From 6af52dd179ea5e46bb9cd88aae5b1f5551787d8b Mon Sep 17 00:00:00 2001 From: Dagan McGregor Date: Sun, 9 Mar 2025 23:53:25 +1300 Subject: [PATCH] fix: update to use aquasecurity/trivy-action to replace tfsec Aquasecurity stopped updating tfsec and it fails on newer Terraform code Updating to use the supported Trivy action for code scanning --- .../reusable-terraform-management.yml | 25 +++++++++++++++---- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/.github/workflows/reusable-terraform-management.yml b/.github/workflows/reusable-terraform-management.yml index e87165d1..144c7bbe 100644 --- a/.github/workflows/reusable-terraform-management.yml +++ b/.github/workflows/reusable-terraform-management.yml @@ -26,8 +26,8 @@ jobs: GITHUB_TOKEN: ${{ github.token }} - name: Run TFLint run: tflint -f compact - tfsec: - name: tfsec + aquasecurity-trivy: + name: aquasecurity-trivy runs-on: ubuntu-latest steps: - if: ${{ startsWith(github.repository, 'GeoNet/') == false }} @@ -35,10 +35,25 @@ jobs: run: | exit 1 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: tfsec - uses: aquasecurity/tfsec-action@b466648d6e39e7c75324f25d83891162a721f2d6 # v1.0.3 + - name: Aqua Security Trivy + uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0 with: - github_token: ${{ github.token }} + scan-type: 'config' + hide-progress: true + output: trivy.txt + - name: Publish Trivy Output to Summary + run: | + if [[ -f trivy.txt ]]; then + { + echo "### Security Output" + echo "
Click to expand" + echo "" + echo '```terraform' + cat trivy.txt + echo '````' + echo "
" + } >> $GITHUB_STEP_SUMMARY + fi terraform: name: Terraform runs-on: ubuntu-latest