Merge pull request #1 from Sensedia/trivy

feat: Trivy hook for terraform

.gitignore

@@ -0,0 +1,78 @@
+# These are some examples of commonly ignored file patterns.
+# You should customize this list as applicable to your project.
+# Learn more about .gitignore:
+#     https://www.atlassian.com/git/tutorials/saving-changes/gitignore
+
+# Node artifact files
+node_modules/
+dist/
+
+# Compiled Java class files
+*.class
+
+# Compiled Python bytecode
+*.py[cod]
+
+# Log files
+*.log
+
+# Package files
+*.jar
+
+# Maven
+target/
+dist/
+
+# JetBrains IDE
+.idea/
+
+# Unit test reports
+TEST*.xml
+
+# Auto generated
+.iml
+*.iml
+
+# Generated by MacOS
+.DS_Store
+
+# Generated by Windows
+Thumbs.db
+
+# Applications
+*.app
+*.exe
+*.war
+
+# Large media files
+*.mp4
+*.tiff
+*.avi
+*.flv
+*.mov
+*.wmv
+
+# Terraform / Terragrunt
+**/.terraform
+.terragrunt-cache
+helm/repo
+.idea
+
+# Terraform files
+*.lock.hcl
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
+**/.vscode
+
+# Ignore zip files
+*.zip
+
+# Ignore trivy cache
+.pre-commit-trivy-cache/

.pre-commit-config.yaml

@@ -0,0 +1,36 @@
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.4.0
+    hooks:
+      # Git style
+      - id: check-added-large-files
+      - id: check-merge-conflict
+      - id: check-vcs-permalinks
+      - id: forbid-new-submodules
+      - id: no-commit-to-branch
+
+      # Common errors
+      - id: end-of-file-fixer
+      - id: trailing-whitespace
+        args: [--markdown-linebreak-ext=md]
+        exclude: CHANGELOG.md
+      - id: check-yaml
+      - id: check-merge-conflict
+      - id: check-executables-have-shebangs
+
+      # Cross platform
+      - id: check-case-conflict
+      - id: mixed-line-ending
+        args: [--fix=lf]
+
+      # Security
+      - id: detect-aws-credentials
+        args: ["--allow-missing-credentials"]
+      - id: detect-private-key
+
+  - repo: https://github.com/jumanjihouse/pre-commit-hooks
+    rev: 3.0.0
+    hooks:
+      - id: shfmt
+        args: ["-l", "-i", "4", "-ci", "-sr", "-w"]
+      - id: shellcheck

.pre-commit-hooks.yaml

@@ -0,0 +1,6 @@
+- id: terraform_trivy
+  name: Terraform validate with trivy
+  description: Static analysis of Terraform templates to spot potential security issues.
+  require_serial: true
+  entry: hooks/trivy_terraform.sh
+  language: script

hooks/trivy_terraform.sh

@@ -0,0 +1,22 @@
+#!/bin/env bash
+#
+
+set -eo pipefail
+
+# Get list of modified terraform modules
+TF_DIR="$(dirname "${@}" | uniq)"
+
+# Run trivy against modified terraform modules
+for dir in $TF_DIR; do
+
+    # Trying running trivy binary first
+    if [[ $(which trivy) ]]; then
+        # Downloading last definitions
+        trivy image --download-db-only
+        trivy config --severity MEDIUM,HIGH,CRITICAL --exit-code 1 "$dir"
+    else
+        # Running trivy docker image
+        docker run --rm -v "$PWD:/src:rw,Z" -w "/src" aquasec/trivy:0.44.0 config --severity MEDIUM,HIGH,CRITICAL --cache-dir /src/.pre-commit-trivy-cache --exit-code 1 "$dir"
+    fi
+
+done