Checkmarx / kics

Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx.
https://kics.io
Apache License 2.0

bug(terraform): scan results differ between .tf and respective .tfplan file #7112

Open Tohar-orca opened 5 months ago

Tohar-orca commented 5 months ago

Expected Behavior

When scanning a .tf file and its resulting .tfplan, KICS should return the same findings.

Actual Behavior

Scanning the attached tf files directory produces 13 results. Scanning the tfplan JSON, generated from the same tf files, produces only 1 result.

Steps to Reproduce the Problem

  1. Extract the attached .zip
  2. Scan the file with KICS (I used go run cmd/console/main.go scan -p "/path/to/directory" -d "generated_json")
  3. Run terraform plan -out=out.tfplan
  4. Run terraform show -json out.tfplan > out.json
  5. Scan the tfplan (go run cmd/console/main.go scan -p "/path/to/out.json" -d "generated_json")

Specifications

N/A
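To triage a discrepancy like the one reported above, it helps to compare the two JSON reports KICS writes (one for the .tf directory scan, one for the scan of the `terraform show -json` output) at the query level, since file names and line numbers necessarily differ between a .tf file and a plan JSON. The script below is an added example, not code from the KICS project or from the issue author; the report shape (a top-level `queries` list whose entries carry `query_id`, `query_name` and a `files` list of findings) is assumed from KICS's results.json format, and the two embedded reports and their query IDs are constructed for illustration.

```python
"""Compare two KICS JSON reports and list the queries whose findings differ.

Added example: not KICS project code. Intended use is
  python diff_kics_reports.py tf_results.json plan_results.json
with the JSON reports of the .tf directory scan and the .tfplan JSON scan.
Only the fields read below are assumed to exist in the report.
"""
import json
import sys
from typing import Dict, Tuple

# Constructed sample reports (shape assumed from KICS results.json; query IDs
# and the three "(constructed)" query names are made up for this example).
TF_REPORT = {
    "files_scanned": 2,
    "queries": [
        {"query_id": "cq-0001",
         "query_name": "CloudFront distributions don't have encryption in transit",
         "severity": "HIGH", "platform": "Terraform",
         "files": [{"file_name": "sample.tf", "line": 12},
                   {"file_name": "other.tf", "line": 40}]},
        {"query_id": "cq-0002", "query_name": "S3 bucket without versioning (constructed)",
         "severity": "MEDIUM", "platform": "Terraform",
         "files": [{"file_name": "sample.tf", "line": 55}]},
        {"query_id": "cq-0003", "query_name": "Security group open to 0.0.0.0/0 (constructed)",
         "severity": "HIGH", "platform": "Terraform",
         "files": [{"file_name": "sample.tf", "line": 70}]},
    ],
}

PLAN_REPORT = {
    "files_scanned": 1,
    "queries": [
        {"query_id": "cq-0001",
         "query_name": "CloudFront distributions don't have encryption in transit",
         "severity": "HIGH", "platform": "Terraform",
         "files": [{"file_name": "out.json", "line": 88}]},
        {"query_id": "cq-0004", "query_name": "Query seen only in the plan scan (constructed)",
         "severity": "LOW", "platform": "Terraform",
         "files": [{"file_name": "out.json", "line": 120}]},
    ],
}

# query_id -> (query_name, number of findings)
Summary = Dict[str, Tuple[str, int]]


def summarize(report: dict) -> Summary:
    """Collapse a report to one (name, finding count) pair per query ID."""
    return {q["query_id"]: (q["query_name"], len(q.get("files", [])))
            for q in report.get("queries", [])}


def diff_reports(tf_report: dict, plan_report: dict) -> dict:
    """Return which queries fire in only one report, or fire a different number of times."""
    tf, plan = summarize(tf_report), summarize(plan_report)
    return {
        "tf_total": sum(n for _, n in tf.values()),
        "plan_total": sum(n for _, n in plan.values()),
        "only_in_tf": sorted(set(tf) - set(plan)),
        "only_in_plan": sorted(set(plan) - set(tf)),
        "count_mismatch": sorted(q for q in set(tf) & set(plan) if tf[q][1] != plan[q][1]),
    }


def load_report(path: str) -> dict:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def print_diff(tf_report: dict, plan_report: dict) -> None:
    names = {**summarize(plan_report), **summarize(tf_report)}  # id -> (name, count)
    d = diff_reports(tf_report, plan_report)
    print(f"findings: tf={d['tf_total']} plan={d['plan_total']}")
    for key, label in (("only_in_tf", "only in .tf scan"),
                       ("only_in_plan", "only in plan scan"),
                       ("count_mismatch", "count differs")):
        for qid in d[key]:
            print(f"  [{label}] {qid}: {names[qid][0]}")


if __name__ == "__main__":
    if len(sys.argv) == 3:
        print_diff(load_report(sys.argv[1]), load_report(sys.argv[2]))
    else:
        print_diff(TF_REPORT, PLAN_REPORT)  # falls back to the constructed samples
```

Because the comparison keys on `query_id`, a finding that KICS reports against a different resource in the plan than in the source still counts as "present"; to chase such cases further, extend `summarize` to key on `(query_id, resource_type, resource_name)` once you have confirmed how KICS fills those fields for plan JSON input.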

Tohar-orca commented 1 month ago

Another example: the tfplan triggers a detection for "CloudFront distributions don't have encryption in transit", but the tf file (added .txt extension for GitHub's sake) does not. Attachments: tfplan.json, sample.tf.txt

Tohar-orca commented 1 month ago

@anterosilva1985 can you take a look please?