docs: add Trivy scan badges (5cddeb92) · Commits · to be continuous... / Terraform

README.md

+8 −8

Original line number	Diff line number	Diff line
		@@ -368,7 +368,7 @@ The Terraform template uses some global configuration used throughout all jobs.

		\| Input / Variable \| Description \| Default value \|
		\| ------------------------ \| -------------------------------------- \| ----------------- \|
		\| `image` / `TF_IMAGE` \| the Docker image used to run Terraform CLI commands <br/>:warning: set the version required by your project \| `registry.hub.docker.com/hashicorp/terraform:latest` \|
		\| `image` / `TF_IMAGE` \| the Docker image used to run Terraform CLI commands <br/>:warning: set the version required by your project \| `registry.hub.docker.com/hashicorp/terraform:latest` <br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-TF_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-TF_IMAGE) \|
		\| `gitlab-backend-disabled` / `TF_GITLAB_BACKEND_DISABLED` \| Set to `true` to disable [GitLab managed Terraform State](https://docs.gitlab.com/ee/user/infrastructure/iac/terraform_state.html) \| _none_ (enabled) \|
		\| `project-dir` / `TF_PROJECT_DIR` \| Terraform project root directory \| `.` \|
		\| `scripts-dir` / `TF_SCRIPTS_DIR` \| Terraform (hook) scripts base directory (relative to `$TF_PROJECT_DIR`) \| `.` \|
		@@ -480,7 +480,7 @@ Here are variables supported to configure the production environment:

		\| Input / Variable \| Description \| Default value \|
		\| --------------------- \| ---------------------------------------- \| ----------------- \|
		\| `tflint-image` / `TF_TFLINT_IMAGE` \| the Docker image used to run tflint \| `ghcr.io/terraform-linters/tflint-bundle:latest` \|
		\| `tflint-image` / `TF_TFLINT_IMAGE` \| the Docker image used to run tflint \| `ghcr.io/terraform-linters/tflint-bundle:latest` <br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-TF_TFLINT_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-TF_TFLINT_IMAGE) \|
		\| `tflint-disabled` / `TF_TFLINT_DISABLED` \| Set to `true` to disable tflint \| _none_ (enabled) \|
		\| `tflint-args` / `TF_TFLINT_ARGS` \| tflint extra [options and args](https://github.com/terraform-linters/tflint/#usage) \| `--enable-plugin=google --enable-plugin=azurerm --enable-plugin=aws --recursive` \|

		@@ -498,7 +498,7 @@ In addition to a textual report in the console, this job produces the following

		\| Input / Variable \| Description \| Default value \|
		\| --------------------- \| ---------------------------------------- \| ----------------- \|
		\| `tfsec-image` / `TF_TFSEC_IMAGE` \| the Docker image used to run tfsec \| `registry.hub.docker.com/aquasec/tfsec-ci` \|
		\| `tfsec-image` / `TF_TFSEC_IMAGE` \| the Docker image used to run tfsec \| `registry.hub.docker.com/aquasec/tfsec-ci` <br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-TF_TFSEC_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-TF_TFSEC_IMAGE) \|
		\| `tfsec-enabled` / `TF_TFSEC_ENABLED` \| Set to `true` to enable tfsec \| _none_ (disabled) \|
		\| `tfsec-args` / `TF_TFSEC_ARGS` \| tfsec [options and args](https://aquasecurity.github.io/tfsec/latest/guides/usage/) \| `.` \|

		@@ -515,7 +515,7 @@ In addition to a textual report in the console, this job produces the following

		\| Input / Variable \| Description \| Default value \|
		\| --------------------- \| ---------------------------------------- \| ----------------- \|
		\| `trivy-image` / `TF_TRIVY_IMAGE` \| the Docker image used to run trivy \| `registry.hub.docker.com/aquasec/trivy` \|
		\| `trivy-image` / `TF_TRIVY_IMAGE` \| the Docker image used to run trivy \| `registry.hub.docker.com/aquasec/trivy` <br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-TF_TRIVY_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-TF_TRIVY_IMAGE) \|
		\| `trivy-disabled` / `TF_TRIVY_DISABLED` \| Set to `true` to disable trivy \| _none_ (enabled) \|
		\| `trivy-args` / `TF_TRIVY_ARGS` \| trivy config [options and args](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_config/) \| `.` \|

		@@ -532,7 +532,7 @@ In addition to a textual report in the console, this job produces the following

