diff --git a/.github/workflows/code-scanning.yml b/.github/workflows/code-scanning.yml
index 5b62a87..dc8c2f0 100644
--- a/.github/workflows/code-scanning.yml
+++ b/.github/workflows/code-scanning.yml
@@ -41,28 +41,31 @@ jobs:
 uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
 with:
 sarif_file: tflint.sarif
- tfsec:
- name: tfsec
- runs-on: ubuntu-latest
+ trivy:
 permissions:
- actions: read
- contents: read
- security-events: write
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status.
+ name: trivy
+ runs-on: ubuntu-latest
 steps:
- - name: Clone repo
+ - name: Checkout
 uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+ - name: Run Trivy vulnerability scanner in repo mode
+ uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55
 with:
- token: '${{ secrets.GITHUB_TOKEN }}'
- fetch-depth: 0
- - name: Run tfsec
- uses: aquasecurity/tfsec-action@b466648d6e39e7c75324f25d83891162a721f2d6 # v1.0.3
- with:
- additional_args: '--format sarif --out tfsec.sarif --exclude aws-ssm-secret-use-customer-key,github-repositories-private,aws-vpc-no-excessive-port-access,github-repositories-require-signed-commits'
- - name: Upload SARIF file
+ scan-type: 'fs'
+ scanners: misconfig,vuln,secret
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ severity: 'CRITICAL,HIGH'
+ trivyignores: ./.trivyignore.yaml
+
+ - name: Upload Trivy scan results to GitHub Security tab
 if: success() || failure()
 uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
 with:
- sarif_file: tfsec.sarif
+ sarif_file: 'trivy-results.sarif'
 checkov:
 name: checkov
 runs-on: ubuntu-latest
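Review bot: `trivyignores: ./.trivyignore.yaml` hands a YAML-format ignore file to an input that, in the trivy-action releases I am aware of, concatenates the listed files into one plain-text ignore list passed via `--ignorefile`; if this pinned commit behaves that way, none of the `vulnerabilities:`/`misconfigurations:` entries will be matched and the suppressions silently do nothing, so confirm with a run that a listed ID is actually suppressed. Where that is the behaviour, dropping the input and relying on Trivy's default pick-up of `.trivyignore.yaml` in the scan root avoids the mismatch. `uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55` is the only SHA-pinned step in this job without a trailing `# vX.Y.Z` comment; adding one (`# <release of the pinned commit>`) keeps it consistent with the checkout and upload-sarif pins and makes the pin auditable. Quoting is also mixed across the inputs (`scanners: misconfig,vuln,secret` and `trivyignores: ./.trivyignore.yaml` unquoted next to `severity: 'CRITICAL,HIGH'` and `format: 'sarif'`); pick one form.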
diff --git a/.github/workflows/terraform-static-analysis.yml b/.github/workflows/terraform-static-analysis.yml
index 60e894a..d1d20fb 100644
--- a/.github/workflows/terraform-static-analysis.yml
+++ b/.github/workflows/terraform-static-analysis.yml
@@ -1,3 +1,4 @@
+
 name: Terraform Static Code Analysis
 on:
 
@@ -20,39 +21,49 @@ jobs:
 runs-on: ubuntu-latest
 if: github.event_name != 'workflow_dispatch'
 steps:
- - name: Checkout
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- with:
- fetch-depth: 0
- - name: Run Analysis
- uses: ministryofjustice/github-actions/terraform-static-analysis@7855159a5c3a9bcd658207c894cc4ed22bd35a22 # v15.3.0
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- scan_type: single
- tfsec_exclude: AWS089, AWS099, AWS009, AWS097, AWS018
- checkov_exclude: CKV_GIT_1
- tflint_exclude: terraform_unused_declarations
- tflint_call_module_type: none
+ - name: Checkout
+ uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+ with:
+ fetch-depth: 0
+ - name: Run Analysis
+ uses: ministryofjustice/github-actions/terraform-static-analysis@bdab1cff6d23336b6d5adc662fb57af72f0ae160 # v17.1.0
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ scan_type: changed
+ trivy_severity: HIGH,CRITICAL
+ trivy_ignore: ./.trivyignore.yaml
+ checkov_exclude: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
+ tflint_exclude: terraform_unused_declarations
+ tflint_call_module_type: none
+ tfsec_trivy: trivy
 terraform-static-analysis-full-scan:
 permissions:
+ contents: read
+ actions: read
+ security-events: write
 pull-requests: write
 name: Terraform Static Analysis - scan all directories
 runs-on: ubuntu-latest
 if: github.event_name == 'workflow_dispatch'
 steps:
- - name: Checkout
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- with:
- fetch-depth: 0
- - name: Run Analysis
- uses: ministryofjustice/github-actions/terraform-static-analysis@7855159a5c3a9bcd658207c894cc4ed22bd35a22 # v15.3.0
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- scan_type: full
- tfsec_exclude: AWS089, AWS099, AWS009, AWS097, AWS018
- checkov_exclude: CKV_GIT_1
- tflint_exclude: terraform_unused_declarations
- tflint_call_module_type: none
+ - name: Checkout
+ uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+ with:
+ fetch-depth: 0
+ - name: Run Analysis
+ uses: ministryofjustice/github-actions/terraform-static-analysis@bdab1cff6d23336b6d5adc662fb57af72f0ae160 # v17.1.0
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ scan_type: full
+ tfsec_trivy: trivy
+ trivy_skip_dir: ""
+ trivy_severity: HIGH,CRITICAL
+ trivy_ignore: ./.trivyignore.yaml
+ tfsec_exclude: aws-ssm-secret-use-customer-key,github-repositories-private,aws-vpc-no-excessive-port-access,github-repositories-require-signed-commits
+ checkov_exclude: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
+ tflint_exclude: terraform_unused_declarations
+ tflint_call_module_type: none
+
diff --git a/.trivyignore.yaml b/.trivyignore.yaml
new file mode 100644
index 0000000..1cc78c2
--- /dev/null
+++ b/.trivyignore.yaml
@@ -0,0 +1,45 @@
+vulnerabilities:
+ - id: GHSA-m425-mq94-257g
+ - id: CVE-2017-20146
+ - id: CVE-2019-11253
+ - id: CVE-2020-8558
+ - id: CVE-2020-10675
+ - id: CVE-2020-15114
+ expired_at: 2024-08-20
+ statement: "Review in 6 months"
+ - id: CVE-2020-26160
+ - id: CVE-2020-35381
+ - id: CVE-2021-25741
+ - id: CVE-2021-30465
+ - id: CVE-2021-38561
+ - id: CVE-2021-43565
+ - id: CVE-2021-43816
+ - id: CVE-2022-1996
+ - id: CVE-2022-21698
+ - id: CVE-2022-23648
+ - id: CVE-2022-24778
+ - id: CVE-2022-27191
+ - id: CVE-2022-27664
+ - id: CVE-2022-32149
+ - id: CVE-2022-41723
+ - id: CVE-2023-3676
+ - id: CVE-2023-3955
+ - id: CVE-2023-5528
+ - id: CVE-2023-37788
+ - id: CVE-2023-39325
+ - id: CVE-2024-15114
+ expired_at: 2024-08-19
+ statement: "Review in 6 months"
+ - id: CVE-2024-21626
+ expired_at: 2024-08-19
+ statement: "Review in 6 months"
+
+misconfigurations:
+ - id: AVD-GIT-0001
+ - id: AVD-AWS-0031
+ - id: AVD-AWS-0039
+ - id: AVD-AWS-0057
+
+secrets:
+
+licenses:
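Review bot: The full-scan job keeps `tfsec_exclude: aws-ssm-secret-use-customer-key,...` while also selecting `tfsec_trivy: trivy`, and the changed-files job drops `tfsec_exclude` altogether; if the action stops applying tfsec exclusions once trivy is selected, that line is dead configuration in the full-scan job, and if it does not, the changed-files job is missing the same exclusions. The two `with:` blocks also diverge on `trivy_skip_dir: ""`, set to an empty string in the full-scan job and absent in the other, so it is unclear whether the default skip list is meant to be cleared in one job only; make the two blocks agree either way. The changed-files job's `permissions:` block sits above this hunk, so it is not visible whether it gained the `contents: read` / `actions: read` / `security-events: write` that the full-scan job now has; if the action uploads SARIF, `security-events: write` is needed in both. The enclosing `terraform-static-analysis` job starts outside the hunk.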
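Review bot: Most `vulnerabilities:` entries and all four `misconfigurations:` entries carry neither a `statement:` nor an `expired_at:`, so they are open-ended suppressions with no recorded reason, and the three that do (`CVE-2020-15114`, `CVE-2024-15114`, `CVE-2024-21626`) only say `"Review in 6 months"`, which records a date but not why the finding is accepted. Give every entry a one-line `statement:` naming the justification (not applicable, mitigated elsewhere, awaiting upstream fix) and an `expired_at:` so each ignore is revisited rather than forgotten. `CVE-2024-15114` sits next to `CVE-2020-15114` and may have a mistyped year; worth confirming the identifier against the scan output it was meant to suppress. The misconfiguration ignores apply repository-wide, while Trivy's YAML ignore format accepts `paths:` per entry, so scoping `AVD-AWS-0031`, `AVD-AWS-0039` and `AVD-AWS-0057` to the directories where the exception is justified limits what they hide. `secrets:` and `licenses:` are bare keys that parse as null rather than empty lists; write `[]` or drop them.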