "$DEFECTDOJO_TRIVY_REPORTS" ]]
      then
        trivy config --exit-code 0 --misconfig-scanners=terraform --format json --output reports/tf-trivy.trivy.json $TF_TRIVY_ARGS
      fi
    # generate report for GitLab (non-failing)
    - trivy config --exit-code 0 --misconfig-scanners=terraform --format template --template @/contrib/gitlab-codequality.tpl --output reports/tf-trivy.codeclimate.json $TF_TRIVY_ARGS
    # console output & failing
    - trivy config --exit-code 1 --misconfig-scanners=terraform $TF_TRIVY_ARGS
  artifacts:
    name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
    expire_in: 1 day
    when: always
    reports:
      codequality: $TF_PROJECT_DIR/reports/tf-trivy.codeclimate.json
    paths:
      - "$TF_PROJECT_DIR/reports/tf-trivy.*"
  dependencies: []
  rules:
    - if: '$TF_TRIVY_DISABLED == "true"'
      when: never
    - !reference [.test-policy, rules]

tf-tflint:
  extends: .tf-base
  image:
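Review bot: `name : $TF_TRIVY_IMAGE` in the new `tf-trivy` job has a space before the colon, which yamllint's `colons` rule rejects and which does not match the `key: value` form used everywhere else in the hunk; write it as `name: $TF_TRIVY_IMAGE`. The script writes its reports to the relative `reports/` directory while `artifacts.reports.codequality` and `artifacts.paths` read them under `$TF_PROJECT_DIR/reports/`, so the job is only correct if `.tf-base` (defined outside this hunk) sets the working directory to `$TF_PROJECT_DIR` — presumably it does, as the `tf-tfsec` job appears to follow the same layout, but a one-line comment such as `# .tf-base cds into $TF_PROJECT_DIR, so reports/ resolves under it` above `mkdir -p -m 777 reports` would make that dependency explicit. The three separate `trivy config` invocations scan the same inputs three times; that is acceptable for `config` scans but worth a comment noting it is deliberate so nobody later "optimises" the failing run away.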