
......@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [3.8.0] - 2024-03-26
### Changed
- `terraform-pipeline.yml`: `tfsec` job replaced with `trivy` as tfsec is now deprecated.
## [3.7.1] - 2024-03-01
### Fixed
......
......@@ -23,8 +23,8 @@
#
# Tests/linting
#
# This template includes four jobs in the test stage, terraform-validate, terraform-fmt, terraform-tflint, and
# terraform-tfsec. These jobs run on every commit pushed or if a merge request is open. For more info see the comments
# This template includes four jobs in the test stage, terraform-validate, terraform-fmt, tflint, and trivy.
# These jobs run on every commit pushed or if a merge request is open. For more info see the comments
# alongside each of these job definitions below.
#
# Terraform plan
......@@ -54,7 +54,7 @@
# - TERRAFORM_VALIDATE_DISABLED
# - TERRAFORM_FMT_DISABLED
# - TFLINT_DISABLED
# - TFSEC_DISABLED
# - TRIVY_DISABLED
# - TERRAFORM_PLAN_DEVELOPMENT_DISABLED
# - TERRAFORM_APPLY_DEVELOPMENT_DISABLED
# - TERRAFORM_PLAN_STAGING_DISABLED
......@@ -142,7 +142,7 @@ variables:
optional: true
- job: tflint
optional: true
- job: tfsec
- job: trivy
optional: true
# This job takes a plan object generated by a .terraform-plan job and applies it to the relevant workspace.
......@@ -227,31 +227,37 @@ tflint:
- $GKE_RUNNER_TAG
needs: []
# tfsec (https://aquasecurity.github.io/tfsec) is a comprehensive static analysis tool with many security related checks
# for multiple cloud providers. This job uploads a junit report of the test results which is viewable in the merge
# request UI. To ignore specific checks see -
# https://aquasecurity.github.io/tfsec/v1.28.1/guides/configuration/ignores/. By default, we're ignoring certain checks
# which we have decided to allow due to our boilerplate template design.
tfsec:
# Trivy (https://aquasecurity.github.io/trivy) is a comprehensive and versatile security scanner.
# Trivy has scanners that look for security issues, and targets where it can find those issues.
# This job uploads a junit report of the test results which is viewable in the merge request UI.
# To ignore specific checks see -
# https://aquasecurity.github.io/trivy/v0.50/docs/configuration/filtering/#trivyignoreyaml.
# By default, we're ignoring certain checks which we have decided to allow due to our boilerplate template design.
trivy:
stage: test
image:
name: aquasec/tfsec:latest
name: aquasec/trivy:latest
entrypoint: [""]
variables:
TFSEC_EXCLUDE: "google-storage-bucket-encryption-customer-key,\
google-compute-enable-vpc-flow-logs,\
google-sql-enable-pg-temp-file-logging,\
google-sql-no-public-access,\
google-sql-pg-log-checkpoints,\
google-sql-pg-log-connections,\
google-sql-pg-log-disconnections,\
google-sql-pg-log-lock-waits"
script: |
TRIVY_IGNORE: |-
AVD-GCP-0066
AVD-GCP-0029
AVD-GCP-0014
AVD-GCP-0017
AVD-GCP-0025
AVD-GCP-0016
AVD-GCP-0022
AVD-GCP-0020
before_script: |
mkdir ${TF_DATA_DIR}
tfsec --force-all-dirs --include-passed --format lovely,junit \
--exclude "$TFSEC_EXCLUDE" --out ${TF_DATA_DIR}/${CI_COMMIT_REF_SLUG}-tfsec
for i in $TRIVY_IGNORE; do echo $i >> .trivyignore; done
script: |
trivy fs --scanners misconfig --format json --output trivy.json --exit-code 1 .
after_script: |
trivy convert --format template --template "@/contrib/junit.tpl" --output ${TF_DATA_DIR}/${CI_COMMIT_REF_SLUG}-trivy.junit trivy.json
trivy convert --format table --output trivy.out trivy.json && cat trivy.out
rules:
- if: $TFSEC_DISABLED
- if: $TRIVY_DISABLED
when: never
- !reference [.test-job-rules]
tags:
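Review bot: The new job pulls `aquasec/trivy:latest` while the comment above it links to the v0.50 filtering docs, so the check-ID namespace and ignore-file format the `TRIVY_IGNORE` list relies on can drift from the scanner that actually runs, and a floating tag on a security gate also means the pipeline's behaviour changes without any commit in this repo; pin it, `name: aquasec/trivy:0.50.1` (ideally with an `@sha256:<digest>` suffix), and bump it deliberately. The `rules` entry now keys only on `$TRIVY_DISABLED`, and `TFSEC_EXCLUDE` is gone, so any project that opted out with `TFSEC_DISABLED` or extended the exclude list silently gets a scan that fails on every finding (the `trivy fs` line sets `--exit-code 1` with no `--severity` filter); a transitional `- if: $TRIVY_DISABLED || $TFSEC_DISABLED` on the rule, or at least a "Changed"-entry note in the changelog naming the renamed variable, would avoid surprising downstream pipelines. The eight `AVD-GCP-*` entries are opaque where the old `TFSEC_EXCLUDE` names were self-describing; a trailing comment per line, e.g. `AVD-GCP-0066  # <tfsec check this replaces>`, keeps the "why we allow this" rationale from the old comment reviewable. The `for i in $TRIVY_IGNORE; do echo $i >> .trivyignore; done` loop appends, which preserves a repo-provided `.trivyignore` but will also accumulate duplicates if the runner reuses a checkout; harmless, but worth a one-line comment saying the append is intentional.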
......@@ -261,7 +267,7 @@ tfsec:
expire_in: 1 week
when: always
reports:
junit: ${TF_DATA_DIR}/${CI_COMMIT_REF_SLUG}-tfsec.junit
junit: ${TF_DATA_DIR}/${CI_COMMIT_REF_SLUG}-trivy.junit
needs: []
# The following jobs make up the default workflow for our standard three-environment products. For products with
......