Terraform Security Scanner for MyTutor

MyTutor is a UK-based online platform dedicated to one-to-one learning. Through a curated community of tutors, they provide personalised learning experiences to their customers.

I took over a project from a previous DevOps engineer who had recently left MyTutor. The project involves scanning Terraform files for vulnerabilities using the tfsec utility. Initially, the scan results were uploaded to Slack as an HTML file, which had to be downloaded and opened before any vulnerabilities could be identified.

I enhanced the scanner to process the report and post Slack messages indicating any vulnerabilities. The improvements included:

  • Sorting vulnerabilities to show critical errors first.
  • Grouping similar errors together to display as a single error.
  • Including in each Slack message the error priority, the error message, the error code, a link to the offending code, a suitable Slack emoji, a code snippet, a link to the error's documentation, and the number of occurrences of the error.
  • Reducing “alert fatigue” by only showing errors with a status of critical or high.

I also implemented a “tfsecignore” file, so that particular Terraform code could be excluded from checking.
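The post-processing described above (filtering to critical and high, grouping identical rules, sorting critical first, one Slack message per distinct finding) and the ignore file are illustrated by the following added example. It is not MyTutor's code or part of tfsec; tfsec's JSON field names (`results`, `rule_id`, `severity`, `description`, `resolution`, `links`, `location.filename`, `location.start_line`, `location.end_line`) are assumed from the tool's JSON output, the ignore-file format (`<rule_id or *> <path glob>` per line) is hypothetical, and the sample report, ignore file and repository URL are constructed.

```python
"""Turn a tfsec JSON report into Slack-ready messages (added example, not MyTutor's code)."""
import fnmatch
import json
import os
import urllib.request

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}
REPORTED = {"CRITICAL", "HIGH"}  # only these are posted, to limit alert fatigue
EMOJI = {"CRITICAL": ":rotating_light:", "HIGH": ":warning:"}

# Constructed sample report in the assumed tfsec JSON shape.
SAMPLE_REPORT = json.dumps({"results": [
    {"rule_id": "AWS017", "severity": "HIGH", "description": "Bucket does not have encryption enabled",
     "resolution": "Enable bucket encryption", "links": ["https://docs.example.invalid/AWS017"],
     "location": {"filename": "modules/s3/main.tf", "start_line": 12, "end_line": 18}},
    {"rule_id": "AWS017", "severity": "HIGH", "description": "Bucket does not have encryption enabled",
     "resolution": "Enable bucket encryption", "links": ["https://docs.example.invalid/AWS017"],
     "location": {"filename": "modules/logs/main.tf", "start_line": 3, "end_line": 9}},
    {"rule_id": "AWS006", "severity": "CRITICAL", "description": "Security group allows ingress from 0.0.0.0/0",
     "resolution": "Restrict the CIDR range", "links": ["https://docs.example.invalid/AWS006"],
     "location": {"filename": "modules/net/sg.tf", "start_line": 40, "end_line": 47}},
    {"rule_id": "AWS018", "severity": "LOW", "description": "Resource lacks a description",
     "resolution": "Add a description", "links": [],
     "location": {"filename": "modules/net/sg.tf", "start_line": 40, "end_line": 47}},
    {"rule_id": "AWS006", "severity": "CRITICAL", "description": "Security group allows ingress from 0.0.0.0/0",
     "resolution": "Restrict the CIDR range", "links": ["https://docs.example.invalid/AWS006"],
     "location": {"filename": "legacy/old.tf", "start_line": 5, "end_line": 9}},
]})

# Constructed ignore file in the hypothetical "<rule_id or *> <path glob>" format.
SAMPLE_IGNORE = """
# legacy code is scheduled for deletion; do not alert on it
* legacy/*
"""


def parse_ignore(text):
    """Return (rule_id, path_glob) pairs; blank lines and # comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule_id, _, path_glob = line.partition(" ")
        rules.append((rule_id, path_glob.strip() or "*"))
    return rules


def is_ignored(result, ignore_rules):
    """A result is ignored when a rule matches its rule_id (or '*') and its file path."""
    filename = result["location"]["filename"]
    return any(rule_id in ("*", result["rule_id"]) and fnmatch.fnmatch(filename, path_glob)
               for rule_id, path_glob in ignore_rules)


def group_findings(report_json, ignore_text=""):
    """Filter to reported severities, drop ignored results, group by rule_id, sort critical first."""
    ignore_rules = parse_ignore(ignore_text)
    groups = {}
    for r in json.loads(report_json)["results"]:
        sev = r["severity"].upper()
        if sev not in REPORTED or is_ignored(r, ignore_rules):
            continue
        g = groups.setdefault(r["rule_id"], {
            "rule_id": r["rule_id"], "severity": sev, "description": r["description"],
            "resolution": r.get("resolution", ""), "links": r.get("links", []), "locations": []})
        loc = r["location"]
        g["locations"].append((loc["filename"], loc["start_line"], loc["end_line"]))
    return sorted(groups.values(), key=lambda g: (SEVERITY_RANK.get(g["severity"], 99), g["rule_id"]))


def build_slack_messages(groups, repo_url, sources=None):
    """One message per grouped finding; `sources` maps filename -> file text for the snippet."""
    sources = sources or {}
    messages = []
    for g in groups:
        first_file, start, end = g["locations"][0]
        code_link = f"{repo_url}/blob/main/{first_file}#L{start}-L{end}"
        lines = [f"{EMOJI[g['severity']]} *{g['severity']}* `{g['rule_id']}`: {g['description']}",
                 f"Occurrences: {len(g['locations'])} (first at <{code_link}|{first_file}:{start}>)",
                 f"Fix: {g['resolution']}"]
        snippet = "\n".join(sources.get(first_file, "").splitlines()[start - 1:end])
        if snippet:
            lines.append(f"```\n{snippet}\n```")
        if g["links"]:
            lines.append(f"Docs: {g['links'][0]}")
        messages.append({"text": "\n".join(lines)})
    return messages


def post_to_slack(webhook_url, message):
    """POST one message payload to a Slack incoming webhook (assumed webhook URL from the environment)."""
    req = urllib.request.Request(webhook_url, data=json.dumps(message).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    msgs = build_slack_messages(group_findings(SAMPLE_REPORT, SAMPLE_IGNORE), "https://git.example.invalid/infra")
    for m in msgs:
        print(m["text"], "\n---")
    if os.environ.get("SLACK_WEBHOOK_URL"):  # placeholder: set to post for real
        for m in msgs:
            post_to_slack(os.environ["SLACK_WEBHOOK_URL"], m)
```

With the sample above, the LOW finding is dropped, the copy of AWS006 under `legacy/` is suppressed by the ignore file, and the two AWS017 hits collapse into a single message that reports two occurrences; the CRITICAL message is emitted first. Grouping on `rule_id` keeps a noisy rule from producing one message per resource, while the occurrence count and first-location link preserve enough detail to act on.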

The project was successful and helped keep our Terraform configurations free of vulnerabilities.