		\| Input / Variable \| Description \| Default value \|
		\| -------------------- \| ---------------------------------------- \| -------------------------------------------- \|
		\| `checkov-image` / `TF_CHECKOV_IMAGE` \| the Docker image used to run checkov \| `registry.hub.docker.com/bridgecrew/checkov` \|
		\| `checkov-image` / `TF_CHECKOV_IMAGE` \| the Docker image used to run checkov \| `registry.hub.docker.com/bridgecrew/checkov` <br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-TF_CHECKOV_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-TF_CHECKOV_IMAGE) \|
		\| `checkov-enabled` / `TF_CHECKOV_ENABLED` \| Set to `true` to enable checkov \| _none_ (disabled) \|
		\| `checkov-args` / `TF_CHECKOV_ARGS` \| additional checkov [options and args][1] \| `--framework terraform` \|

		@@ -567,7 +567,7 @@ resource "aws_s3_bucket" "foo-bucket" {
		\| Input / Variable \| Description \| Default value \|
		\| ---------------------- \| ----------------------------- \| --------------------- \|
		\| `infracost-enabled` / `TF_INFRACOST_ENABLED` \| Set to `true` to enable infracost \| _none_ (disabled) \|
		\| `infracost-image` / `TF_INFRACOST_IMAGE` \| the infracost container image \| `registry.hub.docker.com/infracost/infracost` \|
		\| `infracost-image` / `TF_INFRACOST_IMAGE` \| the infracost container image \| `registry.hub.docker.com/infracost/infracost` <br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-TF_INFRACOST_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-TF_INFRACOST_IMAGE) \|
		\| `infracost-args` / `TF_INFRACOST_ARGS` \| infracost [CLI options and args](https://www.infracost.io/docs/#usage) \| `breakdown` \|
		\| `infacost-usage-file` / `TF_INFACOST_USAGE_FILE` \| infracost [usage file](https://www.infracost.io/docs/usage_based_resources/#infracost-usage-file) \| `infracost-usage.yml` \|
		\| :lock: `INFRACOST_API_KEY`\| the infracost API key \| required \|
		@@ -616,7 +616,7 @@ Build Terraform documentation based on [terraform docs](https://terraform-docs.i
		\| Input / Variable \| Description \| Default value \|
		\| -------------------- \| ------------------------------------------------------------------------------------------ \| -------------------- \|
		\| `docs-enabled` / `TF_DOCS_ENABLED` \| Set to `true` to enable terraform docs \| _none_ (disabled) \|
		\| `docs-image` / `TF_DOCS_IMAGE` \| [terraform docs](https://terraform-docs.io/) container image \| `quay.io/terraform-docs/terraform-docs:edge` \|
		\| `docs-image` / `TF_DOCS_IMAGE` \| [terraform docs](https://terraform-docs.io/) container image \| `quay.io/terraform-docs/terraform-docs:edge` <br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-TF_DOCS_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-TF_DOCS_IMAGE) \|
		\| `docs-extra-opts` / `TF_DOCS_EXTRA_OPTS` \| Extra [terraform docs option](https://terraform-docs.io/reference/terraform-docs/) \| _none_ \|
		\| `docs-config` / `TF_DOCS_CONFIG` \| terraform docs [configuration file](https://terraform-docs.io/user-guide/configuration/) (relative to `$TF_PROJECT_DIR`) \| `.terraform-docs.yml` \|
		\| `docs-output-dir` / `TF_DOCS_OUTPUT_DIR` \| terraform docs output directory (relative to `$TF_PROJECT_DIR`). \| `docs` \|
		@@ -635,7 +635,7 @@ When enabled, this job triggers on a Git tag with semantic version pattern (`v?[
		\| Input / Variable \| Description \| Default value \|
		\| -------------------- \| -------------------------------------------------------------------- \| -------------------- \|
		\| `publish-enabled` / `TF_PUBLISH_ENABLED` \| Set to `true` to enable Terraform Module Publish \| _none_ (disabled) \|
		\| `publish-image` / `TF_PUBLISH_IMAGE` \| Container image used to publish module. \| `registry.hub.docker.com/curlimages/curl:latest` \|
		\| `publish-image` / `TF_PUBLISH_IMAGE` \| Container image used to publish module. \| `registry.hub.docker.com/curlimages/curl:latest` <br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-TF_PUBLISH_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-TF_PUBLISH_IMAGE) \|
		\| `module-name` / `TF_MODULE_NAME` \| The module name. May not contain any spaces or underscores. \| `$CI_PROJECT_NAME` \|
		\| `module-system` / `TF_MODULE_SYSTEM` \| The module system or provider (example: `local`, `aws`, `google`). \| `local` \|
		\| `module-version` / `TF_MODULE_VERSION` \| The module version. It must be valid according to the [semantic versioning](https://semver.org/) specification. \| `$CI_COMMIT_TAG` _(leave default unless you have good reasons to override)_ \|

Original line number	Diff line number	Diff line
		@@ -368,7 +368,7 @@ The Terraform template uses some global configuration used throughout all jobs.

