Terraform IaC Scanning with Trivy

This page summarizes the projects mentioned and recommended in the original post on dev.to

Our great sponsors
  • Scout APM - Less time debugging, more time building
  • SonarQube - Static code analysis for 29 languages.
  • SaaSHub - Software Alternatives and Reviews
  • trivy

    Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets

    #// code/task_groups/build.yml#L16-L89 jobs: - job: build pool: vmImage: ${{ parameters.pool }} workspace: clean: all steps: - checkout: self path: src - task: [email protected] inputs: terraformVersion: ${{ parameters.terraformVersion }} - task: [email protected] displayName: 'Download and Install Trivy vulnerability scanner' inputs: script: | sudo apt-get install rpm wget https://github.com/aquasecurity/trivy/releases/download/v${{ parameters.trivyVersion }}/trivy_${{ parameters.trivyVersion }}_Linux-64bit.deb sudo dpkg -i trivy_${{ parameters.trivyVersion }}_Linux-64bit.deb trivy -v - task: [email protected] displayName: Terraform Init inputs: provider: 'azurerm' command: 'init' workingDirectory: '$(Agent.BuildDirectory)/src/${{ parameters.root_directory }}' backendServiceArm: ${{ parameters.backend_service_connection_name }} backendAzureRmResourceGroupName: ${{ parameters.backend_resource_group }} backendAzureRmStorageAccountName: ${{ parameters.backend_storage_accountname }} backendAzureRmContainerName: ${{ parameters.container_name }} backendAzureRmKey: ${{ parameters.container_key }} - task: [email protected] displayName: 'LOW/MED - Trivy vulnerability scanner in IaC mode' inputs: script: | trivy config --severity LOW,MEDIUM --exit-code 0 $(Agent.BuildDirectory)/src/${{ parameters.root_directory }} - task: [email protected] displayName: 'HIGH/CRIT - Trivy vulnerability scanner in IaC mode' inputs: script: | trivy config --severity HIGH,CRITICAL --exit-code 1 $(Agent.BuildDirectory)/src/${{ parameters.root_directory }} - task: [email protected] displayName: Terraform Plan inputs: provider: 'azurerm' command: 'plan' workingDirectory: '$(Agent.BuildDirectory)/src/${{ parameters.root_directory }}' commandOptions: '--var-file=$(Agent.BuildDirectory)/src/${{ parameters.root_directory }}${{ parameters.tfvarFile }} --out=$(Agent.BuildDirectory)/src/${{ parameters.root_directory }}plan.tfplan' environmentServiceNameAzureRM: ${{ parameters.deployment_service_connection_name }} - task: [email protected] displayName: 'Copy Files to Staging' inputs: SourceFolder: '$(Agent.BuildDirectory)/src' Contents: 'Terraform/**' TargetFolder: '$(Build.ArtifactStagingDirectory)' - task: [email protected] inputs: rootFolderOrFile: '$(Build.ArtifactStagingDirectory)' archiveFile: '$(Build.ArtifactStagingDirectory)/$(Build.BuildId).zip' replaceExistingArchive: true includeRootFolder: false displayName: Archive Terraform Artifact - publish: '$(Build.ArtifactStagingDirectory)/$(Build.BuildId).zip' artifact: '$(Build.BuildId)-trivy' displayName: Publish Pipeline Artifact

  • blog-devto

    Dev.to blog posts

    This tutorial is based on the following Azure DevOps Repository blueprint, which will use a CI/CD YAML pipeline to deploy an Azure Virtual Network using terraform IaC configuration files.

  • Scout APM

    Less time debugging, more time building. Scout APM allows you to find and fix performance issues with no hassle. Now with error monitoring and external services monitoring, Scout is a developer's best friend when it comes to application development.

  • tfsec

    Security scanner for your Terraform code

    Trivy checks Terraform IaC using TFSEC. You can take a look at all the checks that Trivy performs under the included checks documentation. In the previous example above Trivy detected a risk called: Potentially sensitive data stored in block attribute, which notified us that our code was potentially exposing sensitive data.

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.

Suggest a related project

Related posts