Our great sponsors
-
trivy
Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
-
WorkOS
The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.
#// code/task_groups/build.yml#L16-L89 jobs: - job: build pool: vmImage: ${{ parameters.pool }} workspace: clean: all steps: - checkout: self path: src - task: TerraformInstaller@0 inputs: terraformVersion: ${{ parameters.terraformVersion }} - task: CmdLine@2 displayName: 'Download and Install Trivy vulnerability scanner' inputs: script: | sudo apt-get install rpm wget https://github.com/aquasecurity/trivy/releases/download/v${{ parameters.trivyVersion }}/trivy_${{ parameters.trivyVersion }}_Linux-64bit.deb sudo dpkg -i trivy_${{ parameters.trivyVersion }}_Linux-64bit.deb trivy -v - task: TerraformTaskV2@2 displayName: Terraform Init inputs: provider: 'azurerm' command: 'init' workingDirectory: '$(Agent.BuildDirectory)/src/${{ parameters.root_directory }}' backendServiceArm: ${{ parameters.backend_service_connection_name }} backendAzureRmResourceGroupName: ${{ parameters.backend_resource_group }} backendAzureRmStorageAccountName: ${{ parameters.backend_storage_accountname }} backendAzureRmContainerName: ${{ parameters.container_name }} backendAzureRmKey: ${{ parameters.container_key }} - task: CmdLine@2 displayName: 'LOW/MED - Trivy vulnerability scanner in IaC mode' inputs: script: | trivy config --severity LOW,MEDIUM --exit-code 0 $(Agent.BuildDirectory)/src/${{ parameters.root_directory }} - task: CmdLine@2 displayName: 'HIGH/CRIT - Trivy vulnerability scanner in IaC mode' inputs: script: | trivy config --severity HIGH,CRITICAL --exit-code 1 $(Agent.BuildDirectory)/src/${{ parameters.root_directory }} - task: TerraformTaskV2@2 displayName: Terraform Plan inputs: provider: 'azurerm' command: 'plan' workingDirectory: '$(Agent.BuildDirectory)/src/${{ parameters.root_directory }}' commandOptions: '--var-file=$(Agent.BuildDirectory)/src/${{ parameters.root_directory }}${{ parameters.tfvarFile }} --out=$(Agent.BuildDirectory)/src/${{ parameters.root_directory }}plan.tfplan' environmentServiceNameAzureRM: ${{ parameters.deployment_service_connection_name }} - task: CopyFiles@2 displayName: 'Copy Files to Staging' inputs: SourceFolder: '$(Agent.BuildDirectory)/src' Contents: 'Terraform/**' TargetFolder: '$(Build.ArtifactStagingDirectory)' - task: ArchiveFiles@2 inputs: rootFolderOrFile: '$(Build.ArtifactStagingDirectory)' archiveFile: '$(Build.ArtifactStagingDirectory)/$(Build.BuildId).zip' replaceExistingArchive: true includeRootFolder: false displayName: Archive Terraform Artifact - publish: '$(Build.ArtifactStagingDirectory)/$(Build.BuildId).zip' artifact: '$(Build.BuildId)-trivy' displayName: Publish Pipeline Artifact
This tutorial is based on the following Azure DevOps Repository blueprint, which will use a CI/CD YAML pipeline to deploy an Azure Virtual Network using terraform IaC configuration files.
Trivy checks Terraform IaC using TFSEC. You can take a look at all the checks that Trivy performs under the included checks documentation. In the previous example above Trivy detected a risk called: Potentially sensitive data stored in block attribute, which notified us that our code was potentially exposing sensitive data.
Related posts
- A simple security scanner for vulnerabilities and configuration issues in IaC such as Kubernetes, Dockerfile and Terraform
- A Deep Dive Into Terraform Static Code Analysis Tools: Features and Comparisons
- Why SQLite Does Not Use Git
- Understanding Container Security
- How to scan and control the K8 objects are being created against security threats?