From 04564c92e4623c6ddd25b7d6f885b177692e068f Mon Sep 17 00:00:00 2001 From: Yousef de baz Date: Mon, 13 Jul 2026 04:45:42 +0400 Subject: [PATCH] feat: replace tfsec with Trivy for IaC security scanning tfsec uses an outdated HCL parser that cannot handle Terraform 1.7+ import blocks and has been deprecated in favor of Trivy. - Replace triat/terraform-security-scan@v3.2.0 with aquasecurity/trivy-action@master - Configure Trivy with scan-type config, severity HIGH,CRITICAL - Preserve existing tfsec-continue-on-error input for backward compatibility --- .github/workflows/terraform-job.yml | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/.github/workflows/terraform-job.yml b/.github/workflows/terraform-job.yml index 815de4c..3216093 100644 --- a/.github/workflows/terraform-job.yml +++ b/.github/workflows/terraform-job.yml @@ -79,16 +79,18 @@ jobs: env: AWS_DEFAULT_REGION: ${{ inputs.aws-default-region }} - tfsec: - name: TFSec + trivy: + name: Trivy Security Scan runs-on: ubuntu-22.04 - continue-on-error: ${{ inputs.tfsec-continue-on-error }} steps: - uses: actions/checkout@v4.2.1 - - name: TFSec - uses: triat/terraform-security-scan@v3.2.0 + - name: Trivy IaC Scan + uses: aquasecurity/trivy-action@master + continue-on-error: ${{ inputs.tfsec-continue-on-error }} with: - tfsec_actions_comment: false + scan-type: 'config' + scan-ref: '.' + severity: 'HIGH,CRITICAL' # tfdocs: # name: TFDocs