tfsec deprecated, replaced by Trivy. Create a new hook for Trivy

[bodgit]

What problem are you facing?

tfsec is deprecated and it's recommended to migrate to use Trivy instead.

How could pre-commit-terraform help solve your problem?

A new hook that runs trivy config ... in some form would therefore be useful. Trivy seems to currently honour existing tfsec:ignore:* comment blocks so you can switch hooks without needing to rewrite existing comments.

[pdecat]

As trivy is not only for terraform, maybe it makes sense to use https://github.com/mxab/pre-commit-trivy

It was added to docs here: aquasecurity/trivy#3203

[MaxymVlasov]

Nice, let's them just add to docs info about tfsec deprecation and info where can be found trivy hook (which maintenance will be not our problem 🎉 )

[MaxymVlasov]

Of course, if the repo author adds a LICENCE (mxab/pre-commit-trivy#12), otherwise his hooks are not usable

[bodgit]

I'd actually rather not use that hook as it requires Docker and is pinned to the version of trivy specified in the hook configuration, which means I'm reliant on the author to keep updating the hook.

Given trivy is a single binary, I can (and do) install that by other means, so a hook that just tries to run trivy and assume it's somewhere in $PATH would be more flexible.

[pdecat]

Maybe that's something the author of https://github.com/mxab/pre-commit-trivy/ would accept to implement, especially easy to add without breaking anything IMO as the current hooks are suffixed by -docker.

[pdecat]

On the other hand, I see that pre-commit-terraform already supports checkov which is also not only terraform.

[MaxymVlasov]

Well, then you can just copy-paste tfsec hook, change tfsec execution command, and that mostly all from hook logic addition prospective

There is a full doc on how to add docs and so on - https://github.com/antonbabenko/pre-commit-terraform/blob/master/.github/CONTRIBUTING.md#add-new-hook

Also, we will need a deprecation notice to tfsec both in README and in hook itself

The hook notice can be just

common::colorify "yellow" "tfsec tool was deprecated, and replaced by trivy. You can check trivy hook here:"
common::colorify "yellow" "https://github.com/antonbabenko/pre-commit-terraform/tree/master#terraform_trivy"

at the end of main function (of right before common::per_dir_hook execution - not sure that it will shown after)

In any case, notice will show only when something will go wrong (hook found issues and failed). That's planned

[umbertix]

Wondering if someone has picked up this in any meaninful way. I'm very keen on this feature and not sure at what point this is standing. Is this waiting for someone to actually come with the PR for the mentioned changes?

[MaxymVlasov]

Is this waiting for someone to actually come with the PR for the mentioned changes?

Exactly. And it can be you :)

[antonbabenko]

This issue has been resolved in version 1.85.0 🎉