
TFSec for terraform feature being deprecated/merged into Trivy

Open Clockwork-Muse opened this issue 1 year ago • 2 comments

TFSec, which is listed as part of the terraform feature, is being deprecated/merged into their other tool, Trivy:

Going forward we want to encourage the tfsec community to transition over to Trivy. Moving to Trivy gives you the same excellent Terraform scanning engine, with some extra benefits:

... I'm not sure what we want the behavior here to be....

Clockwork-Muse, Jul 22 '24 16:07

Hi 👋

Thanks for pointing it out. After reading the TFsec to Trivy migration guide, I think we should update the Terraform Feature as follows:

  • Add a New Feature Option: Add a new Feature option installTrivy (default: false) which installs Trivy (alongside TFsec).
  • Deprecation Strategy: If we want to deprecate the existing installTFsec Feature option, we would need to bump the major version. However, I suggest keeping it as is for now and adding a warning that the tool is migrating, advising users to use installTrivy instead. This will also give users some time to transition if needed.
    • After some time, we can create a new major version and deprecate the installTFsec Feature option.

@Clockwork-Muse, let us know if you have any additional thoughts here. Thanks!

samruddhikhandale, Jul 30 '24 18:07

That seems reasonable, although I perhaps wonder if instead - since it's a separate tool with many things unrelated to terraform - Trivy should be a separate feature (and tfsec instead being eventually deprecated and removed).

Trivy is already available in the contrib repo (as is tfsec), so the repo here potentially doesn't need to add a new feature, just mark the deprecation.

Clockwork-Muse, Jul 30 '24 23:07