Use Trivy for infra code scanning

[doshitan]

Context

Trivy is currently used for application image vulnerability scans. It supports additional scanning, including of infrastructure code. Formerly tfsec was used for part of this, but tfsec scope was rolled into Trivy in 2023.

Instructions

Follow docs (https://trivy.dev/docs/latest/scanner/misconfiguration/) to set up Trivy scanning of infra code.

Success criteria

• Can run trivy infra linting via make target locally
• Infra CI runs trivy
• Docs are updated
• [nice-to-have] Trivy scan results are pushed to GitHub repo security tab

References

• https://github.com/aquasecurity/tfsec/blob/master/tfsec-to-trivy-migration-guide.md
• https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#using-trivy-to-scan-infrastructure-as-code

[bencalegari]

I came here to make a PR following the Trivy hack that affected another team recently should be patched here by pinning to a particular sha but after finding this issue suggesting it be added I'm confused. Trivy is already here. What am I missing?

[doshitan]

@bencalegari please read the context in the description:

[bencalegari]

Ah I see reading comprehension was what I'm missing 😅 thanks!