Skip to content

Commit f410e53

Browse files
committed
feat(terraform): update Trivy configuration and add .trivyignore file
1 parent b0653a7 commit f410e53

2 files changed

Lines changed: 16 additions & 9 deletions

File tree

.github/workflows/audit-terraform.yml

Lines changed: 10 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -7,12 +7,12 @@ name: Scan Terraform code
77

88
on:
99
push:
10-
branches:
10+
branches:
1111
- main
1212
paths:
1313
- "infra/terraform/**"
1414
pull_request:
15-
branches:
15+
branches:
1616
- main
1717
paths:
1818
- "infra/terraform/**"
@@ -34,16 +34,17 @@ jobs:
3434
- name: Run Trivy vulnerability scanner in IaC mode for Terraform
3535
uses: aquasecurity/trivy-action@b2933f565dbc598b29947660e66259e3c7bc8561 # 0.20.0
3636
with:
37-
scan-type: 'config'
38-
scan-ref: './infra/terraform'
37+
scan-type: "config"
38+
scan-ref: "./infra/terraform"
3939
hide-progress: true
40-
format: 'sarif'
41-
output: 'trivy-terraform-results.sarif'
42-
exit-code: '1'
40+
format: "sarif"
41+
output: "trivy-terraform-results.sarif"
42+
exit-code: "1"
4343
ignore-unfixed: true
44-
severity: 'CRITICAL,HIGH'
44+
severity: "CRITICAL,HIGH"
45+
trivyignores: "./infra/terraform/.trivyignore"
4546

4647
- name: Upload Trivy scan results to GitHub Security tab
4748
uses: github/codeql-action/upload-sarif@e14ec90e52a057614c707baecf2ed88a81b68bc9 # v2
4849
with:
49-
sarif_file: 'trivy-terraform-results.sarif'
50+
sarif_file: "trivy-terraform-results.sarif"

infra/terraform/.trivyignore

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,6 @@
1+
# Ignore misconfigurations
2+
3+
# https://avd.aquasec.com/misconfig/azure/container/avd-azu-0040/
4+
# This rule wants to set a property that is set conditionally in the code.
5+
# Not all deployments will have this to save on costs.
6+
AVD-AZU-0040

0 commit comments

Comments
 (0)