
Adding support for tfvars in terraform scanning

Open yossigilad opened this issue 1 year ago • 16 comments

Hi, can you please add support for specifying tfvars in Terraform scanning, similar to the CLI? CLI example: trivy config . --tf-vars ./envs/xxx.tfvars

yossigilad avatar Jun 20 '23 06:06 yossigilad

All trivy options are available via the trivy config file, even those that are today not available as dedicated options via the trivy action.

You can read more on how to use the trivy config file here: https://aquasecurity.github.io/trivy/v0.42/docs/references/configuration/config-file/

simar7 avatar Jun 20 '23 22:06 simar7
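The config-file route described above, worked into a per-workspace workflow (an added example, not from this thread or the trivy-action project). It assumes the repository keeps one tfvars file per workspace under ./envs/; the `misconfiguration.terraform.vars` key is the config-file equivalent of `--tf-vars`, and `trivy-config` is the action input that points Trivy at that file.

```yaml
# Added example: scan the Terraform code once per workspace, generating the
# Trivy config file for each run instead of committing one file per workspace.
# Assumption: ./envs/<workspace>.tfvars exists for every matrix entry.
name: iac-scan
on: pull_request
jobs:
  trivy:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        workspace: [dev, prod]   # one job per tfvars file / Terraform workspace
    steps:
      - uses: actions/checkout@v4
      - name: Write trivy.yaml for this workspace
        run: |
          cat > trivy.yaml <<EOF
          # same as: trivy config . --tf-vars ./envs/${{ matrix.workspace }}.tfvars
          misconfiguration:
            terraform:
              vars:
                - ./envs/${{ matrix.workspace }}.tfvars
          # fail the check on HIGH/CRITICAL findings that the variables enable
          exit-code: 1
          severity:
            - HIGH
            - CRITICAL
          EOF
      - name: Scan Terraform with the workspace's variables
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: config
          scan-ref: .
          trivy-config: trivy.yaml
```

Keeping exit-code and severity inside trivy.yaml rather than under `with:` makes the run behave the same regardless of whether the action version forwards other inputs alongside `trivy-config`.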

@simar7 Thanks for the quick answer, but for tfvars the config file is not a good option, because it's dynamic for every PR. Please consider again, and keep in mind that customers have a lot of TF workspaces.

yossigilad avatar Jun 21 '23 00:06 yossigilad

Sorry, I didn't mean to close the issue; I pressed the wrong button by accident.

Could you clarify what you mean by "dynamic"? Today the --tf-vars flag accepts a path to a file where the Terraform variables are defined. Using this from the CLI option or the Trivy configuration file is no different.

simar7 avatar Jun 21 '23 05:06 simar7

@simar7 When using tfvars there is more than one file, and we need to specify the tfvars for every env. If we want to use the trivy.conf we would need to create it dynamically with the tfvar name or create many conf files. Example: in the screenshot there are 2 tfvar files, and they can enable or disable some of the TF code, so if we want to scan for the exact vulnerabilities we need to specify the tfvar file in the Trivy scan. So it would be much easier to specify it in the action code and not use the conf file.

yossigilad avatar Jun 21 '23 06:06 yossigilad

@simar7 any update?

yossigilad avatar Jun 27 '23 10:06 yossigilad

so it would be much easier to specify it in the action code and not use the conf file.

I'm not sure if I understand this. Could you explain how it will be easier? CLI options and config file are identical and have the same behaviour.

simar7 avatar Jun 27 '23 15:06 simar7

@simar7 Think about it: I would need to create a config file for every tfvar file. The number of files would be the same as the number of workspaces (from one to many).

yossigilad avatar Jun 27 '23 19:06 yossigilad

In that case, how would you be able to "dynamically" specify tf-vars when using them as a GitHub action parameter? Does GitHub allow that?

simar7 avatar Jun 28 '23 07:06 simar7

If you give the option to specify it as a variable in trivy-action, I can set it with env like other actions that use the tfvars (terraform apply and more).

yossigilad avatar Jun 28 '23 07:06 yossigilad

@simar7 Any update? Or do you need more information?

yossigilad avatar Jul 10 '23 08:07 yossigilad

We welcome a PR if you'd like to contribute.

simar7 avatar Jul 11 '23 18:07 simar7

Sure, I will try to create a PR.

yossigilad avatar Jul 12 '23 13:07 yossigilad

Hi. This would be great.

kderck avatar Oct 03 '23 17:10 kderck

Hi, I've been working on this. However, I believe that it's currently blocked by "Unable to pass tfvars file".

kderck avatar Oct 17 '23 18:10 kderck

Hi, I've opened a pull request for this: https://github.com/aquasecurity/trivy-action/pull/285 - I might need a little support with testing.

kderck avatar Nov 22 '23 14:11 kderck

This has been merged, @yossigilad and @simar7. Can this be closed?

kderck avatar Dec 28 '23 16:12 kderck