Fix trivy_tfsec input #228

Merged
merged 2 commits into from
Jan 11, 2024
40 changes: 20 additions & 20 deletions terraform-static-analysis/entrypoint.sh
Expand Up @@ -17,17 +17,17 @@ echo "INPUT_TFLINT_CALL_MODULE_TYPE: $INPUT_TFLINT_CALL_MODULE_TYPE"
echo "INPUT_TRIVY_VERSION: $INPUT_TRIVY_VERSION"
echo "INPUT_TRIVY_EXCLUDE: $INPUT_TRIVY_EXCLUDE"
echo "INPUT_TRIVY_SEVERITY: $INPUT_TRIVY_SEVERITY"
echo "TFSEC_TRIVY: $TFSEC_TRIVY"
echo "INPUT_TFSEC_TRIVY: $INPUT_TFSEC_TRIVY"
echo
# install tfsec from GitHub (taken from README.md)
if [[ -n "$INPUT_TFSEC_VERSION" && "${TFSEC_TRIVY}" == "tfsec" ]]; then
if [[ -n "$INPUT_TFSEC_VERSION" && "${INPUT_TFSEC_TRIVY}" == "tfsec" ]]; then
env GO111MODULE=on go install github.com/aquasecurity/tfsec/cmd/tfsec@"${INPUT_TFSEC_VERSION}"
else
env GO111MODULE=on go install github.com/aquasecurity/tfsec/cmd/tfsec@latest
fi

# install trivy from github (taken from docs install guide)
if [[ -n "$INPUT_TRIVY_VERSION" && "${TFSEC_TRIVY}" == "trivy" ]]; then
if [[ -n "$INPUT_TRIVY_VERSION" && "${INPUT_TFSEC_TRIVY}" == "trivy" ]]; then
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${INPUT_TRIVY_VERSION}
else
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin latest
Expand Down Expand Up @@ -175,12 +175,12 @@ case ${INPUT_SCAN_TYPE} in
full)
line_break
echo "Starting full scan"
if [[ "${TFSEC_TRIVY}" == "tfsec" ]]; then
if [[ "${INPUT_TFSEC_TRIVY}" == "tfsec" ]]; then
TFSEC_OUTPUT=$(run_tfsec "${all_tf_folders}")
tfsec_exitcode=$?
wait
fi
if [[ "${TFSEC_TRIVY}" == "trivy" ]]; then
if [[ "${INPUT_TFSEC_TRIVY}" == "trivy" ]]; then
TRIVY_OUTPUT=$(run_trivy "${all_tf_folders}")
trivy_exitcode=$?
wait
Expand All @@ -196,12 +196,12 @@ case ${INPUT_SCAN_TYPE} in
changed)
line_break
echo "Starting scan of changed folders"
if [[ "${TFSEC_TRIVY}" == "tfsec" ]]; then
if [[ "${INPUT_TFSEC_TRIVY}" == "tfsec" ]]; then
TFSEC_OUTPUT=$(run_tfsec "${tf_folders_with_changes}")
tfsec_exitcode=$?
wait
fi
if [[ "${TFSEC_TRIVY}" == "trivy" ]]; then
if [[ "${INPUT_TFSEC_TRIVY}" == "trivy" ]]; then
TRIVY_OUTPUT=$(run_trivy "${tf_folders_with_changes}")
trivy_exitcode=$?
wait
Expand All @@ -216,12 +216,12 @@ case ${INPUT_SCAN_TYPE} in
*)
line_break
echo "Starting single folder scan"
if [[ "${TFSEC_TRIVY}" == "tfsec" ]]; then
if [[ "${INPUT_TFSEC_TRIVY}" == "tfsec" ]]; then
TFSEC_OUTPUT=$(run_tfsec "${INPUT_TERRAFORM_WORKING_DIR}")
tfsec_exitcode=$?
wait
fi
if [[ "${TFSEC_TRIVY}" == "trivy" ]]; then
if [[ "${INPUT_TFSEC_TRIVY}" == "trivy" ]]; then
TRIVY_OUTPUT=$(run_trivy "${INPUT_TERRAFORM_WORKING_DIR}")
trivy_exitcode=$?
wait
Expand All @@ -235,14 +235,14 @@ case ${INPUT_SCAN_TYPE} in
;;
esac

if [[ "${TFSEC_TRIVY}" == "tfsec" ]]; then
if [[ "${INPUT_TFSEC_TRIVY}" == "tfsec" ]]; then
if [ $tfsec_exitcode -eq 0 ]; then
TFSEC_STATUS="Success"
else
TFSEC_STATUS="Failed"
fi
fi
if [[ "${TFSEC_TRIVY}" == "trivy" ]]; then
if [[ "${INPUT_TFSEC_TRIVY}" == "trivy" ]]; then
if [ $trivy_exitcode -eq 0 ]; then
TRIVY_STATUS="Success"
else
Expand All @@ -264,10 +264,10 @@ fi

# Print output.
line_break
if [[ "${TFSEC_TRIVY}" == "tfsec" ]]; then
if [[ "${INPUT_TFSEC_TRIVY}" == "tfsec" ]]; then
echo "${TFSEC_OUTPUT}"
fi
if [[ "${TFSEC_TRIVY}" == "trivy" ]]; then
if [[ "${INPUT_TFSEC_TRIVY}" == "trivy" ]]; then
echo "${TRIVY_OUTPUT}"
fi
echo "${CHECKOV_OUTPUT}"
Expand All @@ -281,16 +281,16 @@ else
fi

if [ "${GITHUB_EVENT_NAME}" == "pull_request" ] && [ -n "${GITHUB_TOKEN}" ] && [ "${COMMENT}" == "1" ] ; then
if [[ "${TFSEC_TRIVY}" == "tfsec" ]]; then
TFSEC_TRIVY_COMMENT="#### \`TFSEC Scan\` ${TFSEC_STATUS}
if [[ "${INPUT_TFSEC_TRIVY}" == "tfsec" ]]; then
INPUT_TFSEC_TRIVY_COMMENT="#### \`TFSEC Scan\` ${TFSEC_STATUS}
<details><summary>Show Output</summary>
\`\`\`hcl
${TFSEC_OUTPUT}
\`\`\`
</details>"
fi
if [[ "${TFSEC_TRIVY}" == "trivy" ]]; then
TFSEC_TRIVY_COMMENT="#### \`Trivy Scan\` ${TRIVY_STATUS}
if [[ "${INPUT_TFSEC_TRIVY}" == "trivy" ]]; then
INPUT_TFSEC_TRIVY_COMMENT="#### \`Trivy Scan\` ${TRIVY_STATUS}
<details><summary>Show Output</summary>
\`\`\`hcl
${TRIVY_OUTPUT}
Expand Down Expand Up @@ -325,18 +325,18 @@ ${TRIVY_OUTPUT}
</details>
"

PAYLOAD_COMMENT="${TFSEC_TRIVY_COMMENT} ${COMMENT}"
PAYLOAD_COMMENT="${INPUT_TFSEC_TRIVY_COMMENT} ${COMMENT}"

PAYLOAD=$(echo "${PAYLOAD_COMMENT}" | jq -R --slurp '{body: .}')
URL=$(jq -r .pull_request.comments_url "${GITHUB_EVENT_PATH}")
echo "${PAYLOAD}" | curl -s -S -H "Authorization: token ${GITHUB_TOKEN}" --header "Content-Type: application/json" --data @- "${URL}" > /dev/null
fi

line_break
if [[ "${TFSEC_TRIVY}" == "tfsec" ]]; then
if [[ "${INPUT_TFSEC_TRIVY}" == "tfsec" ]]; then
echo "Total of TFSEC exit codes: $tfsec_exitcode"
fi
if [[ "${TFSEC_TRIVY}" == "trivy" ]]; then
if [[ "${INPUT_TFSEC_TRIVY}" == "trivy" ]]; then
echo "Total of trivy exit codes: $trivy_exitcode"
fi
echo "Total of Checkov exit codes: $checkov_exitcode"
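Review bot: In the install hunk the version pin is honored only when that tool is also the selected one, and the `else` branch then installs the *other* tool from `@latest` / `latest` anyway, so a run with `INPUT_TFSEC_TRIVY=tfsec` and a pinned `INPUT_TFSEC_VERSION` still pulls an unpinned trivy through `curl ... | sh`, and the mirror case pulls `tfsec@latest`. Gating each install on the selector alone and folding the pin into a default — `if [[ "${INPUT_TFSEC_TRIVY}" == "trivy" ]]; then curl ... | sh -s -- -b /usr/local/bin "${INPUT_TRIVY_VERSION:-latest}"; fi` and likewise `tfsec@"${INPUT_TFSEC_VERSION:-latest}"` for the tfsec branch — skips the unused tool, keeps the pin, and also quotes the `${INPUT_TRIVY_VERSION}` expansion that the trivy line currently leaves unquoted. Separately, renaming the locally built comment string to `INPUT_TFSEC_TRIVY_COMMENT` (the three `INPUT_TFSEC_TRIVY_COMMENT=` / `PAYLOAD_COMMENT=` lines) gives it the prefix GitHub Actions uses for action inputs although it is assembled inside the script; a name such as `SCAN_COMMENT` would read more honestly. If the selector matches neither value, that variable is never assigned before `PAYLOAD_COMMENT` reads it, which is worth a one-line comment or a default at the top of that block.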