Skip to content

tofu-security

Three security scanners for OpenTofu / Terraform code, run inside infra-tools. Unlike infra-tools' own self-scan (which soft-fails on upstream Go-stdlib CVEs out of the project's control), these scan the consumer's Terraform code — findings are in the consumer's control, so the jobs hard-fail.

  • trivy-configtrivy config --severity HIGH,CRITICAL.
  • checkovcheckov --framework terraform.
  • gitleaks — secret-pattern scan, scoped to the MR's own commit range on a merge-request pipeline (so a shared runner's cached refs from other branches can't trip a false positive).

Always-on — no change-detection input. Every security component is exempt from change-detection by design; see Explanation: security, always-on.

Jobs

Job What it runs
trivy-config trivy config --severity HIGH,CRITICAL --exit-code 1 --quiet $[[ inputs.paths ]]
checkov checkov -d $[[ inputs.paths ]] --framework terraform --quiet --compact
gitleaks gitleaks detect, scoped to $CI_MERGE_REQUEST_DIFF_BASE_SHA..$CI_COMMIT_SHA on an MR pipeline

Inputs

Input Type Default Description
image_version string "v0.3.0" infra-tools image tag to run the security jobs in.
stage string security GitLab CI stage.
paths string "." Space-separated directories to scan. Each scanner takes a single combined argument; call the component multiple times for separate per-directory scans.

Usage

include:
  - component: gitlab.com/phpboyscout/cicd/[email protected]

See also