tenable / terrascan

Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
https://runterrascan.io
Apache License 2.0

Unexpected exit code of 4 when running a scan on an empty directory #1036

Open JonZeolla opened 2 years ago

JonZeolla commented 2 years ago

Description

I am running a terrascan scan on an empty directory and it is failing with an exit code of 4. When I provide secure terraform, it provides the exact same output, but exits 0.

What I Did

Empty directory:

easy_infra@983eec90355e:/iac$ ls
easy_infra@983eec90355e:/iac$ terrascan scan -i terraform -t all -d .
2021-09-29T23:54:46.577Z        info    downloader/module-download.go:80        Error building terraform credentials /home/easy_infra/.terraformrc: error converting credential map to host map

Scan Summary -

        File/Folder         :   /iac
        IaC Type            :   terraform
        Scanned At          :   2021-09-29 23:54:47.8368166 +0000 UTC
        Policies Validated  :   783
        Violated Policies   :   0
        Low                 :   0
        Medium              :   0
        High                :   0
easy_infra@983eec90355e:/iac$ echo $?
4

Valid, secure .tf file:

easy_infra@3b11d8ef3552:/iac$ ls
secure.tf
easy_infra@3b11d8ef3552:/iac$ terrascan scan -i terraform -t all -d .
2021-09-29T23:54:04.064Z        info    downloader/module-download.go:80        Error building terraform credentials /home/easy_infra/.terraformrc: error converting credential map to host map

Scan Summary -

        File/Folder         :   /iac
        IaC Type            :   terraform
        Scanned At          :   2021-09-29 23:54:05.4489646 +0000 UTC
        Policies Validated  :   0
        Violated Policies   :   0
        Low                 :   0
        Medium              :   0
        High                :   0
easy_infra@3b11d8ef3552:/iac$ echo $?
0

Valid, insecure .tf file:

easy_infra@e10573fd76b1:/iac$ ls
insecure.tf
easy_infra@e10573fd76b1:/iac$ terrascan scan -i terraform -t all -d .
2021-09-29T23:57:20.663Z        info    downloader/module-download.go:80        Error building terraform credentials /home/easy_infra/.terraformrc: error converting credential map to host map

Violation Details -

        Description    :        Ensure that detailed monitoring is enabled for EC2 instances.
        File           :        insecure.tf
        Module Name    :        root
        Plan Root      :        ./
        Line           :        17
        Severity       :        HIGH
        -----------------------------------------------------------------------

        Description    :        Ensure that your AWS application is not deployed within the default Virtual Private Cloud in order to follow security best practices
        File           :        insecure.tf
        Module Name    :        root
        Plan Root      :        ./
        Line           :        17
        Severity       :        MEDIUM
        -----------------------------------------------------------------------

        Description    :        EC2 instances should disable IMDS or require IMDSv2 as this can be related to the weaponization phase of kill chain
        File           :        insecure.tf
        Module Name    :        root
        Plan Root      :        ./
        Line           :        17
        Severity       :        MEDIUM
        -----------------------------------------------------------------------

Scan Summary -

        File/Folder         :   /iac
        IaC Type            :   terraform
        Scanned At          :   2021-09-29 23:57:21.8560275 +0000 UTC
        Policies Validated  :   5
        Violated Policies   :   3
        Low                 :   0
        Medium              :   2
        High                :   1
easy_infra@e10573fd76b1:/iac$ echo $?
3

My ~/.terraformrc file is:

plugin_cache_dir   = "$HOME/.terraform.d/plugin-cache"

AErmie commented 2 years ago

I get this same exit code 4 when there are no violated policies (due to skip-rules configuration).

Note: I am using the Docker container method:

docker run --rm --volume $(System.DefaultWorkingDirectory):/code \
  accurics/terrascan scan --iac-dir /code/ --verbose --config-path code/terrascan.toml \

Scan Summary -

    File/Folder         :   /code
    IaC Type            :   all
    Scanned At          :   2021-10-03 17:46:25.094059433 +0000 UTC
    Policies Validated  :   60
    Violated Policies   :   0
    Low                 :   0
    Medium              :   0
    High                :   0

##[debug]Exit code 4 received from tool '/usr/bin/bash'
##[debug]STDIO streams have closed for tool '/usr/bin/bash'
##[error]Bash exited with code '4'.

TerraScan TOML file:

[severity]
level = "high"
[rules]
    skip-rules = [
        "AC_AWS_0207",
        "AC_AWS_0214",
        "AC_AWS_0215",
        "AC_AWS_0366",
        "AC_DOCKER_0029"
    ]

HorizonNet commented 2 years ago

Running into the same problem (with the skip-rules configuration), which actually lets the terrascan-action for GitHub fail. It could probably be related to the changes in #994, where the exit code behavior was changed.

HorizonNet commented 2 years ago

I looked deeper into my problem. Essentially I got the exit code 4 because I had directories in my project which did not contain any Terraform files. It was not due to the skip-rules configuration. After fixing my initial problem, the skip-rules configuration also returns an exit code 0. I think the problem is that even in verbose mode there are not a lot of pointers on what is going wrong. I had to add some additional logging to run.go to see what's going on and then run it again with the customized binary. The fix was to add empty Terraform configuration files into these directories, which is probably not perfect.

As it was mentioned somewhere that we're simulating terraform plan with the exit codes: terraform plan returns an exit code 0 if a sub-directory does not have a Terraform configuration file in it.

yane3628 commented 2 years ago

When running for all IaC types, I'm always getting an error exit code when there are no Docker files present in the directories.

... has no files named Dockerfile. Use -f flag if Dockerfiles follow a different naming convention.

The tool shouldn't exit with an error exit code if no Docker files are present.

nvuillam commented 2 years ago

Same here: terrascan scan d . -i terraform -t all -v returns code 4, whereas there are valid terraform files in the directory

nvuillam commented 2 years ago

Output log in MegaLinter:

[terrascan] command: ['terrascan', 'scan', 'd', '.', '-i', 'terraform', '-t', 'all', '-v']
[terrascan] CWD: /tmp/lint/.automation/test/terraform_terrascan/good
[terrascan] result: 4 

Scan Summary -

    File/Folder         :   /tmp/lint/.automation/test/terraform_terrascan/good
    IaC Type            :   terraform
    Scanned At          :   2022-01-23 10:36:52.053745916 +0000 UTC
    Policies Validated  :   785
    Violated Policies   :   0
    Low                 :   0
    Medium              :   0
    High                :   0

Rchanger commented 2 years ago

> When running for all IaC types, I'm always getting an error exit code when there are no Docker files present in the directories.
>
> ... has no files named Dockerfile. Use -f flag if Dockerfiles follow a different naming convention.
>
> The tool shouldn't exit with an error exit code if no Docker files are present.

Hi @yane3628, this is just a warning; it is not being used in error code computation.

Rchanger commented 2 years ago

> Same here: terrascan scan d . -i terraform -t all -v returns code 4, whereas there are valid terraform files in the directory

@nvuillam, can you please try running the same command with the output type set to json (-o json)? With this, you can see what all the errors are during scanning. You can post them if they are not relevant and we can try filtering them. Thank you.

jb185555 commented 2 years ago

The -o json helped me debug. I forgot to have -i terraform.

I know this doesn't solve most people's problem in this issue, but I'll leave this note for anyone.

wesleykirklandsg commented 2 years ago

> The -o json helped me debug. I forgot to have -i terraform.
>
> I know this doesn't solve most people's problem in this issue, but I'll leave this note for anyone.

@jb185555 Thanks for this tip; setting the IaC type to terraform made it produce exit code 0 for me. The only problem I have is that the docs are broken for the config file references, and I can't get the config file to auto-set my IaC type.

michaelglass commented 1 year ago

Dumbest of dumb suggestions, but: I dropped an empty.tf in all the empty directories to quiet terrascan.

NTitmus commented 8 months ago

I have tried and I am still getting this. When I run the command: terrascan scan d . -i terraform -t all -v -o json

I get:

{
  "results": {
    "scan_errors": [
      {
        "iac_type": "terraform",
        "directory": "/Users/username/Desktop/Folder1/Folder2/Folder3/simple_module_ml/modules",
        "errMsg": "directory '/Users/username/Desktop/Folder1/Folder2/Folder3/simple_module_ml/modules' has no terraform config files"
      }
    ],
    "violations": null,
    "skipped_violations": null,
    "scan_summary": {
      "file/folder": "/Users/username/Desktop/Folder1/Folder2/Folder3/simple_module_ml",
      "iac_type": "terraform",
      "scanned_at": "2023-12-22 17:13:48.881986 +0000 UTC",
      "policies_validated": 148,
      "violated_policies": 0,
      "low": 0,
      "medium": 0,
      "high": 0
    }
  }
}

Why does it error when there is a directory with no .tf files? Is there a way of configuring Terrascan to ignore some directories?
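Rchanger's suggestion above to run with -o json, together with the report NTitmus posted, is enough to build a CI wrapper that separates a "directory has no terraform config files" error from a real scan failure or a policy violation. The following is an added example, not terrascan's own code: it builds a report in the same JSON shape as the one posted (paths are constructed placeholders) and maps it to an exit code, mirroring the codes observed in this thread (0 clean, 3 violations, 4 scan error); treating those codes as stable is an assumption.

```python
import json

def make_report(scan_errors, high=0, medium=0, low=0):
    """Build a terrascan-style JSON report string.
    Constructed to match the shape of the -o json output posted in this thread;
    the paths are placeholders, not a real project."""
    return json.dumps({"results": {
        "scan_errors": scan_errors or None,
        "violations": None,
        "skipped_violations": None,
        "scan_summary": {"file/folder": "/repo", "iac_type": "terraform",
                         "policies_validated": 148,
                         "violated_policies": high + medium + low,
                         "low": low, "medium": medium, "high": high},
    }})

# Constructed copy of the error seen when a sub-directory holds no .tf files.
NO_TF_DIR_ERROR = {
    "iac_type": "terraform",
    "directory": "/repo/modules",
    "errMsg": "directory '/repo/modules' has no terraform config files",
}

# errMsg fragments that only mean "nothing to scan here", not a failed scan.
BENIGN_ERROR_MARKERS = ("has no terraform config files",)

def unexpected_scan_errors(report):
    """Return the scan_errors entries that are not on the benign list."""
    errors = report["results"].get("scan_errors") or []
    return [e for e in errors
            if not any(m in e.get("errMsg", "") for m in BENIGN_ERROR_MARKERS)]

def ci_exit_code(report_json, fail_on=("high", "medium", "low")):
    """Map a terrascan JSON report to the exit code a pipeline should use.
    Assumed mapping, taken from the codes observed in this thread:
    4 = genuine scan error, 3 = violation at a severity in fail_on, 0 = clean."""
    report = json.loads(report_json)
    if unexpected_scan_errors(report):
        return 4
    summary = report["results"]["scan_summary"]
    if any(summary.get(level, 0) > 0 for level in fail_on):
        return 3
    return 0
```

In a pipeline, feed the wrapper the output of terrascan scan ... -o json and use its return value instead of the tool's own exit status; a scan error that is not on the benign list still fails the build.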

nvuillam commented 6 months ago

Any chance to have a fix someday for this issue? :)

MatthiasHuygelen commented 2 days ago

Any updates on this issue?