feat: Trivy Security

.github/workflows/trivy.yml

@@ -0,0 +1,37 @@
+---
+name: trivy
+
+on:
+  pull_request:
+    types: ['opened', 'reopened', 'synchronize']
+  merge_group:
+  workflow_dispatch:
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+jobs:
+  build:
+    name: 'trivy scan'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Run Trivy vulnerability scanner (file system)
+        uses: aquasecurity/trivy-action@0.24.0
+        with:
+          scan-type: 'fs'
+          ignore-unfixed: true
+          scan-ref: .
+          format: 'sarif'
+          scanners: 'vuln,secret,config'
+          output: report-fs.sarif
+
+      - name: Upload Trivy report (fs) GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: report.sarif
+          category: 'fs'

unsecure.tf

@@ -0,0 +1,33 @@
+provider "aws" {
+  access_key = "AKIAIOSFODNN7EXAMPLE"
+  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+  region     = "us-west-2"
+}
+
+resource "aws_security_group_rule" "my-rule" {
+    type        = "ingress"
+    cidr_blocks = ["0.0.0.0/0"]
+}
+
+resource "aws_alb_listener" "my-alb-listener"{
+    port     = "80"
+    protocol = "HTTP"
+}
+
+resource "azurerm_managed_disk" "source" {
+    encryption_settings {
+        enabled = var.enableEncryption
+    }
+}
+
+resource "aws_api_gateway_domain_name" "outdated_security_policy" {
+    security_policy = "TLS_1_0"
+}
+
+resource "aws_api_gateway_domain_name" "valid_security_policy" {
+    security_policy = "TLS_1_2"
+}
+
+variable "enableEncryption" {
+    default = false
+}