I ran these commands one by one:
trivy config --tf-vars vars.tfvars --misconfig-scanners "terraform" s3.tf
No issues. (Because the count condition evaluated to false)
Then I used this command to generate a terraform plan as a snapshot:
terraform plan --var-file vars.tfvars --out tfplan
Then I ran the trivy command against the terraform snapshot:
trivy config --misconfig-scanners "terraformplan-snapshot" tfplan
3 open issues.
Then I ran the trivy command against the terraform snapshot, but this time with the tfvars file:
trivy config --tf-vars vars.tfvars --misconfig-scanners "terraformplan-snapshot" tfplan
No open issues this time.
The important thing is that I can run the terraform apply command against tfplan without passing the tfvars file and it works as expected, but that is not the case with trivy:
terraform apply tfplan
Desired Behavior
There should not be any open issues.
Actual Behavior
Inconsistent issue count between the terraform and terraformplan-snapshot scanners
Reproduction Steps
Reproduction steps are in the description.
Target
Filesystem
Scanner
Misconfiguration
Output Format
None
Mode
Standalone
Debug Output
trivy config --tf-vars vars.tfvars --misconfig-scanners "terraform" s3.tf --debug
2024-07-17T13:25:01+05:30 DEBUG Parsed severities severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-07-17T13:25:01+05:30 INFO Misconfiguration scanning is enabled
2024-07-17T13:25:01+05:30 DEBUG Policies successfully loaded from disk
2024-07-17T13:25:01+05:30 DEBUG Enabling misconfiguration scanners scanners=[terraform]
2024-07-17T13:25:01+05:30 DEBUG Initializing scan cache... type="memory"
2024-07-17T13:25:01+05:30 DEBUG [nuget] The nuget packages directory couldn't be found. License search disabled
2024-07-17T13:25:01+05:30 DEBUG Scanning files for misconfigurations... scanner="Terraform"
2024-07-17T13:25:01+05:30 DEBUG [misconf] 25:01.958515311 terraform.scanner Scanning [&{%!s(*mapfs.file=&{ [] {. 256 2147484096 {13951584389820366646 449715111 0x794e200} <nil>} {{{0 0} {[] {} 0xc00222c730} map[s3.tf:0xc002876160] 0}}}) }] at '.'...
2024-07-17T13:25:01+05:30 DEBUG [misconf] 25:01.961744044 terraform.scanner.rego Overriding filesystem for checks!
2024-07-17T13:25:01+05:30 DEBUG [misconf] 25:01.962682374 terraform.scanner.rego Loaded 3 embedded libraries.
2024-07-17T13:25:02+05:30 DEBUG [misconf] 25:02.015683300 terraform.scanner.rego Loaded 192 embedded policies.
2024-07-17T13:25:02+05:30 DEBUG [misconf] 25:02.078636752 terraform.scanner.rego Loaded 195 checks from disk.
2024-07-17T13:25:02+05:30 DEBUG [misconf] 25:02.079173674 terraform.scanner.rego Overriding filesystem for data!
2024-07-17T13:25:02+05:30 DEBUG [misconf] 25:02.411430132 terraform.parser.<root> Setting project/module root to '.'
2024-07-17T13:25:02+05:30 DEBUG [misconf] 25:02.411467069 terraform.parser.<root> Parsing FS from '.'
2024-07-17T13:25:02+05:30 DEBUG [misconf] 25:02.411488343 terraform.parser.<root> Parsing 's3.tf'...
2024-07-17T13:25:02+05:30 DEBUG [misconf] 25:02.411731693 terraform.parser.<root> Added file s3.tf.
2024-07-17T13:25:02+05:30 DEBUG [misconf] 25:02.411942245 terraform.scanner Scanning root module '.'...
2024-07-17T13:25:02+05:30 DEBUG [misconf] 25:02.411954228 terraform.parser.<root> Setting project/module root to '.'
2024-07-17T13:25:02+05:30 DEBUG [misconf] 25:02.411959368 terraform.parser.<root> Parsing FS from '.'
2024-07-17T13:25:02+05:30 DEBUG [misconf] 25:02.411967952 terraform.parser.<root> Parsing 's3.tf'...
2024-07-17T13:25:02+05:30 DEBUG [misconf] 25:02.412129070 terraform.parser.<root> Added file s3.tf.
2024-07-17T13:25:02+05:30 DEBUG [misconf] 25:02.412143822 terraform.parser.<root> Evaluating module...
2024-07-17T13:25:02+05:30 DEBUG [misconf] 25:02.412298165 terraform.parser.<root> Read 5 block(s) and 0 ignore(s) for module 'root' (1 file[s])...
2024-07-17T13:25:02+05:30 DEBUG [misconf] 25:02.412356122 terraform.parser.<root> Added 1 variables from tfvars.
2024-07-17T13:25:02+05:30 DEBUG [misconf] 25:02.412374139 terraform.parser.<root> Working directory for module evaluation is "/data/projects/miraterra/git/miraterrasoil-terraform/temp"
2024-07-17T13:25:02+05:30 DEBUG [misconf] 25:02.412422902 terraform.parser.<root>.evaluator Filesystem key is '0a7e25e5e4735afc4368d2be0973e1efe7e7f6120962d2c3ed517ef7700ce8f6'
2024-07-17T13:25:02+05:30 DEBUG [misconf] 25:02.412431293 terraform.parser.<root>.evaluator Starting module evaluation...
2024-07-17T13:25:02+05:30 DEBUG [misconf] 25:02.412614002 terraform.parser.<root>.evaluator Expanded block 'aws_s3_bucket.bucket' into 0 clones via 'count' attribute.
2024-07-17T13:25:02+05:30 DEBUG [misconf] 25:02.412634681 terraform.parser.<root>.evaluator Expanded block 'aws_s3_bucket_public_access_block.bucket' into 0 clones via 'count' attribute.
2024-07-17T13:25:02+05:30 DEBUG [misconf] 25:02.412652716 terraform.parser.<root>.evaluator Expanded block 'aws_s3_bucket_server_side_encryption_configuration.bucket' into 0 clones via 'count' attribute.
2024-07-17T13:25:02+05:30 DEBUG [misconf] 25:02.412659949 terraform.parser.<root>.evaluator Starting submodule evaluation...
2024-07-17T13:25:02+05:30 DEBUG [misconf] 25:02.412667126 terraform.parser.<root>.evaluator All submodules are evaluated at i=0
2024-07-17T13:25:02+05:30 DEBUG [misconf] 25:02.412672474 terraform.parser.<root>.evaluator Starting post-submodule evaluation...
2024-07-17T13:25:02+05:30 DEBUG [misconf] 25:02.412702763 terraform.parser.<root>.evaluator Finished processing 0 submodule(s).
2024-07-17T13:25:02+05:30 DEBUG [misconf] 25:02.412708757 terraform.parser.<root>.evaluator Module evaluation complete.
2024-07-17T13:25:02+05:30 DEBUG [misconf] 25:02.412714368 terraform.parser.<root> Finished parsing module 'root'.
2024-07-17T13:25:02+05:30 DEBUG [misconf] 25:02.412720946 terraform.executor Adapting modules...
2024-07-17T13:25:02+05:30 DEBUG [misconf] 25:02.412802955 terraform.executor Adapted 1 module(s) into defsec state data.
2024-07-17T13:25:02+05:30 DEBUG [misconf] 25:02.412811490 terraform.executor Using max routines of 7
2024-07-17T13:25:02+05:30 DEBUG [misconf] 25:02.412896550 terraform.executor Initialized 487 rule(s).
2024-07-17T13:25:02+05:30 DEBUG [misconf] 25:02.412904475 terraform.executor Created pool with 7 worker(s) to apply rules.
2024-07-17T13:25:02+05:30 DEBUG [misconf] 25:02.413159165 terraform.scanner.rego Scanning 1 inputs...
2024-07-17T13:25:02+05:30 DEBUG [misconf] 25:02.415645442 terraform.executor Finished applying rules.
2024-07-17T13:25:02+05:30 DEBUG [misconf] 25:02.415679151 terraform.executor Applying ignores...
2024-07-17T13:25:02+05:30 DEBUG OS is not detected.
2024-07-17T13:25:02+05:30 INFO Detected config files num=1
2024-07-17T13:25:02+05:30 DEBUG Scanned config file path="."
--------
trivy config --misconfig-scanners "terraformplan-snapshot" tfplan --debug
2024-07-17T13:26:00+05:30 DEBUG Parsed severities severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-07-17T13:26:00+05:30 INFO Misconfiguration scanning is enabled
2024-07-17T13:26:00+05:30 DEBUG Policies successfully loaded from disk
2024-07-17T13:26:00+05:30 DEBUG Enabling misconfiguration scanners scanners=[terraformplan-snapshot]
2024-07-17T13:26:00+05:30 DEBUG Initializing scan cache... type="memory"
2024-07-17T13:26:00+05:30 DEBUG [nuget] The nuget packages directory couldn't be found. License search disabled
2024-07-17T13:26:00+05:30 DEBUG Scanning files for misconfigurations... scanner="Terraform Plan Snapshot"
2024-07-17T13:26:00+05:30 DEBUG [misconf] 26:00.392926642 terraform.scanner Scanning [&{%!s(*memoryfs.dir=&{{{0 0} 0 0 {{} 0} {{} 0}} {. 256 {13951584452605597109 508654165 0x794e200} 2147484096 <nil>} map[] map[s3.tf:0xc001298880]})}] at '.'...
2024-07-17T13:26:00+05:30 DEBUG [misconf] 26:00.395630194 terraform.scanner.rego Overriding filesystem for checks!
2024-07-17T13:26:00+05:30 DEBUG [misconf] 26:00.396591784 terraform.scanner.rego Loaded 3 embedded libraries.
2024-07-17T13:26:00+05:30 DEBUG [misconf] 26:00.448536894 terraform.scanner.rego Loaded 192 embedded policies.
2024-07-17T13:26:00+05:30 DEBUG [misconf] 26:00.505785493 terraform.scanner.rego Loaded 195 checks from disk.
2024-07-17T13:26:00+05:30 DEBUG [misconf] 26:00.506184181 terraform.scanner.rego Overriding filesystem for data!
2024-07-17T13:26:00+05:30 DEBUG [misconf] 26:00.849516557 terraform.parser.<root> Setting project/module root to '.'
2024-07-17T13:26:00+05:30 DEBUG [misconf] 26:00.849544337 terraform.parser.<root> Parsing FS from '.'
2024-07-17T13:26:00+05:30 DEBUG [misconf] 26:00.849555093 terraform.parser.<root> Parsing 's3.tf'...
2024-07-17T13:26:00+05:30 DEBUG [misconf] 26:00.849729368 terraform.parser.<root> Added file s3.tf.
2024-07-17T13:26:00+05:30 DEBUG [misconf] 26:00.849964997 terraform.scanner Scanning root module '.'...
2024-07-17T13:26:00+05:30 DEBUG [misconf] 26:00.849978541 terraform.parser.<root> Setting project/module root to '.'
2024-07-17T13:26:00+05:30 DEBUG [misconf] 26:00.849983910 terraform.parser.<root> Parsing FS from '.'
2024-07-17T13:26:00+05:30 DEBUG [misconf] 26:00.849991049 terraform.parser.<root> Parsing 's3.tf'...
2024-07-17T13:26:00+05:30 DEBUG [misconf] 26:00.850140421 terraform.parser.<root> Added file s3.tf.
2024-07-17T13:26:00+05:30 DEBUG [misconf] 26:00.850149803 terraform.parser.<root> Evaluating module...
2024-07-17T13:26:00+05:30 DEBUG [misconf] 26:00.850312805 terraform.parser.<root> Read 5 block(s) and 0 ignore(s) for module 'root' (1 file[s])...
2024-07-17T13:26:00+05:30 DEBUG [misconf] 26:00.850329021 terraform.parser.<root> Added 0 variables from tfvars.
2024-07-17T13:26:00+05:30 DEBUG [misconf] 26:00.850349889 terraform.parser.<root> Working directory for module evaluation is "/data/projects/miraterra/git/miraterrasoil-terraform/temp"
2024-07-17T13:26:00+05:30 DEBUG [misconf] 26:00.850394467 terraform.parser.<root>.evaluator Filesystem key is '633a94f89efe375a2800bb3a0aab1e18309dcb26132032eac7208a5f3bb3fe7d'
2024-07-17T13:26:00+05:30 DEBUG [misconf] 26:00.850402388 terraform.parser.<root>.evaluator Starting module evaluation...
2024-07-17T13:26:00+05:30 DEBUG [misconf] 26:00.850622200 terraform.parser.<root>.evaluator Expanded block 'aws_s3_bucket.bucket' into 1 clones via 'count' attribute.
2024-07-17T13:26:00+05:30 DEBUG [misconf] 26:00.850701527 terraform.parser.<root>.evaluator Expanded block 'aws_s3_bucket_public_access_block.bucket' into 1 clones via 'count' attribute.
2024-07-17T13:26:00+05:30 DEBUG [misconf] 26:00.850771823 terraform.parser.<root>.evaluator Expanded block 'aws_s3_bucket_server_side_encryption_configuration.bucket' into 1 clones via 'count' attribute.
2024-07-17T13:26:00+05:30 DEBUG [misconf] 26:00.850782054 terraform.parser.<root>.evaluator Starting submodule evaluation...
2024-07-17T13:26:00+05:30 DEBUG [misconf] 26:00.850789140 terraform.parser.<root>.evaluator All submodules are evaluated at i=0
2024-07-17T13:26:00+05:30 DEBUG [misconf] 26:00.850794626 terraform.parser.<root>.evaluator Starting post-submodule evaluation...
2024-07-17T13:26:00+05:30 DEBUG [misconf] 26:00.850954831 terraform.parser.<root>.evaluator Finished processing 0 submodule(s).
2024-07-17T13:26:00+05:30 DEBUG [misconf] 26:00.850963304 terraform.parser.<root>.evaluator Module evaluation complete.
2024-07-17T13:26:00+05:30 DEBUG [misconf] 26:00.850970615 terraform.parser.<root> Finished parsing module 'root'.
2024-07-17T13:26:00+05:30 DEBUG [misconf] 26:00.850977980 terraform.executor Adapting modules...
2024-07-17T13:26:00+05:30 DEBUG [misconf] 26:00.851085558 terraform.executor Adapted 1 module(s) into defsec state data.
2024-07-17T13:26:00+05:30 DEBUG [misconf] 26:00.851096021 terraform.executor Using max routines of 7
2024-07-17T13:26:00+05:30 DEBUG [misconf] 26:00.851180665 terraform.executor Initialized 487 rule(s).
2024-07-17T13:26:00+05:30 DEBUG [misconf] 26:00.851188365 terraform.executor Created pool with 7 worker(s) to apply rules.
2024-07-17T13:26:00+05:30 DEBUG [misconf] 26:00.851736168 terraform.scanner.rego Scanning 1 inputs...
2024-07-17T13:26:00+05:30 DEBUG [misconf] 26:00.854815591 terraform.executor Finished applying rules.
2024-07-17T13:26:00+05:30 DEBUG [misconf] 26:00.854839154 terraform.executor Applying ignores...
2024-07-17T13:26:00+05:30 DEBUG OS is not detected.
2024-07-17T13:26:00+05:30 INFO Detected config files num=2
2024-07-17T13:26:00+05:30 DEBUG Scanned config file path="."
2024-07-17T13:26:00+05:30 DEBUG Scanned config file path="s3.tf"
s3.tf (terraformplan-snapshot)
Tests: 10 (SUCCESSES: 7, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 1, CRITICAL: 0)
LOW: Bucket has logging disabled
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Ensures S3 bucket logging is enabled for S3 buckets
See https://avd.aquasec.com/misconfig/s3-bucket-logging
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
s3.tf:18-22
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
18 ┌ resource "aws_s3_bucket" "bucket" {
19 │ count = var.env == "test" ? 1 : 0
20 │
21 │ bucket = "test-env"
22 └ }
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
MEDIUM: Bucket does not have versioning enabled
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Versioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket.
You can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets.
With versioning you can recover more easily from both unintended user actions and application failures.
See https://avd.aquasec.com/misconfig/avd-aws-0090
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
s3.tf:18-22
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
18 ┌ resource "aws_s3_bucket" "bucket" {
19 │ count = var.env == "test" ? 1 : 0
20 │
21 │ bucket = "test-env"
22 └ }
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
HIGH: Bucket does not encrypt data with a customer managed key.
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
s3.tf:24-34
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
24 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "bucket" {
25 │ count = var.env == "test" ? 1 : 0
26 │
27 │ bucket = aws_s3_bucket.bucket[0].bucket
28 │
29 │ rule {
30 │ apply_server_side_encryption_by_default {
31 │ sse_algorithm = "aws:kms"
32 └ }
..
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
----
----
trivy config --tf-vars vars.tfvars --misconfig-scanners "terraformplan-snapshot" tfplan --debug
2024-07-17T13:25:50+05:30 DEBUG Parsed severities severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-07-17T13:25:50+05:30 INFO Misconfiguration scanning is enabled
2024-07-17T13:25:50+05:30 DEBUG Policies successfully loaded from disk
2024-07-17T13:25:50+05:30 DEBUG Enabling misconfiguration scanners scanners=[terraformplan-snapshot]
2024-07-17T13:25:50+05:30 DEBUG Initializing scan cache... type="memory"
2024-07-17T13:25:50+05:30 DEBUG [nuget] The nuget packages directory couldn't be found. License search disabled
2024-07-17T13:25:50+05:30 DEBUG Scanning files for misconfigurations... scanner="Terraform Plan Snapshot"
2024-07-17T13:25:50+05:30 DEBUG [misconf] 25:50.319811872 terraform.scanner Scanning [&{%!s(*memoryfs.dir=&{{{0 0} 0 0 {{} 0} {{} 0}} {. 256 {13951584441795061130 497516540 0x794e200} 2147484096 <nil>} map[] map[s3.tf:0xc002b23c00]})}] at '.'...
2024-07-17T13:25:50+05:30 DEBUG [misconf] 25:50.322588615 terraform.scanner.rego Overriding filesystem for checks!
2024-07-17T13:25:50+05:30 DEBUG [misconf] 25:50.323639105 terraform.scanner.rego Loaded 3 embedded libraries.
2024-07-17T13:25:50+05:30 DEBUG [misconf] 25:50.373769353 terraform.scanner.rego Loaded 192 embedded policies.
2024-07-17T13:25:50+05:30 DEBUG [misconf] 25:50.429047570 terraform.scanner.rego Loaded 195 checks from disk.
2024-07-17T13:25:50+05:30 DEBUG [misconf] 25:50.429453125 terraform.scanner.rego Overriding filesystem for data!
2024-07-17T13:25:50+05:30 DEBUG [misconf] 25:50.747232011 terraform.parser.<root> Setting project/module root to '.'
2024-07-17T13:25:50+05:30 DEBUG [misconf] 25:50.747275749 terraform.parser.<root> Parsing FS from '.'
2024-07-17T13:25:50+05:30 DEBUG [misconf] 25:50.747287680 terraform.parser.<root> Parsing 's3.tf'...
2024-07-17T13:25:50+05:30 DEBUG [misconf] 25:50.747470173 terraform.parser.<root> Added file s3.tf.
2024-07-17T13:25:50+05:30 DEBUG [misconf] 25:50.747660875 terraform.scanner Scanning root module '.'...
2024-07-17T13:25:50+05:30 DEBUG [misconf] 25:50.747670939 terraform.parser.<root> Setting project/module root to '.'
2024-07-17T13:25:50+05:30 DEBUG [misconf] 25:50.747676072 terraform.parser.<root> Parsing FS from '.'
2024-07-17T13:25:50+05:30 DEBUG [misconf] 25:50.747682739 terraform.parser.<root> Parsing 's3.tf'...
2024-07-17T13:25:50+05:30 DEBUG [misconf] 25:50.747815722 terraform.parser.<root> Added file s3.tf.
2024-07-17T13:25:50+05:30 DEBUG [misconf] 25:50.747823362 terraform.parser.<root> Evaluating module...
2024-07-17T13:25:50+05:30 DEBUG [misconf] 25:50.747975141 terraform.parser.<root> Read 5 block(s) and 0 ignore(s) for module 'root' (1 file[s])...
2024-07-17T13:25:50+05:30 DEBUG [misconf] 25:50.748066405 terraform.parser.<root> Added 1 variables from tfvars.
2024-07-17T13:25:50+05:30 DEBUG [misconf] 25:50.748087432 terraform.parser.<root> Working directory for module evaluation is "/data/projects/miraterra/git/miraterrasoil-terraform/temp"
2024-07-17T13:25:50+05:30 DEBUG [misconf] 25:50.748128097 terraform.parser.<root>.evaluator Filesystem key is '9b8314b591fc9ac86c4ef3341908d9076453b7725329932452e7adedb3ced100'
2024-07-17T13:25:50+05:30 DEBUG [misconf] 25:50.748134791 terraform.parser.<root>.evaluator Starting module evaluation...
2024-07-17T13:25:50+05:30 DEBUG [misconf] 25:50.748320757 terraform.parser.<root>.evaluator Expanded block 'aws_s3_bucket.bucket' into 0 clones via 'count' attribute.
2024-07-17T13:25:50+05:30 DEBUG [misconf] 25:50.748342046 terraform.parser.<root>.evaluator Expanded block 'aws_s3_bucket_public_access_block.bucket' into 0 clones via 'count' attribute.
2024-07-17T13:25:50+05:30 DEBUG [misconf] 25:50.748358802 terraform.parser.<root>.evaluator Expanded block 'aws_s3_bucket_server_side_encryption_configuration.bucket' into 0 clones via 'count' attribute.
2024-07-17T13:25:50+05:30 DEBUG [misconf] 25:50.748365385 terraform.parser.<root>.evaluator Starting submodule evaluation...
2024-07-17T13:25:50+05:30 DEBUG [misconf] 25:50.748372905 terraform.parser.<root>.evaluator All submodules are evaluated at i=0
2024-07-17T13:25:50+05:30 DEBUG [misconf] 25:50.748377755 terraform.parser.<root>.evaluator Starting post-submodule evaluation...
2024-07-17T13:25:50+05:30 DEBUG [misconf] 25:50.748407774 terraform.parser.<root>.evaluator Finished processing 0 submodule(s).
2024-07-17T13:25:50+05:30 DEBUG [misconf] 25:50.748413403 terraform.parser.<root>.evaluator Module evaluation complete.
2024-07-17T13:25:50+05:30 DEBUG [misconf] 25:50.748418314 terraform.parser.<root> Finished parsing module 'root'.
2024-07-17T13:25:50+05:30 DEBUG [misconf] 25:50.748423902 terraform.executor Adapting modules...
2024-07-17T13:25:50+05:30 DEBUG [misconf] 25:50.748503605 terraform.executor Adapted 1 module(s) into defsec state data.
2024-07-17T13:25:50+05:30 DEBUG [misconf] 25:50.748511621 terraform.executor Using max routines of 7
2024-07-17T13:25:50+05:30 DEBUG [misconf] 25:50.748595595 terraform.executor Initialized 487 rule(s).
2024-07-17T13:25:50+05:30 DEBUG [misconf] 25:50.748602346 terraform.executor Created pool with 7 worker(s) to apply rules.
2024-07-17T13:25:50+05:30 DEBUG [misconf] 25:50.748875413 terraform.scanner.rego Scanning 1 inputs...
2024-07-17T13:25:50+05:30 DEBUG [misconf] 25:50.750849882 terraform.executor Finished applying rules.
2024-07-17T13:25:50+05:30 DEBUG [misconf] 25:50.750876224 terraform.executor Applying ignores...
2024-07-17T13:25:50+05:30 DEBUG OS is not detected.
2024-07-17T13:25:50+05:30 INFO Detected config files num=1
2024-07-17T13:25:50+05:30 DEBUG Scanned config file path="."
Operating System
Ubuntu 20.04
Version
Version: 0.53.0
Vulnerability DB:
Version: 2
UpdatedAt: 2023-09-11 06:16:57.742189926 +0000 UTC
NextUpdate: 2023-09-11 12:16:57.742189326 +0000 UTC
DownloadedAt: 2023-09-11 07:08:10.751619881 +0000 UTC
Check Bundle:
Digest: sha256:ef2d9ad4fce0f933b20a662004d7e55bf200987c180e7f2cd531af631f408bb3
DownloadedAt: 2024-07-17 03:55:39.691656479 +0000 UTC
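The root cause of the mismatch in the report above is that the plan snapshot already carries the resolved input variables (which is why terraform apply tfplan needs no tfvars), while the scanner re-evaluates the HCL without them, so every count = var.env == "test" ? 1 : 0 block is expanded as if the variable were present. Until the scanner reads variables out of the plan, a CI job can recover them itself. The following is an added example, not code from the issue or from the Trivy project: it reads the JSON that the real command terraform show -json tfplan prints, pulls the top-level "variables" map back out as a tfvars file to hand to --tf-vars, and lists the root-module resources whose count depends on a variable, which are exactly the blocks whose presence will differ between a vars-aware and a vars-blind scan. The embedded plan JSON is constructed to mirror the s3.tf described in the issue with env set to something other than "test"; the function names are this example's own.

```python
"""Recover input variables from a Terraform plan (JSON form) so a scanner can
be given the same values terraform apply would use.

Added example; not part of the Trivy issue or the Trivy project. Assumes the
layout of `terraform show -json tfplan` output: a top-level "variables" map of
{name: {"value": ...}} and, under configuration.root_module.resources, an
optional "count_expression" with a "references" list.
"""
import json
from typing import Any

# Constructed sample plan JSON mirroring the issue's s3.tf with env != "test".
# The fourth resource has no count and exists only to show the filter working.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "variables": {"env": {"value": "prod"}},
    "planned_values": {"root_module": {"resources": []}},
    "resource_changes": [],
    "configuration": {"root_module": {"resources": [
        {"address": "aws_s3_bucket.bucket", "type": "aws_s3_bucket", "name": "bucket",
         "count_expression": {"references": ["var.env"]}},
        {"address": "aws_s3_bucket_public_access_block.bucket",
         "type": "aws_s3_bucket_public_access_block", "name": "bucket",
         "count_expression": {"references": ["var.env"]}},
        {"address": "aws_s3_bucket_server_side_encryption_configuration.bucket",
         "type": "aws_s3_bucket_server_side_encryption_configuration", "name": "bucket",
         "count_expression": {"references": ["var.env"]}},
        {"address": "aws_kms_key.logs", "type": "aws_kms_key", "name": "logs"},
    ]}},
})


def plan_variables(plan_json: str) -> dict[str, Any]:
    """Return {name: value} for every input variable recorded in the plan."""
    plan = json.loads(plan_json)
    return {name: entry.get("value") for name, entry in plan.get("variables", {}).items()}


def count_dependent_resources(plan_json: str) -> dict[str, list[str]]:
    """Map each root-module resource whose count references a variable to the
    'var.*' references it uses. Nested modules are not walked here."""
    plan = json.loads(plan_json)
    resources = plan.get("configuration", {}).get("root_module", {}).get("resources", [])
    out: dict[str, list[str]] = {}
    for res in resources:
        refs = [r for r in res.get("count_expression", {}).get("references", [])
                if r.startswith("var.")]
        if refs:
            out[res["address"]] = refs
    return out


def hcl_string(s: str) -> str:
    """Quote a string as an HCL literal. Besides the usual escapes, '${' and
    '%{' are doubled so a recovered value is never re-interpreted as a
    template expression when the tfvars file is parsed."""
    escaped = (s.replace("\\", "\\\\").replace('"', '\\"')
               .replace("\n", "\\n").replace("\r", "\\r").replace("\t", "\\t")
               .replace("${", "$${").replace("%{", "%%{"))
    return f'"{escaped}"'


def hcl_literal(value: Any) -> str:
    """Render a JSON-derived value (bool, number, string, list, map) as HCL."""
    if isinstance(value, bool):          # bool is checked before int on purpose
        return "true" if value else "false"
    if value is None:
        return "null"
    if isinstance(value, (int, float)):
        return repr(value)
    if isinstance(value, str):
        return hcl_string(value)
    if isinstance(value, list):
        return "[" + ", ".join(hcl_literal(v) for v in value) + "]"
    if isinstance(value, dict):
        return "{ " + ", ".join(f"{k} = {hcl_literal(v)}" for k, v in value.items()) + " }"
    raise TypeError(f"unsupported value type: {type(value).__name__}")


def to_tfvars(variables: dict[str, Any]) -> str:
    """Render variables as tfvars text, one `name = value` line per variable."""
    return "".join(f"{name} = {hcl_literal(value)}\n"
                   for name, value in sorted(variables.items()))


if __name__ == "__main__":
    recovered = plan_variables(SAMPLE_PLAN_JSON)
    print(to_tfvars(recovered), end="")
    for address, refs in count_dependent_resources(SAMPLE_PLAN_JSON).items():
        print(f"# count of {address} depends on {', '.join(refs)}")
```

In a pipeline the input would come from terraform show -json tfplan rather than the embedded sample, and the generated file would be passed to the scanner with the same --tf-vars flag used in the report above. The plan JSON contains the resolved value of every variable, sensitive ones included, so the generated tfvars file belongs in a job-scoped temporary location rather than in the repository.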
Currently, Trivy does not handle variables that are stored in Terraform Plan in any way.
Discussed in #7178
Originally posted by cybersa July 17, 2024
Description
Consider this terraform file and terraform vars file:
s3.tf:
vars.tf