
Migrate from tfsec to trivy #74

Open
sebastiencaty opened this issue Jan 7, 2025 · 7 comments

Comments

@sebastiencaty

tfsec is moving away to trivy, it's mostly the same thing so it shouldn't be too difficult.

aquasecurity/tfsec#1994
https://github.com/aquasecurity/tfsec/blob/master/tfsec-to-trivy-migration-guide.md

I can help with this.

I have also made some changes to the dockerfile and requirements version file to update version for vulnerabilities while testing for compatibility locally. If you're interested I'd also like to help with this.

@MatthewJohn
Owner

Created gitlab issue: https://gitlab.dockstudios.co.uk/pub/terrareg/-/issues/552
gitlab-issue-id:552

@MatthewJohn
Owner

Hey @sebastiencaty,

That would be great, if you're happy to - I've had the ticket sat on the backlog for a while https://gitlab.dockstudios.co.uk/pub/terrareg/-/issues/440
If you're happy to take a look, it would be great. If you're happy to include a ticket reference in any commits and 'fix: ' prefixes, as per https://matthewjohn.github.io/terrareg/CONTRIBUTING/, it would be great :)

Many thanks

@MatthewJohn
Owner

Just to be aware, the "hardest" (or at least most cumbersome) part of switching from tfsec to trivy will be updating the tests, worth seeing:

@markdjones82
Contributor

> tfsec is moving away to trivy, it's mostly the same thing so it shouldn't be too difficult.
>
> aquasecurity/tfsec#1994 https://github.com/aquasecurity/tfsec/blob/master/tfsec-to-trivy-migration-guide.md
>
> I can help with this.
>
> I have also made some changes to the dockerfile and requirements version file to update version for vulnerabilities while testing for compatibility locally. If you're interested I'd also like to help with this.

Nice, we also have a Dockerfile and requirements with updated versions with vulnerabilities as that is a big deal at our company at the moment. So, I am on board with this.

@MatthewJohn We don't use infracost or some of the other features and to remove Go vulnerabilities I comment out those downloads. What do you guys think about a "minimal" version Dockerfile as well for just the base module download feature? This reduces vulnerabilities. My only concern is that it might break your tests?

@MatthewJohn
Owner

MatthewJohn commented Jan 16, 2025

> We don't use infracost or some of the other features and to remove Go vulnerabilities I comment out those downloads

Hmm, certainly makes sense - I wonder to what extent it's worth taking to - e.g. tfswitch, tfsec etc

@markdjones82
Contributor

markdjones82 commented Jan 16, 2025

I actually realized we still need tfswitch/tfsec when I tried to remove those downloads. Didn't realize they were part of the module indexing. That being said, I've gotten most of the vulnerabilities we are getting hits on by updating go package download and updating others. Infracost had a ton so removing that was good for now.

I'm not sure how easy it would be to add a new flag to turn off tfswitch/tfsec. It seems pretty embedded, but I'm far from an app code expert. Just enough to be dangerous.

@MatthewJohn
Owner

> Didn't realize they were part of the module indexing

Infracost is also part of module indexing (though also depends on API key, or maybe some other config, can't remember off the top of my head) - so if one can be disabled, they can all be (made to be) disablable :)
