Migrate tfsec to trivy as tfsec is joining Trivy

Following the notice that tfsec is joining Trivy, update the terraform-checks workflow to use trivy instead of tfsec.
n3tuk · Nov 12, 2023 · 813ced6 · 813ced6
1 parent 7f70b05
commit 813ced6
Showing 1 changed file with 12 additions and 10 deletions.
diff --git a/.github/workflows/terraform-checks.yaml b/.github/workflows/terraform-checks.yaml
@@ -188,16 +188,18 @@ jobs:
           git-push: true
           git-commit-message: Syncing terraform-docs update for ${{ inputs.working-directory }}/README.md
 
-      - name: Run tfsec against the ${{ inputs.type }}
-        uses: aquasecurity/tfsec-action@v1.0.3
+      - name: Run trivy against the ${{ inputs.type }}
+        uses: aquasecurity/trivy-action@v0.14
         with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          working_directory: ${{ inputs.working-directory }}
-          format: lovely,sarif
-          additional_args: --out=tfsec
-
-      - name: Upload the tfsec SARIF file for the ${{ inputs.type }}
+          github-pat: ${{ secrets.GITHUB_TOKEN }}
+          trivy-config: .trivy.yaml
+          scan-type: fs
+          scan-ref: ${{ inputs.working-directory }}
+          format: sarif
+          output: trivy-results.sarif
+
+      - name: Upload the trivy SARIF file for the ${{ inputs.type }}
         uses: github/codeql-action/upload-sarif@v2
         with:
-          sarif_file: ${{ inputs.working-directory }}/tfsec.sarif.json
-          category: tfsec-${{ inputs.type }}
+          sarif_file: ${{ inputs.working-directory }}/trivy-results.sarif
+          category: trivy-${{ inputs.type }}