From dc07d2583382e31162334173181fad4fbd233b94 Mon Sep 17 00:00:00 2001
From: Emmanuel Nwakire <100969358+nuel247@users.noreply.github.com>
Date: Fri, 1 May 2026 15:38:32 -0400
Subject: [PATCH 1/4] add Trivy IaC security scanning workflow
---
.github/workflows/trivy.yaml | 60 ++++++++++++++++++++++++++++++++++++
1 file changed, 60 insertions(+)
create mode 100644 .github/workflows/trivy.yaml
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
new file mode 100644
index 00000000..e6477d8c
--- /dev/null
+++ b/.github/workflows/trivy.yaml
@@ -0,0 +1,60 @@
+name: Trivy Security Scan
+on:
+ pull_request:
+ paths:
+ - 'terraform/**'
+ - '.github/workflows/trivy.yaml'
+ push:
+ branches:
+ - main
+ paths:
+ - 'terraform/**'
+ - '.github/workflows/trivy.yaml'
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+ security-events: write
+
+jobs:
+ trivy-scan:
+ name: Trivy IaC Scan
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ # Table output for readable PR logs
+ - name: Run Trivy scanner (table output)
+ uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
+ with:
+ scan-type: 'fs'
+ scan-ref: 'terraform/'
+ scanners: 'vuln,secret,misconfig'
+ ignore-unfixed: false
+ exit-code: '0'
+ format: 'table'
+ severity: 'CRITICAL,HIGH'
+
+ # SARIF output for GitHub Security tab
+ - name: Run Trivy scanner (SARIF output)
+ uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
+ with:
+ scan-type: 'fs'
+ scan-ref: 'terraform/'
+ scanners: 'vuln,secret,misconfig'
+ ignore-unfixed: false
+ exit-code: '0'
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ severity: 'CRITICAL,HIGH'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ if: always()
+ with:
+ sarif_file: 'trivy-results.sarif'
+ category: 'trivy-iac'
\ No newline at end of file
From 5918087116f3b985042414d453708e97435f0f68 Mon Sep 17 00:00:00 2001
From: Emmanuel Nwakire <100969358+nuel247@users.noreply.github.com>
Date: Mon, 4 May 2026 16:05:18 -0400
Subject: [PATCH 2/4] add Trivy IaC security scanning workflow
---
.github/workflows/trivy.yaml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
index e6477d8c..bcbce1d2 100644
--- a/.github/workflows/trivy.yaml
+++ b/.github/workflows/trivy.yaml
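Review bot: Both Trivy steps set `exit-code: '0'`, so CRITICAL/HIGH findings never fail the job and, unless code-scanning alerts are enforced through branch protection, a pull request touching `terraform/**` can merge with the findings visible only in the log; if the scan is meant to gate merges, change the table step to `exit-code: '1'` (the SARIF step can stay at '0' since the upload already runs `if: always()`). Pinning is also inconsistent: `aquasecurity/trivy-action` is pinned to a full commit SHA with a `# v0.35.0` comment, while `actions/checkout@v4` and `github/codeql-action/upload-sarif@v3` float on mutable tags — pin them to full-length commit SHAs in the same style so the supply-chain posture is uniform across the workflow. Scanning the same tree twice (table, then SARIF) doubles run time; that is a style point, but a short comment on why two passes were chosen would help the next maintainer.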
@@ -38,6 +38,7 @@ jobs: exit-code: '0' format: 'table' severity: 'CRITICAL,HIGH' + skip-dirs: '.terraform' # SARIF output for GitHub Security tab - name: Run Trivy scanner (SARIF output)
@@ -51,6 +52,7 @@ jobs: format: 'sarif' output: 'trivy-results.sarif' severity: 'CRITICAL,HIGH' + skip-dirs: '.terraform' - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v3
From 3435da36a149ebf1b8836434e32ca9c827cb986b Mon Sep 17 00:00:00 2001
From: Emmanuel Nwakire <100969358+nuel247@users.noreply.github.com>
Date: Mon, 4 May 2026 22:58:02 -0400
Subject: [PATCH 3/4] add Trivy IaC security scanning workflow
---
.github/workflows/trivy.yaml | 57 ++++++++++++++++++++++++++++--------
1 file changed, 45 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
index bcbce1d2..90ae7ed1 100644
--- a/.github/workflows/trivy.yaml
+++ b/.github/workflows/trivy.yaml
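Review bot: `skip-dirs: '.terraform'` is a no-op on a fresh `actions/checkout` unless `.terraform` directories are committed, because nothing in the workflow runs `terraform init` to create them; if they are committed, the fix belongs in `.gitignore` rather than in the scanner configuration. The same line is added to the SARIF step in the second hunk, and PATCH 3/4 of this series removes both again, so the change could be dropped from the series altogether. If the skip is kept, confirm against Trivy's documentation that a bare `.terraform` matches provider caches nested below `scan-ref` and not only one at its top level.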
@@ -20,43 +20,76 @@ permissions: security-events: write jobs: - trivy-scan: - name: Trivy IaC Scan + trivy-aws: + name: Trivy IaC Scan (AWS) runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v4 - # Table output for readable PR logs - name: Run Trivy scanner (table output) uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 with: scan-type: 'fs' - scan-ref: 'terraform/' + scan-ref: 'terraform/aws/modules/' scanners: 'vuln,secret,misconfig' ignore-unfixed: false exit-code: '0' format: 'table' severity: 'CRITICAL,HIGH' - skip-dirs: '.terraform' - # SARIF output for GitHub Security tab - name: Run Trivy scanner (SARIF output) uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 with: scan-type: 'fs' - scan-ref: 'terraform/' + scan-ref: 'terraform/aws/modules/' scanners: 'vuln,secret,misconfig' ignore-unfixed: false exit-code: '0' format: 'sarif' - output: 'trivy-results.sarif' + output: 'trivy-aws-results.sarif' severity: 'CRITICAL,HIGH' - skip-dirs: '.terraform' - - name: Upload Trivy scan results to GitHub Security tab + - name: Upload AWS scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v3 if: always() with: - sarif_file: 'trivy-results.sarif' - category: 'trivy-iac' \ No newline at end of file + sarif_file: 'trivy-aws-results.sarif' + category: 'trivy-iac-aws' + + trivy-azure: + name: Trivy IaC Scan (Azure) + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Run Trivy scanner (table output) + uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 + with: + scan-type: 'fs' + scan-ref: 'terraform/azure/modules/' + scanners: 'vuln,secret,misconfig' + ignore-unfixed: false + exit-code: '0' + format: 'table' + severity: 'CRITICAL,HIGH' + + - name: Run Trivy scanner (SARIF output) + uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 + with: + scan-type: 
'fs'
+ scan-ref: 'terraform/azure/modules/'
+ scanners: 'vuln,secret,misconfig'
+ ignore-unfixed: false
+ exit-code: '0'
+ format: 'sarif'
+ output: 'trivy-azure-results.sarif'
+ severity: 'CRITICAL,HIGH'
+
+ - name: Upload Azure scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ if: always()
+ with:
+ sarif_file: 'trivy-azure-results.sarif'
+ category: 'trivy-iac-azure'
\ No newline at end of file
From 0f8ff05ce7b4f114a6208267e007065f0352d537 Mon Sep 17 00:00:00 2001
From: Emmanuel Nwakire <100969358+nuel247@users.noreply.github.com>
Date: Mon, 4 May 2026 23:09:24 -0400
Subject: [PATCH 4/4] add Trivy IaC security scanning workflow
---
.github/workflows/trivy.yaml | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
index 90ae7ed1..28cf3a9a 100644
--- a/.github/workflows/trivy.yaml
+++ b/.github/workflows/trivy.yaml
@@ -15,14 +15,13 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -permissions: - contents: read - security-events: write - jobs: trivy-aws: name: Trivy IaC Scan (AWS) runs-on: ubuntu-latest + permissions: + contents: read + security-events: write steps: - name: Checkout code uses: actions/checkout@v4
@@ -60,6 +59,9 @@ jobs: trivy-azure: name: Trivy IaC Scan (Azure) runs-on: ubuntu-latest + permissions: + contents: read + security-events: write steps: - name: Checkout code uses: actions/checkout@v4
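Review bot: Deleting the workflow-level `permissions:` block means any job added to this file later without its own block falls back to the repository's default `GITHUB_TOKEN` permissions, which may be permissive depending on repository settings; keep a restrictive baseline at the top (`permissions: {}`, or `contents: read` alone) and let `trivy-aws` and `trivy-azure` override it with `security-events: write` as this hunk does. The identical block is added to `trivy-azure` in the second hunk, so the same note applies there. One caveat, hedged because it depends on where pull requests come from: on `pull_request` runs from forks the token is read-only regardless of this grant, so the `upload-sarif` step would fail for such PRs and may need an `if:` guard or a separate trigger.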