terraform_trivy ignoring "trivy ignore" settings
Describe the bug
We configured our pre-commit setup with pre-commit-terraform, and the terraform_trivy hook is raising an issue with a k8s YAML. The same YAML, in the same path, has been present in the repo for some months, but with the recent upgrade of pre-commit-terraform from v1.96.3 to v1.97.4, terraform_trivy started to raise the following alert:
AVD-KSV-0104 (MEDIUM): container "ubi-micro" of deployment "ubi-micro-deployment" in "ubimicro" namespace should specify a seccomp profile
────────────────────────────────────────
A program inside the container can bypass Seccomp protection policies.
See https://avd.aquasec.com/misconfig/ksv104
────────────────────────────────────────
 scripts/ubi_micro.yaml:81-103
────────────────────────────────────────
  81 │ - image: registry.access.redhat.com/ubi9/ubi-micro@sha256:...
  82 │   imagePullPolicy: Always
  83 │   name: ubi-micro
  84 │   command:
  85 │   - "/bin/sh"
  86 │   - "-c"
  87 │   - "sleep infinity"
  88 │   securityContext:
  89 │     allowPrivilegeEscalation: false
The yaml path relative to the repo is
examples/deploy-proxy/scripts/ubi_micro.yaml
This is the pre-commit setting we use, which seemed to work fine until the recent upgrade, as we expect the YAML to be ignored:

- repo: https://github.com/antonbabenko/pre-commit-terraform
  rev: v1.97.4
  hooks:
    - id: terraform_fmt
    - id: terraform_validate
      # only scan directories with provider config in them due to limitation https://github.com/hashicorp/terraform/issues/28490
      files: ^examples/|^patterns/|^solutions/
      args:
        - --hook-config=--retry-once-with-cleanup=true
    - id: terraform_tflint
      args:
        - --args=--enable-rule=terraform_unused_declarations
        - --args=--enable-rule=terraform_deprecated_index
        - --args=--enable-rule=terraform_comment_syntax
        - --args=--enable-rule=terraform_documented_outputs
        - --args=--enable-rule=terraform_documented_variables
        - --args=--enable-rule=terraform_typed_variables
        - --args=--enable-rule=terraform_naming_convention
        - --args=--enable-rule=terraform_required_version
        - --args=--enable-rule=terraform_required_providers
        - --args=--enable-rule=terraform_unused_required_providers
        - --args=--enable-rule=terraform_standard_module_structure
      exclude: dynamic_values/
    - id: terraform_trivy
      args:
        - --args=--skip-files="**/.terraform/**/*"
        - --args=--skip-files="**/examples/**/*.yaml"
        - --args=--skip-files="**/examples/**/*.yml"
        - --args=--skip-files="**/helm-charts/**/*"
        - --args=--skip-files="**/tests/**/*"
        - --args=--skip-files="common-dev-assets/**/*"
        # workaround for https://github.com/antonbabenko/pre-commit-terraform/issues/691
        - --hook-config=--parallelism-limit=1
We tried to set the following trivy ignore tag as a workaround, but it seems to be ignored as well: # trivy:ignore:AVD-KSV-0104

containers:
  - image: registry.access.redhat.com/ubi9/ubi-micro@sha256:...
    imagePullPolicy: Always
    name: ubi-micro
    command:
      - "/bin/sh"
      - "-c"
      - "sleep infinity"
    # trivy:ignore:AVD-KSV-0104
    securityContext:
      allowPrivilegeEscalation: false
      runAsNonRoot: true
      readOnlyRootFilesystem: true
      runAsUser: 10001
      runAsGroup: 10001
      capabilities:
        drop:
          - "ALL"
We also tried to use the same tag at the very start of the container section whose code makes trivy complain, but that didn't help either:

containers:
  # trivy:ignore:AVD-KSV-0104
  - image: registry.access.redhat.com/ubi9/ubi-micro@sha256:...
    imagePullPolicy: Always
    name: ubi-micro
    command:
      - "/bin/sh"
      - "-c"
      - "sleep infinity"
    securityContext:
      allowPrivilegeEscalation: false
      runAsNonRoot: true
      readOnlyRootFilesystem: true
Setting it at the very start of the deployment YAML didn't help either.
The only way to solve this issue, which started with the recent upgrade, is to add the following path --args=--skip-files="**/scripts/*.yaml" to the skip-files configuration, with the following final result:

    - id: terraform_trivy
      args:
        - --args=--skip-files="**/.terraform/**/*"
        - --args=--skip-files="**/examples/**/*.yaml"
        - --args=--skip-files="**/examples/**/*.yml"
        - --args=--skip-files="**/helm-charts/**/*"
        - --args=--skip-files="**/tests/**/*"
        - --args=--skip-files="**/scripts/*.yaml"
        - --args=--skip-files="common-dev-assets/**/*"
        # workaround for https://github.com/antonbabenko/pre-commit-terraform/issues/691
        - --hook-config=--parallelism-limit=1

Below are the logs of the pre-commit hook failure:
Terraform validate with trivy.............................................Failed
- hook id: terraform_trivy
- exit code: 1
2025-03-05T10:41:22+01:00 INFO [misconfig] Misconfiguration scanning is enabled
2025-03-05T10:41:25+01:00 INFO [terraform scanner] Scanning root module file_path="examples/deploy-proxy"
2025-03-05T10:41:25+01:00 WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="ibmcloud_api_key"
2025-03-05T10:41:25+01:00 INFO [terraform scanner] Scanning root module file_path="examples/deploy-proxy-existing-cluster"
2025-03-05T10:41:25+01:00 WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="cluster_id, ibmcloud_api_key"
2025-03-05T10:41:25+01:00 INFO Detected config files num=13
2025-03-05T10:41:25+01:00 INFO [misconfig] Misconfiguration scanning is enabled
2025-03-05T10:41:27+01:00 INFO [terraform scanner] Scanning root module file_path="."
2025-03-05T10:41:27+01:00 WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="ibmcloud_api_key"
2025-03-05T10:41:28+01:00 INFO Detected config files num=2
scripts/ubi_micro.yaml (kubernetes)
Tests: 110 (SUCCESSES: 108, FAILURES: 2)
Failures: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
AVD-KSV-0030 (LOW): Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'
────────────────────────────────────────
According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.
See https://avd.aquasec.com/misconfig/ksv030
────────────────────────────────────────
 scripts/ubi_micro.yaml:80-103
────────────────────────────────────────
  80 │ - image: registry.access.redhat.com/ubi9/ubi-micro@sha256:...
  81 │   imagePullPolicy: Always
  82 │   name: ubi-micro
  83 │   command:
  84 │   - "/bin/sh"
  85 │   - "-c"
  86 │   - "sleep infinity"
  87 │   # trivy:ignore:AVD-KSV-0104
  88 │   securityContext:
  ..
────────────────────────────────────────

AVD-KSV-0104 (MEDIUM): container "ubi-micro" of deployment "ubi-micro-deployment" in "ubimicro" namespace should specify a seccomp profile
────────────────────────────────────────
A program inside the container can bypass Seccomp protection policies.
See https://avd.aquasec.com/misconfig/ksv104
────────────────────────────────────────
 scripts/ubi_micro.yaml:80-103
────────────────────────────────────────
  80 │ - image: registry.access.redhat.com/ubi9/ubi-micro@sha256:...
  81 │   imagePullPolicy: Always
  82 │   name: ubi-micro
  83 │   command:
  84 │   - "/bin/sh"
  85 │   - "-c"
  86 │   - "sleep infinity"
  87 │   # trivy:ignore:AVD-KSV-0104
  88 │   securityContext:
  ..
────────────────────────────────────────
2025-03-05T10:41:28+01:00 INFO [misconfig] Misconfiguration scanning is enabled
2025-03-05T10:41:29+01:00 INFO [terraform scanner] Scanning root module file_path="."
2025-03-05T10:41:29+01:00 WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="cluster_id, ibmcloud_api_key"
2025-03-05T10:41:29+01:00 INFO Detected config files num=1
2025-03-05T10:41:29+01:00 INFO [misconfig] Misconfiguration scanning is enabled
2025-03-05T10:41:30+01:00 INFO [terraform scanner] Scanning root module file_path="."
2025-03-05T10:41:30+01:00 WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="cluster_id"
2025-03-05T10:41:30+01:00 INFO Detected config files num=1
I mentioned the issue AVD-KSV-0104 as an example, even if AVD-KSV-0030 was also raised.
How can we reproduce it?
pre-commit run --all-files
Environment information

OS: MacOS and GitHub Action using golang:1.24 as base image

Tools availability and versions:
GNU bash, version 5.2.37(1)-release (x86_64-apple-darwin23.4.0)
pre-commit 4.1.0
OpenTofu v1.6.2
Terraform v1.9.2
python SKIPPED
Python 3.12.6
checkov SKIPPED
infracost SKIPPED
terraform-docs version v0.19.0 af31cc6 darwin/amd64
terragrunt version v0.55.1
terrascan SKIPPED
TFLint version 0.55.1
+ ruleset.terraform (0.10.0-bundled)
tfsec v1.28.5
trivy Version: 0.59.1
Check Bundle:
  Digest: sha256:2bc834fc222789e26b85dc3e92e3333b488e16a9bfa192aa971cca25db884837
  DownloadedAt: 2025-03-04 11:03:29.487846 +0000 UTC
tfupdate SKIPPED
hcledit SKIPPED

.pre-commit-config.yaml:

- repo: https://github.com/antonbabenko/pre-commit-terraform
  rev: v1.97.4
  hooks:
    - id: terraform_fmt
    - id: terraform_validate
      # only scan directories which have provider config in them due to limitation https://github.com/hashicorp/terraform/issues/28490
      files: ^examples/|^patterns/|^solutions/
      args:
        - --hook-config=--retry-once-with-cleanup=true
    - id: terraform_tflint
      args:
        - --args=--enable-rule=terraform_unused_declarations
        - --args=--enable-rule=terraform_deprecated_index
        - --args=--enable-rule=terraform_comment_syntax
        - --args=--enable-rule=terraform_documented_outputs
        - --args=--enable-rule=terraform_documented_variables
        - --args=--enable-rule=terraform_typed_variables
        - --args=--enable-rule=terraform_naming_convention
        - --args=--enable-rule=terraform_required_version
        - --args=--enable-rule=terraform_required_providers
        - --args=--enable-rule=terraform_unused_required_providers
        - --args=--enable-rule=terraform_standard_module_structure
      exclude: dynamic_values/
    - id: terraform_trivy
      args:
        - --args=--skip-files="**/.terraform/**/*"
        - --args=--skip-files="**/examples/**/*.yaml"
        - --args=--skip-files="**/examples/**/*.yml"
        - --args=--skip-files="**/helm-charts/**/*"
        - --args=--skip-files="**/tests/**/*"
        - --args=--skip-files="common-dev-assets/**/*"
        # workaround for https://github.com/antonbabenko/pre-commit-terraform/issues/691
        - --hook-config=--parallelism-limit=1
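A check worth running before chasing the inline `trivy:ignore` comment, added here as an illustration and not part of the issue or of pre-commit-terraform's own code: the hook invokes `trivy conf <dir>` once per directory, so the file that is `examples/deploy-proxy/scripts/ubi_micro.yaml` at repo level is seen by trivy as `scripts/ubi_micro.yaml` when the scan root is `examples/deploy-proxy`. The script below evaluates the issue's `--skip-files` globs against both views. It assumes (an assumption of this example, not something the thread establishes) that trivy matches `--skip-files` with doublestar semantics (`**` spans zero or more path segments, `*` never crosses `/`) against paths relative to the scanned directory; `glob_match`, `first_skip_match`, `path_as_seen_from` and `skip_report` are names chosen here, not trivy or hook APIs.

```python
"""Which trivy --skip-files globs match a file, depending on the scan root.

Added example, not code from the issue, trivy or pre-commit-terraform.
Assumption: --skip-files patterns use doublestar semantics and are matched
against paths relative to the directory given to `trivy conf <dir>`.
"""
from __future__ import annotations

import fnmatch
from pathlib import PurePosixPath

# Patterns copied from the issue's terraform_trivy hook configuration.
SKIP_FILES = [
    "**/.terraform/**/*",
    "**/examples/**/*.yaml",
    "**/examples/**/*.yml",
    "**/helm-charts/**/*",
    "**/tests/**/*",
    "common-dev-assets/**/*",
]


def glob_match(pattern: str, path: str) -> bool:
    """Doublestar-style match of `pattern` against a '/'-separated `path`."""
    return _match_segments(pattern.strip("/").split("/"), path.strip("/").split("/"))


def _match_segments(pat: list[str], segs: list[str]) -> bool:
    if not pat:
        return not segs  # pattern exhausted: match only if the path is exhausted too
    head, rest = pat[0], pat[1:]
    if head == "**":
        # "**" may swallow zero or more whole segments; try every split point.
        return any(_match_segments(rest, segs[i:]) for i in range(len(segs) + 1))
    if not segs:
        return False
    # Inside one segment "*" and "?" behave like shell globs; no "/" can occur here.
    return fnmatch.fnmatchcase(segs[0], head) and _match_segments(rest, segs[1:])


def first_skip_match(path: str, patterns: list[str] = SKIP_FILES) -> str | None:
    """Return the first pattern that would skip `path`, or None if it would be scanned."""
    for pattern in patterns:
        if glob_match(pattern, path):
            return pattern
    return None


def path_as_seen_from(repo_path: str, scan_root: str) -> str:
    """Repo-relative file path rewritten relative to the directory trivy is run on."""
    root = PurePosixPath(scan_root)
    if str(root) == ".":
        return repo_path
    return str(PurePosixPath(repo_path).relative_to(root))


def skip_report(
    repo_path: str, scan_roots: list[str], patterns: list[str] = SKIP_FILES
) -> dict[str, str | None]:
    """For each scan root: the pattern that skips the file as trivy sees it, or None."""
    return {
        root: first_skip_match(path_as_seen_from(repo_path, root), patterns)
        for root in scan_roots
    }


if __name__ == "__main__":
    target = "examples/deploy-proxy/scripts/ubi_micro.yaml"  # path from the issue
    roots = [".", "examples", "examples/deploy-proxy"]  # constructed scan roots
    for root, hit in skip_report(target, roots).items():
        seen = path_as_seen_from(target, root)
        print(f"scan root {root!r:24} sees {seen!r:46} skipped by: {hit}")
```

Under these assumptions `**/examples/**/*.yaml` skips the file only when `examples` is part of the path trivy sees; run from `examples/deploy-proxy` nothing in the list matches `scripts/ubi_micro.yaml`, which is consistent with `**/scripts/*.yaml` being the pattern that made the hook pass. Running `trivy conf <dir> --debug` with the same `--skip-files` arguments on the directory the hook reports is the way to confirm or refute the assumption for a given trivy version.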
@vbontempi Thanks for providing details, it indeed helps to compose a test env to try and reproduce an issue. Unfortunately I can't seem to reproduce it using the provided data though.
Details
> cat .pre-commit-config.yaml
repos:
  # https://pre-commit.com/#meta-hooks
  - repo: meta
    hooks:
      - id: check-hooks-apply
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: v1.97.4
    hooks:
      - id: terraform_trivy
        files: .+
        verbose: true
        args:
          - --args=--skip-files="**/.terraform/**/*"
          - --args=--skip-files="**/examples/**/*.yaml"
          - --args=--skip-files="**/examples/**/*.yml"
          - --args=--skip-files="**/helm-charts/**/*"
          - --args=--skip-files="**/tests/**/*"
          - --args=--skip-files="common-dev-assets/**/*"
          # workaround for https://github.com/antonbabenko/pre-commit-terraform/issues/691
          - --hook-config=--parallelism-limit=1

> tree -a -I .git/
.
├── .pre-commit-config.yaml
└── examples
    └── deploy-proxy
        └── scripts
            └── ubi_micro.yaml

3 directories, 2 files

> cat examples/deploy-proxy/scripts/ubi_micro.yaml
containers:
  - image: registry.access.redhat.com/ubi9/ubi-micro@sha256:...
    imagePullPolicy: Always
    name: ubi-micro
    command:
      - "/bin/sh"
      - "-c"
      - "sleep infinity"
    # trivy:ignore:AVD-KSV-0104
    securityContext:
      allowPrivilegeEscalation: false
      runAsNonRoot: true
      readOnlyRootFilesystem: true
      runAsUser: 10001
      runAsGroup: 10001
      capabilities:
        drop:
> pre-commit run -a
Check hooks apply to the repository......................................Passed
Terraform validate with trivy............................................Passed
- hook id: terraform_trivy
- duration: 1.33s
2025-03-05T15:02:00+02:00 INFO [misconfig] Misconfiguration scanning is enabled
2025-03-05T15:02:01+02:00 INFO Detected config files num=0
2025-03-05T15:02:01+02:00 INFO [misconfig] Misconfiguration scanning is enabled
2025-03-05T15:02:02+02:00 INFO Detected config files num=0
> trivy conf examples/deploy-proxy/scripts --exit-code=1
2025-03-05T15:02:29+02:00 INFO [misconfig] Misconfiguration scanning is enabled
2025-03-05T15:02:29+02:00 INFO Detected config files num=0
> trivy conf examples/deploy-proxy/scripts --exit-code=1 --debug
2025-03-05T15:06:43+02:00 DEBUG No plugins loaded
2025-03-05T15:06:43+02:00 DEBUG Default config file "file_path=trivy.yaml" not found, using built in values
2025-03-05T15:06:43+02:00 DEBUG Cache dir dir="/home/georgii/.cache/trivy"
2025-03-05T15:06:43+02:00 DEBUG Cache dir dir="/home/georgii/.cache/trivy"
2025-03-05T15:06:43+02:00 DEBUG Parsed severities severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-03-05T15:06:43+02:00 INFO [misconfig] Misconfiguration scanning is enabled
2025-03-05T15:06:43+02:00 DEBUG [misconfig] Checks successfully loaded from disk
2025-03-05T15:06:43+02:00 DEBUG Enabling misconfiguration scanners scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-03-05T15:06:43+02:00 DEBUG Initializing scan cache... type="memory"
2025-03-05T15:06:43+02:00 DEBUG [fs] Analyzing... root="examples/deploy-proxy/scripts"
2025-03-05T15:06:43+02:00 DEBUG [misconfig] Scanning files for misconfigurations... scanner="Helm"
2025-03-05T15:06:43+02:00 DEBUG [rego] Overriding filesystem for checks
2025-03-05T15:06:43+02:00 DEBUG [rego] Embedded libraries are loaded count=17
2025-03-05T15:06:43+02:00 DEBUG [rego] Embedded checks are loaded count=517
2025-03-05T15:06:43+02:00 DEBUG [rego] Checks from disk are loaded count=534
2025-03-05T15:06:43+02:00 DEBUG [rego] Overriding filesystem for data
2025-03-05T15:06:43+02:00 DEBUG OS is not detected.
2025-03-05T15:06:43+02:00 INFO Detected config files num=0
2025-03-05T15:06:43+02:00 DEBUG Specified ignore file does not exist file=".trvyignore"
Could you please provide a reproducible data set?
You may also set up a public repo with a minimal reproducible data set so that we can clone it and see the failure in action.

@vbontempi I can't reproduce, it always Passed for me.
Reproduction repo from what I saw in this issue: https://github.com/pre-commit-terraform/GH-834-repoduce
I actually can't get any violations, not only via the hook, but also via trivy conf examples/deploy-proxy/scripts --exit-code=1, including the situation when # trivy:ignore:AVD-KSV-0104 is removed.
I used for the tests the same trivy version as reported by you:

> trivy --version
Version: 0.59.1
Vulnerability DB:
Version: 2
UpdatedAt: 2024-11-08 18:17:34.106494638 +0000 UTC
NextUpdate: 2024-11-09 18:17:34.106494247 +0000 UTC
DownloadedAt: 2024-11-08 19:49:02.285946591 +0000 UTC
Check Bundle:
Digest: sha256:38e239e5ab2bc9e914e69131537e92f429c4b53c108ec0ac1d7f6f91b752b9bc
DownloadedAt: 2025-03-20 18:04:13.832395781 +0000 UTC
Anyway, that's what is passed to trivy from the hook in v1.97.4:
trace: per_dir_hook_unique_part common::per_dir_hook main main
terraform_trivy.sh:51: trivy conf /tmp/trivy_834/examples/deploy-proxy/scripts --exit-code=1
'--skip-files=**/.terraform/**/*' '--skip-files=**/examples/**/*.yaml' '--skip-files=**/examples/**/*.yml'
'--skip-files=**/helm-charts/**/*' '--skip-files=**/tests/**/*' '--skip-files=common-dev-assets/**/*'
That's what is passed to trivy from the hook in v1.96.3:
trace: per_dir_hook_unique_part common::per_dir_hook main main
terraform_trivy.sh:51: trivy conf /tmp/trivy_834/examples/deploy-proxy/scripts --exit-code=1
'--skip-files=**/.terraform/**/*' '--skip-files=**/examples/**/*.yaml' '--skip-files=**/examples/**/*.yml'
'--skip-files=**/helm-charts/**/*' '--skip-files=**/tests/**/*' '--skip-files=common-dev-assets/**/*'
They are identical.
Please create your own repo, or enhance ours, for reproducing your issue. Otherwise, I'll not be able to help you.

"I can't reproduce, it always Passed for me."

Yeah, I struggled with that too, to no avail, and it seems like the topic starter has abandoned this issue.

Sorry for the delay in getting back to you. I am trying to provide you a way to replicate the issue, but reducing the repo where we experience this problem to only the content impacted by the error seems to solve the problem itself. Working on this.

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove the stale label or comment, or this issue will be closed in 10 days.
@vbontempi Is this still an issue for you?
I'm somehow facing the same issue. A .trivyignore file in the repository's root as well as # trivy:ignore:XYZ in the corresponding terraform file both have no effect.
Could you please provide a reproducible data set?
This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove the stale label or comment, or this issue will be closed in 10 days.
This issue was automatically closed because it remained stale for 10 days.