v0.6.3
Features
#1106 test: Support enabling Trivy and disabling tflint and tfsec
The test action has always run tflint and tfsec.
From this release, the test action supports running Trivy and disabling tflint and tfsec.
The default behaviour is unchanged: the test action runs tflint and tfsec and doesn't run Trivy by default.
To run Trivy, install it with aqua:

```sh
aqua g -i aquasecurity/trivy
```
You can enable or disable Trivy, tfsec, and tflint in tfaction-root.yaml:

```yaml
tfsec:
  enabled: false # By default, this is true
trivy:
  enabled: true # By default, this is false
# tflint:
#   enabled: true # By default, this is true
```

We will consider allowing these settings to be configured in tfaction-root.yaml's target_groups and in tfaction.yaml too if necessary.
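To make the default semantics concrete, here is an added example (not tfaction's own code) that resolves which linters the test action would run from the `tfsec`/`trivy`/`tflint` sections of a tfaction-root.yaml. It assumes only the defaults stated in these notes (tflint and tfsec on unless set to `false`, Trivy off unless set to `true`) and uses a deliberately minimal reader for the two-level `linter: / enabled:` shape shown above, so it runs without PyYAML; the sample config is constructed from the snippet in this release note.

```python
"""Resolve the effective linter set from tfaction-root.yaml linter flags.

Added example, not part of tfaction. The defaults mirror the release notes:
tflint and tfsec are enabled unless explicitly set to false, Trivy is
disabled unless explicitly set to true. The reader below is an assumption
made to stay dependency-free: it only understands top-level sections with
an indented `enabled: true|false` line, which is all this setting needs.
"""

# Defaults as described in the release notes.
DEFAULTS = {"tflint": True, "tfsec": True, "trivy": False}

# Constructed sample: the snippet from the release notes, with comments.
SAMPLE_CONFIG = """\
tfsec:
  enabled: false # By default, this is true
trivy:
  enabled: true # By default, this is false
# tflint:
#   enabled: true # By default, this is true
"""


def parse_linter_flags(text: str) -> dict:
    """Return {linter: enabled} for every known linter section in the text.

    Unknown top-level sections (e.g. scaffold_working_directory) are skipped,
    comments are stripped, and a non-boolean value is rejected loudly rather
    than silently treated as 'disabled'.
    """
    flags = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if indent == 0:
            # Start of a top-level section; only linter sections matter here.
            section = key if key in DEFAULTS else None
        elif section is not None and key == "enabled":
            if value not in ("true", "false"):
                raise ValueError(
                    f"{section}.enabled must be true or false, got {value!r}"
                )
            flags[section] = value == "true"
    return flags


def resolve_linters(text: str) -> dict:
    """Merge explicit flags over the defaults; unset linters keep the default."""
    effective = dict(DEFAULTS)
    effective.update(parse_linter_flags(text))
    return effective


def enabled_linters(text: str) -> list:
    """Sorted names of the linters the test action would run for this config."""
    return sorted(name for name, on in resolve_linters(text).items() if on)


if __name__ == "__main__":
    print("sample config runs:", enabled_linters(SAMPLE_CONFIG))
    print("empty config runs: ", enabled_linters(""))
```

With the sample config the resolver reports tflint and Trivy (tfsec has been switched off, tflint stays on by default); with no linter sections at all it reports the pre-0.6.3 behaviour, tflint and tfsec only.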
Background
- https://github.com/suzuki-shunsuke/tfaction/discussions/957
- https://github.com/aquasecurity/tfsec/discussions/1994
- https://github.com/aquasecurity/tfsec/blob/master/docs/index.md#-tfsec-to-trivy-migration
tfsec maintainers encourage the tfsec community to transition over to Trivy.
So tfaction needed to support migrating tfsec to Trivy.
tfsec doesn't support Terraform's import block, and the issue was closed because the maintainers encourage migrating to Trivy.
https://github.com/aquasecurity/tfsec/issues/2070#issuecomment-1673920879
So you should migrate from tfsec to Trivy in the near future.
Scaffold working directories
If you want to use Trivy instead of tfsec in new working directories, skip creating aqua.yaml by following the guide: https://suzuki-shunsuke.github.io/tfaction/docs/feature/scaffold-working-dir#-skip-creating-aquayaml-and-adding-packages

tfaction-root.yaml:

```yaml
scaffold_working_directory:
  skip_adding_aqua_packages: true
```

And please add aqua.yaml to your templates:

```sh
aqua init
aqua g -i open-policy-agent/conftest terraform-linters/tflint aquasecurity/trivy hashicorp/terraform
```
Known issues
The test-module action doesn't support Trivy and doesn't support enabling and disabling linters.
We will work on it.
Fixes
#1102 test: Enable tfsec's --ignore-hcl-errors to prevent the parse error on Terraform's import block
- suzuki-shunsuke/github-action-tfsec#612
- https://github.com/aquasecurity/tfsec/issues/2070#issuecomment-1669056215
You don't need to do anything.
tfsec is always run with --ignore-hcl-errors to prevent the parse error on Terraform's import block.
tfsec doesn't support Terraform's import block, but --ignore-hcl-errors can be used as a workaround: https://github.com/aquasecurity/tfsec/issues/2070#issuecomment-1669056215