Hi Guys Anybody using any IaC code scanning methods in your atlantis workflows?

Yes

can you give more context about the flow

Custom container Install tools Custom workflow init tflint tfsec then plan and apply steps

So this scan will do only the updated file in the PR or entire code?

It depends on the flags

I have tflint etc in a pre-commit hook and then just run that as a separate validate step in a github action

That's probably the best way to do it! :)

@Chastity Blackwell Are you trigger the github action from the pre_commit_hook?

No, the hook is triggered via a push to a PR

Could you please paste it here for a reference 🙂

This is what I have here:

name: validate

on:
  push:
    branches:
      - master
  pull_request:
    branches:
      - master

# Pre-commit checking code was cribbed from trussworks/shared-actions
jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@v3
      - name: Set up homebrew
        uses: Homebrew/actions/setup-homebrew@master
      - name: Install prereqs for checks
        run: |
          eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
          brew install terraform-docs
          brew install gh
          pip install pre-commit
      - name: Cache
        uses: actions/cache@v3
        with:
          path: ~/.cache/pre-commit
          key: pre-commit-dot-cache-{{ hashFiles('.pre-commit-config.yaml') }}
      - name: Pre-commit checks
        run: |
          eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
          pre-commit run --all-files --show-diff-on-failure

We run these kinds of things in a CI pipeline (and also in pre-commit though that only works if people enable it)

Yeah. Using precommit makes it easy to just throw it in a pipeline too though

For us, the pipeline is a lot more complex, but yeah.

tfsec always drove me nuts because it scanned modules I pulled in from the registry

@Chastity Blackwell I had that problem too.

trivy

does that even worse.

tfsec

fixed at least most of the problems with that that I had in the past

:blerg:

with tfsec, it at least seems to be smart enough to follow the chain of what’s actually included (most of the time).

trivy

uses the same scanning engine; I guess hopefully they fix all the remaining bugs, because they haven’t updated tfsec at all in a while

Care to share? 🙂

https://github.com/marketplace/actions/run-tfsec-with-sarif-upload any idea how this sarif works?

Absolutely. It’s dead simple, but is working pretty well so far. This is a Circle config, but the basic commands should work anywhere.

I'll give that a shot.

It deals with the issue where if the .terraform directory is stale, validation fails. Or something like that.

ah...that might fix my issue then. Thanks!

to the OP’s original question: I’ve normally used the CI provider to run the checks, and then relied on the VCS provider’s required checks combined with things like Atlantis’s “mergeable” requirement to enforce them. I don’t know of many cases where people are using atlantis to run / enforce those checks directly. it might be possible with some kind of custom workflow, but I think the other way is most typical, if it’s usable for you