🤖 ci: add terraform lint and security scanning#33
Merged
Conversation
Add Terraform-specific CI coverage gated by changed paths: - terraform fmt and validate - tflint with AWS ruleset plugin - trivy config scanning at HIGH/CRITICAL severity Also add local scanner configuration files under terraform/. --- _Generated with `mux` • Model: `openai:gpt-5.3-codex` • Thinking: `xhigh` • Cost: `$0.27`_ <!-- mux-attribution: model=openai:gpt-5.3-codex thinking=xhigh costs=0.27 -->
Member
Author
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 889dc84267
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Require the terraform CI job for publish-main so GHCR image publishes on main are blocked whenever Terraform validation/scanning fails. --- _Generated with `mux` • Model: `openai:gpt-5.3-codex` • Thinking: `xhigh` • Cost: `$0.27`_ <!-- mux-attribution: model=openai:gpt-5.3-codex thinking=xhigh costs=0.27 -->
Member
Author
|
@codex review |
|
Codex Review: Didn't find any major issues. Keep them coming! ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
Member
Author
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Add Terraform quality and security checks to CI using path-based gating and SHA-pinned actions.
Background
The repository has a Terraform root module under
terraform/, but CI previously did not run Terraform validation or IaC security scanning. This change ensures Terraform-specific regressions are caught during PR validation.Implementation
changesjob in.github/workflows/ci.yamlwith aterraformoutput and path filter.terraformCI job that runs:terraform fmt -check -diff -recursiveterraform init -backend=false -lockfile=readonly -input=falseterraform validate -no-colortflint --initandtflint --recursiveHIGH,CRITICALseveritiesterraform/.tflint.hclto enable the AWS ruleset plugin.terraform/.trivyignorewith documented, intentional sandbox-risk exceptions used by CI.Validation
make verify-vendormake testmake buildmake lintgo tool actionlintterraform -chdir=terraform fmt -check -diff -recursiveterraform -chdir=terraform init -backend=false -lockfile=readonly -input=falseterraform -chdir=terraform validate -no-colorcd terraform && tflint --init && tflint --recursivedocker run --rm -v "$(pwd):/work" -w /work aquasec/trivy:0.65.0 config terraform/ --severity HIGH,CRITICAL --ignorefile terraform/.trivyignore --exit-code 1Risks
.trivyignoresuppresses selected findings for sandbox-intended settings; future production-hardening should revisit these ignores.📋 Implementation Plan
Plan: Add Terraform linting + security scanning to CI
Context / Why
This repo contains a Terraform root module under
terraform/(AWS VPC + EKS + IAM). Today, CI does not run any Terraform checks, so formatting drift, config errors, or obvious security misconfigurations can land unnoticed.Goal: integrate three tools into
.github/workflows/ci.yamlin a way that matches the repo’s existing CI conventions (path-based job gating and SHA-pinned actions):terraform fmt -check+terraform validateEvidence (what was checked)
.github/workflows/ci.yaml: CI uses achangesjob withdorny/paths-filteroutputs (go,workflows,publish) to gate expensive jobs; actions are SHA-pinned.terraform/versions.tf: Terraformrequired_version = ">= 1.11"and uses ans3backend (bucket/key provided at init time), so CI must runterraform init -backend=false.terraform/variables.tf: defaults exist for variables (e.g.aws_region), soterraform validatecan run in CI without extra inputs.terraform/.terraform.lock.hcl: provider lockfile exists; CI should keep it immutable.Implementation details
1) Extend the
changesjob to detect Terraform/IaC changesFile:
.github/workflows/ci.yamlEdits:
terraformoutput alongsidego/workflows/publish.terraform:filter that matches Terraform code and Terraform-scanner config files.Shape of change (illustrative snippet):
Why include
.github/workflows/ci.yamlin the terraform filter?If the Terraform job is gated strictly on
terraform/**, then PRs that only modify the CI job definition could skip the Terraform job entirely. Includingci.yamlmakes Terraform checks run when their own CI wiring changes, which catches breakage early.2) Add a dedicated Terraform CI job
File:
.github/workflows/ci.yamlAdd a new job (e.g.
terraform) that:needs.changes.outputs.terraform == 'true'(or merge-group)depot-ubuntu-24.04Recommended steps (in order):
terraform fmt -check -diff -recursiveterraform init -backend=false -lockfile=readonly(avoid S3 and ensure lockfile isn’t modified)terraform validate -no-colortflint --initthentflint --recursiveterraform/Job skeleton (illustrative; actions must be SHA-pinned like the rest of the repo):
Notes / defensive choices:
-lockfile=readonlyso CI fails if a PR changes provider constraints but forgets to updateterraform/.terraform.lock.hcl.HIGH,CRITICALinitially to avoid blocking on low-signal findings.3) Add minimal TFLint configuration for the AWS ruleset
File:
terraform/.tflint.hclAdd a small config enabling the AWS ruleset plugin.
Starting point:
Version pinning guidance
uses: org/action@<commit-sha> # vX.Y.Z.4) Handle initial Trivy findings without blocking development
Trivy is likely to flag common EKS/VPC issues (e.g., public API endpoint enabled, missing encryption, permissive IAM). Decide per-finding:
.trivyignore(only for justified false positives / accepted risk)If needed: add a
terraform/.trivyignoreand reference it explicitly in the Trivy step.5) Validation (local + CI)
Before merging the CI integration, run the same commands locally to confirm behavior:
terraform -chdir=terraform fmt -check -diff -recursiveterraform -chdir=terraform init -backend=false -lockfile=readonly -input=falseterraform -chdir=terraform validate -no-colortflintfrom withinterraform/(ensure plugin init succeeds)trivy config terraform/ --severity HIGH,CRITICAL --exit-code 1Acceptance criteria
terraform/**(or the Terraform CI wiring) changes.terraform fmt -check)terraform validate)HIGH/CRITICALseverityGenerated with
mux• Model:openai:gpt-5.3-codex• Thinking:xhigh• Cost:$0.27