
bug(terraform): scan results differ between .tf and respective .tfplan file

Open Tohar-orca opened this issue 1 year ago • 4 comments

Expected Behavior

When scanning a .tf file and its resulting .tfplan, KICS should return the same findings.

Actual Behavior

Scanning the attached tf files directory produces 13 results. Scanning the tfplan json, generated from the same tf files, produces only 1 result.

Steps to Reproduce the Problem

  1. Extract the attached .zip
  2. Scan the file with KICS (I used go run cmd/console/main.go scan -p "/path/to/directory" -d "generated_json")
  3. Run terraform plan -out=out.tfplan
  4. Run terraform show -json out.tfplan > out.json
  5. Scan the tfplan (go run cmd/console/main.go scan -p "/path/to/out.json" -d "generated_json")

Specifications

N/A

  • Version: 2.0.1
  • Platform: MacOS
  • Subsystem: Sonoma 14.4.1

Attachment: tf_files.zip

Tohar-orca avatar Jun 06 '24 18:06 Tohar-orca
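To triage a discrepancy like the one reported above, it helps to diff the two KICS result sets by query rather than eyeballing totals. The following is an added example, not KICS code or the reporter's attachment; it assumes the standard KICS results.json layout (a "queries" list whose entries carry query_id, query_name, severity and a "files" list of flagged locations), and the two embedded result documents are constructed, with placeholder query ids.

```python
import json

# Constructed stand-ins for results.json from the .tf directory scan and from the
# tfplan json scan (query ids are placeholders, not real KICS ids).
TF_RESULTS = json.loads("""{"queries": [
  {"query_id": "constructed-q1", "query_name": "S3 Bucket Without Server-Side Encryption",
   "severity": "HIGH", "files": [{"file_name": "main.tf", "line": 12}, {"file_name": "main.tf", "line": 40}]},
  {"query_id": "constructed-q2", "query_name": "S3 Bucket Logging Disabled",
   "severity": "MEDIUM", "files": [{"file_name": "main.tf", "line": 12}]}
]}""")
PLAN_RESULTS = json.loads("""{"queries": [
  {"query_id": "constructed-q1", "query_name": "S3 Bucket Without Server-Side Encryption",
   "severity": "HIGH", "files": [{"file_name": "out.json", "line": 88}]},
  {"query_id": "constructed-q3", "query_name": "CloudFront distributions don't have encryption in transit",
   "severity": "HIGH", "files": [{"file_name": "out.json", "line": 130}]}
]}""")


def findings_by_query(results):
    """Map query_id -> (query_name, severity, number of flagged locations)."""
    out = {}
    for q in results.get("queries", []):
        out[q["query_id"]] = (q["query_name"], q["severity"], len(q.get("files", [])))
    return out


def compare_scans(tf_results, plan_results):
    """Report queries found only in one scan, and queries whose location counts differ."""
    tf, plan = findings_by_query(tf_results), findings_by_query(plan_results)
    common = set(tf) & set(plan)
    return {
        "only_in_tf": sorted(set(tf) - set(plan)),
        "only_in_plan": sorted(set(plan) - set(tf)),
        "count_mismatch": sorted(q for q in common if tf[q][2] != plan[q][2]),
    }


def report(tf_results, plan_results):
    """Human-readable summary, naming each query so the gap can be filed per query."""
    names = {**findings_by_query(plan_results), **findings_by_query(tf_results)}
    diff = compare_scans(tf_results, plan_results)
    lines = [f"{bucket}: " + ", ".join(f"{q} ({names[q][0]}, {names[q][1]})" for q in ids)
             for bucket, ids in diff.items() if ids]
    return "\n".join(lines) if lines else "scans agree"


if __name__ == "__main__":
    print(report(TF_RESULTS, PLAN_RESULTS))
```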

Another example: the tfplan triggers a detection for "CloudFront distributions don't have encryption in transit", but the tf file (added .txt extension for GitHub's sake) does not.

Attachments: tfplan.json, sample.tf.txt

Tohar-orca avatar Oct 10 '24 13:10 Tohar-orca

@anterosilva1985 can you take a look please?

Tohar-orca avatar Oct 30 '24 12:10 Tohar-orca

Hi @Tohar-orca ,

I'm currently evaluating the ability to expand our coverage for terraform plans. I'll make sure to consider this example for our future roadmap items.

cx-antero-silva avatar Jan 20 '25 11:01 cx-antero-silva