		\| Input / Variable \| Description \| Default value \|
		\| ------------------------ \| -------------------------------------- \| ----------------- \|
		\| `image` / `TF_IMAGE` \| the Docker image used to run Terraform CLI commands <br/>:warning: set the version required by your project \| `registry.hub.docker.com/hashicorp/terraform:latest` \|
		\| `image` / `TF_IMAGE` \| the Docker image used to run Terraform CLI commands <br/>:warning: set the version required by your project \| `registry.hub.docker.com/hashicorp/terraform:latest` <br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-TF_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-TF_IMAGE) \|
		\| `gitlab-backend-disabled` / `TF_GITLAB_BACKEND_DISABLED` \| Set to `true` to disable [GitLab managed Terraform State](https://docs.gitlab.com/ee/user/infrastructure/iac/terraform_state.html) \| _none_ (enabled) \|
		\| `project-dir` / `TF_PROJECT_DIR` \| Terraform project root directory \| `.` \|
		\| `scripts-dir` / `TF_SCRIPTS_DIR` \| Terraform (hook) scripts base directory (relative to `$TF_PROJECT_DIR`) \| `.` \|
		@@ -480,7 +480,7 @@ Here are variables supported to configure the production environment:

		\| Input / Variable \| Description \| Default value \|
		\| --------------------- \| ---------------------------------------- \| ----------------- \|
		\| `tflint-image` / `TF_TFLINT_IMAGE` \| the Docker image used to run tflint \| `ghcr.io/terraform-linters/tflint-bundle:latest` \|
		\| `tflint-image` / `TF_TFLINT_IMAGE` \| the Docker image used to run tflint \| `ghcr.io/terraform-linters/tflint-bundle:latest` <br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-TF_TFLINT_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-TF_TFLINT_IMAGE) \|
		\| `tflint-disabled` / `TF_TFLINT_DISABLED` \| Set to `true` to disable tflint \| _none_ (enabled) \|
		\| `tflint-args` / `TF_TFLINT_ARGS` \| tflint extra [options and args](https://github.com/terraform-linters/tflint/#usage) \| `--enable-plugin=google --enable-plugin=azurerm --enable-plugin=aws --recursive` \|

		@@ -498,7 +498,7 @@ In addition to a textual report in the console, this job produces the following

		\| Input / Variable \| Description \| Default value \|
		\| --------------------- \| ---------------------------------------- \| ----------------- \|
		\| `tfsec-image` / `TF_TFSEC_IMAGE` \| the Docker image used to run tfsec \| `registry.hub.docker.com/aquasec/tfsec-ci` \|
		\| `tfsec-image` / `TF_TFSEC_IMAGE` \| the Docker image used to run tfsec \| `registry.hub.docker.com/aquasec/tfsec-ci` <br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-TF_TFSEC_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-TF_TFSEC_IMAGE) \|
		\| `tfsec-enabled` / `TF_TFSEC_ENABLED` \| Set to `true` to enable tfsec \| _none_ (disabled) \|
		\| `tfsec-args` / `TF_TFSEC_ARGS` \| tfsec [options and args](https://aquasecurity.github.io/tfsec/latest/guides/usage/) \| `.` \|

		@@ -515,7 +515,7 @@ In addition to a textual report in the console, this job produces the following

		\| Input / Variable \| Description \| Default value \|
		\| --------------------- \| ---------------------------------------- \| ----------------- \|
		\| `trivy-image` / `TF_TRIVY_IMAGE` \| the Docker image used to run trivy \| `registry.hub.docker.com/aquasec/trivy` \|
		\| `trivy-image` / `TF_TRIVY_IMAGE` \| the Docker image used to run trivy \| `registry.hub.docker.com/aquasec/trivy` <br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-TF_TRIVY_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-TF_TRIVY_IMAGE) \|
		\| `trivy-disabled` / `TF_TRIVY_DISABLED` \| Set to `true` to disable trivy \| _none_ (enabled) \|
		\| `trivy-args` / `TF_TRIVY_ARGS` \| trivy config [options and args](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_config/) \| `.` \|

		@@ -532,7 +532,7 @@ In addition to a textual report in the console, this job produces the following

