Replies: 2 comments
-
Over the past few weeks I have been experimenting with this type of action and have hacked this one here. The basic concept is to use a Trivy custom template that outputs the report as GitHub Actions workflow commands. Unfortunately, the official Trivy GitHub Action is broken regarding custom templates. So I forked it and used this as the action. I plan to do a PR on the official Trivy action, but have not found the time yet. Another approach I can think of is to use problem matchers, like TFLint's setup-tflint action does.

```yaml
env:
  WORKING_DIRECTORY: .
jobs:
  validate:
    # job body not included in the post
  code-analysis:
    runs-on: ubuntu-latest
    steps:
      - name: Run Misconfiguration & Secret Scanner
        uses: rswrz/trivy-action@fix-scan-ref-with-spaces
        id: trivy
        with:
          cache-dir: .trivy
          format: template
          ignore-unfixed: true
          scan-ref: ${{ env.WORKING_DIRECTORY || '.' }}
          scan-type: filesystem
          scanners: misconfig,secret
          template: |
            {{- $fail := false }}
            {{- $group := "::group::" }}
            {{- $endgroup := "::endgroup::" }}
            {{- /* Map Trivy severities to annotation commands; any ::error also marks the run as failed */}}
            {{- $severityToWorkflowCommand := dict "CRITICAL" "::error" "HIGH" "::error" "MEDIUM" "::warning" "LOW" "::notice" "UNKNOWN" "::notice" }}
            {{- range . }}
            {{- $file := print "${{ env.WORKING_DIRECTORY || '.' }}" "/" .Target }}
            {{- range .Misconfigurations }}
            {{ $group }}{{ $file }}:{{ .CauseMetadata.StartLine }}{{- if ne .CauseMetadata.StartLine .CauseMetadata.EndLine }}-{{ .CauseMetadata.EndLine }}{{- end }}
            {{- $workflowCommand := index $severityToWorkflowCommand .Severity }}
            {{ $workflowCommand }} file={{ $file }},line={{ .CauseMetadata.StartLine }}{{- if ne .CauseMetadata.StartLine .CauseMetadata.EndLine }},endLine={{ .CauseMetadata.EndLine }}{{ end }},title={{ .Message | trimSuffix "." }}::{{ .Description | replace "\n" "%0A" }}%0A%0A{{ .PrimaryURL }}
            {{- if eq $workflowCommand "::error" }}{{ $fail = true }}{{- end }}
            {{ $endgroup }}
            {{- end }}
            {{- range .Secrets }}
            {{ $group }}{{ $file }}:{{ .StartLine }}{{- if ne .StartLine .EndLine }}-{{ .EndLine }}{{- end }}
            {{- $workflowCommand := index $severityToWorkflowCommand .Severity }}
            {{ $workflowCommand }} file={{ $file }},line={{ .StartLine }}{{- if ne .StartLine .EndLine }},endLine={{ .EndLine }}{{ end }},title=Exposed secret found::{{ .Title }}.
            {{- if eq $workflowCommand "::error" }}{{ $fail = true }}{{- end }}
            {{ $endgroup }}
            {{- end }}
            {{- end }}
            {{- /* Expose the fail flag as a step output so a later step can fail the job */}}
            {{ if $fail }}::set-output name=fail::true{{- end }}
```

Result example: (screenshot not preserved in this copy)
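To see what the template emits before pushing it, here is an added Go harness (not code from the post, the forked action or Trivy) that renders the misconfiguration part of the template above against a constructed two-finding report; the sprig helpers it relies on (`dict`, `trimSuffix`, `replace`) are reimplemented with the standard library, and the working-directory expression is assumed to be `.`.

```go
package main
import (
	"bytes"
	"strings"
	"text/template"
)

// Stand-ins for the report fields the template reads (constructed; Trivy's own types carry more fields).
type CauseMetadata struct{ StartLine, EndLine int }
type Misconfiguration struct {
	Severity, Message, Description, PrimaryURL string
	CauseMetadata                              CauseMetadata
}
type Result struct{ Target string; Misconfigurations []Misconfiguration }
// Misconfiguration part of the post's template; the GitHub working-directory expression is assumed to be ".".
const tpl = `
{{- $fail := false }}{{ $sev := dict "CRITICAL" "::error" "HIGH" "::error" "MEDIUM" "::warning" "LOW" "::notice" "UNKNOWN" "::notice" }}
{{- range . }}{{ $file := print "." "/" .Target }}
{{- range .Misconfigurations }}
::group::{{ $file }}:{{ .CauseMetadata.StartLine }}{{- if ne .CauseMetadata.StartLine .CauseMetadata.EndLine }}-{{ .CauseMetadata.EndLine }}{{- end }}
{{- $cmd := index $sev .Severity }}
{{ $cmd }} file={{ $file }},line={{ .CauseMetadata.StartLine }}{{- if ne .CauseMetadata.StartLine .CauseMetadata.EndLine }},endLine={{ .CauseMetadata.EndLine }}{{ end }},title={{ .Message | trimSuffix "." }}::{{ .Description | replace "\n" "%0A" }}%0A%0A{{ .PrimaryURL }}
{{- if eq $cmd "::error" }}{{ $fail = true }}{{- end }}
::endgroup::
{{- end }}{{ end }}
{{ if $fail }}::set-output name=fail::true{{- end }}`
// The sprig helpers the template uses, reimplemented with the standard library (same argument order as sprig).
var funcs = template.FuncMap{
	"dict": func(kv ...string) map[string]string {
		m := map[string]string{}
		for i := 0; i+1 < len(kv); i += 2 {
			m[kv[i]] = kv[i+1]
		}
		return m
	},
	"trimSuffix": func(suf, s string) string { return strings.TrimSuffix(s, suf) },
	"replace":    func(old, repl, s string) string { return strings.ReplaceAll(s, old, repl) },
}
// Render returns the text the Actions runner would parse as workflow commands.
func Render(results []Result) (string, error) {
	var buf bytes.Buffer
	err := template.Must(template.New("gha").Funcs(funcs).Parse(tpl)).Execute(&buf, results)
	return buf.String(), err
}
// SampleReport is a constructed two-finding report, not real scanner output.
var SampleReport = []Result{{Target: "main.tf", Misconfigurations: []Misconfiguration{
	{Severity: "HIGH", Message: "Bucket does not have encryption enabled.", Description: "Line one\nLine two",
		PrimaryURL: "https://avd.example/AVD-0000", CauseMetadata: CauseMetadata{StartLine: 3, EndLine: 7}},
	{Severity: "LOW", Message: "Something minor", Description: "d", PrimaryURL: "u", CauseMetadata: CauseMetadata{StartLine: 12, EndLine: 12}},
}}}
```

Rendering `SampleReport` yields one `::error` annotation with `endLine=7`, one `::notice` without an end line, and the trailing `::set-output` because an error was seen; note that `::set-output` is deprecated by GitHub in favour of writing `fail=true` to the file named by `$GITHUB_OUTPUT`.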
-
Looks great. Thanks for this. For now I went with the trivy action and posting the output as a comment. But may adapt an approach like you have in the future for easier debugging.
-
It would be great to have an action that scans for security issues with tfsec/trivy and posts the output as a comment similar to how the plan is posted. So far I could not find anything like this.
Any idea how this could be achieved or if an action for this would be possible?