aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0

feat(misconf): Improve support for scanning Terraform plan JSON input #5907

Closed simar7 closed 4 months ago

simar7 commented 6 months ago

Motivation

We've run into several occasions (see linked issues below) where we incorrectly flag (false positive) misconfigurations in Terraform scanning when the input is the Terraform plan in JSON. This issue takes place as we're unable to parse nested blocks and attributes past the first stage as currently there's no way to "walk" the JSON input. See more on this here

Action items

~Drop support for Terraform JSON until we have a proper way to walk the input. Flagging false positives creates misinformation.~

Update Feb 2024

We've found a better approach to keep and improve the terraform plan scanning functionality. As it turns out, we can unzip the plan contents (it is a zip file) and parse the HCL directly from it. This allows us to have a functionally complete HCL input which we can scan and flag for misconfigurations.

Affected issues

itaysk commented 6 months ago

a couple of questions:

  1. Is this removing an existing advertised feature? should we mark it as break or feat?
  2. is this also affecting tf plan scanning? if so, also need to properly communicate.
simar7 commented 6 months ago

a couple of questions:

  1. Is this removing an existing advertised feature? should we mark it as break or feat?

Yes we're planning to drop scanning of Terraform JSON for the reasons above. I can change that.

  2. is this also affecting tf plan scanning? if so, also need to properly communicate.

Yes this is just a placeholder issue to triage any future issues that are related. I'll open a discussion to field any questions or concerns and give enough time before we actually start working on it.

simar7 commented 6 months ago

Discuss here https://github.com/aquasecurity/trivy/discussions/5950

knqyf263 commented 6 months ago

This is a breaking change.

It is described above in #5950, so should we change the title prefix from "feat(misconf)" to "BREAKING CHANGE(misconf)"? e.g. https://github.com/aquasecurity/trivy/discussions/1571

simar7 commented 6 months ago

This is a breaking change.

It is described above in #5950, so should we change the title prefix from "feat(misconf)" to "BREAKING CHANGE(misconf)"? e.g. #1571

thanks, I updated it.

simar7 commented 4 months ago

Update Feb 2024: We've found a better approach to keep and improve the terraform plan scanning functionality. As it turns out, we can unzip the plan contents (it is a zip file) and parse the HCL directly from it. This allows us to have a functionally complete HCL input which we can scan and flag for misconfigurations.

I've updated this issue's description and title to reflect the above. The PR to improve this functionality is here: https://github.com/aquasecurity/trivy/pull/6176
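The unzip-and-read-HCL approach described in this comment, as an added Go example that is not Trivy's code or the code of the linked PR: it opens a plan archive with the standard library, keeps only the .tf sources under tfconfig/ (the tfconfig/m-<key>/ per-module layout and the sample archive contents are assumptions), and bounds what it reads from the untrusted archive. Feeding the returned sources to an HCL parser is the next step and is not shown.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"strings"
)

// ExtractPlanHCL opens a Terraform plan archive (a zip) and returns the .tf sources under tfconfig/, keyed by archive path; the tfconfig/m-<key>/*.tf layout is assumed.
func ExtractPlanHCL(plan []byte) (map[string]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(plan), int64(len(plan)))
	if err != nil {
		return nil, fmt.Errorf("not a zip archive: %w", err)
	}
	out := map[string]string{}
	for _, f := range zr.File {
		if !strings.HasPrefix(f.Name, "tfconfig/") || !strings.HasSuffix(f.Name, ".tf") {
			continue // tfplan, tfstate, modules.json and friends are not HCL
		}
		if strings.Contains(f.Name, "..") { // untrusted archive: refuse parent-dir components
			return nil, fmt.Errorf("refusing suspicious entry path %q", f.Name)
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(io.LimitReader(rc, 1<<20+1)) // cap decompressed size; +1 detects overflow
		rc.Close()
		if err != nil || len(data) > 1<<20 {
			return nil, fmt.Errorf("entry %q unreadable or over 1 MiB", f.Name)
		}
		out[f.Name] = string(data)
	}
	return out, nil
}
// BuildSamplePlan assembles a constructed archive in the assumed layout; it is not a real plan.
func BuildSamplePlan() []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, body := range map[string]string{
		"tfconfig/m-/main.tf": "resource \"aws_s3_bucket\" \"b\" {\n  acl = \"public-read\"\n}\n",
	} {
		w, _ := zw.Create(name)
		w.Write([]byte(body))
	}
	zw.Close()
	return buf.Bytes()
}
```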