initial commit

Author: Jacob Fiola

.github/workflows/scan:trivy.yml

@@ -0,0 +1,22 @@
+name: Trivy Terraform Scan
+
+on:
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '0 3 * * *'          # Nightly at 03:00 UTC
+  workflow_dispatch:
+
+jobs:
+  trivy:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      issues: write
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Trivy scan
+        uses: corelight/shared-actions/trivy-terraform-scan@main 

Taskfile.yml

@@ -11,3 +11,8 @@ tasks:
     desc: Check if the input is formatted
     cmds:
       - terraform fmt -recursive -check -diff .
+
+  trivy:scan:
+    desc: Scan Terraform files with Trivy
+    cmds:
+      - trivy fs --config scripts/trivy/trivy.yml .

modules/bastion/instance.tf

@@ -1,3 +1,4 @@
+#trivy:ignore:AVD-GCP-0031   allow bastion instance to be created with public IP
 resource "google_compute_instance" "bastion_instance" {
   name         = var.instance_resource_name
   machine_type = var.instance_size

scripts/trivy/.trivyignore.yml

@@ -0,0 +1 @@
+misconfigurations:

scripts/trivy/trivy.yml

@@ -0,0 +1,19 @@
+scan:
+  security-checks:
+    - secret
+    - config
+
+ignorefile: scripts/trivy/.trivyignore.yml
+
+severity:
+  - HIGH
+  - CRITICAL
+
+misconfiguration:
+  scanners:
+    - terraform
+  config:
+    terraform:
+      file_patterns:
+        - "**/*.tf"
+  ignore_unfixed: true