Merge pull request #228 from ministryofjustice/fix-trivy-input

Fix trivy_tfsec input
ministryofjustice · Jan 11, 2024 · 7855159 · 7855159
2 parents 5581a7d + 72bf9b7
commit 7855159
Showing 1 changed file with 20 additions and 20 deletions.
diff --git a/terraform-static-analysis/entrypoint.sh b/terraform-static-analysis/entrypoint.sh
@@ -17,17 +17,17 @@ echo "INPUT_TFLINT_CALL_MODULE_TYPE: $INPUT_TFLINT_CALL_MODULE_TYPE"
 echo "INPUT_TRIVY_VERSION: $INPUT_TRIVY_VERSION"
 echo "INPUT_TRIVY_EXCLUDE: $INPUT_TRIVY_EXCLUDE"
 echo "INPUT_TRIVY_SEVERITY: $INPUT_TRIVY_SEVERITY"
-echo "TFSEC_TRIVY: $TFSEC_TRIVY"
+echo "INPUT_TFSEC_TRIVY: $INPUT_TFSEC_TRIVY"
 echo
 # install tfsec from GitHub (taken from README.md)
-if [[ -n "$INPUT_TFSEC_VERSION" && "${TFSEC_TRIVY}" == "tfsec" ]]; then
+if [[ -n "$INPUT_TFSEC_VERSION" && "${INPUT_TFSEC_TRIVY}" == "tfsec" ]]; then
   env GO111MODULE=on go install github.com/aquasecurity/tfsec/cmd/tfsec@"${INPUT_TFSEC_VERSION}"
 else
   env GO111MODULE=on go install github.com/aquasecurity/tfsec/cmd/tfsec@latest
 fi
 
 # install trivy from github (taken from docs install guide)
-if [[ -n "$INPUT_TRIVY_VERSION" && "${TFSEC_TRIVY}" == "trivy" ]]; then
+if [[ -n "$INPUT_TRIVY_VERSION" && "${INPUT_TFSEC_TRIVY}" == "trivy" ]]; then
   curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${INPUT_TRIVY_VERSION}
 else
   curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin latest
@@ -175,12 +175,12 @@ case ${INPUT_SCAN_TYPE} in
   full)
     line_break
     echo "Starting full scan"
-    if [[ "${TFSEC_TRIVY}" == "tfsec" ]]; then
+    if [[ "${INPUT_TFSEC_TRIVY}" == "tfsec" ]]; then
       TFSEC_OUTPUT=$(run_tfsec "${all_tf_folders}")
       tfsec_exitcode=$?
       wait
     fi
-    if [[ "${TFSEC_TRIVY}" == "trivy" ]]; then
+    if [[ "${INPUT_TFSEC_TRIVY}" == "trivy" ]]; then
       TRIVY_OUTPUT=$(run_trivy "${all_tf_folders}")
       trivy_exitcode=$?
       wait
@@ -196,12 +196,12 @@ case ${INPUT_SCAN_TYPE} in
   changed)
     line_break
     echo "Starting scan of changed folders"
-    if [[ "${TFSEC_TRIVY}" == "tfsec" ]]; then
+    if [[ "${INPUT_TFSEC_TRIVY}" == "tfsec" ]]; then
       TFSEC_OUTPUT=$(run_tfsec "${tf_folders_with_changes}")
       tfsec_exitcode=$?
       wait
     fi
-    if [[ "${TFSEC_TRIVY}" == "trivy" ]]; then
+    if [[ "${INPUT_TFSEC_TRIVY}" == "trivy" ]]; then
       TRIVY_OUTPUT=$(run_trivy "${tf_folders_with_changes}")
       trivy_exitcode=$?
       wait
@@ -216,12 +216,12 @@ case ${INPUT_SCAN_TYPE} in
   *)
     line_break
     echo "Starting single folder scan"
-    if [[ "${TFSEC_TRIVY}" == "tfsec" ]]; then
+    if [[ "${INPUT_TFSEC_TRIVY}" == "tfsec" ]]; then
       TFSEC_OUTPUT=$(run_tfsec "${INPUT_TERRAFORM_WORKING_DIR}")
       tfsec_exitcode=$?
       wait
     fi
-    if [[ "${TFSEC_TRIVY}" == "trivy" ]]; then
+    if [[ "${INPUT_TFSEC_TRIVY}" == "trivy" ]]; then
       TRIVY_OUTPUT=$(run_trivy "${INPUT_TERRAFORM_WORKING_DIR}")
       trivy_exitcode=$?
       wait
@@ -235,14 +235,14 @@ case ${INPUT_SCAN_TYPE} in
     ;;
 esac
 
