From 0376550492f40bf89d9ce66061b8bf4210fadd52 Mon Sep 17 00:00:00 2001
From: aidenvaines-bjss
Date: Wed, 9 Apr 2025 16:01:30 +0100
Subject: [PATCH] CCM-9336 Fixing whitespace detection
---
 .github/actions/{tfsec => trivy}/action.yaml | 11 ++--
 .github/workflows/stage-1-commit.yaml | 8 +--
 .tool-versions | 6 +-
 .../acct/iam_policy_github_deploy_overload.tf | 2 +-
 .../components/app/iam_role_amplify.tf | 4 +-
 ...duty_malware_protection_plan_quarantine.tf | 2 +-
 scripts/config/tfsec.yaml | 2 -
 scripts/config/trivy.yaml | 6 ++
 scripts/terraform/{tfsec.sh => trivy.sh} | 55 +++++++++----------
 9 files changed, 47 insertions(+), 49 deletions(-)
 rename .github/actions/{tfsec => trivy}/action.yaml (53%)
 delete mode 100644 scripts/config/tfsec.yaml
 create mode 100644 scripts/config/trivy.yaml
 rename scripts/terraform/{tfsec.sh => trivy.sh} (57%)
diff --git a/.github/actions/tfsec/action.yaml b/.github/actions/trivy/action.yaml
similarity index 53%
rename from .github/actions/tfsec/action.yaml
rename to .github/actions/trivy/action.yaml
index ff5fec485..be940ce56 100644
--- a/.github/actions/tfsec/action.yaml
+++ b/.github/actions/trivy/action.yaml
@@ -1,18 +1,17 @@
-name: "TFSec Scan"
-description: "Scan HCL using TFSec"
+name: "Trivy Scan"
 runs:
 using: "composite"
 steps:
- - name: "TFSec Scan - Components"
+ - name: "Trivy Terraform IAC Scan"
 shell: bash
 run: |
 components_exit_code=0
 modules_exit_code=0
- ./scripts/terraform/tfsec.sh ./infrastructure/terraform/components || components_exit_code=$?
- ./scripts/terraform/tfsec.sh ./infrastructure/terraform/modules || modules_exit_code=$?
+ ./scripts/terraform/trivy.sh ./infrastructure/terraform/components || components_exit_code=$?
+ ./scripts/terraform/trivy.sh ./infrastructure/terraform/modules || modules_exit_code=$?
 if [ $components_exit_code -ne 0 ] || [ $modules_exit_code -ne 0 ]; then
- echo "One or more TFSec scans failed."
+ echo "Trivy misconfigurations detected."
 exit 1
 fi
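Review bot: The new `+name: "Trivy Scan"` line replaces both old metadata lines with one and drops the top-level `description`, which GitHub documents as a required key in action metadata, so the runner is likely to refuse to load this composite action rather than run the scan. Restore it next to the name, e.g. `description: "Scan Terraform IaC for misconfigurations using Trivy"`. The message on the `+ echo` line also now reports "misconfigurations detected" for any non-zero exit, which after this change includes Trivy config or checks-bundle download errors; `echo "Trivy scan failed (components=$components_exit_code, modules=$modules_exit_code)."` keeps the exit codes visible so a tooling failure is not mistaken for a policy finding.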
diff --git a/.github/workflows/stage-1-commit.yaml b/.github/workflows/stage-1-commit.yaml
index 72070afd6..e168ba960 100644
--- a/.github/workflows/stage-1-commit.yaml
+++ b/.github/workflows/stage-1-commit.yaml
@@ -135,8 +135,8 @@ jobs:
 uses: actions/checkout@v4
 - name: "Lint Terraform"
 uses: ./.github/actions/lint-terraform
- tfsec:
- name: "TFSec Scan"
+ trivy:
+ name: "Trivy Scan"
 runs-on: ubuntu-latest
 timeout-minutes: 5
 needs: detect-terraform-changes
@@ -148,8 +148,8 @@ jobs:
 uses: asdf-vm/actions/setup@v3
 - name: "Perform Setup"
 uses: ./.github/actions/setup
- - name: "TFSec Scan"
- uses: ./.github/actions/tfsec
+ - name: "Trivy Scan"
+ uses: ./.github/actions/trivy
 count-lines-of-code:
 name: "Count lines of code"
 runs-on: ubuntu-latest
diff --git a/.tool-versions b/.tool-versions
index 8f9af443b..04c3d4a92 100644
--- a/.tool-versions
+++ b/.tool-versions
@@ -1,12 +1,12 @@
 act 0.2.64
 gitleaks 8.24.0
+jq 1.6
+nodejs 20.18.2
 pre-commit 3.6.0
 terraform 1.9.2
 terraform-docs 0.19.0
+trivy 0.61.0
 vale 3.6.0
-tfsec 1.28.10
-nodejs 20.18.2
-jq 1.6

 # ==============================================================================
 # The section below is reserved for Docker image versions.
diff --git a/infrastructure/terraform/components/acct/iam_policy_github_deploy_overload.tf b/infrastructure/terraform/components/acct/iam_policy_github_deploy_overload.tf
index 188508134..7c2fae6d6 100644
--- a/infrastructure/terraform/components/acct/iam_policy_github_deploy_overload.tf
+++ b/infrastructure/terraform/components/acct/iam_policy_github_deploy_overload.tf
@@ -9,7 +9,7 @@ resource "aws_iam_role_policy_attachment" "github_deploy_overload" {
 policy_arn = aws_iam_policy.github_deploy_overload.arn
 }

-#tfsec:ignore:aws-iam-no-policy-wildcards Policy voilation expected for CI user role
+#trivy:ignore:aws-iam-no-policy-wildcards Policy voilation expected for CI user role
 data "aws_iam_policy_document" "github_deploy" {
 statement {
 effect = "Allow"
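Review bot: Renaming the job id from `tfsec` to `trivy` and its display name to "Trivy Scan" changes the status-check name that branch protection and rulesets key on; if "TFSec Scan" is configured as a required check, PRs will either block waiting for a check that no longer reports or, once it is removed from the rule, quietly stop requiring the IaC scan at all. Update the required-status-check list in the same change and confirm a PR cannot merge while the new job fails. The `needs: detect-terraform-changes` gate is unchanged and still appropriate; `asdf-vm/actions/setup@v3` is tag-pinned rather than SHA-pinned, which is pre-existing but worth a follow-up now that this job is the IaC security gate.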
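Review bot: This hunk pins `trivy 0.61.0` only for the asdf path; the Docker fallback in `scripts/terraform/trivy.sh` calls `name=aquasec/trivy docker-get-image-version-and-pull`, which presumably resolves its tag from the Docker image section this hunk stops just short of, and no `aquasec/trivy` entry is visible anywhere in the diff. Confirm a matching, ideally digest-pinned, `aquasec/trivy` line was added under the reserved-section marker; otherwise native and container runs will scan with different (and for Docker possibly unpinned) Trivy versions and can disagree on findings.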
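Review bot: The suppression on the `+#trivy:ignore:...` line keeps tfsec-era free text after the rule id (`Policy voilation expected for CI user role`); I cannot confirm from here that Trivy's ignore parser tolerates trailing prose the way tfsec did, nor that it honours the tfsec alias rather than only the AVD rule id, so check the CI output shows this wildcard finding suppressed rather than failing the build or, worse, the comment being silently ignored. A safer and more reviewable shape is the justification on its own line and an expiry on the directive, e.g. `# Wildcard is expected for the CI deploy role` followed by `#trivy:ignore:aws-iam-no-policy-wildcards:exp:YYYY-MM-DD`, which also fixes the "voilation" typo. The `github_deploy` policy document this suppresses continues outside the hunk.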
diff --git a/infrastructure/terraform/components/app/iam_role_amplify.tf b/infrastructure/terraform/components/app/iam_role_amplify.tf
index 52b8571a3..221f401ed 100644
--- a/infrastructure/terraform/components/app/iam_role_amplify.tf
+++ b/infrastructure/terraform/components/app/iam_role_amplify.tf
@@ -46,7 +46,7 @@ data "aws_iam_policy_document" "amplify" {
 "logs:PutLogEvents",
 ]

- #tfsec:ignore:aws-iam-no-policy-wildcards
+ #trivy:ignore:aws-iam-no-policy-wildcards
 resources = [
 "${aws_cloudwatch_log_group.amplify.arn}:*",
 "${aws_cloudwatch_log_group.amplify.arn}:log-stream:*",
@@ -59,7 +59,7 @@ data "aws_iam_policy_document" "amplify" {
 "logs:DescribeLogGroups",
 ]

- #tfsec:ignore:aws-iam-no-policy-wildcards
+ #trivy:ignore:aws-iam-no-policy-wildcards
 resources = [
 "arn:aws:logs:${var.region}:${var.aws_account_id}:*"
 ]
diff --git a/infrastructure/terraform/modules/backend-api/guardduty_malware_protection_plan_quarantine.tf b/infrastructure/terraform/modules/backend-api/guardduty_malware_protection_plan_quarantine.tf
index fa8ba8164..7ca512946 100644
--- a/infrastructure/terraform/modules/backend-api/guardduty_malware_protection_plan_quarantine.tf
+++ b/infrastructure/terraform/modules/backend-api/guardduty_malware_protection_plan_quarantine.tf
@@ -51,7 +51,7 @@ data "aws_iam_policy_document" "guardduty_assumerole" {
 }
 }

-#tfsec:ignore:aws-iam-no-policy-wildcards
+#trivy:ignore:aws-iam-no-policy-wildcards
 data "aws_iam_policy_document" "guardduty_quarantine" {
 statement {
 sid = "AllowManagedRuleToSendS3EventsToGuardDuty"
diff --git a/scripts/config/tfsec.yaml b/scripts/config/tfsec.yaml
deleted file mode 100644
index 550203b2a..000000000
--- a/scripts/config/tfsec.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-minimum_severity: MEDIUM
diff --git a/scripts/config/trivy.yaml b/scripts/config/trivy.yaml
new file mode 100644
index 000000000..a4eff466e
--- /dev/null
+++ b/scripts/config/trivy.yaml
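Review bot: The second suppression in this file exempts `arn:aws:logs:${var.region}:${var.aws_account_id}:*`, an account-wide CloudWatch Logs resource grant for the actions listed above it (only `logs:DescribeLogGroups` is visible in the hunk), yet unlike the acct policy neither ignore here carries a justification or an expiry, and the migration is the natural moment to add both. Put a reason above the directive and an expiry on it, e.g. `# Account-wide logs grant is intentional for this action set — see ticket` then `#trivy:ignore:aws-iam-no-policy-wildcards:exp:YYYY-MM-DD`, so the exemption is revisited rather than permanent; the same applies to the narrower suppression on the log-group ARNs above. The enclosing `amplify` policy document starts outside the hunk.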
@@ -0,0 +1,6 @@
+---
+severity: MEDIUM # Minimum reported findings
+exit-code: 1 # When issues are found
+scan:
+ skip-files:
+ - "**/.terraform/**/*"
diff --git a/scripts/terraform/tfsec.sh b/scripts/terraform/trivy.sh
similarity index 57%
rename from scripts/terraform/tfsec.sh
rename to scripts/terraform/trivy.sh
index 5d13e60af..93caabd8d 100755
--- a/scripts/terraform/tfsec.sh
+++ b/scripts/terraform/trivy.sh
@@ -9,7 +9,7 @@ set -euo pipefail
 # Run tfsec for security checks on Terraform code.
 #
 # Usage:
-# $ ./tfsec.sh [directory]
+# $ ./trivy.sh [directory]
 # ==============================================================================

 function main() {
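Review bot: `severity: MEDIUM` on the second added line is not a minimum: Trivy's `severity` setting (the config-file form of `--severity`) is the list of severities to report, so as written the scan reports only MEDIUM findings and silently drops HIGH and CRITICAL misconfigurations, the opposite of the tfsec `minimum_severity: MEDIUM` this file replaces, and the `# Minimum reported findings` comment documents the intended rather than the actual behaviour. Change it to `severity: [MEDIUM, HIGH, CRITICAL]  # Trivy filters to the listed severities; it does not threshold` (a block-style list is equivalent) and re-run once to confirm a HIGH finding fails the job via `exit-code: 1`. Separately, `trivy config` pulls its checks bundle from a remote registry at run time, so CI results can change with no change to the repo; consider pinning the bundle (`--checks-bundle-repository` with a digest, or `--skip-check-update` with a vendored copy) if reproducible gating matters.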
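Review bot: The header comment immediately above the updated usage still reads `# Run tfsec for security checks on Terraform code.`; change it to `# Run Trivy (trivy config) for security checks on Terraform code.` so the file header matches the script it now documents. `main`, whose opening line closes this hunk, continues outside it.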
@@ -18,68 +18,63 @@ function main() {
 local dir_to_scan=${1:-.}
- if command -v tfsec > /dev/null 2>&1 && ! is-arg-true "${FORCE_USE_DOCKER:-false}"; then
+ if command -v trivy > /dev/null 2>&1 && ! is-arg-true "${FORCE_USE_DOCKER:-false}"; then
 # shellcheck disable=SC2154
- run-tfsec-natively "$dir_to_scan"
+ run-trivy-natively "$dir_to_scan"
 else
- run-tfsec-in-docker "$dir_to_scan"
+ run-trivy-in-docker "$dir_to_scan"
 fi
 }
-# Run tfsec on the specified directory.
+# Run trivy on the specified directory.
 # Arguments:
 # $1 - Directory to scan
-function run-tfsec-natively() {
+function run-trivy-natively() {
 local dir_to_scan="$1"
- echo "TFSec found locally, running natively"
+ echo "Trivy found locally, running natively"

- echo "Running TFSec on directory: $dir_to_scan"
- tfsec \
- --force-all-dirs \
- --exclude-downloaded-modules \
- --config-file scripts/config/tfsec.yaml \
- --format text \
- "$dir_to_scan"
+ echo "Running Trivy on directory: $dir_to_scan"
+ trivy config \
+ --config scripts/config/trivy.yaml \
+ --tf-exclude-downloaded-modules \
+ "${dir_to_scan}"

- check-tfsec-status
+ check-trivy-status
 }
 # Check the exit status of tfsec.
-function check-tfsec-status() {
+function check-trivy-status() {
 if [ $? -eq 0 ]; then
- echo "TFSec completed successfully."
+ echo "Trivy completed successfully."
 else
- echo "TFSec found issues."
+ echo "Trivy found issues."
 exit 1
 fi
 }
-function run-tfsec-in-docker() {
+function run-trivy-in-docker() {
 # shellcheck disable=SC1091
 source ./scripts/docker/docker.lib.sh
 local dir_to_scan="$1"
 # shellcheck disable=SC2155
- local image=$(name=aquasec/tfsec docker-get-image-version-and-pull)
+ local image=$(name=aquasec/trivy docker-get-image-version-and-pull)
 # shellcheck disable=SC2086
- echo "TFSec not found locally, running in Docker Container"
- echo "Running TFSec on directory: $dir_to_scan"
+ echo "Trivy not found locally, running in Docker Container"
+ echo "Running Trivy on directory: $dir_to_scan"
 docker run --rm --platform linux/amd64 \
 --volume "$PWD":/workdir \
 --workdir /workdir \
 "$image" \
- --concise-output \
- --force-all-dirs \
- --exclude-downloaded-modules \
- --config-file scripts/config/tfsec.yaml \
- --format text \
- --soft-fail \
- "$dir_to_scan"
- check-tfsec-status
+ config \
+ --config scripts/config/trivy.yaml \
+ --tf-exclude-downloaded-modules \
+ "${dir_to_scan}"
+ check-trivy-status
 }
 # ==============================================================================