aquasecurity / trivy-action

Runs Trivy as GitHub action to scan your Docker container image for vulnerabilities
Apache License 2.0

Unable to exclude TF modules #352

Closed AnitaErnszt closed 4 months ago

AnitaErnszt commented 4 months ago

Hello,

I'm migrating from the tfsec GitHub Action to trivy but have been running into some issues. I'm using private Terraform modules, and the trivy check is failing on modules which are not even used in that repo.

I have tried adding TRIVY_TF_EXCLUDE_DOWNLOADED_MODULES or TRIVY_TF_EXCLUDE_DOWNLOADED_MODULES, but no luck 😞

As per the GH Actions documentation, I should be able to add extra flags as environment variables.

I can't reproduce the same error locally; it only happens in the CI/CD pipeline.

Current config:

    - name: Run Trivy vulnerability scanner in IaC mode
      uses: aquasecurity/trivy-action@master
      with:
        scan-type: 'config'
        scan-ref: ${{ inputs.terraform-directory }}
        hide-progress: false
        exit-code: '1'
        ignore-unfixed: true
        output: trivy.txt
      env:
        TRIVY_TF_EXCLUDE_DOWNLOADED_MODULES: true

If possible, I'd like to avoid having to add extra files to the repo, as I have 30+ repos to update. Configuring this via an input variable/flag would be ideal.

simar7 commented 4 months ago

@afdesk could you take a look at it?

simar7 commented 4 months ago

Looks like it was solved offline.

Keralin commented 3 months ago

Hey folks, I'm facing the same issue. How did you solve it, @AnitaErnszt?