From 495270aee9daa551ca0d42c4d3ef7749df534149 Mon Sep 17 00:00:00 2001
From: Sofia
Date: Mon, 1 Sep 2025 13:19:32 +0400
Subject: [PATCH] Integrate Trivy
---
 .github/workflows/tests.yml | 21 +++++++++++++++++++++
 aws/eks/auth/cicd/cicd-auth.tf | 3 +++
 aws/eks/eks.tf | 3 +++
 aws/terraform_backend/main.tf | 18 ++++++++++++++++++
 bin/scan | 5 +++++
 do/k8s/main.tf | 11 ++++++-----
 6 files changed, 56 insertions(+), 5 deletions(-)
 create mode 100644 .github/workflows/tests.yml
 create mode 100755 bin/scan
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
new file mode 100644
index 0000000..48bafa4
--- /dev/null
+++ b/.github/workflows/tests.yml
@@ -0,0 +1,21 @@
+name: CI
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+
+concurrency:
+ group: ${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ scan:
+ runs-on: ubuntu-24.04
+ steps:
+ - uses: actions/checkout@v4
+ - uses: aquasecurity/setup-trivy@e6c2c5e321ed9123bda567646e2f96565e34abe1
+ with:
+ version: v0.65.0
+ cache: true
+ - run: bin/scan
diff --git a/aws/eks/auth/cicd/cicd-auth.tf b/aws/eks/auth/cicd/cicd-auth.tf
index 5c004de..6402f2d 100644
--- a/aws/eks/auth/cicd/cicd-auth.tf
+++ b/aws/eks/auth/cicd/cicd-auth.tf
@@ -27,6 +27,9 @@ variable "ecr_repository_arns" {
 type = list(string)
 }
+# Ignored rule: One or more policies are attached directly to a user
+# is ignored since it shouldn't be critical in cicd
+#trivy:ignore:AVD-AWS-0143
 resource "aws_iam_user" "cicd" {
 name = "cicd"
 path = "/automation/${var.app}/${var.environment}/"
diff --git a/aws/eks/eks.tf b/aws/eks/eks.tf
index 6bc99ff..3d0c19b 100644
--- a/aws/eks/eks.tf
+++ b/aws/eks/eks.tf
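Review bot: The workflow declares no `permissions:` block, so the `scan` job runs with whatever default GITHUB_TOKEN scope the repository grants, which can be read-write; a job that only checks out and scans needs nothing beyond `permissions:` / `  contents: read` at the top level of the file. The action pins are also inconsistent: `aquasecurity/setup-trivy` is pinned to a full commit SHA while `actions/checkout@v4` floats on a mutable tag, so pin it the same way (`- uses: actions/checkout@<full-commit-sha> # v4`) to keep the supply-chain posture uniform across the job.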
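Review bot: The comment above `#trivy:ignore:AVD-AWS-0143` restates the finding and says it "shouldn't be critical", but does not record why the risk is acceptable here, which is what the next reader of this suppression needs; a justification such as `# Accepted: dedicated automation user under a per-app/per-environment path; review its attached policy when changing this` names the compensating control (I am inferring that control from the `path` and `ecr_repository_arns` lines visible in the hunk, so adjust the wording to match the actual policy). The ignore comments added in `aws/terraform_backend/main.tf` have the same shape, copying the rule titles without giving a reason. Trivy also accepts an expiry on inline ignores, `#trivy:ignore:AVD-AWS-0143 exp:YYYY-MM-DD`, so accepted findings are revisited rather than suppressed indefinitely. The `aws_iam_user.cicd` resource body continues outside the hunk.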
@@ -86,6 +86,9 @@ module "eks" {
 # We need it to make cert-manager to work since it makes an http request to
 # public self during the self-check while issuing a new certificate.
+# Ignored rule: Security group rule allows unrestricted egress to any IP address
+# is ignored for cert-manager since it makes an request to public server
+#trivy:ignore:AVD-AWS-0104
 resource "aws_security_group_rule" "eks_node_egress_to_http" {
 security_group_id = module.eks.node_security_group_id
 description = "Egress to http (port 80)"
diff --git a/aws/terraform_backend/main.tf b/aws/terraform_backend/main.tf
index 23f45ee..55d2246 100644
--- a/aws/terraform_backend/main.tf
+++ b/aws/terraform_backend/main.tf
@@ -1,3 +1,8 @@
+# Ignored rules:
+# Bucket does not have encryption enabled
+# Bucket has logging disabled
+# Bucket does not encrypt data with a customer managed key
+#trivy:ignore:AVD-AWS-0089 trivy:ignore:AVD-AWS-0132 trivy:ignore:AVD-AWS-0088
 resource "aws_s3_bucket" "state" {
 bucket = var.s3_bucket
 }
@@ -10,6 +15,10 @@ resource "aws_s3_bucket_versioning" "state" {
 }
 }
+# Ignored rules:
+# Point-in-time recovery is not enabled
+# Table encryption does not use a customer-managed KMS key
+#trivy:ignore:AVD-AWS-0024 trivy:ignore:AVD-AWS-0025
 resource "aws_dynamodb_table" "state" {
 name = var.dynamodb_table
 billing_mode = "PAY_PER_REQUEST"
@@ -20,3 +29,12 @@ resource "aws_dynamodb_table" "state" {
 type = "S"
 }
 }
+
+resource "aws_s3_bucket_public_access_block" "state" {
+ bucket = aws_s3_bucket.state.id
+
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+}
diff --git a/bin/scan b/bin/scan
new file mode 100755
index 0000000..8f5aff7
--- /dev/null
+++ b/bin/scan
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+set -e -o pipefail
+cd "$(dirname "$0")/.."
+
+trivy config ./ --tf-exclude-downloaded-modules --skip-dirs examples --skip-dirs templates $@
diff --git a/do/k8s/main.tf b/do/k8s/main.tf
index a537de1..4af075d 100644
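Review bot: The three added comment lines repeat what the existing two-line comment immediately above already explains (cert-manager's HTTP self-check needs outbound port 80), so the resource now carries two explanations of the same exception; fold the marker into the existing block by keeping the original two lines, adding `# Trivy AVD-AWS-0104 (unrestricted egress) is accepted for this reason; the rule is limited to port 80.` and then `#trivy:ignore:AVD-AWS-0104`, and dropping the duplicate. Keep the ignore line directly above the `resource` line, as the hunk does, since that is how Trivy attaches it to the block. The `aws_security_group_rule` body continues outside the hunk.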
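Review bot: Suppressing the "Bucket does not have encryption enabled" finding on the Terraform state bucket accepts real risk, since remote state routinely holds secrets and resource attributes in plaintext, and the fix costs nothing: declare an `aws_s3_bucket_server_side_encryption_configuration` with `sse_algorithm = "AES256"` next to the bucket and remove that rule's ID from the ignore list, keeping only the customer-managed-key and logging suppressions (AWS has applied SSE-S3 to new buckets by default since January 2023, so this only makes the existing state explicit in code). Which of AVD-AWS-0089, AVD-AWS-0132 and AVD-AWS-0088 is the plain-encryption rule is not stated in the hunk, so confirm it against the Trivy output before editing the list. The DynamoDB hunk below suppresses point-in-time recovery on the lock table in the same style; that is a defensible trade-off for a lock table, but the comment should say so instead of restating the rule title.
```hcl
resource "aws_s3_bucket_server_side_encryption_configuration" "state" {
  bucket = aws_s3_bucket.state.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}
```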
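Review bot: `trivy config` exits 0 when it finds misconfigurations unless `--exit-code` is set, so as written the CI job in `.github/workflows/tests.yml` passes regardless of findings and the scan is advisory only; add `--exit-code 1` (optionally with `--severity HIGH,CRITICAL` to choose which levels block) to the trivy line. `$@` should also be quoted as `"$@"` so arguments containing spaces or glob characters reach trivy unchanged; the resulting line is `trivy config ./ --tf-exclude-downloaded-modules --skip-dirs examples --skip-dirs templates --exit-code 1 "$@"`. If a `trivy.yaml` elsewhere in the repository already sets `exit-code`, the first point does not apply, but nothing in this patch shows one.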
--- a/do/k8s/main.tf
+++ b/do/k8s/main.tf
@@ -16,11 +16,12 @@ resource "digitalocean_vpc" "vpc" {
 data "digitalocean_kubernetes_versions" "k8s_versions" {}
 resource "digitalocean_kubernetes_cluster" "k8s_cluster" {
- name = var.project
- region = var.region
- auto_upgrade = true
- version = data.digitalocean_kubernetes_versions.k8s_versions.latest_version
- vpc_uuid = digitalocean_vpc.vpc.id
+ name = var.project
+ region = var.region
+ auto_upgrade = true
+ surge_upgrade = true
+ version = data.digitalocean_kubernetes_versions.k8s_versions.latest_version
+ vpc_uuid = digitalocean_vpc.vpc.id
 node_pool {
 name = "default-pool"