
Migrate from tfsec to trivy

Open sebastiencaty opened this issue 1 year ago • 7 comments

tfsec is moving away to trivy, it's mostly the same thing so it shouldn't be too difficult.

https://github.com/aquasecurity/tfsec/discussions/1994 https://github.com/aquasecurity/tfsec/blob/master/tfsec-to-trivy-migration-guide.md

I can help with this.

I have also made some changes to the dockerfile and requirements version file to update version for vulnerabilities while testing for compatibility locally. If you're interested I'd also like to help with this.

sebastiencaty avatar Jan 07 '25 15:01 sebastiencaty

Created gitlab issue: https://gitlab.dockstudios.co.uk/pub/terrareg/-/issues/552 gitlab-issue-id:552

MatthewJohn avatar Jan 07 '25 16:01 MatthewJohn

Hey @sebastiencaty,

That would be great, if you're happy to - I've had the ticket sat on the backlog for a while https://gitlab.dockstudios.co.uk/pub/terrareg/-/issues/440 If you're happy to take a look, it would be great. If you're happy to include a ticket reference in any commits and 'fix: ' prefixes, as per https://matthewjohn.github.io/terrareg/CONTRIBUTING/, it would be great :)

Many thanks

MatthewJohn avatar Jan 08 '25 18:01 MatthewJohn

Just to be aware, the "hardest" (or at least most cumbersome) part of switching from tfsec to trivy will be updating the tests, worth seeing:

  • https://github.com/MatthewJohn/terrareg/blob/2634c422eba76cf508607ca773fb67447f211e37/test/integration/terrareg/module_extractor/test_process_upload.py#L779
  • https://github.com/MatthewJohn/terrareg/blob/2634c422eba76cf508607ca773fb67447f211e37/test/selenium/test_data.py#L2715

MatthewJohn avatar Jan 08 '25 18:01 MatthewJohn
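The test fixtures linked above are written against the JSON that tfsec emits, so one way to limit the churn is to normalise trivy's `config` report into that tfsec-shaped result list and keep the existing expectations. The following is an added example, not terrareg's own code or part of any of the linked tickets. It assumes the field names of `tfsec --format json` (`rule_id`, `severity`, `status`, `resource`, `location`) and of `trivy config --format json` (`Results[].Misconfigurations[]` with `ID`, `Title`, `Message`, `Severity`, `Status`, `CauseMetadata`) as I know them from those tools' output; verify them against the trivy version you pin. The sample report embedded in the block is constructed, not captured from a real scan.

```python
"""Normalise a trivy `config` JSON report into the tfsec-shaped `results` list
that existing test expectations were written against.

Added example, not terrareg's own code. Field names are assumptions based on
the JSON that `tfsec --format json` and `trivy config --format json` emit;
check them against the pinned trivy version. The sample report is constructed.
"""
import json

# Constructed sample of a trivy report: one failing and one passing check.
TRIVY_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": ".",
    "Results": [
        {
            "Target": "main.tf",
            "Class": "config",
            "Type": "terraform",
            "Misconfigurations": [
                {
                    "ID": "AVD-AWS-0107",
                    "Title": "An ingress security group rule allows traffic from /0.",
                    "Message": "Security group rule allows ingress from public internet.",
                    "Resolution": "Set a more restrictive CIDR range.",
                    "Severity": "CRITICAL",
                    "Status": "FAIL",
                    "CauseMetadata": {
                        "Resource": "aws_security_group.example",
                        "Provider": "AWS",
                        "Service": "ec2",
                        "StartLine": 10,
                        "EndLine": 12,
                    },
                },
                {
                    "ID": "AVD-AWS-0099",
                    "Title": "Missing description for security group.",
                    "Severity": "LOW",
                    "Status": "PASS",
                    "CauseMetadata": {
                        "Resource": "aws_security_group.example",
                        "StartLine": 1,
                        "EndLine": 20,
                    },
                },
            ],
        }
    ],
}

# tfsec encodes status as an integer (assumption: 0 = failed, 1 = passed).
TFSEC_STATUS = {"FAIL": 0, "PASS": 1}


def trivy_to_tfsec(report, include_passed=False):
    """Return a dict shaped like tfsec's JSON output (`{"results": [...]}`).

    Only `Class == "config"` results are considered, and passing checks are
    dropped unless include_passed is set, matching tfsec's default of only
    reporting failures.
    """
    results = []
    for result in report.get("Results", []):
        if result.get("Class") != "config":
            continue
        target = result.get("Target", "")
        for misconf in result.get("Misconfigurations", []):
            status = misconf.get("Status", "FAIL")
            if status != "FAIL" and not include_passed:
                continue
            cause = misconf.get("CauseMetadata", {})
            results.append({
                "rule_id": misconf.get("ID", ""),
                "rule_description": misconf.get("Title", ""),
                "rule_provider": cause.get("Provider", "").lower(),
                "rule_service": cause.get("Service", ""),
                "description": misconf.get("Message", ""),
                "resolution": misconf.get("Resolution", ""),
                "severity": misconf.get("Severity", ""),
                "status": TFSEC_STATUS.get(status, 0),
                "resource": cause.get("Resource", ""),
                "location": {
                    "filename": target,
                    "start_line": cause.get("StartLine", 0),
                    "end_line": cause.get("EndLine", 0),
                },
            })
    return {"results": results}


def count_failures_by_severity(tfsec_shaped):
    """Tally failed checks per severity, e.g. {"CRITICAL": 1}."""
    counts = {}
    for entry in tfsec_shaped["results"]:
        if entry["status"] == 0:
            counts[entry["severity"]] = counts.get(entry["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    converted = trivy_to_tfsec(TRIVY_REPORT)
    print(json.dumps(converted, indent=2))
    print(count_failures_by_severity(converted))
```

Because only the shape is translated, an expectation such as "one CRITICAL finding at main.tf lines 10-12 on aws_security_group.example" can stay as written while the scanner underneath changes; the rule IDs themselves differ between the tools, so those strings in the fixtures still need updating by hand.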

> tfsec is moving away to trivy, it's mostly the same thing so it shouldn't be too difficult.
>
> aquasecurity/tfsec#1994 https://github.com/aquasecurity/tfsec/blob/master/tfsec-to-trivy-migration-guide.md
>
> I can help with this.
>
> I have also made some changes to the dockerfile and requirements version file to update version for vulnerabilities while testing for compatibility locally. If you're interested I'd also like to help with this.

Nice, we also have a Dockerfile and requirements with updated versions with vulnerabilities as that is a big deal at our company at the moment. So, I am on board with this.

@MatthewJohn We don't use infracost or some of the other features and to remove Go vulnerabilities I comment out those downloads. What do you guys think about a "minimal" version Dockerfile as well for just the base module download feature? This reduces vulnerabilities. My only concern is that it might break your tests?

markdjones82 avatar Jan 15 '25 14:01 markdjones82

> We don't use infracost or some of the other features and to remove Go vulnerabilities I comment out those downloads

Hmm, certainly makes sense - I wonder to what extent it's worth taking to - e.g. tfswitch, tfsec etc

MatthewJohn avatar Jan 16 '25 17:01 MatthewJohn

I actually realized we still need tfswitch/tfsec when I tried to remove those downloads. Didn't realize they were part of the module indexing. That being said, I've gotten most of the vulnerabilities we are getting hits on by updating go package download and updating others. Infracost had a ton so removing that was good for now.

I'm not sure how easy it would be to add a new flag to turn off tfswitch/tfsec. It seems pretty embedded, but I'm far from an app code expert. Just enough to be dangerous.

markdjones82 avatar Jan 16 '25 17:01 markdjones82

> Didn't realize they were part of the module indexing

Infracost is also part of module indexing (though also depends on API key, or maybe some other config, can't remember off the top of my head) - so if one can be disabled, they can all be (made to be) disablable :)

MatthewJohn avatar Jan 17 '25 15:01 MatthewJohn