sourcefuse · vijay-stephen · Jul 30, 2025 · Jun 19, 2025 · Jul 21, 2025 · Jul 25, 2025
diff --git a/.DS_Store b/.DS_Store
diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml
diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml
diff --git a/.github/workflows/terraform-test.yaml b/.github/workflows/terraform-test.yaml
@@ -0,0 +1,84 @@
+---
+name: Terratest
+on:        # yamllint disable-line rule:truthy
+  pull_request:
+    types: [opened]
+  workflow_dispatch:
+    inputs:
+      pr_number:
+        description: 'Pull Request Number'
+        required: true
+
+permissions:
+  id-token: write
+  contents: read
+  statuses: write  # Required for setting commit status
+
+jobs:
+  terratest:
+    runs-on: ubuntu-latest
+    name: Terratest Checks
+
+    env:
+      PR_NUMBER: >-
+        ${{ github.event_name == 'workflow_dispatch' &&
+        github.event.inputs.pr_number || github.event.pull_request.number }}
+    steps:
+      - name: Checkout PR code
+        uses: actions/checkout@v4
+        with:
+          ref: refs/pull/${{ env.PR_NUMBER }}/head
+
+      - name: Configure AWS credentials via OIDC
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ secrets.ARC_IAC_TERRATEST_ROLE }}
+          aws-region: us-east-1
+
+      - name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: '1.24'
+
+      - name: Set up Terraform
+        uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_version: 1.7.5
+          terraform_wrapper: false
+
+      - name: Create test directory and download go from S3
+        run: |
+          mkdir -p terra-test
+          aws s3 cp ${{ secrets.ARC_TERRATEST_GO_FILE }} terra-test/terra_test.go
+      - name: Initialize Go module and install dependencies
+        run: |
+          cd terra-test
+          ls
+          go mod init terraform-test || true
+          go get github.com/gruntwork-io/terratest/modules/terraform
+          go get github.com/stretchr/testify/assert
+          go mod tidy
+          go test -v -timeout 100m
+      - name: Report check status manually
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const pr_number = parseInt(process.env.PR_NUMBER);
+            const pr = await github.rest.pulls.get({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: pr_number,
+            });
+            const sha = pr.data.head.sha;
+            await github.rest.repos.createCommitStatus({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              sha: sha,
+              state: 'success',
+              context: 'terratest',
+              description: 'Manual terratest completed successfully',
+              target_url:
+                `https://github.com/${context.repo.owner}/${context.repo.repo}` +
+                `/actions/runs/${process.env.GITHUB_RUN_ID}`,
+            });
diff --git a/.github/workflows/tflint.yml b/.github/workflows/tflint.yml
@@ -12,8 +12,7 @@ on:                 # yamllint disable-line rule:truthy
 
 jobs:
   tflint:
-    runs-on:
-      - arc
+    runs-on: ubuntu-latest
     name: tflint
     steps:
       - uses: actions/checkout@master

diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
@@ -0,0 +1,163 @@
+---
+name: Trivy Security Scan with Security Hub Integration
+
+'on':
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+permissions:
+  security-events: write
+  contents: read
+  id-token: write
+  actions: read
+
+jobs:
+  security-scan:
+    runs-on: ubuntu-latest
+    env:
+      AWS_REGION: ${{ secrets.AWS_REGION }}
+      AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
+      ECR_REPO: ${{ secrets.ECR_REPO }}
+      IMAGE_TAG: ${{ github.sha }}
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4.0.2
+        with:
+          aws-region: ${{ secrets.AWS_REGION }}
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+          role-session-name: GitHubActions
+
+      - name: Verify AWS credentials
+        run: |
+          aws sts get-caller-identity
+          echo "AWS credentials configured successfully"
+
+      - name: Build Docker image
+        run: docker build -t test-image:latest .
