tofu-security¶
Three security scanners for OpenTofu / Terraform code, run inside
infra-tools. Unlike infra-tools' own self-scan (which soft-fails on
upstream Go-stdlib CVEs out of the project's control), these scan the
consumer's Terraform code — findings are in the consumer's control, so the
jobs hard-fail.
trivy-config—trivy config --severity HIGH,CRITICAL.checkov—checkov --framework terraform.gitleaks— secret-pattern scan, scoped to the MR's own commit range on a merge-request pipeline (so a shared runner's cached refs from other branches can't trip a false positive).
Always-on — no change-detection input. Every security component is exempt from change-detection by design; see Explanation: security, always-on.
Jobs¶
| Job | What it runs |
|---|---|
trivy-config |
trivy config --severity HIGH,CRITICAL --exit-code 1 --quiet $[[ inputs.paths ]] |
checkov |
checkov -d $[[ inputs.paths ]] --framework terraform --quiet --compact |
gitleaks |
gitleaks detect, scoped to $CI_MERGE_REQUEST_DIFF_BASE_SHA..$CI_COMMIT_SHA on an MR pipeline |
Inputs¶
| Input | Type | Default | Description |
|---|---|---|---|
image_version |
string | "v0.3.0" |
infra-tools image tag to run the security jobs in. |
stage |
string | security |
GitLab CI stage. |
paths |
string | "." |
Space-separated directories to scan. Each scanner takes a single combined argument; call the component multiple times for separate per-directory scans. |
Usage¶
include:
- component: gitlab.com/phpboyscout/cicd/[email protected]
See also¶
tofu-lint,tofu-validate- Explanation: security, always-on