tenable / terrascan

Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
https://runterrascan.io
Apache License 2.0

#ts:skip=<rule> not skipping violations inside modules with --non-recursive #1202

Open awiesner4 opened 2 years ago

awiesner4 commented 2 years ago

Description

We're using an older third-party version of an EKS module that is throwing a valid policy violation (terraform-aws-modules/eks/aws). However, we're looking to skip that violation for the module while we work on upgrading to the newer version.

Unfortunately, I'm having a difficult time getting terrascan to skip violations that occur within modules.

What I Did

I added the following to the Terraform code:

module "eks" {
  #ts:skip=AC_AWS_0487 skip rule as this is in the module
  source                      = "terraform-aws-modules/eks/aws"
  # (remaining module arguments omitted from the report)
}

I then attempted to run terrascan with --non-recursive and I still get the error:

❯ terrascan scan --non-recursive --verbose

Violation Details -

    Description    :    Launch configuration uses IMDSv1 which vulnerable to SSRF
    File           :    git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=v17.23.0/workers.tf
    Module Name    :    eks
    Plan Root      :    ./
    Line           :    204
    Severity       :    HIGH
    Rule Name      :    imdsv1LaunchConfig
    Rule ID        :    AC_AWS_0487
    Resource Name  :    workers
    Resource Type  :    aws_launch_configuration
    Category       :    Configuration and Vulnerability Analysis

    -----------------------------------------------------------------------

I can run terrascan with --skip-rules="AC_AWS_0487", but we run terrascan within our GitHub Action checks, where we have a lot of internal Terraform modules we've written, that are independent of each other. Due to this, I would prefer we didn't have to disable this violation for the whole repo, just this particular resource.

Is there a way I can skip a violation that occurs within a module? I thought --non-recursive would do this, but that doesn't appear to be the case.
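One way to get the module-scoped suppression the issue asks for without disabling the rule for the whole repository is to post-process terrascan's JSON output in CI. The script below is an added example, not terrascan's own code or behaviour: it reads `#ts:skip=<rule>` comments inside `module` blocks, then drops only the violations whose `module_name` and `rule_id` match such a comment, failing the job on everything else. The JSON field names (`results.violations[]`, `rule_id`, `module_name`, ...) are assumed to mirror the "Violation Details" text output shown above; both the Terraform snippet and the scan JSON are constructed samples, with only the `eks` module name and `AC_AWS_0487` rule ID taken from the issue.

```python
"""Module-scoped suppression of terrascan violations as a CI post-processing step.

Added example; assumes terrascan's JSON output carries the same fields as its
text "Violation Details" block. Run: terrascan scan -o json | python this.py
"""
import json
import re
import sys
from typing import Dict, List, Set, Tuple

# Constructed Terraform sample: one module carries an inline #ts:skip comment.
TERRAFORM_SRC = """
module "eks" {
  #ts:skip=AC_AWS_0487 skip rule as this is in the module
  source = "terraform-aws-modules/eks/aws"
}

module "vpc" {
  source = "terraform-aws-modules/vpc/aws"
}
"""

# Constructed sample of scan output (field names assumed; not a real scan).
SCAN_JSON = """
{"results": {"violations": [
  {"rule_id": "AC_AWS_0487", "rule_name": "imdsv1LaunchConfig", "severity": "HIGH",
   "module_name": "eks", "resource_type": "aws_launch_configuration",
   "resource_name": "workers", "file": "workers.tf", "line": 204},
  {"rule_id": "AC_AWS_0487", "rule_name": "imdsv1LaunchConfig", "severity": "HIGH",
   "module_name": "vpc", "resource_type": "aws_launch_configuration",
   "resource_name": "nat", "file": "nat.tf", "line": 12},
  {"rule_id": "AC_AWS_0001", "rule_name": "exampleRule", "severity": "MEDIUM",
   "module_name": "eks", "resource_type": "aws_iam_role",
   "resource_name": "cluster", "file": "iam.tf", "line": 3}
]}}
"""

MODULE_RE = re.compile(r'\s*module\s+"([^"]+)"\s*\{')
SKIP_RE = re.compile(r'#\s*ts:skip=([A-Za-z0-9_]+)')


def module_skips(src: str) -> Dict[str, Set[str]]:
    """Map each top-level module block name to the rule IDs skipped inside it."""
    skips: Dict[str, Set[str]] = {}
    current = None   # name of the module block we are inside, if any
    depth = 0        # brace depth relative to that block's opening line
    for line in src.splitlines():
        m = MODULE_RE.match(line)
        if m and current is None:
            current = m.group(1)
            skips.setdefault(current, set())
        if current is not None:
            s = SKIP_RE.search(line)
            if s:
                skips[current].add(s.group(1))
            depth += line.count("{") - line.count("}")
            if depth <= 0:          # closing brace of the module block
                current, depth = None, 0
    return skips


def apply_module_skips(scan_json: str, tf_src: str) -> Tuple[List[dict], List[dict]]:
    """Split violations into (kept, suppressed) using module-scoped skip comments."""
    violations = json.loads(scan_json)["results"]["violations"]
    skips = module_skips(tf_src)
    kept, suppressed = [], []
    for v in violations:
        if v["rule_id"] in skips.get(v.get("module_name", ""), set()):
            suppressed.append(v)   # recorded, not silently discarded
        else:
            kept.append(v)
    return kept, suppressed


def ci_exit_code(kept: List[dict]) -> int:
    """Non-zero when any violation survives the scoped suppressions."""
    return 1 if kept else 0


if __name__ == "__main__":
    kept, suppressed = apply_module_skips(SCAN_JSON, TERRAFORM_SRC)
    for v in suppressed:
        print(f"suppressed {v['rule_id']} in module {v['module_name']} ({v['file']}:{v['line']})")
    for v in kept:
        print(f"VIOLATION {v['rule_id']} [{v['severity']}] module={v['module_name']} "
              f"{v['resource_type']}.{v['resource_name']} {v['file']}:{v['line']}")
    sys.exit(ci_exit_code(kept))
```

Suppressed findings are still printed so the pipeline log shows what was waived and why; only the exit code changes. The same rule ID in a different module (here `vpc`) still fails the job.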

0ni0nrings commented 1 year ago

Have to use the workaround described here: https://github.com/tenable/terrascan/issues/983#issuecomment-898790816