Adding nightly and PR trivy scans (#11)

jmfiola · Jacob Fiola · web-flow · commit 06f3820c7270 · 2025-06-09T11:37:05.000-06:00
* initial commit

* test pr scan functionality

* update action path

* test vuln fix behavior

* test create issue

* update fmt, re-add vuln fix

* test issue create

* print trivy report to log

* trivy report consolidation

* test failure once more

* test again

* fix the vuln

* update github issue step to only be for schedules on main

* trivy report file condition update

* allow for legacy metadata service use

* use shared action repo

* test for issue creation from shared actions repo

* re-add to .trivyignore file, test complete

---------

Co-authored-by: Jacob Fiola &lt;jacob.fiola@corelight.com&gt;
diff --git a/.github/workflows/fmt:check.yml b/.github/workflows/fmt:check.yml
@@ -23,3 +23,4 @@ jobs:
           terraform_version: "1.8.2"
       - name: Terraform fmt
         run: task fmt:check
+
diff --git a/.github/workflows/scan:trivy.yml b/.github/workflows/scan:trivy.yml
@@ -0,0 +1,22 @@
+name: Trivy Terraform Scan
+
+on:
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '0 3 * * *'          # Nightly at 03:00 UTC
+  workflow_dispatch:
+
+jobs:
+  trivy:
+    runs-on: ubuntu-latest
+    
+    permissions:
+      contents: read
+      issues: write
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Trivy scan
+        uses: corelight/shared-actions/trivy-terraform-scan@main 
diff --git a/Taskfile.yml b/Taskfile.yml
@@ -11,3 +11,8 @@ tasks:
     desc: Check if the input is formatted
     cmds:
       - terraform fmt -recursive -check -diff .
+
+  trivy:scan:
+    desc: Scan Terraform files with Trivy
+    cmds:
+      - trivy fs --config scripts/trivy/trivy.yml .
diff --git a/scripts/trivy/.trivyignore.yml b/scripts/trivy/.trivyignore.yml
@@ -0,0 +1,5 @@
+misconfigurations:
+  - id: AVD-AWS-0104
+    statement: public egress traffic is allowed to the internet
+  - id: AVD-AWS-0130
+    statement: allow for legacy metadata service use
diff --git a/scripts/trivy/trivy.yml b/scripts/trivy/trivy.yml
@@ -0,0 +1,19 @@
+scan:
+  security-checks:
+    - secret
+    - config
+
+ignorefile: scripts/trivy/.trivyignore.yml
+
+severity:
+  - HIGH
+  - CRITICAL
+
+misconfiguration:
+  scanners:
+    - terraform
+  config:
+    terraform:
+      file_patterns:
+        - "**/*.tf"
+  ignore_unfixed: true
