Closed. simar7 closed this 4 months ago.
A couple of questions:
- Is this removing an existing advertised feature? Should we mark it as break or feat?
Yes, we're planning to drop scanning of Terraform JSON for the reasons above. I can change that.
- Is this also affecting tf plan scanning? If so, we also need to communicate it properly.
Yes, this is just a placeholder issue to triage any future issues that are related. I'll open a discussion to field any questions or concerns and give enough time before we actually start working on it.
This is a breaking change.
It is described above in #5950, so should we change the title prefix from "feat(misconf)" to "BREAKING CHANGE(misconf)"? e.g. https://github.com/aquasecurity/trivy/discussions/1571
thanks, I updated it.
Update Feb 2024: We've found a better approach to keep and improve the Terraform plan scanning functionality. As it turns out, we can unzip the plan contents (it is a zip file) and parse the HCL directly from it. This allows us to have a functionally complete HCL input which we can scan and flag for misconfigurations.
I've updated this issue's description and title to reflect the above. The PR to improve this functionality is here: https://github.com/aquasecurity/trivy/pull/6176
Motivation
We've run into several occasions (see linked issues below) where we incorrectly flag (false positive) misconfigurations in Terraform scanning when the input is the Terraform plan in JSON. This issue takes place as we're unable to parse nested blocks and attributes past the first stage, as currently there's no way to "walk" the JSON input. See more on this here.
Action items
~~Drop support for Terraform JSON until we have a proper way to walk the input. Flagging false positives creates misinformation.~~
Update Feb 2024
We've found a better approach to keep and improve the Terraform plan scanning functionality. As it turns out, we can unzip the plan contents (it is a zip file) and parse the HCL directly from it. This allows us to have a functionally complete HCL input which we can scan and flag for misconfigurations.
Affected issues
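The approach described in the February update, as an added standalone example that is not Trivy's code (the real implementation is in the PR linked above): open the binary plan file as a zip archive and pull the HCL source files out of its configuration snapshot, so a scanner works on the full nested-block HCL rather than the flattened JSON. Assumptions made here: Terraform stores the snapshot under a `tfconfig/` prefix with one directory per module (`m-` for the root module); the in-memory sample plan is constructed for this example, not produced by Terraform, and carries only the entries the code needs. A per-file size cap is applied because a plan file handed to a scanner is untrusted input and a zip entry can inflate far beyond its compressed size.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"path"
	"strings"
)

// maxTFFileSize caps how much of any single .tf entry is read, so a crafted
// plan archive cannot exhaust memory when decompressed (decompression bomb).
const maxTFFileSize = 4 << 20 // 4 MiB

// ExtractPlanConfig treats plan as a Terraform binary plan (a zip archive) and
// returns the HCL source files from its configuration snapshot, keyed by their
// path inside the archive (e.g. "tfconfig/m-/main.tf").
// Assumption: the snapshot lives under "tfconfig/"; other entries (tfplan,
// tfstate, modules.json) are ignored. A JSON plan is not a zip and is rejected.
func ExtractPlanConfig(plan []byte) (map[string]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(plan), int64(len(plan)))
	if err != nil {
		return nil, fmt.Errorf("input is not a zip-based plan file: %w", err)
	}
	files := make(map[string]string)
	for _, f := range zr.File {
		name := path.Clean(f.Name)
		// Only the config snapshot matters; reject anything that tries to
		// escape it (".." components) even though nothing is written to disk.
		if !strings.HasPrefix(name, "tfconfig/") || strings.Contains(name, "..") {
			continue
		}
		if path.Ext(name) != ".tf" {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, fmt.Errorf("open %s: %w", name, err)
		}
		data, err := io.ReadAll(io.LimitReader(rc, maxTFFileSize+1))
		rc.Close()
		if err != nil {
			return nil, fmt.Errorf("read %s: %w", name, err)
		}
		if len(data) > maxTFFileSize {
			return nil, fmt.Errorf("%s exceeds %d bytes, refusing to inflate", name, maxTFFileSize)
		}
		files[name] = string(data)
	}
	return files, nil
}

// BuildSamplePlan returns a constructed plan archive for demonstration. It
// mimics only the layout this example relies on and was not created by
// Terraform. The root module config deliberately uses nested blocks, the case
// the JSON input could not be walked for.
func BuildSamplePlan() []byte {
	entries := map[string]string{
		"tfplan":                 "placeholder: real plans store a protobuf here",
		"tfconfig/modules.json":  `[{"Key":"","Source":"","Dir":"."}]`,
		"tfconfig/m-/variables.tf": `variable "name" { type = string }` + "\n",
		"tfconfig/m-/main.tf": `resource "aws_s3_bucket" "logs" {
  bucket = var.name

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
}
`,
	}
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, body := range entries {
		w, err := zw.Create(name)
		if err != nil {
			panic(err)
		}
		if _, err := w.Write([]byte(body)); err != nil {
			panic(err)
		}
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	files, err := ExtractPlanConfig(BuildSamplePlan())
	if err != nil {
		panic(err)
	}
	for name, src := range files {
		fmt.Printf("== %s (%d bytes)\n%s", name, len(src), src)
	}
}
```

The returned map is what a scanner would hand to its HCL parser; from there, nested blocks such as `rule` inside `server_side_encryption_configuration` are ordinary HCL and no longer depend on walking a JSON tree. Feeding this function a JSON plan returns an error instead of silently producing no files, which is the behaviour you want so the JSON path is never mistaken for an empty but valid configuration.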