Terrascan action reporting false positive and duplicate findings

[AnkitRao17]

Hi Team,

When using terrascan github action, it seems that some false positive findings are being reported.

One example is Cloudtrail multi-region flag policy. Even though the default value for this setting is set to true in my terraform code, this finding comes up.

Also, duplicate entries for the same finding come up.

Refer belowscreenshot:

Request you to provide some insights about this behaviour or if I'm missing anything here.

Regards,

[cesar-rodriguez]

Hi @AnkitRao17, would you mind sharing a snippet of the Terraform code that's causing the violation?

In terms of the "duplicate" finding, this is expected behavior as Terrascan recursively scans Terraform templates and module directories by default. If you see the "Module Name" on those findings is different as it was found on the "root" module of your Terraform and also on your "cloudtrail" module/directory.

You can use the non_recursive flag, if you would like to turn off the recursive scan behavior.

[AnkitRao17]

Hi @cesar-rodriguez ,

We are trying to deploy only a single Cloudtrail. Refer below snippet:

resource "aws_cloudtrail" "service" { count = 1 name = "${var.env}-cloudtrail" s3_key_prefix = "${var.env}-cloudtrail-logs" enable_logging = true s3_bucket_name = var.s3_bucket_name enable_log_file_validation = var.enable_log_file_validation is_multi_region_trail = var.is_multi_region_trail include_global_service_events = var.include_global_service_events cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.service.arn}:*" cloud_watch_logs_role_arn = aws_iam_role.cloudtrail_cloudwatch_role.arn tags = { Name = "${var.env}-cloudtrail" Environment = "${var.env}" Department = "CWP" }}

But it still displays duplicate findings, as shown in the screenshot above. Please let me know if I'm missing anything here.

Thanks,