trivy
Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets
```yaml
# code/task_groups/build.yml#L16-L89
# Note: the task identifiers were mangled during extraction ("[email protected]").
# The standard Azure DevOps task names used below (TerraformInstaller@0, Bash@3,
# TerraformTaskV2@2, CopyFiles@2, ArchiveFiles@2) are assumed, not taken from the page.
jobs:
  - job: build
    pool:
      vmImage: ${{ parameters.pool }}
    workspace:
      clean: all
    steps:
      - checkout: self
        path: src

      # Install the requested Terraform version on the agent
      - task: TerraformInstaller@0
        inputs:
          terraformVersion: ${{ parameters.terraformVersion }}

      # Install the pinned Trivy release from the GitHub release .deb
      - task: Bash@3
        displayName: 'Download and Install Trivy vulnerability scanner'
        inputs:
          script: |
            sudo apt-get install rpm
            wget https://github.com/aquasecurity/trivy/releases/download/v${{ parameters.trivyVersion }}/trivy_${{ parameters.trivyVersion }}_Linux-64bit.deb
            sudo dpkg -i trivy_${{ parameters.trivyVersion }}_Linux-64bit.deb
            trivy -v

      - task: TerraformTaskV2@2
        displayName: Terraform Init
        inputs:
          provider: 'azurerm'
          command: 'init'
          workingDirectory: '$(Agent.BuildDirectory)/src/${{ parameters.root_directory }}'
          backendServiceArm: ${{ parameters.backend_service_connection_name }}
          backendAzureRmResourceGroupName: ${{ parameters.backend_resource_group }}
          backendAzureRmStorageAccountName: ${{ parameters.backend_storage_accountname }}
          backendAzureRmContainerName: ${{ parameters.container_name }}
          backendAzureRmKey: ${{ parameters.container_key }}

      # LOW/MEDIUM findings are reported but never fail the build (--exit-code 0)
      - task: Bash@3
        displayName: 'LOW/MED - Trivy vulnerability scanner in IaC mode'
        inputs:
          script: |
            trivy config --severity LOW,MEDIUM --exit-code 0 $(Agent.BuildDirectory)/src/${{ parameters.root_directory }}

      # HIGH/CRITICAL findings fail the build (--exit-code 1), so no plan is produced
      - task: Bash@3
        displayName: 'HIGH/CRIT - Trivy vulnerability scanner in IaC mode'
        inputs:
          script: |
            trivy config --severity HIGH,CRITICAL --exit-code 1 $(Agent.BuildDirectory)/src/${{ parameters.root_directory }}

      - task: TerraformTaskV2@2
        displayName: Terraform Plan
        inputs:
          provider: 'azurerm'
          command: 'plan'
          workingDirectory: '$(Agent.BuildDirectory)/src/${{ parameters.root_directory }}'
          commandOptions: '--var-file=$(Agent.BuildDirectory)/src/${{ parameters.root_directory }}${{ parameters.tfvarFile }} --out=$(Agent.BuildDirectory)/src/${{ parameters.root_directory }}plan.tfplan'
          environmentServiceNameAzureRM: ${{ parameters.deployment_service_connection_name }}

      - task: CopyFiles@2
        displayName: 'Copy Files to Staging'
        inputs:
          SourceFolder: '$(Agent.BuildDirectory)/src'
          Contents: 'Terraform/**'
          TargetFolder: '$(Build.ArtifactStagingDirectory)'

      - task: ArchiveFiles@2
        displayName: Archive Terraform Artifact
        inputs:
          rootFolderOrFile: '$(Build.ArtifactStagingDirectory)'
          archiveFile: '$(Build.ArtifactStagingDirectory)/$(Build.BuildId).zip'
          replaceExistingArchive: true
          includeRootFolder: false

      - publish: '$(Build.ArtifactStagingDirectory)/$(Build.BuildId).zip'
        artifact: '$(Build.BuildId)-trivy'
        displayName: Publish Pipeline Artifact
```
This tutorial is based on the following Azure DevOps repository blueprint, which uses a CI/CD YAML pipeline to deploy an Azure Virtual Network from Terraform IaC configuration files.
Trivy checks Terraform IaC using the tfsec rule set. You can look at every check Trivy performs in the included-checks documentation. In the example above, Trivy detected a risk called "Potentially sensitive data stored in block attribute", which told us that our code was potentially exposing sensitive data.
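The two Bash steps in the pipeline encode one policy: LOW/MEDIUM findings are reported but tolerated, HIGH/CRITICAL findings fail the build. The script below is an added example (not part of the blueprint or of Trivy) that applies that same policy in one pass over Trivy's `--format json` output, so a finding such as the "Potentially sensitive data stored in block attribute" check above shows up in the summary and, if rated HIGH or CRITICAL, blocks the plan. The report embedded in it is constructed for the example; its IDs, targets and severities are placeholders, and the `run_trivy` helper assumes a `trivy` binary on `PATH`.

```python
"""Severity gate over a Trivy IaC report (`trivy config --format json`).

Added example, not the blueprint's own code. Policy mirrors the pipeline:
LOW/MEDIUM are warn-only, HIGH/CRITICAL fail the step with exit code 1.
"""
import json
import subprocess
import sys
from collections import Counter

WARN_ONLY = {"LOW", "MEDIUM"}
FAIL_ON = {"HIGH", "CRITICAL"}

# Constructed sample in the shape `trivy config --format json` produces:
# a "Results" list with one entry per scanned file, each carrying
# "Misconfigurations". IDs and file names are placeholders, not page data.
SAMPLE_REPORT = {
    "Results": [
        {
            "Target": "main.tf",
            "Class": "config",
            "Type": "terraform",
            "Misconfigurations": [
                {
                    "ID": "EXAMPLE-CHECK-0001",
                    "Severity": "CRITICAL",
                    "Title": "Potentially sensitive data stored in block attribute",
                    "Message": "Attribute name is likely sensitive (constructed).",
                },
                {
                    "ID": "EXAMPLE-CHECK-0002",
                    "Severity": "LOW",
                    "Title": "Constructed low-severity finding",
                    "Message": "Informational only (constructed).",
                },
            ],
        },
        {
            "Target": "network.tf",
            "Class": "config",
            "Type": "terraform",
            "Misconfigurations": [
                {
                    "ID": "EXAMPLE-CHECK-0003",
                    "Severity": "MEDIUM",
                    "Title": "Constructed medium-severity finding",
                    "Message": "Review recommended (constructed).",
                },
            ],
        },
    ]
}


def findings(report):
    """Yield (target, check id, severity, title) for every misconfiguration."""
    for result in report.get("Results") or []:
        target = result.get("Target", "?")
        for m in result.get("Misconfigurations") or []:
            yield (
                target,
                m.get("ID", "?"),
                str(m.get("Severity", "UNKNOWN")).upper(),
                m.get("Title", ""),
            )


def gate(report, fail_on=FAIL_ON):
    """Apply the severity policy.

    Returns (exit_code, severity counts, failing findings). exit_code is 1
    when any finding's severity is in fail_on, otherwise 0; warn-only
    findings are counted but never change the exit code.
    """
    counts = Counter()
    failing = []
    for target, check_id, severity, title in findings(report):
        counts[severity] += 1
        if severity in fail_on:
            failing.append((target, check_id, severity, title))
    return (1 if failing else 0), counts, failing


def summary_lines(report, fail_on=FAIL_ON):
    """Human-readable summary, one line per severity plus each failing finding."""
    exit_code, counts, failing = gate(report, fail_on)
    lines = [f"{sev}: {counts.get(sev, 0)}" for sev in ("CRITICAL", "HIGH", "MEDIUM", "LOW")]
    lines += [f"FAIL {sev} {check_id} in {target}: {title}" for target, check_id, sev, title in failing]
    lines.append("RESULT: " + ("blocked" if exit_code else "passed"))
    return lines


def run_trivy(path):
    """Run Trivy in IaC mode and parse its JSON; --exit-code 0 leaves the verdict to gate()."""
    proc = subprocess.run(
        ["trivy", "config", "--format", "json", "--exit-code", "0", path],
        check=True, capture_output=True, text=True,
    )
    return json.loads(proc.stdout)


if __name__ == "__main__":
    # With a directory argument, scan it for real; otherwise use the constructed sample.
    report = run_trivy(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORT
    print("\n".join(summary_lines(report)))
    sys.exit(gate(report)[0])
```

Running it with no argument evaluates the constructed report and exits 1 because of the CRITICAL finding; passing `fail_on=WARN_ONLY | FAIL_ON` to `gate()` turns the pipeline's tolerant LOW/MEDIUM step into a strict one, which is the single knob you would tighten per environment.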