Depends on #37

We should add checkov as a security tool prior to executing terraform commands

https://github.com/docker-library/official-images#init

Hi! I saw that you're using tfenv in this repository. It's a really good tool, but it does not support OpenTofu and Terragrunt. My team designed a successor of tenv that support Terraform, Terragrunt and OpenTofu. It will be a good idea to migrate into it in due to the growing popularity of OpenTofu.
url: https://github.com/tofuutils/tenv

https://github.com/docker-library/official-images#repeatability

https://github.com/docker-library/official-images#clarity

https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#label

While testing #63 discovered that the --skip-checkov argument in the terraform function is ignored if it follows one of the other --skip arguments. Examples below were run against ./tests/terraform/terrascan/insecure.tf

docker run -v $(pwd):/iac seiso/easy_infra /bin/bash -c "terraform --skip-terrascan --skip-checkov validate" 3 ↵
INFO:  Passed terraform init initialization
INFO:  Passed terraform validate validation
ERROR:  Failed checkov directory scan

docker run -v $(pwd):/iac seiso/easy_infra /bin/bash -c "terraform --skip-tfsec --skip-checkov validate"    
INFO:  Passed terraform init initialization
INFO:  Passed terraform validate validation
ERROR:  Failed checkov directory scan

docker run -v $(pwd):/iac seiso/easy_infra /bin/bash -c "terraform --skip-checkov --skip-tfsec validate"     1 ↵
INFO:  Passed terraform init initialization
INFO:  Passed terraform validate validation
WARNING:  Skipping checkov due to --skip-checkov
ERROR:  Failed terrascan recursive scan

1. Define environment/input variables for logging with fluent-bit
2. Define config for logging with fluent-bit

Instead of making this a md file in the repo, can you put this in Wrike or a GitHub issue?

Originally posted by @JonZeolla in #138 (comment)

Move to jinja2 templates to support more complex logic like multiple security checks for a given command (such as running tfsec and checkov before terraform)

Summary of the feature

Currently there is no built-in capability to run a fan-out, parallel scan all of the terraform in a supported VCS. For instance, a company may have 5,000 repositories in GitLab, and 1,200 of them contain terraform. We should support a way to clone a provided list of repositories in parallel (potentially in multiple runtimes environments, like separate lambdas or EC2 instances), scan the repositories for matching file extensions, run the appropriate security tools against the correct folders in that repository, and centralize the results.

Out of scope is the discovery/enumeration logic of which repositories exist; that should be handled by other projects.

Allstar has detected that this repository’s Outside Collaborators security policy is out of compliance. Status:
Did not find any owners of this repository
This policy requires all repositories to have an organization member or team assigned as an administrator. Either there are no administrators, or all administrators are outside collaborators. A responsible party is required by organization policy to respond to security events and organization requests.

To add an administrator From the main page of the repository, go to Settings -> Manage Access.
(For more information, see https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories)

Alternately, if this repository does not have any maintainers, archive or delete it.

This issue will auto resolve when the policy is in compliance.

Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.

https://github.com/docker-library/official-images#cacheability

https://github.com/docker-library/official-images#consistency

• Avoid insecure build-time approaches.
• Limit the privileges of the container at runtime by running as a non-root user.
• Add required docker image scanning to PRs, and also run a security scan on merge.

Currently the docs/requirements.txt file is static which could allow the dependency versions to fall behind. This file is used by the readthedocs.io pipeline to start a virtual environment with the required dependencies to build the documentation out of this repo for hosting on that site. Any automation to check for and deploy the latest version of those dependencies should exist in that pipeline instead of the github pipeline.

https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#dont-install-unnecessary-packages

• awscli example.
• az example.
• packer example.
• terraform example, including tfenv and caching.
• ansible example.

Add logging configuration options to the GitHub Action using Environment, Repository, and Organization secrets, and any other logging configuration options via fluent-bit.