aquasecurity / trivy-action

Runs Trivy as GitHub action to scan your Docker container image for vulnerabilities
Apache License 2.0

Adding support for tfvars in terraform scanning #241

Open yossigilad opened 1 year ago

yossigilad commented 1 year ago

Hi, can you please add support for specifying tfvars in Terraform scanning, similar to the CLI? CLI example: trivy config . --tf-vars ./envs/xxx.tfvars

simar7 commented 1 year ago

All trivy options are available via the trivy config file, even those that are today not available as dedicated options via the trivy action.

You can read more on how to use the trivy config file here: https://aquasecurity.github.io/trivy/v0.42/docs/references/configuration/config-file/
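An added example of the config-file route for the per-workspace case raised in this thread (not code from the trivy-action project): the workflow writes a trivy.yaml for the current run from a TF_WORKSPACE variable and hands it to the action. It assumes the `trivy-config`, `scan-type`, `scan-ref` and `exit-code` inputs of trivy-action, the `misconfiguration.terraform.vars` key that mirrors `--tf-vars` in Trivy's config-file reference, and the constructed `envs/<workspace>.tfvars` layout taken from the CLI example above.

```yaml
name: trivy-terraform
on: [pull_request]

jobs:
  tf-misconfig:
    runs-on: ubuntu-latest
    env:
      # Constructed example: one .tfvars per workspace, selected per run.
      # Set this from a matrix, label or workflow input in a real repo;
      # it is hard-coded here so the example is complete.
      TF_WORKSPACE: dev
    steps:
      - uses: actions/checkout@v4

      # Fail early if the variables file is missing: Trivy would otherwise
      # fall back to variable defaults and scan a different configuration
      # than the one that gets applied.
      - name: Check that the workspace tfvars file exists
        run: test -f "envs/${TF_WORKSPACE}.tfvars"

      # Generate trivy.yaml for this run. The key path below is assumed to
      # match the --tf-vars CLI flag in Trivy's config-file reference.
      - name: Write trivy.yaml for this workspace
        run: |
          cat > trivy.yaml <<EOF
          misconfiguration:
            terraform:
              vars:
                - envs/${TF_WORKSPACE}.tfvars
          EOF
          cat trivy.yaml

      - name: Scan Terraform with the generated config
        uses: aquasecurity/trivy-action@master   # pin to a release tag or commit SHA in practice
        with:
          scan-type: config
          scan-ref: .
          trivy-config: trivy.yaml
          exit-code: '1'
```

Because the config is generated per run, one workflow covers any number of workspaces without committing a trivy.yaml for each.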

yossigilad commented 1 year ago

@simar7 Thanks for the quick answer, but for tfvars a config file is not a good option, because it's dynamic for every PR. Please consider again and keep in mind that customers have a lot of TF workspaces.

simar7 commented 1 year ago

Sorry, I didn't mean to close the issue, pressed the wrong button by accident.

Could you clarify what you mean by "dynamic"? Today the --tf-vars flag accepts a path to a file where the Terraform variables are defined. Using this from the CLI option or the trivy configuration file is no different.

yossigilad commented 1 year ago

@simar7 When using tfvars there is more than one file, and we need to specify the tfvars for every env, and if we want to use the trivy.conf we will need to create it dynamically with the tfvars name or create many conf files. Example: in the screenshot there are 2 tfvars files, and they can enable or disable some of the TF code, so if we want to scan for the exact vuln we need to specify the tfvars file in the trivy scan. So it will be much easier to specify it in the action code and not use the conf file.

yossigilad commented 1 year ago

@simar7 any update?

simar7 commented 1 year ago

> so it will be much easier to specify it in the action code and not use the conf file.

I'm not sure if I understand this. Could you explain how it will be easier? CLI options and config file are identical and have the same behaviour.

yossigilad commented 1 year ago

@simar7 Think that I need to create a config file for every tfvars file. The number of files will be the same as the number of workspaces (from one to many).

simar7 commented 1 year ago

In that case, how would you be able to "dynamically" specify tf-vars when using them as a GitHub action parameter? Does GitHub allow that?

yossigilad commented 1 year ago

If you give the option to specify it as a variable in trivy action, I can set it with env like other actions that use the tfvars (terraform apply and more).

yossigilad commented 1 year ago

@simar7 Any update? Or do you need more information?

simar7 commented 1 year ago

We welcome a PR if you'd like to contribute.

yossigilad commented 1 year ago

Sure, I will try to create a PR.

kderck commented 1 year ago

Hi. This would be great.

kderck commented 1 year ago

Hi, I've been working on this. However, I believe that it's currently blocked by "Unable to pass tfvars file".

kderck commented 11 months ago

Hi, I've opened a pull request for this: https://github.com/aquasecurity/trivy-action/pull/285 - might need a little support with testing.

kderck commented 10 months ago

This has been merged @yossigilad and @simar7. Can this be closed?