feat: add trivy scan to plan to staging (#7)

* feat: add trivy scan to plan to staging

* fix(networking): terraform aws vpc module should not allow using all ports

* fix: bump locations_api module from v1.0.1 to v1.0.2

* fix(networking): terraform aws vpc module should not allow nacls rules to allow using all ports

* fix: added trivy ignore

* fix: s3 bucket kms encrypted + adding logs

* fix: s3 bucket kms encrypted + adding logs

* fix(database): trivy finding rds should always be encrypted for all envs

* fix(dataabse): restrict outbound traffic to private subnets

* fix: encryption on s3_image_moderatora quarantine bucket

* fix: added trivyignore rule

* fix: added trivyignore rules to allow public ingress

* fix: tls policy version and drop invaid headers

* fix: added trivyignore rule

* feat: trivy image scan docker image used by ecs

* feat: trivy docker image scan to not fail but report in findings in comment

* chore: bump infra-s3-image-moderator to v1.1.1

* fix: provide cidr block in security group not subnet ids

* fix: aws kms alias for frontend layer

* fix: frontend s3 cmk static web app bucket github action for spa

* fix: s3 cmk policy frontend to allow cluodfront to decrypt objects

* fix: s3 bucket for access logs to be encrypted

Author: lrasata

.github/workflows/plan-pr-to-staging.yml

@@ -44,13 +44,13 @@ jobs:
             -backend-config="encrypt=true"
           terraform validate
 
-      - name: Run TFSec Security Check
-        uses: aquasecurity/tfsec-action@v1.0.0
+      - name: Trivy IaC Scan
+        uses: aquasecurity/trivy-action@0.20.0
         with:
-          working_directory: terraform/layers/security
-          soft_fail: 'true'
-          format: sarif
-          additional_args: --minimum-severity MEDIUM
+          scan-type: config
+          scan-ref: terraform/layers/security
+          severity: HIGH,CRITICAL
+          exit-code: '1'
 
       - name: Terraform Plan (staging)
         working-directory: terraform/layers/security
@@ -108,13 +108,13 @@ jobs:
             -backend-config="encrypt=true"
           terraform validate
 
-      - name: Run TFSec Security Check
-        uses: aquasecurity/tfsec-action@v1.0.0
+      - name: Trivy IaC Scan
+        uses: aquasecurity/trivy-action@0.20.0
         with:
-          working_directory: terraform/layers/networking
-          soft_fail: 'true'
-          format: sarif
-          additional_args: --minimum-severity MEDIUM
+          scan-type: config
+          scan-ref: terraform/layers/networking
+          severity: HIGH,CRITICAL
+          exit-code: '1'
 
       - name: Terraform Plan (staging)
         working-directory: terraform/layers/networking
@@ -169,13 +169,13 @@ jobs:
             -backend-config="encrypt=true"
           terraform validate
 
-      - name: Run TFSec Security Check
-        uses: aquasecurity/tfsec-action@v1.0.0
+      - name: Trivy IaC Scan
+        uses: aquasecurity/trivy-action@0.20.0
         with:
-          working_directory: terraform/layers/database
-          soft_fail: 'true'
-          format: sarif
-          additional_args: --minimum-severity MEDIUM
+          scan-type: config
+          scan-ref: terraform/layers/database
+          severity: HIGH,CRITICAL
+          exit-code: '1'
 
       - name: Terraform Plan (staging)
         working-directory: terraform/layers/database
@@ -230,6 +230,22 @@ jobs:
           role-to-assume: arn:aws:iam::387836084035:role/githubTripPlannerInfraManager
           aws-region: ${{ secrets.AWS_REGION }}
 
+      - name: Trivy Image Scan (ECS backend image)
+        uses: aquasecurity/trivy-action@0.20.0
+        with:
+          scan-type: image
+          image-ref: ${{ env.TF_VAR_container_image }}
+          severity: HIGH,CRITICAL
+          exit-code: '0' # Do not fail the job on vulnerabilities
+          format: table
+          output: trivy-image-report.txt
+
+      - name: Upload Trivy image scan report
+        uses: actions/upload-artifact@v4
+        with:
+          name: trivy-image-backend
+          path: trivy-image-report.txt
+
       - name: Terraform Validate
         working-directory: terraform/layers/backend
         run: |
@@ -242,13 +258,13 @@ jobs:
             -backend-config="encrypt=true"
           terraform validate
 
-      - name: Run TFSec Security Check
-        uses: aquasecurity/tfsec-action@v1.0.0
+      - name: Trivy IaC Scan
+        uses: aquasecurity/trivy-action@0.20.0
         with:
-          working_directory: terraform/layers/backend
-          soft_fail: 'true'
-          format: sarif
-          additional_args: --minimum-severity MEDIUM
+          scan-type: config
+          scan-ref: terraform/layers/backend
+          severity: HIGH,CRITICAL
+          exit-code: '1'
 
       - name: Terraform Plan (staging)
         working-directory: terraform/layers/backend
@@ -312,13 +328,13 @@ jobs:
             -backend-config="encrypt=true"
           terraform validate
 
