diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1662eb2..ee73dbd 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -9,34 +9,50 @@ on:
 jobs:
 analyze:
 name: Analyze the Terraform scripts
- runs-on: ubuntu-latest
+ runs-on: ubuntu-22.04
+ timeout-minutes: 5
 permissions:
 actions: read
 contents: read
 security-events: write
 steps:
- - name: Clone repository
- uses: actions/checkout@v3
-
- - name: Setup Terraform CLI
- uses: hashicorp/setup-terraform@v2
-
- - name: Run Terraform init
+ - id: clone_repository
+ name: Clone repository
+ # actions/checkout@v4.1.1
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+
+ - id: setup_terraform
+ name: Setup Terraform CLI
+ # hashicorp/setup-terraform@v3.0.0
+ uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36
+
+ - id: run_terraform_init
+ name: Run Terraform init
 run: terraform init
- - name: Run Terraform format check
+ - id: run_terraform_fmt
+ name: Run Terraform format check
 run: terraform fmt -check -recursive
- - name: Run Terraform validate check
+ - id: run_terraform_validate
+ name: Run Terraform validate check
 run: terraform validate
- - name: Run tfsec
- uses: aquasecurity/tfsec-sarif-action@v0.1.4
+ - id: run_trivy_config
+ name: Run Trivy vulnerability scanner
+ # aquasecurity/trivy-action@v0.16.0
+ uses: aquasecurity/trivy-action@91713af97dc80187565512baba96e4364e983601
 with:
- config_file: tfsec.yml
- sarif_file: tfsec.sarif
-
- - name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v2
+ scan-type: config
+ trivy-config: trivy.yaml
+ hide-progress: false
+ format: sarif
+ output: trivy.sarif
+
+ - id: run_sarif_upload
+ name: Upload Trivy SARIF results
+ # github/codeql-action/upload-sarif@v2.22.9
+ uses: github/codeql-action/upload-sarif@382a50a0284c0de445104889a9d6003acb4b3c1d
+ timeout-minutes: 1
 with:
- sarif_file: tfsec.sarif
+ sarif_file: trivy.sarif
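Review bot: The `run_sarif_upload` step at the end of the hunk has no `if:` condition, so once the `exit-code: 1` in trivy.yaml makes `run_trivy_config` fail on a MEDIUM-or-higher finding, the upload is skipped and the SARIF never reaches code scanning — exactly the run in which it matters. Adding `if: always()` (or `if: success() || failure()`) to that step publishes the results while the job still fails on findings. The same interplay applies to the trivy.yaml hunk below; if the intent is to gate purely through code-scanning alerts, `exit-code: 0` there is the alternative. That the config file's exit code is honoured alongside the explicit `format`/`output` inputs is inferred from the action's inputs, so confirm it against the action's documentation.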
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 0000000..9ba2670
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,3 @@
+AVD-GCP-0027
+AVD-GCP-0031
+
diff --git a/README.md b/README.md
index 73eb4f7..a0aa29d 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # GraphDB deployment package on GCP
-This terraform module allows you to deploy GraphDB instance in GCE(Google Compute Engine).
+This terraform module allows you to deploy GraphDB instance in Google Compute Engine.
 ## Table of contents
@@ -39,8 +39,7 @@ preferred database choice of both small independent developers and big enterpris
 The module provides the building blocks of configuring, deploying and provisioning a single VM of GraphDB using Google Compute Engine. Key features of the module include:
-- Google Cloud Engine Compute Instance
-- Google Compute Firewall
+- Google Cloud Compute Engine Instance
 ## Versioning
@@ -125,8 +124,6 @@ Instead of using the module dependency, you can create a local variables file na
 configuration overrides there. Here's an example of a `terraform.tfvars` file:
-### terraform.tfvars
-
 ```hcl
 project_id = "example-project-id"
diff --git a/main.tf b/main.tf
index 4314a87..7f99d7f 100644
--- a/main.tf
+++ b/main.tf
@@ -31,6 +31,7 @@ resource "google_compute_instance" "graphdb" {
 # Enable VTPM module
 shielded_instance_config {
+ enable_secure_boot = true
 enable_vtpm = true
 enable_integrity_monitoring = true
 }
diff --git a/tfsec.yml b/tfsec.yml
deleted file mode 100644
index a7417c1..0000000
--- a/tfsec.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-minimum_severity: MEDIUM
-exclude:
- # We want to access Graphdb from internet by default
- - google-compute-no-public-ingress
- # Instance should have public IP since we don't have a load balancer in front of it
- - google-compute-no-public-ip
- # We don't want to use customer key for disk encryption
- - google-compute-vm-disk-encryption-customer-key
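Review bot: The two suppressed IDs `AVD-GCP-0027` and `AVD-GCP-0031` carry no justification, whereas the tfsec.yml deleted in this same diff explained each of its three exclusions (public ingress, public IP, no customer-managed disk key). Since `.trivyignore` accepts `#` comment lines, record the accepted risk above each ID, e.g. `# <why this finding is accepted for this deployment>`, and state which former tfsec exclusion each ID replaces — three rules were excluded before and only two IDs are suppressed now, so a reader cannot tell whether one exclusion was dropped deliberately. The trailing empty line at the end of the file is harmless but unneeded.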
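Review bot: The context comment `# Enable VTPM module` above the block is stale now that `enable_secure_boot = true` is added, since the block configures the full Shielded VM feature set; change it to `# Shielded VM: Secure Boot, vTPM and integrity monitoring`. Secure Boot also depends on an image that supports it, and changing `shielded_instance_config` on an already-deployed instance is, as far as I recall, an in-place update that requires the instance to be stopped (`allow_stopping_for_update` on the google provider) — worth confirming and calling out for existing deployments in the README or changelog. The enclosing `resource` block starts before the hunk.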
diff --git a/trivy.yaml b/trivy.yaml
new file mode 100644
index 0000000..49804a8
--- /dev/null
+++ b/trivy.yaml
@@ -0,0 +1,7 @@
+timeout: 5m
+exit-code: 1
+severity: - HIGH - CRITICAL - MEDIUM
+format: table
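Review bot: `format: table` on the last line is overridden in CI, where ci.yml passes `format: sarif` and `output: trivy.sarif` to the action, so a reader of this file would wrongly conclude the scan emits a table; either drop the key or mark it `# local default; ci.yml overrides this with sarif output`. `timeout: 5m` equals the job-level `timeout-minutes: 5`, which also covers checkout and the Terraform steps, so the GitHub job limit will trip before Trivy's own timeout ever does — a shorter Trivy timeout or a longer job timeout keeps the two meaningful. The file also lacks a `---` document start, which the deleted tfsec.yml had.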