
Conversation

Collaborator

@tmikula-dev tmikula-dev commented Oct 15, 2025

Overview

This pull request introduces a new GitHub Actions workflow for static checking of Terraform. It uses Trivy for security scanning and TFLint for linting. Results are uploaded in SARIF format for integration with GitHub's security dashboard.

Release Notes:

  • Trivy and TFLint Terraform static checks in a CI form

Related

Closes #67

Summary by CodeRabbit

  • Chores

    • Implemented automated static analysis workflow for Terraform configurations, including security scanning and linting checks on pull requests and deployments
  • Documentation

    • Added local development guides for running Terraform analysis tools
    • Updated development reference tables with new analysis tool information


coderabbitai bot commented Oct 15, 2025

Walkthrough

New GitHub Actions workflow implements static code analysis for Terraform files using Trivy (security scanning) and TFLint (linting), triggered on pull requests and pushes to master. Supporting documentation and configuration files updated to document the new tools and ignore SARIF output artifacts.

Changes

  • CI/CD Workflow: .github/workflows/check_terraform.yml
    New workflow executing concurrent Trivy security scan and TFLint linter checks on Terraform files, uploading results to CodeQL, enforcing failure on HIGH/CRITICAL findings and policy violations
  • Configuration: .gitignore
    Reordered .idea/ entry and added *.sarif pattern to exclude SARIF report files
  • Developer Documentation: DEVELOPER.md
    Renamed static analysis section to "Run Pylint Tool Locally," added "Run TFLint Tool Locally" and "Run Trivy Tool Locally" sections with installation and usage guidance, added "Code Coverage" subsection
  • Project Documentation: README.md
    Reformatted Local Development & Testing table with aligned fixed-width header, added rows for TFLint and Trivy tools

Sequence Diagram

sequenceDiagram
    participant GH as GitHub
    participant Workflow as Workflow
    participant Trivy
    participant TFLint
    participant CodeQL
    
    GH->>Workflow: Trigger (PR/Push/Dispatch)
    Workflow->>Workflow: Checkout Code
    
    par Parallel Execution
        Workflow->>Trivy: Run Config Scan
        Trivy->>Trivy: Scan terraform/
        Trivy-->>Workflow: Generate SARIF Report
        Workflow->>CodeQL: Upload Trivy SARIF
        Workflow->>Workflow: Check Exit Code
    and
        Workflow->>TFLint: Initialize & Lint
        TFLint->>TFLint: Lint terraform/
        TFLint-->>Workflow: Generate SARIF Report
        Workflow->>CodeQL: Upload TFLint SARIF
        Workflow->>Workflow: Check Findings
    end
    
    Workflow->>Workflow: Enforce Failure on Issues
    Workflow-->>GH: Workflow Complete

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

The changes represent a cohesive feature addition with consistent patterns: a straightforward GitHub Actions workflow configuration, minimal configuration updates, and uniform documentation additions. The workflow logic is clear and follows standard practices for tool integration and SARIF reporting.

Poem

🐰 Hop, lint, scan with care,
Terraform's now fixed in the air,
Trivy checks for danger near,
TFLint makes the code clear,
CI workflows without despair!

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)
  • Description Check: Passed. Check skipped; CodeRabbit's high-level summary is enabled.
  • Title Check: Passed. The title "Trivy and TFLint CI check implementation" directly and clearly summarizes the primary change in the pull request, which is the addition of a new GitHub Actions workflow that integrates both Trivy (for security scanning) and TFLint (for linting) to perform static checks on Terraform code. The title is concise, specific about the tools being added, and accurately reflects the core objective of implementing CI checks for Terraform files. It avoids vague terms and noise while being specific enough for a teammate to understand the main change from the title alone.
  • Linked Issues Check: Passed. The pull request successfully addresses all coding-related requirements from linked issue #67. The primary objective of providing a CI workflow that runs TFLint (linting) and Trivy (security scanning) for Terraform code is fully implemented through the new .github/workflows/check_terraform.yml file, which triggers on PRs affecting the terraform directory, sets up both tools, executes their checks, and uploads SARIF results to the GitHub security dashboard. Additionally, the supporting infrastructure changes (.gitignore additions for .sarif files) and documentation updates (DEVELOPER.md and README.md) provide local tool guidance and visibility, which complement the CI workflow implementation and address the overall goal of filling missing QA coverage for Terraform files.
  • Out of Scope Changes Check: Passed. All changes in the pull request are either directly required or meaningfully supporting the implementation of Terraform CI checks as specified in issue #67. The primary implementation (the .github/workflows/check_terraform.yml workflow) is directly in scope, the .gitignore updates provide necessary infrastructure support for SARIF file handling, and the documentation enhancements in DEVELOPER.md and README.md are supplementary changes that explain and support the feature without introducing unrelated functionality. No changes appear to address requirements outside the stated objective of implementing Terraform linter and security scanning checks.
  • Docstring Coverage: Passed. No functions found in the changes. Docstring coverage check skipped.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 29d40e8 and eac6966.

📒 Files selected for processing (1)
  • .github/workflows/check_terraform.yml (1 hunks)


@AbsaOSS AbsaOSS deleted a comment from coderabbitai bot Oct 15, 2025
@tmikula-dev tmikula-dev added the work in progress Work on this item is not yet finished (mainly intended for PRs) label Oct 15, 2025

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e64eb0d and a99b73a.

📒 Files selected for processing (2)
  • .github/workflows/check_terraform.yml (1 hunks)
  • .gitignore (1 hunks)


coderabbitai bot commented Oct 15, 2025

UTG Post-Process Complete

No new issues were detected in the generated code and all check runs have completed. The unit test generation process has completed successfully.


coderabbitai bot commented Oct 15, 2025

Creating a PR to put the unit tests in...

The changes have been created in this pull request: View PR

@AbsaOSS AbsaOSS deleted a comment from github-advanced-security bot Oct 15, 2025
@AbsaOSS AbsaOSS deleted a comment from github-advanced-security bot Oct 15, 2025
@tmikula-dev tmikula-dev removed the work in progress Work on this item is not yet finished (mainly intended for PRs) label Oct 16, 2025

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (2)
DEVELOPER.md (2)

108-127: Minor phrasing and terminology improvements.

A few small refinements for clarity:

  • Line 111: "We are forcing to eliminate" → "All errors reported by TFLint must be eliminated"
  • Line 117: Period placed inside the link text → move it outside the link: [following link](https://github.com/terraform-linters/tflint).
  • Line 121: "from the root file" → "from the root directory"

Apply this diff:

-This project uses the [TFLint](https://github.com/terraform-linters/tflint) tool for static analysis of Terraform code.
-We are forcing to eliminate **all** errors reported by TFLint. Any detected warnings and notices should be corrected as well as a best practice.
+This project uses the [TFLint](https://github.com/terraform-linters/tflint) tool for static analysis of Terraform code.
+All errors reported by TFLint must be eliminated. Any detected warnings and notices should be corrected as well as a best practice.
 
 - Find possible errors (like invalid instance types) for Major Cloud providers (AWS/Azure/GCP).
 - Warn about deprecated syntax, unused declarations. 
 - Enforce best practices, naming conventions.
 
-> For installation instructions, please refer to the [following link.](https://github.com/terraform-linters/tflint)
+> For installation instructions, please refer to the [following link](https://github.com/terraform-linters/tflint).
 
 ### Run TFLint
 
-For running TFLint you need to be in the `terraform/` directory. From the root file run the following commands:
+For running TFLint you need to be in the `terraform/` directory. From the root directory run the following commands:
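Review bot: the last two lines of this hunk still contradict each other: the sentence says you need to be in the `terraform/` directory, then tells the reader to run the commands from the root directory. Pick one and make the text match what is actually typed: either start with `cd terraform/` and say so, or stay in the root directory and point TFLint at the target explicitly, for example `tflint --chdir terraform/`, so that a developer who copies the commands gets the same result the CI job does.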

129-143: Minor terminology correction.

Line 138: "from the root file" should be "from the root directory" for consistency with standard terminology.

Apply this diff:

 ### Run Trivy
 
-For running Trivy tool locally run the following command from the root file:
+For running Trivy tool locally run the following command from the root directory:
 ```shell
 trivy config terraform/ # Default table output (all severities)
 trivy config --severity HIGH,CRITICAL terraform/ # Show only HIGH and CRITICAL severities
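Review bot: the local commands in this hunk do not reproduce the pass/fail behaviour this PR adds to CI. `trivy config` exits 0 whether or not it finds anything, so the `--severity HIGH,CRITICAL` invocation shows the findings but never fails, while the workflow enforces failure on HIGH/CRITICAL. Add `--exit-code 1` to the second command (`trivy config --severity HIGH,CRITICAL --exit-code 1 terraform/`), or state in the text that the local run is informational and only CI gates on severity, so developers are not surprised by a red check on the pull request after a clean-looking local run.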
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9c1d123 and 29d40e8.

📒 Files selected for processing (5)
  • .github/CODEOWNERS (1 hunks)
  • .github/workflows/check_terraform.yml (1 hunks)
  • DEVELOPER.md (3 hunks)
  • README.md (1 hunks)
  • terraform/lambda.tf (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • terraform/lambda.tf
🧰 Additional context used
🪛 LanguageTool
DEVELOPER.md

[grammar] ~5-~5: There might be a mistake here.
Context: ...-environment) - Run Pylint Tool Locally - [Run Black Tool Locally](#run-black-tool-...

(QB_NEW_EN)


[grammar] ~6-~6: There might be a mistake here.
Context: ...-tool-locally) - Run Black Tool Locally - [Run mypy Tool Locally](#run-mypy-tool-lo...

(QB_NEW_EN)


[grammar] ~7-~7: There might be a mistake here.
Context: ...k-tool-locally) - Run mypy Tool Locally - [Run TFLint Tool Locally](#run-tflint-too...

(QB_NEW_EN)


[grammar] ~8-~8: There might be a mistake here.
Context: ...tool-locally) - Run TFLint Tool Locally - [Run Trivy Tool Locally](#run-trivy-tool-...

(QB_NEW_EN)


[grammar] ~9-~9: There might be a mistake here.
Context: ...-tool-locally) - Run Trivy Tool Locally - Run Unit Test - [Co...

(QB_NEW_EN)


[grammar] ~10-~10: There might be a mistake here.
Context: ...run-trivy-tool-locally) - Run Unit Test - Code Coverage ## Get S...

(QB_NEW_EN)


[grammar] ~113-~113: There might be a mistake here.
Context: ...r Major Cloud providers (AWS/Azure/GCP). - Warn about deprecated syntax, unused dec...

(QB_NEW_EN)


[grammar] ~114-~114: There might be a mistake here.
Context: ... deprecated syntax, unused declarations. - Enforce best practices, naming conventio...

(QB_NEW_EN)


[grammar] ~131-~131: There might be a mistake here.
Context: ...r security issues and misconfigurations. It is an open‑source security scanner ma...

(QB_NEW_EN)

🔇 Additional comments (4)
DEVELOPER.md (1)

168-177: LGTM! Good addition of code coverage documentation.

The new Code Coverage section clearly documents how to run coverage reports and view results. The enforcement of an 80% minimum threshold and HTML report generation are valuable practices.

.github/workflows/check_terraform.yml (2)

1-21: LGTM! Well-structured workflow configuration.

The workflow metadata, triggers, and permissions are properly configured:

  • Appropriate path filters for terraform changes
  • Concurrency group prevents duplicate runs
  • Correct permissions for SARIF uploads

23-56: LGTM! Trivy job correctly implements exit code enforcement.

The Trivy job properly:

  • Captures exit codes with set +e
  • Filters to HIGH/CRITICAL severities
  • Uploads SARIF before enforcing failure
  • Provides clear failure messaging
README.md (1)

127-137: LGTM! Clean table formatting and comprehensive tool coverage.

The reformatted table with fixed-width columns improves readability, and the new TFLint and Trivy entries properly document the expanded static analysis tooling. This aligns well with the additions in DEVELOPER.md and the new CI workflow.
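The review comments above describe the shape of the workflow (path-filtered triggers on pull requests and pushes to master, a concurrency group, permissions scoped to SARIF upload, Trivy run with `set +e` so the exit code is captured, the SARIF uploaded before failure is enforced, and a parallel TFLint job). The block below is an added example of that shape, written for this page; it is not the project's actual `.github/workflows/check_terraform.yml`. The action and tool versions, the `terraform/` layout, the `GITHUB_TOKEN` use for plugin downloads and the SARIF category names are assumptions.

```yaml
# Added example of the workflow shape described in the review; not the project's
# own check_terraform.yml. Versions, paths and category names are assumptions.
name: Terraform static checks

on:
  pull_request:
    paths: ["terraform/**", ".github/workflows/check_terraform.yml"]
  push:
    branches: [master]
    paths: ["terraform/**"]
  workflow_dispatch:

# A newer push to the same ref cancels the stale run instead of queueing a duplicate.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Least privilege: upload-sarif needs security-events: write (plus actions: read on
# private repositories); nothing here needs write access to repository contents.
permissions:
  contents: read
  actions: read
  security-events: write

jobs:
  trivy:
    name: Trivy config scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install Trivy (assumed version; pin the release your team has validated)
        run: |
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh \
            | sh -s -- -b /usr/local/bin v0.56.2

      - name: Scan terraform/ (SARIF, fail on HIGH/CRITICAL)
        id: trivy
        run: |
          # The job shell runs with -e; disable it so a failing scan still reaches the
          # upload step, and record the exit code for the enforcement step instead.
          set +e
          trivy config --format sarif --output trivy-results.sarif \
            --severity HIGH,CRITICAL --exit-code 1 terraform/
          echo "exit_code=$?" >> "$GITHUB_OUTPUT"

      - name: Upload Trivy SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif
          category: trivy-terraform

      - name: Enforce Trivy result
        if: steps.trivy.outputs.exit_code != '0'
        run: |
          echo "::error::Trivy reported HIGH/CRITICAL misconfigurations in terraform/ (see the Security tab)"
          exit 1

  tflint:
    name: TFLint
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: terraform
    steps:
      - uses: actions/checkout@v4
      - uses: terraform-linters/setup-tflint@v4
        with:
          tflint_version: v0.53.0   # assumed; pin the release your .tflint.hcl plugins target

      - name: Initialise TFLint plugins
        run: tflint --init
        env:
          GITHUB_TOKEN: ${{ github.token }}   # plugin downloads use the GitHub API; avoids rate limits

      - name: Lint terraform/ (SARIF)
        id: tflint
        run: |
          # TFLint exits 2 when it finds issues at or above --minimum-failure-severity
          # (error by default); capture the code the same way as for Trivy.
          set +e
          tflint --format sarif > tflint-results.sarif
          echo "exit_code=$?" >> "$GITHUB_OUTPUT"

      - name: Upload TFLint SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          # Action inputs ignore working-directory; the path is workspace-relative.
          sarif_file: terraform/tflint-results.sarif
          category: tflint-terraform

      - name: Enforce TFLint result
        if: steps.tflint.outputs.exit_code != '0'
        run: |
          echo "::error::TFLint reported errors in terraform/ (see the Security tab)"
          exit 1
```

Two points worth keeping in mind when adapting this. The ordering (scan, upload with `if: always()`, then a separate enforcement step) is what makes the findings land in the Security tab even on a failing run; if the scan step itself exits non-zero under the default `-e` shell, the upload never happens. And because `--severity` filters what Trivy reports, the uploaded SARIF only carries HIGH and CRITICAL findings; if MEDIUM and LOW results should also appear in the dashboard, produce the SARIF without the filter and run the gate as a second `trivy config --severity HIGH,CRITICAL --exit-code 1 terraform/` invocation.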

Contributor

@miroslavpojer miroslavpojer left a comment


  • pulled
  • read

@tmikula-dev tmikula-dev merged commit 4af9f10 into master Oct 16, 2025
7 checks passed
@tmikula-dev tmikula-dev deleted the feature/67-terraform-ci-linter-check branch October 16, 2025 11:58

Labels

enhancement New feature or request


Development

Successfully merging this pull request may close these issues.

Trivy and TFlint scan initialization

3 participants