		\| Input / Variable \| Description \| Default value \|
		\| -------------------- \| ---------------------------------------- \| -------------------------------------------- \|
		\| `checkov-image` / `TF_CHECKOV_IMAGE` \| the Docker image used to run checkov \| `registry.hub.docker.com/bridgecrew/checkov` \|
		\| `checkov-image` / `TF_CHECKOV_IMAGE` \| the Docker image used to run checkov \| `registry.hub.docker.com/bridgecrew/checkov` <br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-TF_CHECKOV_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-TF_CHECKOV_IMAGE) \|
		\| `checkov-enabled` / `TF_CHECKOV_ENABLED` \| Set to `true` to enable checkov \| _none_ (disabled) \|
		\| `checkov-args` / `TF_CHECKOV_ARGS` \| additional checkov [options and args][1] \| `--framework terraform` \|

		@@ -567,7 +567,7 @@ resource "aws_s3_bucket" "foo-bucket" {
		\| Input / Variable \| Description \| Default value \|
		\| ---------------------- \| ----------------------------- \| --------------------- \|
		\| `infracost-enabled` / `TF_INFRACOST_ENABLED` \| Set to `true` to enable infracost \| _none_ (disabled) \|
		\| `infracost-image` / `TF_INFRACOST_IMAGE` \| the infracost container image \| `registry.hub.docker.com/infracost/infracost` \|
		\| `infracost-image` / `TF_INFRACOST_IMAGE` \| the infracost container image \| `registry.hub.docker.com/infracost/infracost` <br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-TF_INFRACOST_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-TF_INFRACOST_IMAGE) \|
		\| `infracost-args` / `TF_INFRACOST_ARGS` \| infracost [CLI options and args](https://www.infracost.io/docs/#usage) \| `breakdown` \|
		\| `infacost-usage-file` / `TF_INFACOST_USAGE_FILE` \| infracost [usage file](https://www.infracost.io/docs/usage_based_resources/#infracost-usage-file) \| `infracost-usage.yml` \|
		\| :lock: `INFRACOST_API_KEY`\| the infracost API key \| required \|
		@@ -616,7 +616,7 @@ Build Terraform documentation based on [terraform docs](https://terraform-docs.i
		\| Input / Variable \| Description \| Default value \|
		\| -------------------- \| ------------------------------------------------------------------------------------------ \| -------------------- \|
		\| `docs-enabled` / `TF_DOCS_ENABLED` \| Set to `true` to enable terraform docs \| _none_ (disabled) \|
		\| `docs-image` / `TF_DOCS_IMAGE` \| [terraform docs](https://terraform-docs.io/) container image \| `quay.io/terraform-docs/terraform-docs:edge` \|
		\| `docs-image` / `TF_DOCS_IMAGE` \| [terraform docs](https://terraform-docs.io/) container image \| `quay.io/terraform-docs/terraform-docs:edge` <br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-TF_DOCS_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-TF_DOCS_IMAGE) \|
		\| `docs-extra-opts` / `TF_DOCS_EXTRA_OPTS` \| Extra [terraform docs option](https://terraform-docs.io/reference/terraform-docs/) \| _none_ \|
		\| `docs-config` / `TF_DOCS_CONFIG` \| terraform docs [configuration file](https://terraform-docs.io/user-guide/configuration/) (relative to `$TF_PROJECT_DIR`) \| `.terraform-docs.yml` \|
		\| `docs-output-dir` / `TF_DOCS_OUTPUT_DIR` \| terraform docs output directory (relative to `$TF_PROJECT_DIR`). \| `docs` \|
		@@ -635,7 +635,7 @@ When enabled, this job triggers on a Git tag with semantic version pattern (`v?[
		\| Input / Variable \| Description \| Default value \|
		\| -------------------- \| -------------------------------------------------------------------- \| -------------------- \|
		\| `publish-enabled` / `TF_PUBLISH_ENABLED` \| Set to `true` to enable Terraform Module Publish \| _none_ (disabled) \|
		\| `publish-image` / `TF_PUBLISH_IMAGE` \| Container image used to publish module. \| `registry.hub.docker.com/curlimages/curl:latest` \|
		\| `publish-image` / `TF_PUBLISH_IMAGE` \| Container image used to publish module. \| `registry.hub.docker.com/curlimages/curl:latest` <br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-TF_PUBLISH_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-TF_PUBLISH_IMAGE) \|
		\| `module-name` / `TF_MODULE_NAME` \| The module name. May not contain any spaces or underscores. \| `$CI_PROJECT_NAME` \|
		\| `module-system` / `TF_MODULE_SYSTEM` \| The module system or provider (example: `local`, `aws`, `google`). \| `local` \|
		\| `module-version` / `TF_MODULE_VERSION` \| The module version. It must be valid according to the [semantic versioning](https://semver.org/) specification. \| `$CI_COMMIT_TAG` _(leave default unless you have good reasons to override)_ \|