aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0

fix(terraform): Trivy scans local modules #4988

Closed nikpivkin closed 1 year ago

nikpivkin commented 1 year ago

I have the following files:

modules/s3/main.tf

variable "s3_object_versioning" {
  description = "Enable S3 Object Versioning [Enabled Suspended Disabled]"
  type        = string

  validation {
    condition     = contains(["Enabled", "Suspended", "Disabled"], var.s3_object_versioning)
    error_message = "The Variable s3_object_versioning can only contain [Enabled, Suspended, Disabled]"
  }
}

resource "aws_s3_bucket" "s3_bucket" {
  bucket = "test.bucket"
}

resource "aws_s3_bucket_versioning" "versioning" {
  bucket = aws_s3_bucket.s3_bucket.id
  versioning_configuration {
    status = var.s3_object_versioning
  }
}

main.tf

module "test" {
  source               = "./modules/s3"
  s3_object_versioning = "Disabled"
}

Output of Trivy:

trivy config . -f json | jq '.Results[] | .Misconfigurations | .[]?.Title'
2023-08-14T17:22:00.715+0700    INFO    Misconfiguration scanning is enabled
2023-08-14T17:22:01.089+0700    INFO    Detected config files: 3
"S3 Access block should block public ACL"
"S3 Access block should block public ACL"
"S3 Access block should block public policy"
"S3 Access block should block public policy"
"Unencrypted S3 bucket."
"Unencrypted S3 bucket."
"S3 Bucket does not have logging enabled."
"S3 Bucket does not have logging enabled."
"S3 Data should be versioned"
"S3 Data should be versioned"
"S3 Access Block should Ignore Public Acl"
"S3 Access Block should Ignore Public Acl"
"S3 Access block should restrict public bucket to limit access"
"S3 Access block should restrict public bucket to limit access"
"S3 buckets should each define an aws_s3_bucket_public_access_block"
"S3 buckets should each define an aws_s3_bucket_public_access_block"
"S3 encryption should use Customer Managed Keys"
"S3 encryption should use Customer Managed Keys"
"S3 DNS Compliant Bucket Names"
"S3 DNS Compliant Bucket Names"
"S3 Bucket Logging"
"S3 Bucket Logging"

Some misconfigs are duplicated, since Trivy also scans local modules.
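
The list above shows every finding twice because the same file, modules/s3/main.tf, is evaluated once through the root module and once with modules/s3 treated as a root of its own. Until the scanner stops doing that, a report consumer can collapse the copies itself. The script below is an added example (not Trivy's code and not something posted in this thread): it keys each misconfiguration on rule ID, target file, resource address and line span, which is what the two copies share, and drops repeats. The field names (Results[].Target, Misconfigurations[].ID/Title/Severity/CauseMetadata.Resource/StartLine/EndLine) follow Trivy's JSON report schema; the embedded report itself is constructed to reproduce the symptom, not captured from a real run. Because both copies are attributed to the same target, the JSON does not record which scan root produced which copy, so this can only remove duplicates, not tell you the call chain.

```python
"""Added example, not Trivy's own code: collapse findings that come back twice
when a local Terraform module is scanned both through its caller and as a root."""
import json
import sys
from collections import OrderedDict

# Constructed sample modelled on Trivy's JSON report (SchemaVersion 2). It is not
# captured output; it only reproduces the symptom from the issue, where the
# findings on modules/s3/main.tf are reported once per scan root.
_FINDINGS = [
    {
        "ID": "AVD-AWS-0088",
        "Title": "Unencrypted S3 bucket.",
        "Severity": "HIGH",
        "CauseMetadata": {"Resource": "aws_s3_bucket.s3_bucket",
                          "StartLine": 11, "EndLine": 13},
    },
    {
        "ID": "AVD-AWS-0090",
        "Title": "S3 Data should be versioned",
        "Severity": "MEDIUM",
        "CauseMetadata": {"Resource": "aws_s3_bucket.s3_bucket",
                          "StartLine": 11, "EndLine": 13},
    },
]

SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": ".",
    "ArtifactType": "filesystem",
    "Results": [
        # evaluated through module "test" from the root module "."
        {"Target": "modules/s3/main.tf", "Class": "config", "Type": "terraform",
         "Misconfigurations": _FINDINGS},
        # the same file evaluated again with modules/s3 treated as its own root
        {"Target": "modules/s3/main.tf", "Class": "config", "Type": "terraform",
         "Misconfigurations": _FINDINGS},
    ],
})


def finding_key(target, misconf):
    """Identity of a finding: rule, file, resource address and line span."""
    cause = misconf.get("CauseMetadata") or {}
    return (misconf.get("ID"), target, cause.get("Resource"),
            cause.get("StartLine"), cause.get("EndLine"))


def dedupe_misconfigs(report_json):
    """Return (unique_findings, dropped_count) for a Trivy JSON report.

    First-seen order is preserved so the output is stable between runs.
    """
    report = json.loads(report_json)
    unique = OrderedDict()
    dropped = 0
    # "Results" is null rather than [] when Trivy detected no config files,
    # and "Misconfigurations" is absent for targets without findings.
    for result in report.get("Results") or []:
        target = result.get("Target")
        for misconf in result.get("Misconfigurations") or []:
            key = finding_key(target, misconf)
            if key in unique:
                dropped += 1
                continue
            unique[key] = {
                "ID": misconf.get("ID"),
                "Title": misconf.get("Title"),
                "Severity": misconf.get("Severity"),
                "Target": target,
                "Resource": (misconf.get("CauseMetadata") or {}).get("Resource"),
            }
    return list(unique.values()), dropped


def unique_titles(report_json):
    """The view the jq pipeline in the issue gives, with duplicates removed."""
    findings, _ = dedupe_misconfigs(report_json)
    return [f["Title"] for f in findings]


if __name__ == "__main__":
    # Pipe a real report in: trivy config . -f json | python3 dedupe.py
    raw = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    findings, dropped = dedupe_misconfigs(raw)
    for f in findings:
        print(f'{f["Severity"]:8} {f["ID"]}  {f["Target"]}  {f["Resource"]}  {f["Title"]}')
    print(f"{len(findings)} unique, {dropped} duplicate(s) collapsed", file=sys.stderr)
```

Keying on the line span as well as the resource address matters: two distinct `aws_s3_bucket` resources in different files with the same rule failing are separate findings and must survive, while the two copies of one resource share every key component.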

nikpivkin commented 1 year ago

By the way, Trivy says that it found 3 configuration files, but there are only 2 of them:

tree
.
├── main.tf
└── modules
    └── s3
        └── main.tf
simar7 commented 1 year ago

> By the way, Trivy says that it found 3 configuration files, but there are only 2 of them:
>
> tree
> .
> ├── main.tf
> └── modules
>     └── s3
>         └── main.tf

This is probably why

2023-08-14T16:47:42.303-0600    DEBUG   Scanned config file: modules/s3
2023-08-14T16:47:42.303-0600    DEBUG   Scanned config file: modules/s3/main.tf
2023-08-14T16:47:42.303-0600    DEBUG   Scanned config file: .
tree -a
.
├── main.tf
└── modules
    └── s3
        └── main.tf

3 directories, 2 files
simar7 commented 1 year ago

In such case, what output do you expect to see? Two cases can be made:

  1. We only show the main.tf issues, anything that main.tf imports or is a reference outside of main.tf, for instance in modules/s3/main.tf, will be pointed to as a source from main.tf. Doing this will make us lose visibility into modules/s3/main.tf.
  2. We only show the modules/s3/main.tf results and refer to them when showing misconfiguration scan results. In such a case it is easy to point to the user where the problem actually originated but it might not be the first place they would look in as that would be main.tf and not modules/s3/main.tf.

Another option we can have is "via". Instead of showing 2 separate results for the 2 main.tf files, we can show one result but refer to the chain. See example below:

main.tf:3
  via modules/s3/main.tf:12
nikpivkin commented 1 year ago

@simar7 I expect to see the same result as when using remote modules, for example from the terraform registry. This rather refers to the via option.

module "s3_bucket" {
  source = "terraform-aws-modules/s3-bucket/aws"

  bucket = "my-s3-bucket"
  acl    = "private"

  control_object_ownership = true
  object_ownership         = "ObjectWriter"
}

Output:

trivy config . -d
2023-08-15T09:37:35.684+0700    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-08-15T09:37:35.693+0700    DEBUG   cache dir:  /Users/tososomaru/Library/Caches/trivy
2023-08-15T09:37:35.693+0700    DEBUG   Module dir: /Users/tososomaru/.trivy/modules
2023-08-15T09:37:35.693+0700    INFO    Misconfiguration scanning is enabled
2023-08-15T09:37:35.693+0700    DEBUG   Policies successfully loaded from disk
2023-08-15T09:37:35.714+0700    DEBUG   Walk the file tree rooted at '.' in parallel
2023-08-15T09:37:35.715+0700    DEBUG   Scanning Terraform files for misconfigurations...
2023-08-15T09:37:39.460+0700    DEBUG   OS is not detected.
2023-08-15T09:37:39.460+0700    INFO    Detected config files: 2
2023-08-15T09:37:39.460+0700    DEBUG   Scanned config file: .
2023-08-15T09:37:39.460+0700    DEBUG   Scanned config file: git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=v3.14.1/main.tf

git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=v3.14.1/main.tf (terraform)

Tests: 11 (SUCCESSES: 6, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (UNKNOWN: 0, LOW: 1, MEDIUM: 2, HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
═══════════════════════════════════════════════════════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
───────────────────────────────────────────────────────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=v3.14.1/main.tf:21-30
───────────────────────────────────────────────────────────────────────────────────────────
  21 ┌ resource "aws_s3_bucket" "this" {
  22 │   count = local.create_bucket ? 1 : 0
  23 │ 
  24 │   bucket        = var.bucket
  25 │   bucket_prefix = var.bucket_prefix
  26 │ 
  27 │   force_destroy       = var.force_destroy
  28 │   object_lock_enabled = var.object_lock_enabled
  29 │   tags                = var.tags
  30 └ }
───────────────────────────────────────────────────────────────────────────────────────────

MEDIUM: Bucket does not have logging enabled
═══════════════════════════════════════════════════════════════════════════════════════════
Buckets should have logging enabled so that access can be audited.

See https://avd.aquasec.com/misconfig/avd-aws-0089
───────────────────────────────────────────────────────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=v3.14.1/main.tf:21-30
───────────────────────────────────────────────────────────────────────────────────────────
  21 ┌ resource "aws_s3_bucket" "this" {
  22 │   count = local.create_bucket ? 1 : 0
  23 │ 
  24 │   bucket        = var.bucket
  25 │   bucket_prefix = var.bucket_prefix
  26 │ 
  27 │   force_destroy       = var.force_destroy
  28 │   object_lock_enabled = var.object_lock_enabled
  29 │   tags                = var.tags
  30 └ }
───────────────────────────────────────────────────────────────────────────────────────────

MEDIUM: Bucket does not have versioning enabled
═══════════════════════════════════════════════════════════════════════════════════════════

Versioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. 
You can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. 
With versioning you can recover more easily from both unintended user actions and application failures.

See https://avd.aquasec.com/misconfig/avd-aws-0090
───────────────────────────────────────────────────────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=v3.14.1/main.tf:21-30
───────────────────────────────────────────────────────────────────────────────────────────
  21 ┌ resource "aws_s3_bucket" "this" {
  22 │   count = local.create_bucket ? 1 : 0
  23 │ 
  24 │   bucket        = var.bucket
  25 │   bucket_prefix = var.bucket_prefix
  26 │ 
  27 │   force_destroy       = var.force_destroy
  28 │   object_lock_enabled = var.object_lock_enabled
  29 │   tags                = var.tags
  30 └ }
───────────────────────────────────────────────────────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
═══════════════════════════════════════════════════════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
───────────────────────────────────────────────────────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=v3.14.1/main.tf:21-30
───────────────────────────────────────────────────────────────────────────────────────────
  21 ┌ resource "aws_s3_bucket" "this" {
  22 │   count = local.create_bucket ? 1 : 0
  23 │ 
  24 │   bucket        = var.bucket
  25 │   bucket_prefix = var.bucket_prefix
  26 │ 
  27 │   force_destroy       = var.force_destroy
  28 │   object_lock_enabled = var.object_lock_enabled
  29 │   tags                = var.tags
  30 └ }
───────────────────────────────────────────────────────────────────────────────────────────

LOW: Bucket has logging disabled
═══════════════════════════════════════════════════════════════════════════════════════════
Ensures S3 bucket logging is enabled for S3 buckets.

See https://avd.aquasec.com/misconfig/n/a
───────────────────────────────────────────────────────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=v3.14.1/main.tf:21-30
───────────────────────────────────────────────────────────────────────────────────────────
  21 ┌ resource "aws_s3_bucket" "this" {
  22 │   count = local.create_bucket ? 1 : 0
  23 │ 
  24 │   bucket        = var.bucket
  25 │   bucket_prefix = var.bucket_prefix
  26 │ 
  27 │   force_destroy       = var.force_destroy
  28 │   object_lock_enabled = var.object_lock_enabled
  29 │   tags                = var.tags
  30 └ }
───────────────────────────────────────────────────────────────────────────────────────────

As you can see, there is no duplication.

simar7 commented 1 year ago

It's unclear to me what needs to be done here. @nikpivkin can you elaborate?

nikpivkin commented 1 year ago

@simar7 I expect Trivy to not scan child local modules as separate configurations (same behavior as with remote modules).

kernle32dll commented 11 months ago

I don't know why, but this change breaks subfolders in the strangest manner.

E.g., if you put the files in the original issue like this:

modules/s3/main.tf -> testcase/modules/s3/main.tf
modules/main.tf -> testcase/main.tf

Executing trivy config --debug . -f json | jq '.Results[] | .Misconfigurations | .[]?.Title' in .:

2023-11-02T23:48:26.380+0100    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-11-02T23:48:26.404+0100    DEBUG   cache dir:  /home/bgerda/.cache/trivy
2023-11-02T23:48:26.404+0100    INFO    Misconfiguration scanning is enabled
2023-11-02T23:48:26.404+0100    DEBUG   Policies successfully loaded from disk
2023-11-02T23:48:26.414+0100    DEBUG   The nuget packages directory couldn't be found. License search disabled
2023-11-02T23:48:26.428+0100    DEBUG   Walk the file tree rooted at '.' in parallel
2023-11-02T23:48:26.428+0100    DEBUG   Scanning Terraform files for misconfigurations...
2023-11-02T23:48:27.051+0100    DEBUG   OS is not detected.
2023-11-02T23:48:27.051+0100    INFO    Detected config files: 2
2023-11-02T23:48:27.051+0100    DEBUG   Scanned config file: testcase
2023-11-02T23:48:27.051+0100    DEBUG   Scanned config file: terraform-aws-modules/s3-bucket/aws/main.tf
"Unencrypted S3 bucket."
"S3 Bucket Logging"
"S3 Data should be versioned"
"S3 encryption should use Customer Managed Keys"

Executing trivy config --debug testcase -f json | jq '.Results[] | .Misconfigurations | .[]?.Title' in .:

2023-11-02T23:49:06.381+0100    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-11-02T23:49:06.397+0100    DEBUG   cache dir:  /home/bgerda/.cache/trivy
2023-11-02T23:49:06.397+0100    INFO    Misconfiguration scanning is enabled
2023-11-02T23:49:06.397+0100    DEBUG   Policies successfully loaded from disk
2023-11-02T23:49:06.412+0100    DEBUG   The nuget packages directory couldn't be found. License search disabled
2023-11-02T23:49:06.412+0100    DEBUG   Walk the file tree rooted at 'testcase' in parallel
2023-11-02T23:49:06.412+0100    DEBUG   Scanning Terraform files for misconfigurations...
2023-11-02T23:49:06.979+0100    DEBUG   OS is not detected.
2023-11-02T23:49:06.979+0100    INFO    Detected config files: 0
jq: error (at <stdin>:17): Cannot iterate over null (null)

Executing trivy config --debug testcase -f json | jq '.Results[] | .Misconfigurations | .[]?.Title' in testcase:

2023-11-02T23:49:49.739+0100    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-11-02T23:49:49.761+0100    DEBUG   cache dir:  /home/bgerda/.cache/trivy
2023-11-02T23:49:49.761+0100    INFO    Misconfiguration scanning is enabled
2023-11-02T23:49:49.761+0100    DEBUG   Policies successfully loaded from disk
2023-11-02T23:49:49.774+0100    DEBUG   The nuget packages directory couldn't be found. License search disabled
2023-11-02T23:49:49.786+0100    DEBUG   Walk the file tree rooted at '.' in parallel
2023-11-02T23:49:49.786+0100    DEBUG   Scanning Terraform files for misconfigurations...
2023-11-02T23:49:50.361+0100    DEBUG   OS is not detected.
2023-11-02T23:49:50.361+0100    INFO    Detected config files: 0
jq: error (at <stdin>:17): Cannot iterate over null (null)

I would assume all 3 cases to yield the same result.

nikpivkin commented 11 months ago

Hi @kernle32dll !

Could you please share the configuration files? I could not reproduce your problem with the sample files above.

kernle32dll commented 11 months ago

> Hi @kernle32dll !
>
> Could you please share the configuration files? I could not reproduce your problem with the sample files above.

Okay, I have no idea what I was doing yesterday, but I can't actually replicate the issue now. I do have the issue with my actual terraform project files, but I cannot share them at this point. I will try to condense a version that I can share.

kernle32dll commented 11 months ago

Okay, I have "something". The setup is a bit lengthy, and I am not entirely sure what I am seeing here. But the kicker is for the terraform files to be in a subfolder (called terraform here), and doing something with remote modules.

terraform/main.tf:

module "s3" {
  source = "./modules/s3"
}

module "backup" {
  source = "git::https://github.com/terraform-google-modules/terraform-google-vm.git?ref=v10.1.0"
}

terraform/modules/s3/main.tf:

variable "s3_object_versioning" {
  description = "Enable S3 Object Versioning [Enabled Suspended Disabled]"
  type        = string

  validation {
    condition     = contains(["Enabled", "Suspended", "Disabled"], var.s3_object_versioning)
    error_message = "The Variable s3_object_versioning can only contain [Enabled, Suspended, Disabled]"
  }
}

resource "aws_s3_bucket" "s3_bucket" {
  bucket = "test.bucket"
}

resource "aws_s3_bucket_versioning" "versioning" {
  bucket = aws_s3_bucket.s3_bucket.id
  versioning_configuration {
    status = var.s3_object_versioning
  }
}

First, test with v0.46.1. Everything works as expected:

worker@claystone-worker1 ~/tftest % curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b ./bin v0.46.1
aquasecurity/trivy info checking GitHub for tag 'v0.46.1'
aquasecurity/trivy info found version: 0.46.1 for v0.46.1/Linux/64bit
aquasecurity/trivy info installed ./bin/trivy
worker@claystone-worker1 ~/tftest % ./bin/trivy config . --debug > /dev/null                                                                 
2023-11-06T03:28:53.790+0100    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-11-06T03:28:53.792+0100    DEBUG   cache dir:  /home/worker/.cache/trivy
2023-11-06T03:28:53.792+0100    INFO    Misconfiguration scanning is enabled
2023-11-06T03:28:53.792+0100    DEBUG   Policies successfully loaded from disk
2023-11-06T03:28:53.807+0100    DEBUG   The nuget packages directory couldn't be found. License search disabled
2023-11-06T03:28:53.827+0100    DEBUG   Walk the file tree rooted at '.' in parallel
2023-11-06T03:28:53.828+0100    DEBUG   Scanning Terraform files for misconfigurations...
2023-11-06T03:28:55.055+0100    DEBUG   OS is not detected.
2023-11-06T03:28:55.056+0100    INFO    Detected config files: 2
2023-11-06T03:28:55.056+0100    DEBUG   Scanned config file: terraform
2023-11-06T03:28:55.056+0100    DEBUG   Scanned config file: terraform/modules/s3/main.tf
worker@claystone-worker1 ~/tftest % ./bin/trivy config terraform --debug > /dev/null 
2023-11-06T03:29:00.061+0100    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-11-06T03:29:00.064+0100    DEBUG   cache dir:  /home/worker/.cache/trivy
2023-11-06T03:29:00.064+0100    INFO    Misconfiguration scanning is enabled
2023-11-06T03:29:00.065+0100    DEBUG   Policies successfully loaded from disk
2023-11-06T03:29:00.093+0100    DEBUG   The nuget packages directory couldn't be found. License search disabled
2023-11-06T03:29:00.098+0100    DEBUG   Walk the file tree rooted at 'terraform' in parallel
2023-11-06T03:29:00.098+0100    DEBUG   Scanning Terraform files for misconfigurations...
2023-11-06T03:29:01.328+0100    DEBUG   OS is not detected.
2023-11-06T03:29:01.328+0100    INFO    Detected config files: 2
2023-11-06T03:29:01.328+0100    DEBUG   Scanned config file: .
2023-11-06T03:29:01.328+0100    DEBUG   Scanned config file: modules/s3/main.tf

But if we do a terraform init now...

worker@claystone-worker1 ~/tftest % terraform -chdir=terraform init                 

Initializing the backend...
Initializing modules...
Downloading git::https://github.com/terraform-google-modules/terraform-google-vm.git?ref=v10.1.0 for backup...
- backup in .terraform/modules/backup
- s3 in modules/s3

Initializing provider plugins...
- Reusing previous version of hashicorp/aws from the dependency lock file
- Installing hashicorp/aws v5.24.0...
- Installed hashicorp/aws v5.24.0 (signed by HashiCorp)

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
terraform -chdir=terraform init  11.52s user 1.25s system 90% cpu 14.058 total

... The output changes. Note how it includes the .terraform files, but the terraform (or .) folder, as well as modules/s3/main.tf, is missing from the second command.

worker@claystone-worker1 ~/tftest % ./bin/trivy config . --debug > /dev/null        
2023-11-06T03:34:07.459+0100    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-11-06T03:34:07.462+0100    DEBUG   cache dir:  /home/worker/.cache/trivy
2023-11-06T03:34:07.462+0100    INFO    Misconfiguration scanning is enabled
2023-11-06T03:34:07.462+0100    DEBUG   Policies successfully loaded from disk
2023-11-06T03:34:07.471+0100    DEBUG   The nuget packages directory couldn't be found. License search disabled
2023-11-06T03:34:07.495+0100    DEBUG   Walk the file tree rooted at '.' in parallel
2023-11-06T03:34:07.501+0100    DEBUG   Scanning Helm files for misconfigurations...
2023-11-06T03:34:07.571+0100    DEBUG   Scanning Kubernetes files for misconfigurations...
2023-11-06T03:34:15.121+0100    DEBUG   Scanning Terraform files for misconfigurations...
2023-11-06T03:34:18.174+0100    DEBUG   OS is not detected.
2023-11-06T03:34:18.174+0100    INFO    Detected config files: 41
2023-11-06T03:34:18.174+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/test/fixtures/instance_template/additional_disks
2023-11-06T03:34:18.174+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/test/fixtures/instance_template/alias_ip_range
2023-11-06T03:34:18.174+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/test/fixtures/instance_template/simple
2023-11-06T03:34:18.174+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/test/fixtures/mig_stateful
2023-11-06T03:34:18.174+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/test/fixtures/mig_with_percent/simple
2023-11-06T03:34:18.174+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/test/fixtures/shared
2023-11-06T03:34:18.174+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/test/fixtures/shared/network.tf
2023-11-06T03:34:18.174+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/test/fixtures/umig/static_ips
2023-11-06T03:34:18.174+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/test/fixtures/umig/named_ports
2023-11-06T03:34:18.174+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/test/fixtures/umig/simple
2023-11-06T03:34:18.174+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/test/fixtures/instance_simple
2023-11-06T03:34:18.174+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/test/fixtures/mig/autoscaler
2023-11-06T03:34:18.174+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/test/fixtures/mig/healthcheck
2023-11-06T03:34:18.174+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/test/fixtures/mig/simple
2023-11-06T03:34:18.174+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/test/fixtures/preemptible_and_regular_instance_templates/simple
2023-11-06T03:34:18.174+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/test/fixtures/compute_instance/disk_snapshot
2023-11-06T03:34:18.174+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/test/fixtures/compute_instance/simple_zone
2023-11-06T03:34:18.174+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/test/setup
2023-11-06T03:34:18.174+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/test/setup/iam.tf
2023-11-06T03:34:18.174+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/examples/mig/full
2023-11-06T03:34:18.174+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/examples/mig/healthcheck/main.tf
2023-11-06T03:34:18.174+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/examples/mig_stateful/main.tf
2023-11-06T03:34:18.174+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/examples/umig/full
2023-11-06T03:34:18.174+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/examples/compute_instance/multiple_interfaces/main.tf
2023-11-06T03:34:18.174+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/examples/compute_instance/multiple_interfaces
2023-11-06T03:34:18.174+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/examples/compute_instance/next_hop
2023-11-06T03:34:18.174+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/examples/compute_instance/next_hop/main.tf
2023-11-06T03:34:18.174+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/examples/compute_instance/tags/main.tf
2023-11-06T03:34:18.174+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/examples/compute_instance/tags
2023-11-06T03:34:18.174+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/examples/instance_template/encrypted_disks
2023-11-06T03:34:18.174+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/examples/instance_template/encrypted_disks/main.tf
2023-11-06T03:34:18.174+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/metadata.yaml
2023-11-06T03:34:18.175+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/modules/umig/metadata.yaml
2023-11-06T03:34:18.176+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/modules/compute_disk_snapshot/metadata.yaml
2023-11-06T03:34:18.177+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/modules/compute_instance/metadata.yaml
2023-11-06T03:34:18.178+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/modules/instance_template/metadata.yaml
2023-11-06T03:34:18.179+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/modules/mig/metadata.yaml
2023-11-06T03:34:18.180+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/modules/mig_with_percent/metadata.yaml
2023-11-06T03:34:18.181+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/modules/preemptible_and_regular_instance_templates/metadata.yaml
2023-11-06T03:34:18.182+0100    DEBUG   Scanned config file: terraform/modules/s3/main.tf
2023-11-06T03:34:18.182+0100    DEBUG   Scanned config file: terraform
worker@claystone-worker1 ~/tftest % ./bin/trivy config terraform --debug > /dev/null
2023-11-06T03:34:28.998+0100    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-11-06T03:34:28.999+0100    DEBUG   cache dir:  /home/worker/.cache/trivy
2023-11-06T03:34:28.999+0100    INFO    Misconfiguration scanning is enabled
2023-11-06T03:34:29.000+0100    DEBUG   Policies successfully loaded from disk
2023-11-06T03:34:29.014+0100    DEBUG   The nuget packages directory couldn't be found. License search disabled
2023-11-06T03:34:29.033+0100    DEBUG   Walk the file tree rooted at 'terraform' in parallel
2023-11-06T03:34:29.122+0100    DEBUG   Scanning Kubernetes files for misconfigurations...
2023-11-06T03:34:36.733+0100    DEBUG   Scanning Helm files for misconfigurations...
2023-11-06T03:34:36.739+0100    DEBUG   Scanning Terraform files for misconfigurations...
2023-11-06T03:34:39.810+0100    DEBUG   OS is not detected.
2023-11-06T03:34:39.810+0100    INFO    Detected config files: 39
2023-11-06T03:34:39.810+0100    DEBUG   Scanned config file: .terraform/modules/backup/examples/umig/full
2023-11-06T03:34:39.810+0100    DEBUG   Scanned config file: .terraform/modules/backup/examples/compute_instance/multiple_interfaces
2023-11-06T03:34:39.810+0100    DEBUG   Scanned config file: .terraform/modules/backup/examples/compute_instance/multiple_interfaces/main.tf
2023-11-06T03:34:39.810+0100    DEBUG   Scanned config file: .terraform/modules/backup/examples/compute_instance/next_hop
2023-11-06T03:34:39.810+0100    DEBUG   Scanned config file: .terraform/modules/backup/examples/compute_instance/next_hop/main.tf
2023-11-06T03:34:39.811+0100    DEBUG   Scanned config file: .terraform/modules/backup/examples/compute_instance/tags
2023-11-06T03:34:39.811+0100    DEBUG   Scanned config file: .terraform/modules/backup/examples/compute_instance/tags/main.tf
2023-11-06T03:34:39.811+0100    DEBUG   Scanned config file: .terraform/modules/backup/examples/instance_template/encrypted_disks/main.tf
2023-11-06T03:34:39.811+0100    DEBUG   Scanned config file: .terraform/modules/backup/examples/instance_template/encrypted_disks
2023-11-06T03:34:39.811+0100    DEBUG   Scanned config file: .terraform/modules/backup/examples/mig/full
2023-11-06T03:34:39.811+0100    DEBUG   Scanned config file: .terraform/modules/backup/examples/mig/healthcheck/main.tf
2023-11-06T03:34:39.811+0100    DEBUG   Scanned config file: .terraform/modules/backup/examples/mig_stateful/main.tf
2023-11-06T03:34:39.811+0100    DEBUG   Scanned config file: .terraform/modules/backup/metadata.yaml
2023-11-06T03:34:39.811+0100    DEBUG   Scanned config file: .terraform/modules/backup/modules/mig_with_percent/metadata.yaml
2023-11-06T03:34:39.811+0100    DEBUG   Scanned config file: .terraform/modules/backup/modules/preemptible_and_regular_instance_templates/metadata.yaml
2023-11-06T03:34:39.811+0100    DEBUG   Scanned config file: .terraform/modules/backup/modules/umig/metadata.yaml
2023-11-06T03:34:39.812+0100    DEBUG   Scanned config file: .terraform/modules/backup/modules/compute_disk_snapshot/metadata.yaml
2023-11-06T03:34:39.812+0100    DEBUG   Scanned config file: .terraform/modules/backup/modules/compute_instance/metadata.yaml
2023-11-06T03:34:39.812+0100    DEBUG   Scanned config file: .terraform/modules/backup/modules/instance_template/metadata.yaml
2023-11-06T03:34:39.812+0100    DEBUG   Scanned config file: .terraform/modules/backup/modules/mig/metadata.yaml
2023-11-06T03:34:39.812+0100    DEBUG   Scanned config file: .terraform/modules/backup/test/fixtures/instance_simple
2023-11-06T03:34:39.812+0100    DEBUG   Scanned config file: .terraform/modules/backup/test/fixtures/instance_template/additional_disks
2023-11-06T03:34:39.812+0100    DEBUG   Scanned config file: .terraform/modules/backup/test/fixtures/instance_template/alias_ip_range
2023-11-06T03:34:39.812+0100    DEBUG   Scanned config file: .terraform/modules/backup/test/fixtures/instance_template/simple
2023-11-06T03:34:39.812+0100    DEBUG   Scanned config file: .terraform/modules/backup/test/fixtures/mig/autoscaler
2023-11-06T03:34:39.812+0100    DEBUG   Scanned config file: .terraform/modules/backup/test/fixtures/mig/healthcheck
2023-11-06T03:34:39.812+0100    DEBUG   Scanned config file: .terraform/modules/backup/test/fixtures/mig/simple
2023-11-06T03:34:39.812+0100    DEBUG   Scanned config file: .terraform/modules/backup/test/fixtures/mig_stateful
2023-11-06T03:34:39.812+0100    DEBUG   Scanned config file: .terraform/modules/backup/test/fixtures/shared/network.tf
2023-11-06T03:34:39.812+0100    DEBUG   Scanned config file: .terraform/modules/backup/test/fixtures/shared
2023-11-06T03:34:39.812+0100    DEBUG   Scanned config file: .terraform/modules/backup/test/fixtures/compute_instance/disk_snapshot
2023-11-06T03:34:39.813+0100    DEBUG   Scanned config file: .terraform/modules/backup/test/fixtures/compute_instance/simple_zone
2023-11-06T03:34:39.813+0100    DEBUG   Scanned config file: .terraform/modules/backup/test/fixtures/mig_with_percent/simple
2023-11-06T03:34:39.813+0100    DEBUG   Scanned config file: .terraform/modules/backup/test/fixtures/preemptible_and_regular_instance_templates/simple
2023-11-06T03:34:39.813+0100    DEBUG   Scanned config file: .terraform/modules/backup/test/fixtures/umig/named_ports
2023-11-06T03:34:39.813+0100    DEBUG   Scanned config file: .terraform/modules/backup/test/fixtures/umig/simple
2023-11-06T03:34:39.813+0100    DEBUG   Scanned config file: .terraform/modules/backup/test/fixtures/umig/static_ips
2023-11-06T03:34:39.813+0100    DEBUG   Scanned config file: .terraform/modules/backup/test/setup
2023-11-06T03:34:39.813+0100    DEBUG   Scanned config file: .terraform/modules/backup/test/setup/iam.tf

When using v0.45.1, there is no difference between the two command variants.

worker@claystone-worker1 ~/tftest % curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b ./bin v0.45.1
aquasecurity/trivy info checking GitHub for tag 'v0.45.1'
aquasecurity/trivy info found version: 0.45.1 for v0.45.1/Linux/64bit
aquasecurity/trivy info installed ./bin/trivy
worker@claystone-worker1 ~/tftest % ./bin/trivy config . --debug > /dev/null                                                                  
2023-11-06T03:37:14.861+0100    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-11-06T03:37:14.864+0100    DEBUG   cache dir:  /home/worker/.cache/trivy
2023-11-06T03:37:14.864+0100    INFO    Misconfiguration scanning is enabled
2023-11-06T03:37:14.864+0100    DEBUG   Policies successfully loaded from disk
2023-11-06T03:37:14.898+0100    DEBUG   Walk the file tree rooted at '.' in parallel
2023-11-06T03:37:14.914+0100    DEBUG   Scanning Terraform files for misconfigurations...
2023-11-06T03:37:18.983+0100    DEBUG   Scanning Helm files for misconfigurations...
2023-11-06T03:37:18.985+0100    DEBUG   GOPATH (/home/worker/go/pkg/mod) not found. Need 'go mod download' to fill licenses and dependency relationships
2023-11-06T03:37:19.017+0100    DEBUG   Scanning Kubernetes files for misconfigurations...
2023-11-06T03:37:26.905+0100    DEBUG   OS is not detected.
2023-11-06T03:37:26.906+0100    INFO    Detected config files: 63
2023-11-06T03:37:26.906+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/metadata.yaml
2023-11-06T03:37:26.906+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/modules/mig_with_percent
2023-11-06T03:37:26.906+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/modules/mig_with_percent/metadata.yaml
2023-11-06T03:37:26.906+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/modules/preemptible_and_regular_instance_templates
2023-11-06T03:37:26.906+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/modules/preemptible_and_regular_instance_templates/metadata.yaml
2023-11-06T03:37:26.906+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/modules/umig
2023-11-06T03:37:26.906+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/modules/umig/metadata.yaml
2023-11-06T03:37:26.906+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/modules/compute_disk_snapshot
2023-11-06T03:37:26.906+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/modules/compute_disk_snapshot/metadata.yaml
2023-11-06T03:37:26.907+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/modules/compute_instance
2023-11-06T03:37:26.907+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/modules/compute_instance/metadata.yaml
2023-11-06T03:37:26.907+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/modules/instance_template/metadata.yaml
2023-11-06T03:37:26.907+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/modules/instance_template
2023-11-06T03:37:26.907+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/modules/mig
2023-11-06T03:37:26.907+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/modules/mig/metadata.yaml
2023-11-06T03:37:26.907+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/test/fixtures/compute_instance/disk_snapshot
2023-11-06T03:37:26.907+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/test/fixtures/compute_instance/simple_zone
2023-11-06T03:37:26.907+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/test/fixtures/instance_simple
2023-11-06T03:37:26.907+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/test/fixtures/mig/autoscaler
2023-11-06T03:37:26.907+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/test/fixtures/mig/healthcheck
2023-11-06T03:37:26.907+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/test/fixtures/mig/simple
2023-11-06T03:37:26.907+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/test/fixtures/mig_stateful
2023-11-06T03:37:26.907+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/test/fixtures/mig_with_percent/simple
2023-11-06T03:37:26.907+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/test/fixtures/instance_template/simple
2023-11-06T03:37:26.907+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/test/fixtures/instance_template/additional_disks
2023-11-06T03:37:26.907+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/test/fixtures/instance_template/alias_ip_range
2023-11-06T03:37:26.907+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/test/fixtures/preemptible_and_regular_instance_templates/simple
2023-11-06T03:37:26.907+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/test/fixtures/shared
2023-11-06T03:37:26.907+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/test/fixtures/shared/network.tf
2023-11-06T03:37:26.907+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/test/fixtures/umig/static_ips
2023-11-06T03:37:26.907+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/test/fixtures/umig/named_ports
2023-11-06T03:37:26.907+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/test/fixtures/umig/simple
2023-11-06T03:37:26.907+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/test/setup
2023-11-06T03:37:26.907+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/test/setup/iam.tf
2023-11-06T03:37:26.907+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/examples/compute_instance/disk_snapshot
2023-11-06T03:37:26.907+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/examples/compute_instance/multiple_interfaces
2023-11-06T03:37:26.907+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/examples/compute_instance/multiple_interfaces/main.tf
2023-11-06T03:37:26.907+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/examples/compute_instance/next_hop
2023-11-06T03:37:26.907+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/examples/compute_instance/next_hop/main.tf
2023-11-06T03:37:26.907+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/examples/compute_instance/simple
2023-11-06T03:37:26.907+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/examples/compute_instance/tags/main.tf
2023-11-06T03:37:26.907+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/examples/compute_instance/tags
2023-11-06T03:37:26.907+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/examples/instance_template/additional_disks
2023-11-06T03:37:26.907+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/examples/instance_template/alias_ip_range
2023-11-06T03:37:26.907+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/examples/instance_template/encrypted_disks/main.tf
2023-11-06T03:37:26.907+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/examples/instance_template/encrypted_disks
2023-11-06T03:37:26.908+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/examples/instance_template/simple
2023-11-06T03:37:26.908+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/examples/mig/autoscaler
2023-11-06T03:37:26.908+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/examples/mig/full
2023-11-06T03:37:26.908+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/examples/mig/healthcheck/main.tf
2023-11-06T03:37:26.908+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/examples/mig/healthcheck
2023-11-06T03:37:26.908+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/examples/mig/simple
2023-11-06T03:37:26.908+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/examples/mig_stateful
2023-11-06T03:37:26.908+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/examples/mig_stateful/main.tf
2023-11-06T03:37:26.908+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/examples/mig_with_percent/simple
2023-11-06T03:37:26.908+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/examples/preemptible_and_regular_instance_templates/simple
2023-11-06T03:37:26.908+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/examples/umig/full
2023-11-06T03:37:26.908+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/examples/umig/named_ports
2023-11-06T03:37:26.908+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/examples/umig/simple
2023-11-06T03:37:26.908+0100    DEBUG   Scanned config file: terraform/.terraform/modules/backup/examples/umig/static_ips
2023-11-06T03:37:26.908+0100    DEBUG   Scanned config file: terraform
2023-11-06T03:37:26.908+0100    DEBUG   Scanned config file: terraform/modules/s3
2023-11-06T03:37:26.908+0100    DEBUG   Scanned config file: terraform/modules/s3/main.tf
worker@claystone-worker1 ~/tftest % ./bin/trivy config terraform --debug > /dev/null                                                                
2023-11-06T03:37:35.195+0100    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-11-06T03:37:35.197+0100    DEBUG   cache dir:  /home/worker/.cache/trivy
2023-11-06T03:37:35.197+0100    INFO    Misconfiguration scanning is enabled
2023-11-06T03:37:35.198+0100    DEBUG   Policies successfully loaded from disk
2023-11-06T03:37:35.232+0100    DEBUG   Walk the file tree rooted at 'terraform' in parallel
2023-11-06T03:37:35.294+0100    DEBUG   Scanning Terraform files for misconfigurations...
2023-11-06T03:37:39.205+0100    DEBUG   GOPATH (/home/worker/go/pkg/mod) not found. Need 'go mod download' to fill licenses and dependency relationships
2023-11-06T03:37:39.207+0100    DEBUG   Scanning Helm files for misconfigurations...
2023-11-06T03:37:39.233+0100    DEBUG   Scanning Kubernetes files for misconfigurations...
2023-11-06T03:37:47.230+0100    DEBUG   OS is not detected.
2023-11-06T03:37:47.230+0100    INFO    Detected config files: 63
2023-11-06T03:37:47.230+0100    DEBUG   Scanned config file: .terraform/modules/backup/metadata.yaml
2023-11-06T03:37:47.230+0100    DEBUG   Scanned config file: .terraform/modules/backup/modules/compute_disk_snapshot
2023-11-06T03:37:47.230+0100    DEBUG   Scanned config file: .terraform/modules/backup/modules/compute_disk_snapshot/metadata.yaml
2023-11-06T03:37:47.230+0100    DEBUG   Scanned config file: .terraform/modules/backup/modules/compute_instance
2023-11-06T03:37:47.230+0100    DEBUG   Scanned config file: .terraform/modules/backup/modules/compute_instance/metadata.yaml
2023-11-06T03:37:47.230+0100    DEBUG   Scanned config file: .terraform/modules/backup/modules/instance_template
2023-11-06T03:37:47.230+0100    DEBUG   Scanned config file: .terraform/modules/backup/modules/instance_template/metadata.yaml
2023-11-06T03:37:47.230+0100    DEBUG   Scanned config file: .terraform/modules/backup/modules/mig
2023-11-06T03:37:47.230+0100    DEBUG   Scanned config file: .terraform/modules/backup/modules/mig/metadata.yaml
2023-11-06T03:37:47.231+0100    DEBUG   Scanned config file: .terraform/modules/backup/modules/mig_with_percent
2023-11-06T03:37:47.231+0100    DEBUG   Scanned config file: .terraform/modules/backup/modules/mig_with_percent/metadata.yaml
2023-11-06T03:37:47.231+0100    DEBUG   Scanned config file: .terraform/modules/backup/modules/preemptible_and_regular_instance_templates/metadata.yaml
2023-11-06T03:37:47.231+0100    DEBUG   Scanned config file: .terraform/modules/backup/modules/preemptible_and_regular_instance_templates
2023-11-06T03:37:47.231+0100    DEBUG   Scanned config file: .terraform/modules/backup/modules/umig
2023-11-06T03:37:47.231+0100    DEBUG   Scanned config file: .terraform/modules/backup/modules/umig/metadata.yaml
2023-11-06T03:37:47.231+0100    DEBUG   Scanned config file: .terraform/modules/backup/test/fixtures/instance_simple
2023-11-06T03:37:47.231+0100    DEBUG   Scanned config file: .terraform/modules/backup/test/fixtures/instance_template/additional_disks
2023-11-06T03:37:47.231+0100    DEBUG   Scanned config file: .terraform/modules/backup/test/fixtures/instance_template/alias_ip_range
2023-11-06T03:37:47.231+0100    DEBUG   Scanned config file: .terraform/modules/backup/test/fixtures/instance_template/simple
2023-11-06T03:37:47.231+0100    DEBUG   Scanned config file: .terraform/modules/backup/test/fixtures/mig_with_percent/simple
2023-11-06T03:37:47.231+0100    DEBUG   Scanned config file: .terraform/modules/backup/test/fixtures/preemptible_and_regular_instance_templates/simple
2023-11-06T03:37:47.231+0100    DEBUG   Scanned config file: .terraform/modules/backup/test/fixtures/umig/static_ips
2023-11-06T03:37:47.231+0100    DEBUG   Scanned config file: .terraform/modules/backup/test/fixtures/umig/named_ports
2023-11-06T03:37:47.231+0100    DEBUG   Scanned config file: .terraform/modules/backup/test/fixtures/umig/simple
2023-11-06T03:37:47.231+0100    DEBUG   Scanned config file: .terraform/modules/backup/test/fixtures/compute_instance/disk_snapshot
2023-11-06T03:37:47.231+0100    DEBUG   Scanned config file: .terraform/modules/backup/test/fixtures/compute_instance/simple_zone
2023-11-06T03:37:47.231+0100    DEBUG   Scanned config file: .terraform/modules/backup/test/fixtures/mig/autoscaler
2023-11-06T03:37:47.231+0100    DEBUG   Scanned config file: .terraform/modules/backup/test/fixtures/mig/healthcheck
2023-11-06T03:37:47.231+0100    DEBUG   Scanned config file: .terraform/modules/backup/test/fixtures/mig/simple
2023-11-06T03:37:47.231+0100    DEBUG   Scanned config file: .terraform/modules/backup/test/fixtures/mig_stateful
2023-11-06T03:37:47.231+0100    DEBUG   Scanned config file: .terraform/modules/backup/test/fixtures/shared
2023-11-06T03:37:47.231+0100    DEBUG   Scanned config file: .terraform/modules/backup/test/fixtures/shared/network.tf
2023-11-06T03:37:47.231+0100    DEBUG   Scanned config file: .terraform/modules/backup/test/setup
2023-11-06T03:37:47.231+0100    DEBUG   Scanned config file: .terraform/modules/backup/test/setup/iam.tf
2023-11-06T03:37:47.231+0100    DEBUG   Scanned config file: .terraform/modules/backup/examples/mig_with_percent/simple
2023-11-06T03:37:47.231+0100    DEBUG   Scanned config file: .terraform/modules/backup/examples/preemptible_and_regular_instance_templates/simple
2023-11-06T03:37:47.231+0100    DEBUG   Scanned config file: .terraform/modules/backup/examples/umig/simple
2023-11-06T03:37:47.231+0100    DEBUG   Scanned config file: .terraform/modules/backup/examples/umig/static_ips
2023-11-06T03:37:47.231+0100    DEBUG   Scanned config file: .terraform/modules/backup/examples/umig/full
2023-11-06T03:37:47.232+0100    DEBUG   Scanned config file: .terraform/modules/backup/examples/umig/named_ports
2023-11-06T03:37:47.232+0100    DEBUG   Scanned config file: .terraform/modules/backup/examples/compute_instance/multiple_interfaces
2023-11-06T03:37:47.232+0100    DEBUG   Scanned config file: .terraform/modules/backup/examples/compute_instance/multiple_interfaces/main.tf
2023-11-06T03:37:47.232+0100    DEBUG   Scanned config file: .terraform/modules/backup/examples/compute_instance/next_hop
2023-11-06T03:37:47.232+0100    DEBUG   Scanned config file: .terraform/modules/backup/examples/compute_instance/next_hop/main.tf
2023-11-06T03:37:47.232+0100    DEBUG   Scanned config file: .terraform/modules/backup/examples/compute_instance/simple
2023-11-06T03:37:47.232+0100    DEBUG   Scanned config file: .terraform/modules/backup/examples/compute_instance/tags
2023-11-06T03:37:47.232+0100    DEBUG   Scanned config file: .terraform/modules/backup/examples/compute_instance/tags/main.tf
2023-11-06T03:37:47.232+0100    DEBUG   Scanned config file: .terraform/modules/backup/examples/compute_instance/disk_snapshot
2023-11-06T03:37:47.232+0100    DEBUG   Scanned config file: .terraform/modules/backup/examples/instance_template/additional_disks
2023-11-06T03:37:47.232+0100    DEBUG   Scanned config file: .terraform/modules/backup/examples/instance_template/alias_ip_range
2023-11-06T03:37:47.232+0100    DEBUG   Scanned config file: .terraform/modules/backup/examples/instance_template/encrypted_disks
2023-11-06T03:37:47.232+0100    DEBUG   Scanned config file: .terraform/modules/backup/examples/instance_template/encrypted_disks/main.tf
2023-11-06T03:37:47.232+0100    DEBUG   Scanned config file: .terraform/modules/backup/examples/instance_template/simple
2023-11-06T03:37:47.232+0100    DEBUG   Scanned config file: .terraform/modules/backup/examples/mig/simple
2023-11-06T03:37:47.232+0100    DEBUG   Scanned config file: .terraform/modules/backup/examples/mig/autoscaler
2023-11-06T03:37:47.232+0100    DEBUG   Scanned config file: .terraform/modules/backup/examples/mig/full
2023-11-06T03:37:47.232+0100    DEBUG   Scanned config file: .terraform/modules/backup/examples/mig/healthcheck
2023-11-06T03:37:47.232+0100    DEBUG   Scanned config file: .terraform/modules/backup/examples/mig/healthcheck/main.tf
2023-11-06T03:37:47.232+0100    DEBUG   Scanned config file: .terraform/modules/backup/examples/mig_stateful
2023-11-06T03:37:47.232+0100    DEBUG   Scanned config file: .terraform/modules/backup/examples/mig_stateful/main.tf
2023-11-06T03:37:47.232+0100    DEBUG   Scanned config file: .
2023-11-06T03:37:47.232+0100    DEBUG   Scanned config file: modules/s3
2023-11-06T03:37:47.232+0100    DEBUG   Scanned config file: modules/s3/main.tf

I hope someone can make some sense of this.

kernle32dll commented 11 months ago

Okay, a little addendum. I poked around a bit in defsec, and I know now why this code change triggers the problem, but I have no idea about the root cause. So it's probably a good idea to move this discussion to a defsec issue, if anyone knows how to formulate an issue from my observation.

So, with the above example, what essentially happens is that we end up with a rogue module here, which has a child module with a modulePath of ".", which in the above case is actually the root module.

image

My hunch is that this module is somehow referencing itself or something. I haven't spent enough time with defsec to make sense of this, so this needs to be resolved by someone more clever than me.

nikpivkin commented 11 months ago

Hi @kernle32dll !

This will be fixed after the merge of https://github.com/aquasecurity/trivy/pull/5245

In the screenshot everything is ok. RootModule is a kind of module container, which has no references from other modules, i.e. it is a self-sufficient application. The childs field contains all the modules in flat form that are declared in this application.
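As an added illustration of the root/child relationship described in the reply above (this is example code written for this page, not Trivy or defsec code; the in-memory file tree, the vendored `backup` module contents, and every function name are constructed for the example), the following Python resolves local `source = "./..."` module references from a scan root into one flat list, the way a root-module container holds all of its children. It also reports, instead of silently adding, a child whose resolved directory is already in the list or is an ancestor of the scan root, which is the situation kernle32dll observed when a child ended up with modulePath ".". Only local sources are followed; registry and git sources need `terraform init` and are skipped.

```python
import posixpath
import re
from dataclasses import dataclass
from typing import Optional

# Constructed in-memory file tree (POSIX paths relative to the scan root).
# It mirrors the layout from the issue: a root main.tf, a local module under
# modules/s3, and a vendored module under .terraform/ such as `terraform init`
# downloads. The vendored module's contents are invented for this example.
FILES = {
    "main.tf": (
        'module "test" {\n'
        '  source               = "./modules/s3"\n'
        '  s3_object_versioning = "Disabled"\n'
        '}\n'
    ),
    "modules/s3/main.tf": (
        'resource "aws_s3_bucket" "s3_bucket" {\n'
        '  bucket = "test.bucket"\n'
        '}\n'
    ),
    ".terraform/modules/backup/main.tf": 'resource "google_compute_instance" "vm" {}\n',
    # An example directory inside the vendored module that points back at the
    # module's own root with a relative source (hypothetical, constructed here).
    ".terraform/modules/backup/examples/mig/simple/main.tf": (
        'module "mig" {\n'
        '  source = "../../../"\n'
        '}\n'
    ),
}

# Regex sketch of the bits of HCL needed here; not a full HCL parser
# (nested blocks inside a module block would confuse the lazy "}" match).
MODULE_BLOCK = re.compile(r'module\s+"([^"]+)"\s*\{(.*?)\}', re.S)
SOURCE_ATTR = re.compile(r'^\s*source\s*=\s*"([^"]+)"', re.M)


@dataclass(frozen=True)
class Module:
    name: str              # module label; "root" for the scan root
    path: str              # directory relative to the scan root; "." is the root
    parent: Optional[str]  # directory that declared this module, None for root


def tf_sources(files: dict, directory: str) -> str:
    """Concatenate the .tf files that live directly in `directory`."""
    return "\n".join(
        body for path, body in sorted(files.items())
        if (posixpath.dirname(path) or ".") == directory and path.endswith(".tf")
    )


def declared_modules(files: dict, directory: str) -> list:
    """Return (label, source) for every module block declared in `directory`."""
    found = []
    for label, body in MODULE_BLOCK.findall(tf_sources(files, directory)):
        match = SOURCE_ATTR.search(body)
        if match:
            found.append((label, match.group(1)))
    return found


def is_local_source(source: str) -> bool:
    """Terraform treats only ./ and ../ prefixes as local paths."""
    return source.startswith("./") or source.startswith("../")


def is_ancestor(ancestor: str, path: str) -> bool:
    """True when `path` is `ancestor` itself or lives somewhere below it."""
    rel = posixpath.relpath(path, ancestor)
    return rel == "." or not rel.startswith("..")


def resolve_modules(files: dict, root: str = ".") -> tuple:
    """Flatten the module tree reachable from `root` by following local sources.

    Returns (modules, problems). A child that resolves to a directory already in
    the flat list, or to an ancestor of the scan root, is reported as a problem
    and not added, so a module can never end up containing itself or its root.
    """
    root = posixpath.normpath(root)
    modules = [Module("root", root, None)]
    seen = {root}
    problems = []
    queue = [root]
    while queue:
        directory = queue.pop(0)
        for label, source in declared_modules(files, directory):
            if not is_local_source(source):
                continue  # registry/git module: not resolvable without terraform init
            child = posixpath.normpath(posixpath.join(directory, source))
            if child in seen:
                problems.append(f'{directory}: module "{label}" resolves to {child}, '
                                f'which is already in the flat module list')
                continue
            if is_ancestor(child, root):
                problems.append(f'{directory}: module "{label}" resolves to {child}, '
                                f'which contains the scan root {root}')
                continue
            seen.add(child)
            modules.append(Module(label, child, directory))
            queue.append(child)
    return modules, problems


if __name__ == "__main__":
    for scan_root in (".", ".terraform/modules/backup/examples/mig/simple"):
        mods, probs = resolve_modules(FILES, scan_root)
        print(f"root {scan_root!r}: {[m.path for m in mods]}")
        for p in probs:
            print("  problem:", p)
```

Scanning from "." yields exactly the root and `modules/s3`; the vendored tree under `.terraform/` is not reached because nothing in the root declares it. Starting the resolver inside the vendored example directory instead makes its `../../../` child land on an ancestor of that root, which the resolver reports rather than folding into the list.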