-      - name: Run TFSec Security Check
-        uses: aquasecurity/tfsec-action@v1.0.0
+      - name: Trivy IaC Scan
+        uses: aquasecurity/trivy-action@0.20.0
         with:
-          working_directory: terraform/layers/frontend
-          soft_fail: 'true'
-          format: sarif
-          additional_args: --minimum-severity MEDIUM
+          scan-type: config
+          scan-ref: terraform/layers/frontend
+          severity: HIGH,CRITICAL
+          exit-code: '1'
 
       - name: Terraform Plan (staging)
         working-directory: terraform/layers/frontend
@@ -346,28 +362,50 @@ jobs:
         with:
           path: plans/  # Download to plans/ directory
 
-      - name: Combine plans and post comment
+      - name: Combine plans and Trivy findings and post comment
         uses: actions/github-script@v7
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
             const fs = require('fs');
             const path = require('path');
+
+            let body = '### Terraform Plan (staging - All Layers)\n\n';
             const plansDir = 'plans';
-            let combinedBody = '### Terraform Plan (staging - All Layers)\n\n';
             const layers = ['security', 'networking', 'database', 'backend', 'frontend'];
+
             for (const layer of layers) {
               const planPath = path.join(plansDir, `terraform-plan-staging-${layer}`, 'tfplan.txt');
               if (fs.existsSync(planPath)) {
-                const body = fs.readFileSync(planPath, 'utf8');
-                const MAX_LEN = 15000;  // Shorter per layer to fit combined
-                const planPreview = body.length > MAX_LEN ? body.slice(0, MAX_LEN - 1000) + '\n\n...(truncated)' : body;
-                combinedBody += `#### ${layer}\n<details>\n<summary>Click to expand</summary>\n\n\`\`\`\n${planPreview}\n\`\`\`\n\n</details>\n\n`;
+                const content = fs.readFileSync(planPath, 'utf8');
+                const MAX_LEN = 15000;
+                const preview = content.length > MAX_LEN
+                  ? content.slice(0, MAX_LEN - 1000) + '\n\n...(truncated)'
+                  : content;
+
+                body += `#### ${layer}\n<details>\n<summary>Click to expand</summary>\n\n\`\`\`\n${preview}\n\`\`\`\n\n</details>\n\n`;
               }
             }
+
+            // ---- Trivy Image Scan Section ----
+            const trivyPath = path.join(plansDir, 'trivy-image-backend', 'trivy-image-report.txt');
+            if (fs.existsSync(trivyPath)) {
+              const trivyReport = fs.readFileSync(trivyPath, 'utf8').trim();
+              if (trivyReport) {
+                const MAX_LEN = 15000;
+                const preview = trivyReport.length > MAX_LEN
+                  ? trivyReport.slice(0, MAX_LEN) + '\n\n...(truncated)'
+                  : trivyReport;
+
+                body += '---\n\n';
+                body += '### 🔐 Trivy Image Scan (Backend ECS Image)\n\n';
+                body += `<details>\n<summary>Click to expand</summary>\n\n\`\`\`\n${preview}\n\`\`\`\n\n</details>\n\n`;
+              }
+            }
+
             await github.rest.issues.createComment({
               owner: context.repo.owner,
               repo: context.repo.repo,
               issue_number: context.issue.number,
-              body: combinedBody
-            });
+              body
+            });

.trivyignore

@@ -0,0 +1,13 @@
+# AVD-AWS-0105: Network ACL rule allows ingress from public internet. This is required for public-facing web applications to allow HTTP/HTTPS traffic from any IP. We acknowledge this as an accepted risk for our use case
+
+AVD-AWS-0105
+
+# ECS tasks require egress to 0.0.0.0/0 to reach the internet via NAT Gateway
+
+AVD-AWS-0104
+
+# ALB requires public ingress for HTTPS web access. This is an accepted risk for a public-facing web application.
+AVD-AWS-0107
+
+# ALB is intentionally public to serve internet traffic for the web application.
+AVD-AWS-0053

terraform/layers/backend/main.tf

@@ -83,10 +83,11 @@ module "file_uploader" {
 }
 
 module "image_moderator" {
-  source = "git::https://github.com/lrasata/infra-s3-image-moderator//modules/s3_image_moderator?ref=v1.1.0"
+  source = "git::https://github.com/lrasata/infra-s3-image-moderator//modules/s3_image_moderator?ref=v1.1.1"
 
   region                    = var.region
   environment               = var.environment
+  app_id                    = var.app_id
   s3_src_bucket_name        = module.file_uploader.uploads_bucket_id
   s3_src_bucket_arn         = module.file_uploader.uploads_bucket_arn
   s3_quarantine_bucket_name = "${var.quarantine_bucket_name}-${data.aws_caller_identity.current.account_id}"

terraform/layers/backend/modules/alb/main.tf

@@ -35,7 +35,7 @@ module "terraform_aws_alb" {
     {
       port            = 443
       protocol        = "HTTPS"
-      ssl_policy      = "ELBSecurityPolicy-2016-08"
+      ssl_policy      = "ELBSecurityPolicy-TLS-1-2-2017-01"
       certificate_arn = var.backend_certificate_arn
 
       default_action = {
@@ -45,6 +45,8 @@ module "terraform_aws_alb" {
     }
   ]
 
