Add trivy scan to replace tfsec (#78)

* Add trivy scan for testing

* update output format

* Use 0.13.0

* use version

* version lock trivy action

* use 0.12.0

* upload results

* Test with sed

* Update terraform.yaml

* Update terraform.yaml

---------

Co-authored-by: Poh Peng <thepoppingone@users.noreply.github.com>

Author: thepoppingone

.github/workflows/terraform.yaml

@@ -321,13 +321,28 @@ jobs:
           fetch-depth: 1
           submodules: ${{ inputs.enable_submodules }}
 
-      - name: Run tfsec with reviewdog output on the PR
-        uses: reviewdog/action-tfsec@master
+      - name: Run Trivy vulnerability scanner in IaC mode
+        uses: aquasecurity/trivy-action@0.12.0
         with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          reporter: github-pr-review
-          flags: -tee
-        if: inputs.upload_sarif != true
+          scan-type: 'config'
+          hide-progress: false
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          exit-code: '1'
+          ignore-unfixed: true
+          severity: 'CRITICAL,HIGH'
+
+      # https://github.com/aquasecurity/trivy/issues/5003
+      - name: Remove git from url for sarif uploading
+        shell: bash
+        run: | 
+          sed -i 's#git::https:/##g' trivy-results.sarif
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'
+        # if: inputs.upload_sarif == true
 
       - name: Run Checkov action
         id: checkov