github / advisory-database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Creative Commons Attribution 4.0 International

Support for Terraform #998

Open jacobball11 opened 1 year ago

jacobball11 commented 1 year ago

My organization uses Terraform for nearly all automated deployments. Each Terraform Workspace has an associated lock file that represents each provider and version the configuration uses. I would like to enable dependency graphs and analysis for this suite of tools but it appears GitHub does not support dependencies on this ecosystem.

I may be submitting this to the wrong location, but this is where the rabbit hole has taken me! Thanks in advance for any and all guidance.

jacobball11 commented 1 year ago

Here is the place to find discussions about vulnerabilities with Terraform. https://discuss.hashicorp.com/c/security/52

courtneycl commented 1 year ago

👋 Hi @jacobball11! I'm not too familiar with Terraform, but you may be able to use Anchore's SBOM action, which will generate a bill of materials and submit it to the dependency graph. The action leverages the dependency submission API that allows you to submit different kinds of dependencies that are not supported out of the box.

If Anchore's action isn't helpful, and you're eager, you could write your own to submit your dependencies using the dependency submission toolkit or use the API directly.
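As an added example of the "write your own" route mentioned above (this is not code from the advisory-database project or from either commenter), the script below parses a Terraform workspace lock file (`.terraform.lock.hcl`) and shapes its provider entries into a snapshot document of the form the Dependency Submission API accepts. The sample lock file is constructed, the `pkg:terraform/...` package-URL form is an assumption of this example (purl has no official Terraform type), and the detector name and URL are placeholders; the snapshot field layout (`version`, `job`, `sha`, `ref`, `detector`, `scanned`, `manifests` → `resolved`) follows the public API schema. It also reports any provider whose lock entry carries no hashes, since such an entry pins a version but not the package contents.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample .terraform.lock.hcl; hashes are obviously fake placeholders.
SAMPLE_LOCK = '''
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.

provider "registry.terraform.io/hashicorp/aws" {
  version     = "5.31.0"
  constraints = "~> 5.0"
  hashes = [
    "h1:EXAMPLEHASHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
    "zh:0000000000000000000000000000000000000000000000000000000000000000",
  ]
}

provider "registry.terraform.io/hashicorp/random" {
  version     = "3.6.0"
  constraints = ">= 3.0"
  hashes = [
    "h1:EXAMPLEHASHBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=",
  ]
}
'''

# One provider block: provider "<address>" { ... } terminated by a brace at column 0.
PROVIDER_BLOCK = re.compile(r'provider\s+"([^"]+)"\s*\{(.*?)\n\}', re.DOTALL)
# Simple quoted attributes inside a block (version, constraints).
ATTR = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"', re.MULTILINE)
# The hashes list; entries are pulled out with a second regex.
HASHES = re.compile(r'hashes\s*=\s*\[(.*?)\]', re.DOTALL)


def parse_lock_file(text):
    """Return one dict per provider block: address, version, constraints, hashes."""
    providers = []
    for m in PROVIDER_BLOCK.finditer(text):
        address, body = m.group(1), m.group(2)
        attrs = dict(ATTR.findall(body))
        hm = HASHES.search(body)
        hashes = re.findall(r'"([^"]+)"', hm.group(1)) if hm else []
        providers.append({
            "address": address,
            "version": attrs.get("version"),
            "constraints": attrs.get("constraints"),
            "hashes": hashes,
        })
    return providers


def provider_purl(address, version):
    """Assumed purl form for a provider address like registry.terraform.io/hashicorp/aws.

    purl has no official Terraform type, so this mirrors the provider address
    (host/namespace/name) and is a convention of this example only.
    """
    return f"pkg:terraform/{address}@{version}"


def unpinned_providers(providers):
    """Addresses of providers whose lock entry records no hashes at all."""
    return [p["address"] for p in providers if not p["hashes"]]


def build_snapshot(providers, sha, ref, manifest_path=".terraform.lock.hcl",
                   job_id="1", correlator="terraform-lock"):
    """Shape parsed providers into a Dependency Submission API snapshot document."""
    resolved = {}
    for p in providers:
        resolved[p["address"]] = {
            "package_url": provider_purl(p["address"], p["version"]),
            "relationship": "direct",   # lock files list providers the config uses directly
            "scope": "runtime",
            "dependencies": [],
            "metadata": {"constraints": p["constraints"] or ""},
        }
    return {
        "version": 0,
        "job": {"id": job_id, "correlator": correlator},
        "sha": sha,
        "ref": ref,
        # Placeholder detector identity; a real tool would fill in its own name/version/URL.
        "detector": {"name": "terraform-lock-parser", "version": "0.1.0",
                     "url": "https://example.invalid/terraform-lock-parser"},
        "scanned": datetime.now(timezone.utc).isoformat(),
        "manifests": {
            manifest_path: {
                "name": manifest_path,
                "file": {"source_location": manifest_path},
                "resolved": resolved,
            }
        },
    }


if __name__ == "__main__":
    found = parse_lock_file(SAMPLE_LOCK)
    for addr in unpinned_providers(found):
        print(f"warning: {addr} has no hashes in the lock file")
    # sha/ref are placeholders; in CI they come from the checked-out commit.
    print(json.dumps(build_snapshot(found, sha="0" * 40, ref="refs/heads/main"), indent=2))
```

The resulting JSON is what you would POST to `/repos/{owner}/{repo}/dependency-graph/snapshots` with a token that has write access to the repository's dependency graph; the script deliberately stops short of the HTTP call so it runs offline. Because the `resolved` map is keyed by provider address, the same key reappears in every snapshot for that workspace, which keeps the graph's view of the provider stable across submissions.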