+  drop_invalid_header_fields = true
+
 }
 
 resource "aws_lb_listener" "http_redirect" {
@@ -71,7 +73,9 @@ resource "aws_security_group" "sg_alb" {
     App         = var.app_id
   }
 
+
   ingress {
+    description = "Allow public HTTPS access for web app"
     from_port   = 443
     to_port     = 443
     protocol    = "tcp"
@@ -82,7 +86,7 @@ resource "aws_security_group" "sg_alb" {
     from_port   = 0
     to_port     = 0
     protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
+    cidr_blocks = ["0.0.0.0/0"] # ECS tasks require egress to 0.0.0.0/0 to reach the internet via NAT Gateway
   }
 }
 

terraform/layers/database/main.tf

@@ -15,7 +15,7 @@ module "db" {
   engine_version          = "15"
   instance_class          = var.environment == "prod" ? "db.t3.medium" : "db.t3.micro"
   allocated_storage       = var.environment == "prod" ? 50 : 20 # GB
-  storage_encrypted       = var.environment == "prod" ? true : false
+  storage_encrypted       = true
   multi_az                = var.environment == "ephemeral" ? false : true
   backup_retention_period = var.environment == "prod" ? 7 : 0 # number of days
 
@@ -62,6 +62,6 @@ resource "aws_security_group" "sg_rds" {
     from_port   = 0
     to_port     = 0
     protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
+    cidr_blocks = try(data.terraform_remote_state.networking.outputs.private_subnet_cidrs, ["10.0.0.0/16"])
   }
 }

terraform/layers/frontend/main.tf

@@ -62,7 +62,7 @@ module "route53" {
 }
 
 module "locations_api" {
-  source = "git::https://github.com/lrasata/locations-api.git//modules/locations_api?ref=v1.0.1"
+  source = "git::https://github.com/lrasata/locations-api.git//modules/locations_api?ref=v1.0.2"
 
   region                    = var.region
   environment               = var.environment

terraform/layers/frontend/modules/s3/main.tf

@@ -4,6 +4,19 @@ resource "aws_s3_bucket" "s3_bucket" {
     Environment = var.environment
     App         = var.app_id
   }
+
+}
+
+# Enable server-side encryption with KMS
+resource "aws_s3_bucket_server_side_encryption_configuration" "uploads_encryption" {
+  bucket = aws_s3_bucket.s3_bucket.id
+
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm     = "aws:kms"
+      kms_master_key_id = aws_kms_key.s3_cmk.arn
+    }
+  }
 }
 
 #  Block public access to the S3 bucket

terraform/layers/frontend/modules/s3/s3_access_logs.tf

@@ -0,0 +1,69 @@
+# ============================================================================
+# Logging target bucket - S3 access logs
+# ============================================================================
+resource "aws_s3_bucket" "log_target" {
+  bucket = "${var.environment}-${var.app_id}-s3-access-logs"
+}
+
+resource "aws_s3_bucket_ownership_controls" "log_target_ownership" {
+  bucket = aws_s3_bucket.log_target.id
+
+  rule {
+    object_ownership = "BucketOwnerEnforced"
+  }
+}
+
+resource "aws_s3_bucket_versioning" "log_target_versioning" {
+  bucket = aws_s3_bucket.log_target.id
+
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
+resource "aws_s3_bucket_public_access_block" "log_target_block" {
+  bucket = aws_s3_bucket.log_target.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+resource "aws_s3_bucket_policy" "log_target_policy" {
+  bucket = aws_s3_bucket.log_target.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect    = "Allow"
+        Principal = { Service = "logging.s3.amazonaws.com" }
+        Action    = "s3:PutObject"
+        Resource  = "${aws_s3_bucket.log_target.arn}/*"
+      }
+    ]
+  })
+}
+
+resource "aws_s3_bucket_logging" "s3_bucket_logging" {
+  bucket        = aws_s3_bucket.s3_bucket.id
+  target_bucket = aws_s3_bucket.log_target.id
+  target_prefix = "${var.environment}-${var.app_id}-s3-bucket-access-logs/"
+
+  depends_on = [
+    aws_s3_bucket_policy.log_target_policy,
+    aws_s3_bucket_ownership_controls.log_target_ownership
+  ]
+}
+
+# Enable server-side encryption with customer-managed KMS key for access logs bucket
+resource "aws_s3_bucket_server_side_encryption_configuration" "log_target_encryption" {
+  bucket = aws_s3_bucket.log_target.id
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm     = "aws:kms"
+      kms_master_key_id = aws_kms_key.s3_cmk.arn
+    }
+  }
+}