Comment not relevant error when scanning specific folders #13

williamfalconeruk opened this issue Jul 13, 2021 · 8 comments

@williamfalconeruk

Hi,

I have a PR open here: ministryofjustice/opg-lpa#541
which has an action with multiple tfsec scans on different specific folders. The action is based on the example in the readme, but with a matrix for the terraform_path.

On a violation I am seeing errors similar to the following.

Comment not written [Resource aws_s3_bucket.mailbox has no associated aws_s3_bucket_public_access_block.], not part of the current PR

The commit to remove the ignore is also in this PR branch. Can you advise why this might be happening?
Please see example here in a run:

https://github.com/ministryofjustice/opg-lpa/pull/541/checks?check_run_id=3056251557#step:4:13

Any advice will be greatly appreciated.

@owenrumney
Contributor

Hey @williamfalconeruk - this is an odd one. The error is informational: it's telling you that you don't have logging on the bucket, yes, but it is dropping it on the floor because this PR isn't to blame for it.

The odd bit is that it is even raising an AWS002 when the ignore is in place.

Let me take a proper look and come back to you.

@owenrumney
Contributor

I was completely misreading this - the ignores are being removed not added 🤦

The pr-commenter is not as sophisticated as you maybe hope. It can't recognise that the resource block is now failing and should be stopped; it can only tell you about issues on lines that are specifically changed in the PR.

One option you have, with this being a public repo, is to use the tfsec-sarif-action which will report all issues across the branch of the PR and put them in the security scan block https://github.com/ministryofjustice/opg-lpa/security. As they do different tasks, I think both together would work around this.

In the meantime, I'll look at if we can make it more intelligent under #14
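To make the behaviour described in the comment above concrete, here is an added Python example (not code from tfsec-pr-commenter-action, tfsec, or anyone on this thread). It reconstructs the decision as the comment describes it: a finding only gets a PR comment when it lands on lines the diff adds. The unified diffs, the tfsec-shaped finding dict, and the function names are all constructed for illustration. The `include_removals` mode is a suggested refinement, not something the action does: it also counts the post-image position where a deleted line used to sit, so removing an `#tfsec:ignore` comment from the line above a resource still touches that resource block.

```python
import re
from typing import Dict, Set

# Constructed unified diff: the PR deletes the ignore comment that sat on the
# line ABOVE the resource. Nothing is added, so the post-image has no "+" lines.
DIFF_IGNORE_ABOVE = """\
diff --git a/terraform/s3.tf b/terraform/s3.tf
--- a/terraform/s3.tf
+++ b/terraform/s3.tf
@@ -1,4 +1,3 @@
-#tfsec:ignore:AWS002
 resource "aws_s3_bucket" "mailbox" {
   bucket = "mailbox"
 }
"""

# Constructed variant: the same ignore was INLINE on the resource line, so
# deleting it rewrites that line and post-image line 1 counts as added.
DIFF_IGNORE_INLINE = """\
diff --git a/terraform/s3.tf b/terraform/s3.tf
--- a/terraform/s3.tf
+++ b/terraform/s3.tf
@@ -1,3 +1,3 @@
-resource "aws_s3_bucket" "mailbox" { #tfsec:ignore:AWS002
+resource "aws_s3_bucket" "mailbox" {
   bucket = "mailbox"
 }
"""

# Constructed finding in the shape of a tfsec result for the post-change file:
# the check fires on the whole resource block, lines 1-3 (1-based).
FINDING = {
    "rule_id": "AWS002",
    "filename": "terraform/s3.tf",
    "start_line": 1,
    "end_line": 3,
    "description": "Resource aws_s3_bucket.mailbox has no associated "
                   "aws_s3_bucket_public_access_block.",
}

# Hunk header: we only need the post-image start line (the "+N" part).
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def changed_positions(diff: str, include_removals: bool = False) -> Dict[str, Set[int]]:
    """Return {filename: set of post-image line numbers touched by the diff}.

    By default only "+" lines count, which is the behaviour the thread
    describes. With include_removals=True a "-" line also marks the
    post-image position where the removal landed, so a pure deletion
    still touches the block it was removed from.
    """
    positions: Dict[str, Set[int]] = {}
    current = None
    new_line = 0
    for line in diff.splitlines():
        if line.startswith("+++ "):
            current = line[4:]
            if current.startswith("b/"):
                current = current[2:]
            positions.setdefault(current, set())
            continue
        if line.startswith(("diff ", "index ", "--- ", "\\")):
            continue  # file headers and "\ No newline at end of file"
        header = HUNK_HEADER.match(line)
        if header:
            new_line = int(header.group(1))
            continue
        if current is None:
            continue
        if line.startswith("+"):
            positions[current].add(new_line)
            new_line += 1
        elif line.startswith("-"):
            if include_removals:
                positions[current].add(new_line)
            # a removed line has no post-image number, so no increment
        else:
            new_line += 1  # unchanged context line
    return positions


def should_comment(finding: dict, diff: str, include_removals: bool = False) -> bool:
    """True when some line of the finding's block is a changed position in the PR."""
    touched = changed_positions(diff, include_removals).get(finding["filename"], set())
    block = range(finding["start_line"], finding["end_line"] + 1)
    return any(n in touched for n in block)


if __name__ == "__main__":
    for name, diff in (("ignore above", DIFF_IGNORE_ABOVE), ("ignore inline", DIFF_IGNORE_INLINE)):
        basic = should_comment(FINDING, diff)
        strict = should_comment(FINDING, diff, include_removals=True)
        print(f"{name}: added-lines-only={basic} with-removals={strict}")
```

Running it shows the asymmetry the thread ran into: deleting an ignore that lived on its own line above the resource produces a diff with no added lines at all, so the "added lines only" rule drops the AWS002 finding as "not part of the current PR", while deleting the same ignore from the end of the resource line rewrites line 1 and the comment is written. Counting removal positions makes both cases comment.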

@williamfalconeruk
Author

williamfalconeruk commented Jul 19, 2021 via email

@heathsnow

I too have run into this issue. I don't get the issue with this tfsec action though, so I'm continuing to use it (in private repos) until this gets sorted.

@grounded042

I am having this issue as well. I've followed what @heathsnow mentioned, but I'd really like to be able to use the comment functionality that this action offers.

@grounded042

Update on the above - I switched to https://github.com/reviewdog/action-tfsec and commenting works great.

@yicheung

yicheung commented Jan 7, 2022

Hi,
I'm still running into these issues with violation errors and no comments, even on the same PR. Any updates would be great, as I'm hoping to use aquasecurity official repos.
Thanks in advance.

@RafPe

RafPe commented May 10, 2022

Is there any update on this issue?

6 participants