
fix(misconf): Improve filtering of terraform JSON

Open simar7 opened this issue 1 year ago • 0 comments

Currently we detect by content but later on filter by name. We shouldn't double filter if the content is already valid.

Discussed in https://github.com/aquasecurity/trivy/discussions/7363

Originally posted by Molaire August 20, 2024

Description

Hello, I planned a dummy Terraform project using our boilerplate, turned it into JSON, and Trivy does not seem to be able to scan it. I have no problem with Regula and Checkov.

I'm wondering what part of the plan is tripping up Trivy.

It shows no successful check using --include-non-failures, so it seems it's simply not able to scan it.

```
(venv) ➜  uswest1-devc git:(main) ✗ trivy clean -a
2024-08-20T09:31:17-07:00	INFO	Removing all caches...
(venv) ➜  uswest1-devc git:(main) ✗ trivy conf ./tf_plan.json  --include-non-failures -v
2024-08-20T09:31:20-07:00	INFO	Misconfiguration scanning is enabled
2024-08-20T09:31:20-07:00	INFO	Need to update the built-in policies
2024-08-20T09:31:20-07:00	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [---------------------------------------------------------] 100.00% ? p/s 0s
2024-08-20T09:31:20-07:00	INFO	Detected config files	num=0
```

pastebin of json plan: https://pastebin.com/zjb0xgti

Desired Behavior

It should trigger the IMDSv2 check

Actual Behavior

It scans no resource at all

Reproduction Steps

1. Use shared plan
2. Run `trivy conf ./tf_plan.json  --include-non-failures -v`
3. Be sad
...

Target

None

Scanner

None

Output Format

None

Mode

None

Debug Output

```
(venv) ➜  uswest1-devc git:(main) ✗ trivy conf ./tf_plan.json  --include-non-failures -d
2024-08-20T09:37:24-07:00	DEBUG	Cache dir	dir="/nail/home/vit/.cache/trivy"
2024-08-20T09:37:24-07:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-08-20T09:37:24-07:00	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-20T09:37:24-07:00	DEBUG	[misconfig] Policies successfully loaded from disk
2024-08-20T09:37:24-07:00	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-08-20T09:37:24-07:00	DEBUG	Initializing scan cache...	type="memory"
2024-08-20T09:37:24-07:00	DEBUG	Scanning files for misconfigurations...	scanner="Terraform Plan JSON"
2024-08-20T09:37:24-07:00	DEBUG	OS is not detected.
2024-08-20T09:37:24-07:00	INFO	Detected config files	num=0
2024-08-20T09:37:24-07:00	DEBUG	[vex] VEX filtering is disabled
```

Operating System

Ubuntu Jammy

Version

```
Version: 0.54.1
Check Bundle:
  Digest: sha256:ef2d9ad4fce0f933b20a662004d7e55bf200987c180e7f2cd531af631f408bb3
  DownloadedAt: 2024-08-20 16:31:20.785372254 +0000 UTC
```

Checklist
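The issue description above says the scanner detects a Terraform plan by its content but then filters it again by file name, so a valid plan with an unexpected name is never scanned. The following Go program is an added example, not Trivy's own code, that models both stages side by side: a content check keyed on top-level fields that Terraform's documented JSON plan format always emits (`format_version`, `terraform_version`, `planned_values`), an assumed name filter (the `tfplan.json` / `*.tfplan.json` pattern is a placeholder, not Trivy's real rule), and the two decision policies. The plan document is constructed, not the one from the pastebin.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"strings"
)

// looksLikeTerraformPlan reports whether content parses as a JSON object and
// carries the top-level keys that Terraform's JSON plan output always includes.
// This is the content-based detection stage.
func looksLikeTerraformPlan(content []byte) bool {
	var top map[string]json.RawMessage
	if err := json.Unmarshal(content, &top); err != nil {
		return false
	}
	for _, key := range []string{"format_version", "terraform_version", "planned_values"} {
		if _, ok := top[key]; !ok {
			return false
		}
	}
	return true
}

// nameLooksLikePlan is the assumed name-based filter (placeholder pattern,
// not Trivy's): only tfplan.json or *.tfplan.json pass.
func nameLooksLikePlan(name string) bool {
	base := filepath.Base(name)
	return base == "tfplan.json" || strings.HasSuffix(base, ".tfplan.json")
}

// ScanDecision records the two checks and the resulting scan/no-scan outcome.
type ScanDecision struct {
	ContentMatch bool
	NameMatch    bool
	Scanned      bool
}

// decideDoubleFilter models the behaviour the issue complains about: the file
// is scanned only when the content check AND the name filter both pass.
func decideDoubleFilter(name string, content []byte) ScanDecision {
	d := ScanDecision{
		ContentMatch: looksLikeTerraformPlan(content),
		NameMatch:    nameLooksLikePlan(name),
	}
	d.Scanned = d.ContentMatch && d.NameMatch
	return d
}

// decideContentOnly models the proposed fix: once the content is a valid
// plan, the file name no longer matters.
func decideContentOnly(name string, content []byte) ScanDecision {
	d := ScanDecision{
		ContentMatch: looksLikeTerraformPlan(content),
		NameMatch:    nameLooksLikePlan(name),
	}
	d.Scanned = d.ContentMatch
	return d
}

// constructedPlan is a minimal, constructed plan document for the demo.
const constructedPlan = `{
  "format_version": "1.2",
  "terraform_version": "1.9.0",
  "planned_values": {"root_module": {"resources": []}},
  "resource_changes": []
}`

func main() {
	plan := []byte(constructedPlan)
	for _, name := range []string{"tfplan.json", "tf_plan.json"} {
		fmt.Printf("%-13s double-filter scanned=%-5v content-only scanned=%v\n",
			name,
			decideDoubleFilter(name, plan).Scanned,
			decideContentOnly(name, plan).Scanned)
	}
}
```

With the constructed plan, `tfplan.json` is scanned under both policies, while `tf_plan.json` (the name used in the report above) passes the content check yet is dropped by the double filter and kept by the content-only policy, which is the change the issue asks for.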

simar7 · Aug 26 '24 17:08