From 813ced67c52ab88f127d72b70a289df143ee964b Mon Sep 17 00:00:00 2001
From: Jonathan Wright
Date: Sun, 12 Nov 2023 15:36:26 +0000
Subject: [PATCH] Migrate tfsec to trivy as tfsec is joining Trivy

Following the notice that tfsec is joining Trivy, update the terraform-checks workflow to use trivy instead of tfsec.
---
 .github/workflows/terraform-checks.yaml | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/terraform-checks.yaml b/.github/workflows/terraform-checks.yaml
index de3a233..d6d6e4f 100644
--- a/.github/workflows/terraform-checks.yaml
+++ b/.github/workflows/terraform-checks.yaml
@@ -188,16 +188,18 @@ jobs:
 git-push: true
 git-commit-message: Syncing terraform-docs update for ${{ inputs.working-directory }}/README.md
 
- - name: Run tfsec against the ${{ inputs.type }}
- uses: aquasecurity/tfsec-action@v1.0.3
+ - name: Run trivy against the ${{ inputs.type }}
+ uses: aquasecurity/trivy-action@v0.14
 with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
- working_directory: ${{ inputs.working-directory }}
- format: lovely,sarif
- additional_args: --out=tfsec
-
- - name: Upload the tfsec SARIF file for the ${{ inputs.type }}
+ github-pat: ${{ secrets.GITHUB_TOKEN }}
+ trivy-config: .trivy.yaml
+ scan-type: fs
+ scan-ref: ${{ inputs.working-directory }}
+ format: sarif
+ output: trivy-results.sarif
+
+ - name: Upload the trivy SARIF file for the ${{ inputs.type }}
 uses: github/codeql-action/upload-sarif@v2
 with:
- sarif_file: ${{ inputs.working-directory }}/tfsec.sarif.json
- category: tfsec-${{ inputs.type }}
+ sarif_file: ${{ inputs.working-directory }}/trivy-results.sarif
+ category: trivy-${{ inputs.type }}
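Review bot: The SARIF path written by the scan step and the path read by the upload step may not agree: `output: trivy-results.sarif` appears to be resolved relative to the action's working directory (the repository root), while the upload step looks for `${{ inputs.working-directory }}/trivy-results.sarif`, so unless inputs.working-directory is `.` the upload step will not find the file. Writing `output: ${{ inputs.working-directory }}/trivy-results.sarif` keeps both steps pointed at the same file. Separately, `scan-type: fs` runs Trivy's vulnerability and secret scanners by default, so the misconfiguration checks that tfsec provided only run if `.trivy.yaml` (referenced here but not added in this commit, per the diffstat) enables the misconfig scanner, or if the step uses `scan-type: config` instead. Pinning `aquasecurity/trivy-action@v0.14` to a full commit SHA would also keep a mutable tag from silently changing the scanner that runs with this job's GITHUB_TOKEN. The steps list this hunk edits begins before line 188, outside the hunk.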