How to secure Terraform code with Trivy

This page summarizes the projects mentioned and recommended in the original post on dev.to

InfluxDB - Purpose built for real-time analytics at any scale.
InfluxDB Platform is powered by columnar analytics, optimized for cost-efficient storage, and built with open data standards.
www.influxdata.com
featured
SaaSHub - Software Alternatives and Reviews
SaaSHub helps you find the best software and product alternatives
www.saashub.com
featured
  • trivy

    Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more

    There are also pre-built packages available for various Linux distros, or grab the binary from GitHub releases: https://github.com/aquasecurity/trivy/releases

  • InfluxDB

    Purpose built for real-time analytics at any scale. InfluxDB Platform is powered by columnar analytics, optimized for cost-efficient storage, and built with open data standards.

    InfluxDB logo
  • aws-cloudformation-coverage-roadmap

    The AWS CloudFormation Public Coverage Roadmap

    At the time of writing Trivy supports scanning of various IaC configurations such as Terraform, CloudFormation and Azure Resource Manager. So even if your organisation uses different tools across teams, Trivy might just be the right tool. Trivy comes with built-in checks for various cloud platforms and in this blog post we will only use the built-in checks, but you can also define your own custom checks/policies.

  • trivy-action

    Runs Trivy as GitHub action to scan your Docker container image for vulnerabilities

    When using Trivy in CI it’s wise to use a configuration file instead of the command line flags, this makes it easy to reproduce the scan using same configuration locally if you need to investigate some new findings. If you are using GitHub Actions, there’s an official Action that you can use to integrate Trivy into your CI pipeline, here’s a simple example which uses a configuration file:

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.

Suggest a related project

Related posts

  • A Deep Dive Into Terraform Static Code Analysis Tools: Features and Comparisons

    6 projects | dev.to | 16 Apr 2024
  • How are you securing your Azure DevOps IaC pipelines?

    1 project | /r/AZURE | 26 May 2023
  • Popular and recommended tools for vulnerability scanning

    2 projects | /r/Terraform | 10 Mar 2023
  • Securing the software supply chain in the cloud

    9 projects | dev.to | 10 Dec 2022
  • Can you use Powershell to mimic behavior of Azure policy

    2 projects | /r/AZURE | 7 Nov 2022