Closed nikpivkin closed 1 year ago
By the way, Trivy says that it found 3 configuration files, but there are only 2 of them:
tree
.
├── main.tf
└── modules
└── s3
└── main.tf
This is probably why
2023-08-14T16:47:42.303-0600 DEBUG Scanned config file: modules/s3
2023-08-14T16:47:42.303-0600 DEBUG Scanned config file: modules/s3/main.tf
2023-08-14T16:47:42.303-0600 DEBUG Scanned config file: .
tree -a
.
├── main.tf
└── modules
└── s3
└── main.tf
3 directories, 2 files
In such case, what output do you expect to see? Two cases can be made:
1. main.tf issues: anything that main.tf imports or is a reference outside of main.tf, for instance in modules/s3/main.tf, will be pointed to as a source from main.tf. Doing this will make us lose visibility into modules/s3/main.tf.
2. modules/s3/main.tf results and refer to them when showing misconfiguration scan results. In such a case it is easy to point the user to where the problem actually originated, but it might not be the first place they would look, as that would be main.tf and not modules/s3/main.tf.
Another option we can have is "via". Instead of showing 2 separate results for the 2 main.tf files, we can show one result but refer to the chain. See example below:
main.tf:3
  via modules/s3/main.tf:12
@simar7 I expect to see the same result as when using remote modules, for example from the terraform registry. This rather refers to the "via" option.
module "s3_bucket" {
source = "terraform-aws-modules/s3-bucket/aws"
bucket = "my-s3-bucket"
acl = "private"
control_object_ownership = true
object_ownership = "ObjectWriter"
}
Output:
trivy config . -d
2023-08-15T09:37:35.684+0700 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-08-15T09:37:35.693+0700 DEBUG cache dir: /Users/tososomaru/Library/Caches/trivy
2023-08-15T09:37:35.693+0700 DEBUG Module dir: /Users/tososomaru/.trivy/modules
2023-08-15T09:37:35.693+0700 INFO Misconfiguration scanning is enabled
2023-08-15T09:37:35.693+0700 DEBUG Policies successfully loaded from disk
2023-08-15T09:37:35.714+0700 DEBUG Walk the file tree rooted at '.' in parallel
2023-08-15T09:37:35.715+0700 DEBUG Scanning Terraform files for misconfigurations...
2023-08-15T09:37:39.460+0700 DEBUG OS is not detected.
2023-08-15T09:37:39.460+0700 INFO Detected config files: 2
2023-08-15T09:37:39.460+0700 DEBUG Scanned config file: .
2023-08-15T09:37:39.460+0700 DEBUG Scanned config file: git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=v3.14.1/main.tf
git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=v3.14.1/main.tf (terraform)
Tests: 11 (SUCCESSES: 6, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (UNKNOWN: 0, LOW: 1, MEDIUM: 2, HIGH: 2, CRITICAL: 0)
HIGH: Bucket does not have encryption enabled
═══════════════════════════════════════════════════════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.
See https://avd.aquasec.com/misconfig/avd-aws-0088
───────────────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=v3.14.1/main.tf:21-30
───────────────────────────────────────────────────────────────────────────────────────────
21 ┌ resource "aws_s3_bucket" "this" {
22 │ count = local.create_bucket ? 1 : 0
23 │
24 │ bucket = var.bucket
25 │ bucket_prefix = var.bucket_prefix
26 │
27 │ force_destroy = var.force_destroy
28 │ object_lock_enabled = var.object_lock_enabled
29 │ tags = var.tags
30 └ }
───────────────────────────────────────────────────────────────────────────────────────────
MEDIUM: Bucket does not have logging enabled
═══════════════════════════════════════════════════════════════════════════════════════════
Buckets should have logging enabled so that access can be audited.
See https://avd.aquasec.com/misconfig/avd-aws-0089
───────────────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=v3.14.1/main.tf:21-30
───────────────────────────────────────────────────────────────────────────────────────────
21 ┌ resource "aws_s3_bucket" "this" {
22 │ count = local.create_bucket ? 1 : 0
23 │
24 │ bucket = var.bucket
25 │ bucket_prefix = var.bucket_prefix
26 │
27 │ force_destroy = var.force_destroy
28 │ object_lock_enabled = var.object_lock_enabled
29 │ tags = var.tags
30 └ }
───────────────────────────────────────────────────────────────────────────────────────────
MEDIUM: Bucket does not have versioning enabled
═══════════════════════════════════════════════════════════════════════════════════════════
Versioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket.
You can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets.
With versioning you can recover more easily from both unintended user actions and application failures.
See https://avd.aquasec.com/misconfig/avd-aws-0090
───────────────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=v3.14.1/main.tf:21-30
───────────────────────────────────────────────────────────────────────────────────────────
21 ┌ resource "aws_s3_bucket" "this" {
22 │ count = local.create_bucket ? 1 : 0
23 │
24 │ bucket = var.bucket
25 │ bucket_prefix = var.bucket_prefix
26 │
27 │ force_destroy = var.force_destroy
28 │ object_lock_enabled = var.object_lock_enabled
29 │ tags = var.tags
30 └ }
───────────────────────────────────────────────────────────────────────────────────────────
HIGH: Bucket does not encrypt data with a customer managed key.
═══════════════════════════════════════════════════════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
───────────────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=v3.14.1/main.tf:21-30
───────────────────────────────────────────────────────────────────────────────────────────
21 ┌ resource "aws_s3_bucket" "this" {
22 │ count = local.create_bucket ? 1 : 0
23 │
24 │ bucket = var.bucket
25 │ bucket_prefix = var.bucket_prefix
26 │
27 │ force_destroy = var.force_destroy
28 │ object_lock_enabled = var.object_lock_enabled
29 │ tags = var.tags
30 └ }
───────────────────────────────────────────────────────────────────────────────────────────
LOW: Bucket has logging disabled
═══════════════════════════════════════════════════════════════════════════════════════════
Ensures S3 bucket logging is enabled for S3 buckets.
See https://avd.aquasec.com/misconfig/n/a
───────────────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=v3.14.1/main.tf:21-30
───────────────────────────────────────────────────────────────────────────────────────────
21 ┌ resource "aws_s3_bucket" "this" {
22 │ count = local.create_bucket ? 1 : 0
23 │
24 │ bucket = var.bucket
25 │ bucket_prefix = var.bucket_prefix
26 │
27 │ force_destroy = var.force_destroy
28 │ object_lock_enabled = var.object_lock_enabled
29 │ tags = var.tags
30 └ }
───────────────────────────────────────────────────────────────────────────────────────────
As you can see, there is no duplication.
It's unclear to me what needs to be done here. @nikpivkin can you elaborate?
@simar7 I expect Trivy to not scan child local modules as separate configurations (same behavior as with remote modules).
I don't know why, but this change breaks subfolders in the most strange manner.
E.g., if you put the files in the original issue like this:
modules/s3/main.tf -> testcase/modules/s3/main.tf
modules/main.tf -> testcase/main.tf
Executing trivy config --debug . -f json | jq '.Results[] | .Misconfigurations | .[]?.Title' in .:
2023-11-02T23:48:26.380+0100 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-11-02T23:48:26.404+0100 DEBUG cache dir: /home/bgerda/.cache/trivy
2023-11-02T23:48:26.404+0100 INFO Misconfiguration scanning is enabled
2023-11-02T23:48:26.404+0100 DEBUG Policies successfully loaded from disk
2023-11-02T23:48:26.414+0100 DEBUG The nuget packages directory couldn't be found. License search disabled
2023-11-02T23:48:26.428+0100 DEBUG Walk the file tree rooted at '.' in parallel
2023-11-02T23:48:26.428+0100 DEBUG Scanning Terraform files for misconfigurations...
2023-11-02T23:48:27.051+0100 DEBUG OS is not detected.
2023-11-02T23:48:27.051+0100 INFO Detected config files: 2
2023-11-02T23:48:27.051+0100 DEBUG Scanned config file: testcase
2023-11-02T23:48:27.051+0100 DEBUG Scanned config file: terraform-aws-modules/s3-bucket/aws/main.tf
"Unencrypted S3 bucket."
"S3 Bucket Logging"
"S3 Data should be versioned"
"S3 encryption should use Customer Managed Keys"
Executing trivy config --debug testcase -f json | jq '.Results[] | .Misconfigurations | .[]?.Title' in .:
2023-11-02T23:49:06.381+0100 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-11-02T23:49:06.397+0100 DEBUG cache dir: /home/bgerda/.cache/trivy
2023-11-02T23:49:06.397+0100 INFO Misconfiguration scanning is enabled
2023-11-02T23:49:06.397+0100 DEBUG Policies successfully loaded from disk
2023-11-02T23:49:06.412+0100 DEBUG The nuget packages directory couldn't be found. License search disabled
2023-11-02T23:49:06.412+0100 DEBUG Walk the file tree rooted at 'testcase' in parallel
2023-11-02T23:49:06.412+0100 DEBUG Scanning Terraform files for misconfigurations...
2023-11-02T23:49:06.979+0100 DEBUG OS is not detected.
2023-11-02T23:49:06.979+0100 INFO Detected config files: 0
jq: error (at <stdin>:17): Cannot iterate over null (null)
Executing trivy config --debug testcase -f json | jq '.Results[] | .Misconfigurations | .[]?.Title' in testcase:
2023-11-02T23:49:49.739+0100 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-11-02T23:49:49.761+0100 DEBUG cache dir: /home/bgerda/.cache/trivy
2023-11-02T23:49:49.761+0100 INFO Misconfiguration scanning is enabled
2023-11-02T23:49:49.761+0100 DEBUG Policies successfully loaded from disk
2023-11-02T23:49:49.774+0100 DEBUG The nuget packages directory couldn't be found. License search disabled
2023-11-02T23:49:49.786+0100 DEBUG Walk the file tree rooted at '.' in parallel
2023-11-02T23:49:49.786+0100 DEBUG Scanning Terraform files for misconfigurations...
2023-11-02T23:49:50.361+0100 DEBUG OS is not detected.
2023-11-02T23:49:50.361+0100 INFO Detected config files: 0
jq: error (at <stdin>:17): Cannot iterate over null (null)
I would assume all 3 cases to yield the same result.
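As an added example (my own code, not part of this thread or of the Trivy project), here is a small Python script that reads the JSON written by trivy config -f json the way the jq filter above does, but tolerates a report with no Results key (the "Cannot iterate over null" failure shown above) and flags any finding that is reported under more than one target, which is the root-module/child-module duplication this issue is about. It also tags targets that live under a .terraform directory, since those are modules fetched by terraform init rather than the project's own code. The field names (Results, Target, Misconfigurations, ID, Title, Severity, CauseMetadata.Resource) follow Trivy's JSON output schema as I know it; both report bodies are constructed samples, not real scan output.

```python
import json
from collections import defaultdict
from pathlib import PurePosixPath

# Constructed sample in the shape of `trivy config -f json` output (assumed field
# names: Results -> Target / Misconfigurations -> ID, Title, Severity, CauseMetadata).
# The root module "." and its local child module both report the same check on the
# same bucket, which is the duplication the issue describes.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": ".",
    "Results": [
        {
            "Target": ".", "Class": "config", "Type": "terraform",
            "Misconfigurations": [
                {"ID": "AVD-AWS-0088", "Title": "Unencrypted S3 bucket.", "Severity": "HIGH",
                 "CauseMetadata": {"Resource": "module.s3.aws_s3_bucket.this",
                                   "StartLine": 3, "EndLine": 5}},
            ],
        },
        {
            "Target": "modules/s3/main.tf", "Class": "config", "Type": "terraform",
            "Misconfigurations": [
                {"ID": "AVD-AWS-0088", "Title": "Unencrypted S3 bucket.", "Severity": "HIGH",
                 "CauseMetadata": {"Resource": "module.s3.aws_s3_bucket.this",
                                   "StartLine": 12, "EndLine": 14}},
                {"ID": "AVD-AWS-0089", "Title": "S3 Bucket Logging", "Severity": "MEDIUM",
                 "CauseMetadata": {"Resource": "module.s3.aws_s3_bucket.this",
                                   "StartLine": 12, "EndLine": 14}},
            ],
        },
    ],
})

# Constructed sample of a scan that found nothing: the "Results" key is absent,
# which is why `.Results[]` in jq fails with "Cannot iterate over null".
EMPTY_REPORT = json.dumps({"SchemaVersion": 2, "ArtifactName": "testcase"})


def iter_findings(report_text):
    """Yield (target, finding) pairs, treating a missing or null Results list as empty."""
    report = json.loads(report_text)
    for result in report.get("Results") or []:
        for finding in result.get("Misconfigurations") or []:
            yield result["Target"], finding


def titles(report_text):
    """Same projection as the jq filter in the thread, but safe on an empty report."""
    return [finding["Title"] for _, finding in iter_findings(report_text)]


def duplicated_findings(report_text):
    """Map (check ID, resource) -> sorted targets for every finding reported under
    more than one target, e.g. once from the root module and once from the child
    module it includes."""
    targets_by_key = defaultdict(set)
    for target, finding in iter_findings(report_text):
        resource = finding.get("CauseMetadata", {}).get("Resource")
        targets_by_key[(finding["ID"], resource)].add(target)
    return {key: sorted(targets) for key, targets in targets_by_key.items() if len(targets) > 1}


def is_vendored(target):
    """True when a target lives under a .terraform directory, i.e. it was fetched by
    `terraform init` rather than being the project's own code."""
    return ".terraform" in PurePosixPath(target).parts


def summarize(report_text):
    """One line per finding, marking vendored targets and cross-target duplicates."""
    dups = duplicated_findings(report_text)
    lines = []
    for target, finding in iter_findings(report_text):
        key = (finding["ID"], finding.get("CauseMetadata", {}).get("Resource"))
        flags = []
        if key in dups:
            flags.append("DUPLICATE across " + ", ".join(dups[key]))
        if is_vendored(target):
            flags.append("VENDORED")
        lines.append(f"{finding['Severity']:8} {finding['ID']}  {target}  {finding['Title']}"
                     + (f"  [{'; '.join(flags)}]" if flags else ""))
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_REPORT)) or "no findings")
    print("\n".join(summarize(EMPTY_REPORT)) or "no findings")
```

Feed it a real report with python3 script.py < report.json by replacing the constructed constants with sys.stdin.read(); the duplicate key deliberately ignores line numbers, because the same resource is reported at different lines from the root module and from the child module.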
Hi @kernle32dll !
Could you please share the configuration files? I could not reproduce your problem with the sample files above.
Okay, I have no idea what I was doing yesterday, but I can't actually replicate the issue now. I do have the issue with my actual terraform project files, but I cannot share them at this point. I will try to condense a version that I can share.
Okay, I have "something". The setup is a bit lengthy, and I am not entirely sure what I am seeing here. But the kicker is for the terraform files to be in a subfolder (called terraform here), and doing something with remote modules.
terraform/main.tf:
module "s3" {
source = "./modules/s3"
}
module "backup" {
source = "git::https://github.com/terraform-google-modules/terraform-google-vm.git?ref=v10.1.0"
}
terraform/modules/s3/main.tf:
variable "s3_object_versioning" {
description = "Enable S3 Object Versioning [Enabled Suspended Disabled]"
type = string
validation {
condition = contains(["Enabled", "Suspended", "Disabled"], var.s3_object_versioning)
error_message = "The Variable s3_object_versioning can only contain [Enabled, Suspended, Disabled]"
}
}
resource "aws_s3_bucket" "s3_bucket" {
bucket = "test.bucket"
}
resource "aws_s3_bucket_versioning" "versioning" {
bucket = aws_s3_bucket.s3_bucket.id
versioning_configuration {
status = var.s3_object_versioning
}
}
First, test with v0.46.1. Everything works as expected:
worker@claystone-worker1 ~/tftest % curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b ./bin v0.46.1
aquasecurity/trivy info checking GitHub for tag 'v0.46.1'
aquasecurity/trivy info found version: 0.46.1 for v0.46.1/Linux/64bit
aquasecurity/trivy info installed ./bin/trivy
worker@claystone-worker1 ~/tftest % ./bin/trivy config . --debug > /dev/null
2023-11-06T03:28:53.790+0100 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-11-06T03:28:53.792+0100 DEBUG cache dir: /home/worker/.cache/trivy
2023-11-06T03:28:53.792+0100 INFO Misconfiguration scanning is enabled
2023-11-06T03:28:53.792+0100 DEBUG Policies successfully loaded from disk
2023-11-06T03:28:53.807+0100 DEBUG The nuget packages directory couldn't be found. License search disabled
2023-11-06T03:28:53.827+0100 DEBUG Walk the file tree rooted at '.' in parallel
2023-11-06T03:28:53.828+0100 DEBUG Scanning Terraform files for misconfigurations...
2023-11-06T03:28:55.055+0100 DEBUG OS is not detected.
2023-11-06T03:28:55.056+0100 INFO Detected config files: 2
2023-11-06T03:28:55.056+0100 DEBUG Scanned config file: terraform
2023-11-06T03:28:55.056+0100 DEBUG Scanned config file: terraform/modules/s3/main.tf
worker@claystone-worker1 ~/tftest % ./bin/trivy config terraform --debug > /dev/null
2023-11-06T03:29:00.061+0100 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-11-06T03:29:00.064+0100 DEBUG cache dir: /home/worker/.cache/trivy
2023-11-06T03:29:00.064+0100 INFO Misconfiguration scanning is enabled
2023-11-06T03:29:00.065+0100 DEBUG Policies successfully loaded from disk
2023-11-06T03:29:00.093+0100 DEBUG The nuget packages directory couldn't be found. License search disabled
2023-11-06T03:29:00.098+0100 DEBUG Walk the file tree rooted at 'terraform' in parallel
2023-11-06T03:29:00.098+0100 DEBUG Scanning Terraform files for misconfigurations...
2023-11-06T03:29:01.328+0100 DEBUG OS is not detected.
2023-11-06T03:29:01.328+0100 INFO Detected config files: 2
2023-11-06T03:29:01.328+0100 DEBUG Scanned config file: .
2023-11-06T03:29:01.328+0100 DEBUG Scanned config file: modules/s3/main.tf
But if we do a terraform init now...
worker@claystone-worker1 ~/tftest % terraform -chdir=terraform init
Initializing the backend...
Initializing modules...
Downloading git::https://github.com/terraform-google-modules/terraform-google-vm.git?ref=v10.1.0 for backup...
- backup in .terraform/modules/backup
- s3 in modules/s3
Initializing provider plugins...
- Reusing previous version of hashicorp/aws from the dependency lock file
- Installing hashicorp/aws v5.24.0...
- Installed hashicorp/aws v5.24.0 (signed by HashiCorp)
Terraform has been successfully initialized!
You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.
If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
terraform -chdir=terraform init 11.52s user 1.25s system 90% cpu 14.058 total
... the output changes. Note how it includes the .terraform files, but the terraform or . folder, as well as modules/s3/main.tf, is missing from the second command.
worker@claystone-worker1 ~/tftest % ./bin/trivy config . --debug > /dev/null
2023-11-06T03:34:07.459+0100 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-11-06T03:34:07.462+0100 DEBUG cache dir: /home/worker/.cache/trivy
2023-11-06T03:34:07.462+0100 INFO Misconfiguration scanning is enabled
2023-11-06T03:34:07.462+0100 DEBUG Policies successfully loaded from disk
2023-11-06T03:34:07.471+0100 DEBUG The nuget packages directory couldn't be found. License search disabled
2023-11-06T03:34:07.495+0100 DEBUG Walk the file tree rooted at '.' in parallel
2023-11-06T03:34:07.501+0100 DEBUG Scanning Helm files for misconfigurations...
2023-11-06T03:34:07.571+0100 DEBUG Scanning Kubernetes files for misconfigurations...
2023-11-06T03:34:15.121+0100 DEBUG Scanning Terraform files for misconfigurations...
2023-11-06T03:34:18.174+0100 DEBUG OS is not detected.
2023-11-06T03:34:18.174+0100 INFO Detected config files: 41
2023-11-06T03:34:18.174+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/test/fixtures/instance_template/additional_disks
2023-11-06T03:34:18.174+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/test/fixtures/instance_template/alias_ip_range
2023-11-06T03:34:18.174+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/test/fixtures/instance_template/simple
2023-11-06T03:34:18.174+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/test/fixtures/mig_stateful
2023-11-06T03:34:18.174+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/test/fixtures/mig_with_percent/simple
2023-11-06T03:34:18.174+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/test/fixtures/shared
2023-11-06T03:34:18.174+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/test/fixtures/shared/network.tf
2023-11-06T03:34:18.174+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/test/fixtures/umig/static_ips
2023-11-06T03:34:18.174+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/test/fixtures/umig/named_ports
2023-11-06T03:34:18.174+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/test/fixtures/umig/simple
2023-11-06T03:34:18.174+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/test/fixtures/instance_simple
2023-11-06T03:34:18.174+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/test/fixtures/mig/autoscaler
2023-11-06T03:34:18.174+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/test/fixtures/mig/healthcheck
2023-11-06T03:34:18.174+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/test/fixtures/mig/simple
2023-11-06T03:34:18.174+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/test/fixtures/preemptible_and_regular_instance_templates/simple
2023-11-06T03:34:18.174+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/test/fixtures/compute_instance/disk_snapshot
2023-11-06T03:34:18.174+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/test/fixtures/compute_instance/simple_zone
2023-11-06T03:34:18.174+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/test/setup
2023-11-06T03:34:18.174+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/test/setup/iam.tf
2023-11-06T03:34:18.174+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/examples/mig/full
2023-11-06T03:34:18.174+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/examples/mig/healthcheck/main.tf
2023-11-06T03:34:18.174+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/examples/mig_stateful/main.tf
2023-11-06T03:34:18.174+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/examples/umig/full
2023-11-06T03:34:18.174+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/examples/compute_instance/multiple_interfaces/main.tf
2023-11-06T03:34:18.174+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/examples/compute_instance/multiple_interfaces
2023-11-06T03:34:18.174+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/examples/compute_instance/next_hop
2023-11-06T03:34:18.174+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/examples/compute_instance/next_hop/main.tf
2023-11-06T03:34:18.174+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/examples/compute_instance/tags/main.tf
2023-11-06T03:34:18.174+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/examples/compute_instance/tags
2023-11-06T03:34:18.174+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/examples/instance_template/encrypted_disks
2023-11-06T03:34:18.174+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/examples/instance_template/encrypted_disks/main.tf
2023-11-06T03:34:18.174+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/metadata.yaml
2023-11-06T03:34:18.175+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/modules/umig/metadata.yaml
2023-11-06T03:34:18.176+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/modules/compute_disk_snapshot/metadata.yaml
2023-11-06T03:34:18.177+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/modules/compute_instance/metadata.yaml
2023-11-06T03:34:18.178+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/modules/instance_template/metadata.yaml
2023-11-06T03:34:18.179+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/modules/mig/metadata.yaml
2023-11-06T03:34:18.180+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/modules/mig_with_percent/metadata.yaml
2023-11-06T03:34:18.181+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/modules/preemptible_and_regular_instance_templates/metadata.yaml
2023-11-06T03:34:18.182+0100 DEBUG Scanned config file: terraform/modules/s3/main.tf
2023-11-06T03:34:18.182+0100 DEBUG Scanned config file: terraform
worker@claystone-worker1 ~/tftest % ./bin/trivy config terraform --debug > /dev/null
2023-11-06T03:34:28.998+0100 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-11-06T03:34:28.999+0100 DEBUG cache dir: /home/worker/.cache/trivy
2023-11-06T03:34:28.999+0100 INFO Misconfiguration scanning is enabled
2023-11-06T03:34:29.000+0100 DEBUG Policies successfully loaded from disk
2023-11-06T03:34:29.014+0100 DEBUG The nuget packages directory couldn't be found. License search disabled
2023-11-06T03:34:29.033+0100 DEBUG Walk the file tree rooted at 'terraform' in parallel
2023-11-06T03:34:29.122+0100 DEBUG Scanning Kubernetes files for misconfigurations...
2023-11-06T03:34:36.733+0100 DEBUG Scanning Helm files for misconfigurations...
2023-11-06T03:34:36.739+0100 DEBUG Scanning Terraform files for misconfigurations...
2023-11-06T03:34:39.810+0100 DEBUG OS is not detected.
2023-11-06T03:34:39.810+0100 INFO Detected config files: 39
2023-11-06T03:34:39.810+0100 DEBUG Scanned config file: .terraform/modules/backup/examples/umig/full
2023-11-06T03:34:39.810+0100 DEBUG Scanned config file: .terraform/modules/backup/examples/compute_instance/multiple_interfaces
2023-11-06T03:34:39.810+0100 DEBUG Scanned config file: .terraform/modules/backup/examples/compute_instance/multiple_interfaces/main.tf
2023-11-06T03:34:39.810+0100 DEBUG Scanned config file: .terraform/modules/backup/examples/compute_instance/next_hop
2023-11-06T03:34:39.810+0100 DEBUG Scanned config file: .terraform/modules/backup/examples/compute_instance/next_hop/main.tf
2023-11-06T03:34:39.811+0100 DEBUG Scanned config file: .terraform/modules/backup/examples/compute_instance/tags
2023-11-06T03:34:39.811+0100 DEBUG Scanned config file: .terraform/modules/backup/examples/compute_instance/tags/main.tf
2023-11-06T03:34:39.811+0100 DEBUG Scanned config file: .terraform/modules/backup/examples/instance_template/encrypted_disks/main.tf
2023-11-06T03:34:39.811+0100 DEBUG Scanned config file: .terraform/modules/backup/examples/instance_template/encrypted_disks
2023-11-06T03:34:39.811+0100 DEBUG Scanned config file: .terraform/modules/backup/examples/mig/full
2023-11-06T03:34:39.811+0100 DEBUG Scanned config file: .terraform/modules/backup/examples/mig/healthcheck/main.tf
2023-11-06T03:34:39.811+0100 DEBUG Scanned config file: .terraform/modules/backup/examples/mig_stateful/main.tf
2023-11-06T03:34:39.811+0100 DEBUG Scanned config file: .terraform/modules/backup/metadata.yaml
2023-11-06T03:34:39.811+0100 DEBUG Scanned config file: .terraform/modules/backup/modules/mig_with_percent/metadata.yaml
2023-11-06T03:34:39.811+0100 DEBUG Scanned config file: .terraform/modules/backup/modules/preemptible_and_regular_instance_templates/metadata.yaml
2023-11-06T03:34:39.811+0100 DEBUG Scanned config file: .terraform/modules/backup/modules/umig/metadata.yaml
2023-11-06T03:34:39.812+0100 DEBUG Scanned config file: .terraform/modules/backup/modules/compute_disk_snapshot/metadata.yaml
2023-11-06T03:34:39.812+0100 DEBUG Scanned config file: .terraform/modules/backup/modules/compute_instance/metadata.yaml
2023-11-06T03:34:39.812+0100 DEBUG Scanned config file: .terraform/modules/backup/modules/instance_template/metadata.yaml
2023-11-06T03:34:39.812+0100 DEBUG Scanned config file: .terraform/modules/backup/modules/mig/metadata.yaml
2023-11-06T03:34:39.812+0100 DEBUG Scanned config file: .terraform/modules/backup/test/fixtures/instance_simple
2023-11-06T03:34:39.812+0100 DEBUG Scanned config file: .terraform/modules/backup/test/fixtures/instance_template/additional_disks
2023-11-06T03:34:39.812+0100 DEBUG Scanned config file: .terraform/modules/backup/test/fixtures/instance_template/alias_ip_range
2023-11-06T03:34:39.812+0100 DEBUG Scanned config file: .terraform/modules/backup/test/fixtures/instance_template/simple
2023-11-06T03:34:39.812+0100 DEBUG Scanned config file: .terraform/modules/backup/test/fixtures/mig/autoscaler
2023-11-06T03:34:39.812+0100 DEBUG Scanned config file: .terraform/modules/backup/test/fixtures/mig/healthcheck
2023-11-06T03:34:39.812+0100 DEBUG Scanned config file: .terraform/modules/backup/test/fixtures/mig/simple
2023-11-06T03:34:39.812+0100 DEBUG Scanned config file: .terraform/modules/backup/test/fixtures/mig_stateful
2023-11-06T03:34:39.812+0100 DEBUG Scanned config file: .terraform/modules/backup/test/fixtures/shared/network.tf
2023-11-06T03:34:39.812+0100 DEBUG Scanned config file: .terraform/modules/backup/test/fixtures/shared
2023-11-06T03:34:39.812+0100 DEBUG Scanned config file: .terraform/modules/backup/test/fixtures/compute_instance/disk_snapshot
2023-11-06T03:34:39.813+0100 DEBUG Scanned config file: .terraform/modules/backup/test/fixtures/compute_instance/simple_zone
2023-11-06T03:34:39.813+0100 DEBUG Scanned config file: .terraform/modules/backup/test/fixtures/mig_with_percent/simple
2023-11-06T03:34:39.813+0100 DEBUG Scanned config file: .terraform/modules/backup/test/fixtures/preemptible_and_regular_instance_templates/simple
2023-11-06T03:34:39.813+0100 DEBUG Scanned config file: .terraform/modules/backup/test/fixtures/umig/named_ports
2023-11-06T03:34:39.813+0100 DEBUG Scanned config file: .terraform/modules/backup/test/fixtures/umig/simple
2023-11-06T03:34:39.813+0100 DEBUG Scanned config file: .terraform/modules/backup/test/fixtures/umig/static_ips
2023-11-06T03:34:39.813+0100 DEBUG Scanned config file: .terraform/modules/backup/test/setup
2023-11-06T03:34:39.813+0100 DEBUG Scanned config file: .terraform/modules/backup/test/setup/iam.tf
When using v0.45.1, there is no difference between the two command variants.
worker@claystone-worker1 ~/tftest % curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b ./bin v0.45.1
aquasecurity/trivy info checking GitHub for tag 'v0.45.1'
aquasecurity/trivy info found version: 0.45.1 for v0.45.1/Linux/64bit
aquasecurity/trivy info installed ./bin/trivy
worker@claystone-worker1 ~/tftest % ./bin/trivy config . --debug > /dev/null
2023-11-06T03:37:14.861+0100 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-11-06T03:37:14.864+0100 DEBUG cache dir: /home/worker/.cache/trivy
2023-11-06T03:37:14.864+0100 INFO Misconfiguration scanning is enabled
2023-11-06T03:37:14.864+0100 DEBUG Policies successfully loaded from disk
2023-11-06T03:37:14.898+0100 DEBUG Walk the file tree rooted at '.' in parallel
2023-11-06T03:37:14.914+0100 DEBUG Scanning Terraform files for misconfigurations...
2023-11-06T03:37:18.983+0100 DEBUG Scanning Helm files for misconfigurations...
2023-11-06T03:37:18.985+0100 DEBUG GOPATH (/home/worker/go/pkg/mod) not found. Need 'go mod download' to fill licenses and dependency relationships
2023-11-06T03:37:19.017+0100 DEBUG Scanning Kubernetes files for misconfigurations...
2023-11-06T03:37:26.905+0100 DEBUG OS is not detected.
2023-11-06T03:37:26.906+0100 INFO Detected config files: 63
2023-11-06T03:37:26.906+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/metadata.yaml
2023-11-06T03:37:26.906+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/modules/mig_with_percent
2023-11-06T03:37:26.906+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/modules/mig_with_percent/metadata.yaml
2023-11-06T03:37:26.906+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/modules/preemptible_and_regular_instance_templates
2023-11-06T03:37:26.906+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/modules/preemptible_and_regular_instance_templates/metadata.yaml
2023-11-06T03:37:26.906+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/modules/umig
2023-11-06T03:37:26.906+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/modules/umig/metadata.yaml
2023-11-06T03:37:26.906+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/modules/compute_disk_snapshot
2023-11-06T03:37:26.906+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/modules/compute_disk_snapshot/metadata.yaml
2023-11-06T03:37:26.907+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/modules/compute_instance
2023-11-06T03:37:26.907+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/modules/compute_instance/metadata.yaml
2023-11-06T03:37:26.907+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/modules/instance_template/metadata.yaml
2023-11-06T03:37:26.907+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/modules/instance_template
2023-11-06T03:37:26.907+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/modules/mig
2023-11-06T03:37:26.907+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/modules/mig/metadata.yaml
2023-11-06T03:37:26.907+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/test/fixtures/compute_instance/disk_snapshot
2023-11-06T03:37:26.907+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/test/fixtures/compute_instance/simple_zone
2023-11-06T03:37:26.907+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/test/fixtures/instance_simple
2023-11-06T03:37:26.907+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/test/fixtures/mig/autoscaler
2023-11-06T03:37:26.907+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/test/fixtures/mig/healthcheck
2023-11-06T03:37:26.907+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/test/fixtures/mig/simple
2023-11-06T03:37:26.907+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/test/fixtures/mig_stateful
2023-11-06T03:37:26.907+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/test/fixtures/mig_with_percent/simple
2023-11-06T03:37:26.907+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/test/fixtures/instance_template/simple
2023-11-06T03:37:26.907+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/test/fixtures/instance_template/additional_disks
2023-11-06T03:37:26.907+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/test/fixtures/instance_template/alias_ip_range
2023-11-06T03:37:26.907+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/test/fixtures/preemptible_and_regular_instance_templates/simple
2023-11-06T03:37:26.907+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/test/fixtures/shared
2023-11-06T03:37:26.907+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/test/fixtures/shared/network.tf
2023-11-06T03:37:26.907+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/test/fixtures/umig/static_ips
2023-11-06T03:37:26.907+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/test/fixtures/umig/named_ports
2023-11-06T03:37:26.907+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/test/fixtures/umig/simple
2023-11-06T03:37:26.907+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/test/setup
2023-11-06T03:37:26.907+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/test/setup/iam.tf
2023-11-06T03:37:26.907+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/examples/compute_instance/disk_snapshot
2023-11-06T03:37:26.907+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/examples/compute_instance/multiple_interfaces
2023-11-06T03:37:26.907+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/examples/compute_instance/multiple_interfaces/main.tf
2023-11-06T03:37:26.907+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/examples/compute_instance/next_hop
2023-11-06T03:37:26.907+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/examples/compute_instance/next_hop/main.tf
2023-11-06T03:37:26.907+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/examples/compute_instance/simple
2023-11-06T03:37:26.907+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/examples/compute_instance/tags/main.tf
2023-11-06T03:37:26.907+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/examples/compute_instance/tags
2023-11-06T03:37:26.907+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/examples/instance_template/additional_disks
2023-11-06T03:37:26.907+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/examples/instance_template/alias_ip_range
2023-11-06T03:37:26.907+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/examples/instance_template/encrypted_disks/main.tf
2023-11-06T03:37:26.907+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/examples/instance_template/encrypted_disks
2023-11-06T03:37:26.908+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/examples/instance_template/simple
2023-11-06T03:37:26.908+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/examples/mig/autoscaler
2023-11-06T03:37:26.908+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/examples/mig/full
2023-11-06T03:37:26.908+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/examples/mig/healthcheck/main.tf
2023-11-06T03:37:26.908+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/examples/mig/healthcheck
2023-11-06T03:37:26.908+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/examples/mig/simple
2023-11-06T03:37:26.908+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/examples/mig_stateful
2023-11-06T03:37:26.908+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/examples/mig_stateful/main.tf
2023-11-06T03:37:26.908+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/examples/mig_with_percent/simple
2023-11-06T03:37:26.908+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/examples/preemptible_and_regular_instance_templates/simple
2023-11-06T03:37:26.908+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/examples/umig/full
2023-11-06T03:37:26.908+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/examples/umig/named_ports
2023-11-06T03:37:26.908+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/examples/umig/simple
2023-11-06T03:37:26.908+0100 DEBUG Scanned config file: terraform/.terraform/modules/backup/examples/umig/static_ips
2023-11-06T03:37:26.908+0100 DEBUG Scanned config file: terraform
2023-11-06T03:37:26.908+0100 DEBUG Scanned config file: terraform/modules/s3
2023-11-06T03:37:26.908+0100 DEBUG Scanned config file: terraform/modules/s3/main.tf
worker@claystone-worker1 ~/tftest % ./bin/trivy config terraform --debug > /dev/null
2023-11-06T03:37:35.195+0100 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-11-06T03:37:35.197+0100 DEBUG cache dir: /home/worker/.cache/trivy
2023-11-06T03:37:35.197+0100 INFO Misconfiguration scanning is enabled
2023-11-06T03:37:35.198+0100 DEBUG Policies successfully loaded from disk
2023-11-06T03:37:35.232+0100 DEBUG Walk the file tree rooted at 'terraform' in parallel
2023-11-06T03:37:35.294+0100 DEBUG Scanning Terraform files for misconfigurations...
2023-11-06T03:37:39.205+0100 DEBUG GOPATH (/home/worker/go/pkg/mod) not found. Need 'go mod download' to fill licenses and dependency relationships
2023-11-06T03:37:39.207+0100 DEBUG Scanning Helm files for misconfigurations...
2023-11-06T03:37:39.233+0100 DEBUG Scanning Kubernetes files for misconfigurations...
2023-11-06T03:37:47.230+0100 DEBUG OS is not detected.
2023-11-06T03:37:47.230+0100 INFO Detected config files: 63
2023-11-06T03:37:47.230+0100 DEBUG Scanned config file: .terraform/modules/backup/metadata.yaml
2023-11-06T03:37:47.230+0100 DEBUG Scanned config file: .terraform/modules/backup/modules/compute_disk_snapshot
2023-11-06T03:37:47.230+0100 DEBUG Scanned config file: .terraform/modules/backup/modules/compute_disk_snapshot/metadata.yaml
2023-11-06T03:37:47.230+0100 DEBUG Scanned config file: .terraform/modules/backup/modules/compute_instance
2023-11-06T03:37:47.230+0100 DEBUG Scanned config file: .terraform/modules/backup/modules/compute_instance/metadata.yaml
2023-11-06T03:37:47.230+0100 DEBUG Scanned config file: .terraform/modules/backup/modules/instance_template
2023-11-06T03:37:47.230+0100 DEBUG Scanned config file: .terraform/modules/backup/modules/instance_template/metadata.yaml
2023-11-06T03:37:47.230+0100 DEBUG Scanned config file: .terraform/modules/backup/modules/mig
2023-11-06T03:37:47.230+0100 DEBUG Scanned config file: .terraform/modules/backup/modules/mig/metadata.yaml
2023-11-06T03:37:47.231+0100 DEBUG Scanned config file: .terraform/modules/backup/modules/mig_with_percent
2023-11-06T03:37:47.231+0100 DEBUG Scanned config file: .terraform/modules/backup/modules/mig_with_percent/metadata.yaml
2023-11-06T03:37:47.231+0100 DEBUG Scanned config file: .terraform/modules/backup/modules/preemptible_and_regular_instance_templates/metadata.yaml
2023-11-06T03:37:47.231+0100 DEBUG Scanned config file: .terraform/modules/backup/modules/preemptible_and_regular_instance_templates
2023-11-06T03:37:47.231+0100 DEBUG Scanned config file: .terraform/modules/backup/modules/umig
2023-11-06T03:37:47.231+0100 DEBUG Scanned config file: .terraform/modules/backup/modules/umig/metadata.yaml
2023-11-06T03:37:47.231+0100 DEBUG Scanned config file: .terraform/modules/backup/test/fixtures/instance_simple
2023-11-06T03:37:47.231+0100 DEBUG Scanned config file: .terraform/modules/backup/test/fixtures/instance_template/additional_disks
2023-11-06T03:37:47.231+0100 DEBUG Scanned config file: .terraform/modules/backup/test/fixtures/instance_template/alias_ip_range
2023-11-06T03:37:47.231+0100 DEBUG Scanned config file: .terraform/modules/backup/test/fixtures/instance_template/simple
2023-11-06T03:37:47.231+0100 DEBUG Scanned config file: .terraform/modules/backup/test/fixtures/mig_with_percent/simple
2023-11-06T03:37:47.231+0100 DEBUG Scanned config file: .terraform/modules/backup/test/fixtures/preemptible_and_regular_instance_templates/simple
2023-11-06T03:37:47.231+0100 DEBUG Scanned config file: .terraform/modules/backup/test/fixtures/umig/static_ips
2023-11-06T03:37:47.231+0100 DEBUG Scanned config file: .terraform/modules/backup/test/fixtures/umig/named_ports
2023-11-06T03:37:47.231+0100 DEBUG Scanned config file: .terraform/modules/backup/test/fixtures/umig/simple
2023-11-06T03:37:47.231+0100 DEBUG Scanned config file: .terraform/modules/backup/test/fixtures/compute_instance/disk_snapshot
2023-11-06T03:37:47.231+0100 DEBUG Scanned config file: .terraform/modules/backup/test/fixtures/compute_instance/simple_zone
2023-11-06T03:37:47.231+0100 DEBUG Scanned config file: .terraform/modules/backup/test/fixtures/mig/autoscaler
2023-11-06T03:37:47.231+0100 DEBUG Scanned config file: .terraform/modules/backup/test/fixtures/mig/healthcheck
2023-11-06T03:37:47.231+0100 DEBUG Scanned config file: .terraform/modules/backup/test/fixtures/mig/simple
2023-11-06T03:37:47.231+0100 DEBUG Scanned config file: .terraform/modules/backup/test/fixtures/mig_stateful
2023-11-06T03:37:47.231+0100 DEBUG Scanned config file: .terraform/modules/backup/test/fixtures/shared
2023-11-06T03:37:47.231+0100 DEBUG Scanned config file: .terraform/modules/backup/test/fixtures/shared/network.tf
2023-11-06T03:37:47.231+0100 DEBUG Scanned config file: .terraform/modules/backup/test/setup
2023-11-06T03:37:47.231+0100 DEBUG Scanned config file: .terraform/modules/backup/test/setup/iam.tf
2023-11-06T03:37:47.231+0100 DEBUG Scanned config file: .terraform/modules/backup/examples/mig_with_percent/simple
2023-11-06T03:37:47.231+0100 DEBUG Scanned config file: .terraform/modules/backup/examples/preemptible_and_regular_instance_templates/simple
2023-11-06T03:37:47.231+0100 DEBUG Scanned config file: .terraform/modules/backup/examples/umig/simple
2023-11-06T03:37:47.231+0100 DEBUG Scanned config file: .terraform/modules/backup/examples/umig/static_ips
2023-11-06T03:37:47.231+0100 DEBUG Scanned config file: .terraform/modules/backup/examples/umig/full
2023-11-06T03:37:47.232+0100 DEBUG Scanned config file: .terraform/modules/backup/examples/umig/named_ports
2023-11-06T03:37:47.232+0100 DEBUG Scanned config file: .terraform/modules/backup/examples/compute_instance/multiple_interfaces
2023-11-06T03:37:47.232+0100 DEBUG Scanned config file: .terraform/modules/backup/examples/compute_instance/multiple_interfaces/main.tf
2023-11-06T03:37:47.232+0100 DEBUG Scanned config file: .terraform/modules/backup/examples/compute_instance/next_hop
2023-11-06T03:37:47.232+0100 DEBUG Scanned config file: .terraform/modules/backup/examples/compute_instance/next_hop/main.tf
2023-11-06T03:37:47.232+0100 DEBUG Scanned config file: .terraform/modules/backup/examples/compute_instance/simple
2023-11-06T03:37:47.232+0100 DEBUG Scanned config file: .terraform/modules/backup/examples/compute_instance/tags
2023-11-06T03:37:47.232+0100 DEBUG Scanned config file: .terraform/modules/backup/examples/compute_instance/tags/main.tf
2023-11-06T03:37:47.232+0100 DEBUG Scanned config file: .terraform/modules/backup/examples/compute_instance/disk_snapshot
2023-11-06T03:37:47.232+0100 DEBUG Scanned config file: .terraform/modules/backup/examples/instance_template/additional_disks
2023-11-06T03:37:47.232+0100 DEBUG Scanned config file: .terraform/modules/backup/examples/instance_template/alias_ip_range
2023-11-06T03:37:47.232+0100 DEBUG Scanned config file: .terraform/modules/backup/examples/instance_template/encrypted_disks
2023-11-06T03:37:47.232+0100 DEBUG Scanned config file: .terraform/modules/backup/examples/instance_template/encrypted_disks/main.tf
2023-11-06T03:37:47.232+0100 DEBUG Scanned config file: .terraform/modules/backup/examples/instance_template/simple
2023-11-06T03:37:47.232+0100 DEBUG Scanned config file: .terraform/modules/backup/examples/mig/simple
2023-11-06T03:37:47.232+0100 DEBUG Scanned config file: .terraform/modules/backup/examples/mig/autoscaler
2023-11-06T03:37:47.232+0100 DEBUG Scanned config file: .terraform/modules/backup/examples/mig/full
2023-11-06T03:37:47.232+0100 DEBUG Scanned config file: .terraform/modules/backup/examples/mig/healthcheck
2023-11-06T03:37:47.232+0100 DEBUG Scanned config file: .terraform/modules/backup/examples/mig/healthcheck/main.tf
2023-11-06T03:37:47.232+0100 DEBUG Scanned config file: .terraform/modules/backup/examples/mig_stateful
2023-11-06T03:37:47.232+0100 DEBUG Scanned config file: .terraform/modules/backup/examples/mig_stateful/main.tf
2023-11-06T03:37:47.232+0100 DEBUG Scanned config file: .
2023-11-06T03:37:47.232+0100 DEBUG Scanned config file: modules/s3
2023-11-06T03:37:47.232+0100 DEBUG Scanned config file: modules/s3/main.tf
I hope someone can make some sense of this.
Okay, a little addendum. I poked around a bit in defsec, and I know now why this code change triggers the problem, but I have no idea about the root cause. So it's probably a good idea to move this discussion to a defsec issue, if anyone knows how to formulate an issue from my observation.
So, with the above example, what essentially happens is that we end up with a rogue module here, which has a child module with a modulePath of ".", which in the above case is actually the root module.
My hunch is that this module is somehow referencing itself or something. I haven't spent enough time with defsec to make sense of this, so this needs to be resolved by someone more clever than me.
Hi @kernle32dll !
This will be fixed after the merge of https://github.com/aquasecurity/trivy/pull/5245
In the screenshot everything is ok. RootModule is a kind of module container, which has no references from other modules, i.e. it is a self-sufficient application. The childs field contains all the modules in flat form that are declared in this application.
I have the following files:
modules/s3/main.tf
main.tf
Output of Trivy:
Some misconfigs are duplicated, since Trivy also scans local modules.
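As an added example (not code from the Trivy project or from anyone in this thread): a post-processing step that collapses findings the standalone local-module scan repeats from the root-module scan, so a report can be read without the duplicates described above. It assumes the field names of Trivy's JSON report (Results[].Target, Misconfigurations[].ID, CauseMetadata.Resource/StartLine/EndLine); the sample report and its rule IDs are constructed.

```python
from pathlib import PurePosixPath

# Constructed sample shaped like a Trivy JSON report ("trivy config --format json").
# The field names are assumed from Trivy's report layout; IDs, lines and messages
# are invented. The second Result repeats the first: the local module was scanned
# once through the root module and once on its own, as described in the thread.
SAMPLE_REPORT = {"Results": [
    {"Target": "modules/s3/main.tf", "Type": "terraform", "Misconfigurations": [
        {"ID": "AVD-EXAMPLE-0001", "Severity": "LOW", "Message": "bucket logging disabled",
         "CauseMetadata": {"Resource": "aws_s3_bucket.this", "StartLine": 1, "EndLine": 6}}]},
    {"Target": "./modules/s3/main.tf", "Type": "terraform", "Misconfigurations": [
        {"ID": "AVD-EXAMPLE-0001", "Severity": "LOW", "Message": "bucket logging disabled",
         "CauseMetadata": {"Resource": "aws_s3_bucket.this", "StartLine": 1, "EndLine": 6}}]},
    {"Target": "main.tf", "Type": "terraform", "Misconfigurations": [
        {"ID": "AVD-EXAMPLE-0002", "Severity": "HIGH", "Message": "bucket ACL is public",
         "CauseMetadata": {"Resource": "module.s3_bucket", "StartLine": 3, "EndLine": 9}}]},
]}


def finding_key(target, misconf):
    """Identity of one finding: normalised path, rule ID, resource and line span."""
    cause = misconf.get("CauseMetadata", {})
    return (PurePosixPath(target).as_posix(), misconf["ID"], cause.get("Resource"),
            cause.get("StartLine"), cause.get("EndLine"))


def dedupe_report(report):
    """Return (report with each finding listed once, number of duplicates dropped).

    Results are merged per normalised Target, so a finding repeated across the
    root-module scan and the standalone local-module scan is kept only once.
    """
    seen, merged, dropped = set(), {}, 0
    for result in report.get("Results", []):
        target = PurePosixPath(result["Target"]).as_posix()  # "./x" and "x" collapse
        bucket = merged.setdefault(target, {**result, "Target": target, "Misconfigurations": []})
        for m in result.get("Misconfigurations", []):
            key = finding_key(target, m)
            if key in seen:
                dropped += 1       # same file, rule, resource and lines: a duplicate
                continue
            seen.add(key)
            bucket["Misconfigurations"].append(m)
    return {**report, "Results": list(merged.values())}, dropped


def count_findings(report):
    """Total number of misconfigurations across all Results."""
    return sum(len(r.get("Misconfigurations", [])) for r in report.get("Results", []))
```

Feed it the parsed output of a real `trivy config --format json` run; findings that differ in file, rule, resource or line span are all kept, so only true repeats disappear.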