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.30.0
+        continue-on-error: true
+        with:
+          image-ref: test-image:latest
+          severity: HIGH,CRITICAL
+          exit-code: 1
+          format: sarif
+          output: trivy-results.sarif
+
+      - name: Generate Security Hub findings
+        if: always()
+        run: |
+          # Scan with JSON format first to get structured data
+          trivy image \
+            --severity LOW,MEDIUM,HIGH,CRITICAL \
+            --exit-code 0 \
+            --format json \
+            -o scan-results.json \
+            test-image:latest
+
+          # Create ASFF findings using jq
+          cat scan-results.json | jq -r --arg account "$AWS_ACCOUNT_ID" --arg region "$AWS_REGION" '
+          [
+            .Results[]? | select(.Vulnerabilities) | .Vulnerabilities[] | {
+              "SchemaVersion": "2018-10-08",
+              "Id": ("trivy-" + .VulnerabilityID + "-" + (.PkgName // "unknown")),
+              "ProductArn": ("arn:aws:securityhub:" + $region + "::product/aquasecurity/aquasecurity"),
+              "GeneratorId": "Trivy",
+              "AwsAccountId": $account,
+              "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"],
+              "CreatedAt": (now | strftime("%Y-%m-%dT%H:%M:%SZ")),
+              "UpdatedAt": (now | strftime("%Y-%m-%dT%H:%M:%SZ")),
+              "Severity": {
+                "Label": .Severity
+              },
+              "Title": ("Trivy found " + .VulnerabilityID + " in " + (.PkgName // "unknown package")),
+              "Description": (.Description // "No description available"),
+              "Remediation": {
+                "Recommendation": {
+                  "Text": "Update the package to fix the vulnerability",
+                  "Url": ("https://avd.aquasec.com/nvd/" + .VulnerabilityID)
+                }
+              },
+              "ProductFields": {
+                "Product Name": "Trivy"
+              },
+              "Resources": [{
+                "Type": "Container",
+                "Id": "test-image:latest",
+                "Partition": "aws",
+                "Region": $region,
+                "Details": {
+                  "Container": {
+                    "ImageName": "test-image:latest"
+                  },
+                  "Other": {
+                    "CVE ID": .VulnerabilityID,
+                    "Package Name": (.PkgName // "unknown"),
+                    "Installed Version": (.InstalledVersion // "unknown"),
+                    "Fixed Version": (.FixedVersion // "Not available")
+                  }
+                }
+              }],
+              "RecordState": "ACTIVE"
+            }
+          ]
+          ' > findings.json
+        env:
+          AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
+          AWS_REGION: ${{ secrets.AWS_REGION }}
+
+      - name: Push findings to Security Hub
+        if: always()
+        continue-on-error: true
+        run: |
+          # Check if Security Hub is enabled
+          if ! aws securityhub describe-hub --region ${{ secrets.AWS_REGION }} >/dev/null 2>&1; then
+            echo "⚠️ Security Hub is not enabled in region ${{ secrets.AWS_REGION }}"
+            echo "Enable it with: aws securityhub enable-security-hub --region ${{ secrets.AWS_REGION }}"
+            exit 0
+          fi
+
+          # Check if findings file exists and has content
+          if [ -s findings.json ]; then
+            echo "✅ Findings file generated successfully"
+
+            # Debug: Show findings count
+            FINDINGS_COUNT=$(jq length findings.json)
+            echo "📊 Found $FINDINGS_COUNT findings to import"
+
+            if [ "$FINDINGS_COUNT" -gt 0 ]; then
+              # Import findings to Security Hub
+              aws securityhub batch-import-findings \
+                --region ${{ secrets.AWS_REGION }} \
+                --findings file://findings.json
+
+              echo "✅ $FINDINGS_COUNT findings imported to Security Hub successfully"
+            else
+              echo "ℹ️ No findings to import"
+            fi
+          else
+            echo "❌ Findings file is empty or does not exist"
+          fi
+
+      - name: Display Security Hub findings summary
+        if: always()
+        run: |
+          echo "📊 Security Hub Integration Summary:"
+          echo "Region: ${{ secrets.AWS_REGION }}"
+          echo "Account ID: ${{ secrets.AWS_ACCOUNT_ID }}"
+          echo "Image scanned: test-image:latest"
+
+          if [ -f findings.json ]; then
+            FINDINGS_COUNT=$(jq length findings.json 2>/dev/null || echo "0")
+            echo "✅ Findings file generated successfully"
+            echo "📄 Total findings: $FINDINGS_COUNT"
+            echo "📄 File size: $(wc -c < findings.json) bytes"
+          else
+            echo "❌ Findings file not found"
+          fi