Replies: 1 comment 2 replies
-
|
@candrews thanks for your question, to summarize you are looking at having an SBoM for IaC, in this case Terraform specifically? We've thought about it in the past but didn't get to a conclusion. @knqyf263 what do you think? |
Beta Was this translation helpful? Give feedback.
-
Yes, exactly 👍 |
Beta Was this translation helpful? Give feedback.
-
|
It sounds good, but I'm unsure if we can maintain it. Due to the lack of standardization, even regular SBOMs have compatibility problems, and we've been spending so much time on that. If something already has a strict specification and we just implement it accordingly, that might be fine. |
Beta Was this translation helpful? Give feedback.
-
Description
Terraform supports dependency discovery for many languages / build systems already as documented at https://aquasecurity.github.io/trivy/v0.40/docs/vulnerability/detection/language/
I'd like Trivy to be able to do the same for Terraform via Terraform's lock file,
.terraform.lock.hcl, documented at https://developer.hashicorp.com/terraform/language/files/dependency-lockMy goal is to run Trivy to generate an SBOM which includes dependencies expressed in
.terraform.lock.hcl.For example, from a directory containing
.terraform.lock.hcl, I'd like to run:docker run -it -v "$(pwd)":/app:Z aquasec/trivy:latest filesystem --format cyclonedx --output sbom.cdx.json /appAnd then open
sbom.cdx.jsonand see the terraform dependencies. Currently, Trivy doesn't discover those dependencies sosbom.cdx.jsondoesn't list any dependencies.Target
Filesystem
Scanner
Vulnerability
Beta Was this translation helpful? Give feedback.
All reactions