Wrapper Script to use Trivy for IAC static code analysis

.tool-versions

@@ -3,6 +3,7 @@
 terraform 1.7.0
 pre-commit 3.6.0
 vale 3.6.0
+trivy 0.57.1
 
 # ==============================================================================
 # The section below is reserved for Docker image versions.

scripts/terraform/terraform-static-code-check.sh

@@ -0,0 +1,91 @@
+#!/bin/bash
+
+# WARNING: Please DO NOT edit this file! It is maintained in the Repository Template (https://github.com/nhs-england-tools/repository-template). Raise a PR instead.
+
+set -euo pipefail
+
+# Trivy command wrapper. It will run Trivy natively if it is
+# installed, otherwise it will run it in a Docker container.
+#
+# Usage:
+#   $ [options] ./terraform-static-code-check.sh
+#
+# Arguments (provided as environment variables):
+#   directory=path          # Path to the Terraform code directory to check, relative to the project's top-level directory, default is itself
+#   FORCE_USE_DOCKER=true   # If set to true the command is run in a Docker container, default is 'false'
+#   VERBOSE=true            # Show all the executed commands, default is 'false'
+
+# ==============================================================================
+
+function main() {
+
+  cd "$(git rev-parse --show-toplevel)"
+
+  [ -z "${directory:-}" ] && echo "WARNING: 'directory' variable not set, defaulting to current directory"
+  local directory=${directory:-.}
+  if command -v trivy > /dev/null 2>&1 && ! is-arg-true "${FORCE_USE_DOCKER:-false}"; then
+    directory="$directory" run-trivy-natively
+  else
+    directory="$directory" run-trivy-in-docker
+  fi
+}
+
+# Run Trivy natively.
+# Arguments (provided as environment variables):
+#   directory=[path to the Terraform directory to check, relative to the project's top-level directory]
+function run-trivy-natively() {
+
+  if [ -e "$(echo ${directory}/.trivy.yml | sed "s#$PWD#.#")" ]; then
+    echo "Using config directory: $(echo ${directory}/.trivy.yml | sed "s#$PWD#.#")"
+    trivy config  "$(echo "$directory" | sed "s#$PWD#.#")" --config "$(echo ${directory}/.trivy.yml | sed "s#$PWD#.#")"
+  else
+    trivy config "$(echo "$directory" | sed "s#$PWD#.#")"
+  fi
+}
+
+# Run Trivy in a Docker container.
+# Arguments (provided as environment variables):
+#   directory=[path to the Terraform to check, relative to the project's top-level directory]
+function run-trivy-in-docker() {
+
+  # shellcheck disable=SC1091
+  source ./scripts/docker/docker.lib.sh
+
+  # shellcheck disable=SC2155
+  local image=$(name=aquasec/trivy docker-get-image-version-and-pull)
+  # shellcheck disable=SC2001
+  if [ -e "$(echo ${directory}/.trivy.yml | sed "s#$PWD#.#")" ]; then
+    echo "Using config directory: $(echo ${directory}/.trivy.yml | sed "s#$PWD#.#")"
+    docker run --rm --platform linux/amd64 \
+      --volume "$PWD:/code" \
+      --workdir /code \
+      "$image" \
+      config "/code/$(echo "$directory" | sed "s#$PWD#.#")" \
+      --config "$(echo "${directory}/.trivy.yml" | sed "s#$PWD#.#")"
+  else
+    docker run --rm --platform linux/amd64 \
+      --volume "$PWD:/code" \
+      --workdir /code \
+      "$image" \
+      config "/code/$(echo "$directory" | sed "s#$PWD#.#")"
+  fi
+}
+
+# ==============================================================================
+
+function is-arg-true() {
+
+  if [[ "$1" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$ ]]; then
+    return 0
+  else
+    return 1
+  fi
+}
+
+# ==============================================================================
+
+is-arg-true "${VERBOSE:-false}" && set -x
+
+main "$@"
+
+exit 0