tenable / terrascan

Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
https://runterrascan.io
Apache License 2.0

Exit status code incorrect when all violations are skipped #1088

Open mattburgess opened 2 years ago

mattburgess commented 2 years ago

Description

Describe what you were trying to get done.

Scanning Terraform code for github repository config

Tell us what happened, what went wrong, and what you expected to happen.

The scan completed with a violation reported for AC_GITHUB_0002 (private repo). As the repo is intentionally public, I added a skip marker for the repository resource: #ts:skip=AC_GITHUB_0002 repo is intentionally public. On re-scanning, the violation is reported, but it's also reported as skipped, as intended. However, the exit status is non-zero. This is causing CI builds to fail when the code passes all applicable policies.

What I Did

$ docker run --rm -it -v "$(pwd):/iac:Z" -w /iac accurics/terrascan scan -i terraform

Violation Details -

    Description    :    Repository is Not Private.
    File           :    github.tf
    Module Name    :    root
    Plan Root      :    ./
    Line           :    21
    Severity       :    MEDIUM
    -----------------------------------------------------------------------

Skipped Violations -

    Description    :    Repository is Not Private.
    File           :    github.tf
    Module Name    :    root
    Plan Root      :    ./
    Line           :    21
    Severity       :    MEDIUM
    Skip Comment   :    repo is intentionally public

    -----------------------------------------------------------------------

Scan Summary -

    File/Folder         :   /iac
    IaC Type            :   terraform
    Scanned At          :   2021-11-26 22:30:19.685939572 +0000 UTC
    Policies Validated  :   2
    Violated Policies   :   1
    Low                 :   0
    Medium              :   1
    High                :   0
$ echo $?
5

Interestingly, even in the case where the code conforms (with no policies skipped), the exit code is still non-zero:

$ docker run --rm -it -v "$(pwd):/iac:Z" -w /iac accurics/terrascan scan -i terraform

Scan Summary -

    File/Folder         :   /iac
    IaC Type            :   terraform
    Scanned At          :   2021-11-26 22:34:54.695278246 +0000 UTC
    Policies Validated  :   2
    Violated Policies   :   0
    Low                 :   0
    Medium              :   0
    High                :   0
$ echo $?
4
Abdelwaheb-Hnaien commented 2 years ago

Any updates about this issue?

Rchanger commented 2 years ago

@Abdelwaheb-Hnaien, can you try running the above command with -o json? You will see all the errors found during the scan.
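The original post describes a CI pipeline that fails on terrascan's exit status even though every finding is skipped, and the last comment points at the -o json output as the place where the real reasons (scan errors as well as violations) are visible. The script below is an added example, not code from the issue thread or from the terrascan project: a small CI gate that reads the JSON report and decides pass/fail from the findings themselves, so an acknowledged skip does not break the build while unacknowledged violations and scan errors still do. It assumes the report shape {"results": {"violations": [...], "skipped_violations": [...], "scan_errors": [...], "scan_summary": {...}}} with the per-finding keys rule_id, file, line, resource_name, description and skip_comment; treat those key names as an assumption and check them against the JSON your terrascan version emits. The sample report embedded at the bottom is constructed from the text output shown in the issue.

```python
"""CI gate for terrascan JSON reports (added example, not part of the thread).

Decides the build result from the report contents rather than from terrascan's
exit status. Key names below are assumptions about `terrascan scan -o json`.
"""
import json
import sys

# Exit codes used by this gate. Assumption: they mirror the codes terrascan
# itself documents (0 clean, 3 violations, 4 scan errors, 5 both), so any
# existing CI logic keyed on those values keeps working.
EXIT_CLEAN, EXIT_VIOLATIONS, EXIT_ERRORS, EXIT_BOTH = 0, 3, 4, 5


def violation_key(v):
    """Identity of a finding: rule plus location. Used to recognise a finding
    that appears under both 'violations' and 'skipped_violations'."""
    return (v.get("rule_id"), v.get("file"), v.get("line"), v.get("resource_name"))


def evaluate(report, fail_on_scan_errors=True):
    """Return (exit_code, active_violations, skipped_violations, scan_errors).

    A finding is active only if it is listed under 'violations' and not also
    acknowledged under 'skipped_violations'. Scan errors fail the gate by
    default (fail closed: an unscanned file is an unknown, not a pass).
    """
    results = report.get("results", {})
    skipped = results.get("skipped_violations") or []
    skipped_keys = {violation_key(v) for v in skipped}
    active = [v for v in (results.get("violations") or [])
              if violation_key(v) not in skipped_keys]
    errors = results.get("scan_errors") or []

    has_errors = bool(errors) and fail_on_scan_errors
    if active and has_errors:
        code = EXIT_BOTH
    elif active:
        code = EXIT_VIOLATIONS
    elif has_errors:
        code = EXIT_ERRORS
    else:
        code = EXIT_CLEAN
    return code, active, skipped, errors


def summarize(report, fail_on_scan_errors=True):
    """Build the CI log lines for a report; returns (exit_code, lines)."""
    code, active, skipped, errors = evaluate(report, fail_on_scan_errors)
    lines = []
    for v in active:
        lines.append(f"FAIL  {v.get('rule_id')} {v.get('file')}:{v.get('line')} "
                     f"{v.get('description')}")
    for v in skipped:
        # Skips are accepted, but logged so the justification stays visible
        # in the CI history and can be reviewed later.
        lines.append(f"SKIP  {v.get('rule_id')} {v.get('file')}:{v.get('line')} "
                     f"reason: {v.get('skip_comment', '')!r}")
    for e in errors:
        lines.append(f"ERROR {e.get('iac_type')} {e.get('directory')}: {e.get('errMsg')}")
    lines.append(f"gate exit code: {code}")
    return code, lines


# Constructed sample modelled on the report in the issue: one AC_GITHUB_0002
# finding that is skipped with a comment, plus one scan error standing in for
# whatever made terrascan return 5 instead of 0. Values are illustrative.
SAMPLE_REPORT = {
    "results": {
        "scan_errors": [
            {"iac_type": "terraform", "directory": "/iac",
             "errMsg": "constructed sample scan error"}
        ],
        "violations": [
            {"rule_id": "AC_GITHUB_0002", "description": "Repository is Not Private.",
             "severity": "MEDIUM", "file": "github.tf", "line": 21,
             "module_name": "root", "plan_root": "./",
             "resource_name": "example_repo"}  # resource name is constructed
        ],
        "skipped_violations": [
            {"rule_id": "AC_GITHUB_0002", "description": "Repository is Not Private.",
             "severity": "MEDIUM", "file": "github.tf", "line": 21,
             "module_name": "root", "plan_root": "./",
             "resource_name": "example_repo",
             "skip_comment": "repo is intentionally public"}
        ],
        "scan_summary": {"file/folder": "/iac", "iac_type": "terraform",
                         "policies_validated": 2, "violated_policies": 1,
                         "low": 0, "medium": 1, "high": 0},
    }
}


if __name__ == "__main__":
    # Usage: terrascan scan -i terraform -o json > report.json || true
    #        python gate.py report.json        (or pipe the JSON on stdin)
    src = open(sys.argv[1]) if len(sys.argv) > 1 else sys.stdin
    exit_code, log_lines = summarize(json.load(src))
    print("\n".join(log_lines))
    sys.exit(exit_code)
```

Because terrascan itself exits non-zero whenever it has errors or violations, the capture step needs `|| true` (or an equivalent) in a `set -e` shell so the gate, not terrascan, decides the build result. Passing `fail_on_scan_errors=False` reproduces the behaviour the reporter asked for (a fully skipped scan passes), but keeping the default means a scan that could not parse part of the code is surfaced rather than silently treated as clean.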