-if [[ "${TFSEC_TRIVY}" == "tfsec" ]]; then
+if [[ "${INPUT_TFSEC_TRIVY}" == "tfsec" ]]; then
   if [ $tfsec_exitcode -eq 0 ]; then
     TFSEC_STATUS="Success"
   else
     TFSEC_STATUS="Failed"
   fi
 fi
-if [[ "${TFSEC_TRIVY}" == "trivy" ]]; then
+if [[ "${INPUT_TFSEC_TRIVY}" == "trivy" ]]; then
   if [ $trivy_exitcode -eq 0 ]; then
     TRIVY_STATUS="Success"
   else
@@ -264,10 +264,10 @@ fi
 
 # Print output.
 line_break
-if [[ "${TFSEC_TRIVY}" == "tfsec" ]]; then
+if [[ "${INPUT_TFSEC_TRIVY}" == "tfsec" ]]; then
  echo "${TFSEC_OUTPUT}"
 fi
-if [[ "${TFSEC_TRIVY}" == "trivy" ]]; then
+if [[ "${INPUT_TFSEC_TRIVY}" == "trivy" ]]; then
  echo "${TRIVY_OUTPUT}"
 fi
 echo "${CHECKOV_OUTPUT}"
@@ -281,16 +281,16 @@ else
 fi
 
 if [ "${GITHUB_EVENT_NAME}" == "pull_request" ] && [ -n "${GITHUB_TOKEN}" ] && [ "${COMMENT}" == "1" ] ; then
-  if [[ "${TFSEC_TRIVY}" == "tfsec" ]]; then
-    TFSEC_TRIVY_COMMENT="#### \`TFSEC Scan\` ${TFSEC_STATUS}
+  if [[ "${INPUT_TFSEC_TRIVY}" == "tfsec" ]]; then
+    INPUT_TFSEC_TRIVY_COMMENT="#### \`TFSEC Scan\` ${TFSEC_STATUS}
 <details><summary>Show Output</summary>
 \`\`\`hcl
 ${TFSEC_OUTPUT}
 \`\`\`
 </details>"
   fi
-  if [[ "${TFSEC_TRIVY}" == "trivy" ]]; then
-    TFSEC_TRIVY_COMMENT="#### \`Trivy Scan\` ${TRIVY_STATUS}
+  if [[ "${INPUT_TFSEC_TRIVY}" == "trivy" ]]; then
+    INPUT_TFSEC_TRIVY_COMMENT="#### \`Trivy Scan\` ${TRIVY_STATUS}
 <details><summary>Show Output</summary>
 \`\`\`hcl
 ${TRIVY_OUTPUT}
@@ -325,18 +325,18 @@ ${TRIVY_OUTPUT}
 </details>
 "
 
-  PAYLOAD_COMMENT="${TFSEC_TRIVY_COMMENT} ${COMMENT}"
+  PAYLOAD_COMMENT="${INPUT_TFSEC_TRIVY_COMMENT} ${COMMENT}"
 
   PAYLOAD=$(echo "${PAYLOAD_COMMENT}" | jq -R --slurp '{body: .}')
   URL=$(jq -r .pull_request.comments_url "${GITHUB_EVENT_PATH}")
   echo "${PAYLOAD}" | curl -s -S -H "Authorization: token ${GITHUB_TOKEN}" --header "Content-Type: application/json" --data @- "${URL}" > /dev/null
 fi
 
 line_break
-if [[ "${TFSEC_TRIVY}" == "tfsec" ]]; then
+if [[ "${INPUT_TFSEC_TRIVY}" == "tfsec" ]]; then
   echo "Total of TFSEC exit codes: $tfsec_exitcode"
 fi
-if [[ "${TFSEC_TRIVY}" == "trivy" ]]; then
+if [[ "${INPUT_TFSEC_TRIVY}" == "trivy" ]]; then
   echo "Total of trivy exit codes: $trivy_exitcode"
 fi
 echo "Total of Checkov exit codes: $checkov_exitcode"