tfsec-to-trivy-migration-guide.md

File metadata and controls

90 lines (62 loc) · 3.26 KB

Migrating from tfsec to Trivy

Over time we've made Trivy the go-to scanning tool for a variety of targets, and that includes Terraform scanning. For further information, have a look at the announcement "tfsec is joining the Trivy family".

Main differences between Trivy and tfsec

Trivy's design keeps misconfiguration checks up to date automatically: new checks are pulled from the container registry at scan time. The checks embedded in the Trivy binary are only used as a fallback when Trivy cannot reach the remote registry. See the following documentation for further details.

Comparison with examples

Simple scan

With Trivy

$ trivy config <dir>

With tfsec

$ tfsec <dir>

The documentation can be found in Trivy under the following link.

Passing tfvars

With Trivy

$ trivy config --tf-vars <vars.tf> <dir>

With tfsec

$ tfsec <dir> --tf-vars-file <vars.tf>

The documentation can be found in Trivy under the following link.

Report formats

With Trivy

$ trivy config --format <format-type> <dir>

With tfsec

$ tfsec <dir> --format <format-type>

The documentation can be found in Trivy under the following link.

FAQs

Does Trivy support junit?

Yes, Trivy supports different report templates. These can either be set, loaded through a file or by providing a default template such as for JUnit.

For more information, please see the documentation.
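The comparison above and the JUnit answer describe the same flag-for-flag mapping. As an added example (not part of the Trivy or tfsec projects), the POSIX shell function below takes a tfsec invocation and prints the equivalent `trivy config` invocation, so a CI script can be migrated mechanically. It only handles the flags this guide covers (`--tf-vars-file` and `--format`) and rejects anything else rather than guessing; the JUnit case uses `--template` with the `contrib/junit.tpl` template shipped in the Trivy repository, which is assumed to be present relative to the working directory. Nothing is executed, so it runs offline.

```shell
#!/bin/sh
# Added example: translate a tfsec command line into the equivalent
# "trivy config" command line. Mapping, as in the migration guide:
#   tfsec <dir>               -> trivy config <dir>
#   --tf-vars-file <vars.tf>  -> --tf-vars <vars.tf>
#   --format <type>           -> --format <type>
#   --format junit            -> --format template --template @contrib/junit.tpl
#                                (JUnit template from the Trivy repo; assumed path)
# The result is printed, not run, so the translation can be reviewed first.
tfsec_to_trivy() {
    dir=""
    tf_vars=""
    format=""
    while [ $# -gt 0 ]; do
        case "$1" in
            --tf-vars-file)
                [ $# -ge 2 ] || { echo "--tf-vars-file needs a value" >&2; return 2; }
                tf_vars="$2"; shift 2 ;;
            --format)
                [ $# -ge 2 ] || { echo "--format needs a value" >&2; return 2; }
                format="$2"; shift 2 ;;
            --*)
                # Refuse to guess a mapping for flags the guide does not cover.
                echo "unsupported tfsec flag: $1" >&2; return 2 ;;
            *)
                dir="$1"; shift ;;
        esac
    done
    if [ -z "$dir" ]; then
        echo "usage: tfsec_to_trivy <dir> [--tf-vars-file <file>] [--format <type>]" >&2
        return 2
    fi

    cmd="trivy config"
    if [ -n "$tf_vars" ]; then
        cmd="$cmd --tf-vars $tf_vars"
    fi
    case "$format" in
        "") ;;
        junit) cmd="$cmd --format template --template @contrib/junit.tpl" ;;
        *)     cmd="$cmd --format $format" ;;
    esac
    echo "$cmd $dir"
}

# Usage: print the migrated command, then pipe it to sh once it looks right.
#   tfsec_to_trivy ./infra --tf-vars-file prod.tfvars --format junit
#   tfsec_to_trivy ./infra --format json | sh
```

The function keeps the directory as the last argument because `trivy config` expects the target after its flags. Paths containing spaces are not quoted in the printed command, so review the output before piping it to `sh`.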

Does Trivy support multiple outputs?

Currently, the following outputs are supported by Trivy:

  • Table
  • JSON
  • SARIF
  • Template
  • SBOM

e.g.

trivy config --output report.json --format json ./bad_iac/docker

This will save the JSON report to a file named report.json.

Documentation

Note that one report can be generated per scan. If you require several report formats, run the scan once per format; subsequent runs read the scan results from the cache rather than scanning the files again.

Can Trivy skip files?

Yes, you can specify that Trivy should skip a directory using the --skip-dirs flag.

Documentation

Alternatively, it is possible to skip individual files using the --skip-files flag.

Documentation

Feedback

We welcome any feedback if you find features that are available in tfsec but not yet available in Trivy misconfiguration scanning.

For further information on scanning terraform with Trivy, do have a look at the Trivy Terraform Guide.