
v0.6.3

github-actions released this 03 Sep 05:54


Features

#1106 test: Support enabling Trivy and disabling tflint and tfsec


The test action has always run tflint and tfsec.
From this release, the test action supports running Trivy and disabling tflint and tfsec.
The default behaviour is unchanged: the test action still runs tflint and tfsec and does not run Trivy unless you enable it.

To run Trivy, you need to install Trivy with aqua.

aqua g -i aquasecurity/trivy

You can enable or disable Trivy, tfsec, and tflint in tfaction-root.yaml.

tfsec:
  enabled: false # By default, this is true
trivy:
  enabled: true # By default, this is false
# tflint:
#   enabled: true # By default, this is true

⚠️ For now, these settings can be configured only at the root of tfaction-root.yaml.
We will consider allowing these settings to be configured in tfaction-root.yaml's target_groups and in tfaction.yaml too if necessary.
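As an added example (not tfaction's own code), the small script below computes the effective linter settings of a tfaction-root.yaml from the defaults stated above and warns when tfsec has been disabled without Trivy being enabled, which would leave no misconfiguration scanner running. The parser is a hypothetical minimal helper that understands only the two-level layout shown in this note; the sample configuration is constructed inline.

```python
# Added example: effective linter settings under the v0.6.3 defaults.
# Defaults stated in the release notes: tflint and tfsec on, Trivy off.
DEFAULTS = {"tflint": True, "tfsec": True, "trivy": False}

def parse_linter_settings(text):
    """Hypothetical minimal parser, not tfaction's loader: reads only the
    two-level `<linter>:` / `  enabled: <bool>` layout and ignores comments."""
    settings = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop trailing comments
        if not line.strip():
            continue
        if not line.startswith(" "):           # top-level key
            current = line.rstrip(":").strip()
            continue
        key, _, value = line.strip().partition(":")
        if current in DEFAULTS and key == "enabled":
            settings[current] = value.strip().lower() == "true"
    return settings

def effective_linters(text):
    """Overlay the explicit settings on the defaults."""
    effective = dict(DEFAULTS)
    effective.update(parse_linter_settings(text))
    return effective

def migration_warnings(text):
    """Flag a config that leaves no misconfiguration scanner running,
    or one that runs tfsec and Trivy at the same time."""
    eff = effective_linters(text)
    warnings = []
    if not eff["tfsec"] and not eff["trivy"]:
        warnings.append("no misconfiguration scanner enabled: tfsec is off and Trivy is not enabled")
    elif eff["tfsec"] and eff["trivy"]:
        warnings.append("both tfsec and Trivy are enabled: both scanners will run")
    return warnings

# Constructed sample: the migration configuration from this release note.
SAMPLE = """tfsec:
  enabled: false # By default, this is true
trivy:
  enabled: true # By default, this is false
"""

if __name__ == "__main__":
    print(effective_linters(SAMPLE), migration_warnings(SAMPLE))
```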

Background

The tfsec maintainers encourage the tfsec community to transition to Trivy.
So tfaction needed to support migrating from tfsec to Trivy.

tfsec doesn't support Terraform's import block, and the issue was closed because the maintainers encourage migrating to Trivy.

https://github.com/aquasecurity/tfsec/issues/2070#issuecomment-1673920879

So you should migrate from tfsec to Trivy in the near future.

Scaffold working directories

If you want to use Trivy instead of tfsec in new working directories, you should skip creating aqua.yaml, following the guide: https://suzuki-shunsuke.github.io/tfaction/docs/feature/scaffold-working-dir#-skip-creating-aquayaml-and-adding-packages

tfaction-root.yaml

scaffold_working_directory:
  skip_adding_aqua_packages: true

Then add an aqua.yaml that includes Trivy instead of tfsec to your templates.

aqua init
aqua g -i open-policy-agent/conftest terraform-linters/tflint aquasecurity/trivy hashicorp/terraform

Known issues

The test-module action doesn't support Trivy yet, and it doesn't support enabling or disabling linters.
We will work on it.

Fixes

#1102 test: Enable tfsec's --ignore-hcl-errors to prevent the parse error of Terraform's import block

You don't need to do anything.
tfsec is now always run with --ignore-hcl-errors to prevent the parse error on Terraform's import block.

tfsec doesn't support Terraform's import block, but --ignore-hcl-errors can be used as a workaround: https://github.com/aquasecurity/tfsec/issues/2070#issuecomment-1669056215