
Unexpected exit code of 4 when running a scan on an empty directory

Open JonZeolla opened this issue 2 years ago • 13 comments

  • terrascan version: v1.10.0
  • Operating System: Ubuntu 20.04.3 (Docker)

Description

I am running a terrascan scan on an empty directory and it is failing with an exit code of 4. When I provide secure terraform, it provides the exact same output, but exits 0.

What I Did

Empty directory:

easy_infra@983eec90355e:/iac$ ls
easy_infra@983eec90355e:/iac$ terrascan scan -i terraform -t all -d .
2021-09-29T23:54:46.577Z        info    downloader/module-download.go:80        Error building terraform credentials /home/easy_infra/.terraformrc: error converting credential map to host map


Scan Summary -

        File/Folder         :   /iac
        IaC Type            :   terraform
        Scanned At          :   2021-09-29 23:54:47.8368166 +0000 UTC
        Policies Validated  :   783
        Violated Policies   :   0
        Low                 :   0
        Medium              :   0
        High                :   0
easy_infra@983eec90355e:/iac$ echo $?
4

Valid, secure .tf file

easy_infra@3b11d8ef3552:/iac$ ls
secure.tf
easy_infra@3b11d8ef3552:/iac$ terrascan scan -i terraform -t all -d .
2021-09-29T23:54:04.064Z        info    downloader/module-download.go:80        Error building terraform credentials /home/easy_infra/.terraformrc: error converting credential map to host map


Scan Summary -

        File/Folder         :   /iac
        IaC Type            :   terraform
        Scanned At          :   2021-09-29 23:54:05.4489646 +0000 UTC
        Policies Validated  :   0
        Violated Policies   :   0
        Low                 :   0
        Medium              :   0
        High                :   0
easy_infra@3b11d8ef3552:/iac$ echo $?
0

Valid, insecure .tf file:

easy_infra@e10573fd76b1:/iac$ ls
insecure.tf
easy_infra@e10573fd76b1:/iac$ terrascan scan -i terraform -t all -d .
2021-09-29T23:57:20.663Z        info    downloader/module-download.go:80        Error building terraform credentials /home/easy_infra/.terraformrc: error converting credential map to host map


Violation Details -

        Description    :        Ensure that detailed monitoring is enabled for EC2 instances.
        File           :        insecure.tf
        Module Name    :        root
        Plan Root      :        ./
        Line           :        17
        Severity       :        HIGH
        -----------------------------------------------------------------------

        Description    :        Ensure that your AWS application is not deployed within the default Virtual Private Cloud in order to follow security best practices
        File           :        insecure.tf
        Module Name    :        root
        Plan Root      :        ./
        Line           :        17
        Severity       :        MEDIUM
        -----------------------------------------------------------------------

        Description    :        EC2 instances should disable IMDS or require IMDSv2 as this can be related to the weaponization phase of kill chain
        File           :        insecure.tf
        Module Name    :        root
        Plan Root      :        ./
        Line           :        17
        Severity       :        MEDIUM
        -----------------------------------------------------------------------


Scan Summary -

        File/Folder         :   /iac
        IaC Type            :   terraform
        Scanned At          :   2021-09-29 23:57:21.8560275 +0000 UTC
        Policies Validated  :   5
        Violated Policies   :   3
        Low                 :   0
        Medium              :   2
        High                :   1
easy_infra@e10573fd76b1:/iac$ echo $?
3

My ~/.terraformrc file is:

plugin_cache_dir   = "$HOME/.terraform.d/plugin-cache"

JonZeolla avatar Sep 30 '21 00:09 JonZeolla

I get this same exit code 4 when there are no violated policies (due to skip-rules configuration).

Note: I am using the Docker container method:

docker run --rm --volume $(System.DefaultWorkingDirectory):/code \
  accurics/terrascan scan --iac-dir /code/ --verbose --config-path code/terrascan.toml

Scan Summary -

	File/Folder         :	/code
	IaC Type            :	all
	Scanned At          :	2021-10-03 17:46:25.094059433 +0000 UTC
	Policies Validated  :	60
	Violated Policies   :	0
	Low                 :	0
	Medium              :	0
	High                :	0

##[debug]Exit code 4 received from tool '/usr/bin/bash'
##[debug]STDIO streams have closed for tool '/usr/bin/bash'
##[error]Bash exited with code '4'.

TerraScan TOML file:

[severity]
level = "high"
[rules]
    skip-rules = [
        "AC_AWS_0207",
        "AC_AWS_0214",
        "AC_AWS_0215",
        "AC_AWS_0366",
        "AC_DOCKER_0029"
    ]

AErmie avatar Oct 03 '21 17:10 AErmie

Running into the same problem (with the skip-rules configuration), which actually lets the terrascan-action for GitHub fail. It could probably be related to the changes in #994 where the exit code behavior was changed.

HorizonNet avatar Oct 25 '21 20:10 HorizonNet

I looked deeper into my problem. Essentially I got the exit code 4 because I had directories in my project which did not contain any Terraform files. It was not due to the skip-rules configuration. After fixing my initial problem, the skip-rules configuration also returns an exit code of 0. I think the problem is that even in verbose mode there are not a lot of pointers on what is going wrong. I had to add some additional logging to run.go to see what's going on and then run it again with the customized binary. The fix was to add empty Terraform configuration files into these directories, which is probably not perfect.

As it was mentioned somewhere that we're simulating terraform plan with the exit codes: terraform plan returns an exit code of 0 if a sub-directory does not have a Terraform configuration file in it.

HorizonNet avatar Nov 01 '21 13:11 HorizonNet

When running for all IaC types, I'm always getting an error exit code when there are no Docker files present in the directories.

... has no files named Dockerfile. Use -f flag if Dockerfiles follow a different naming convention.

The tool shouldn't exit with an error exit code if no Docker files are present.

yane3628 avatar Nov 01 '21 17:11 yane3628

Same here: terrascan scan d . -i terraform -t all -v returns code 4, whereas there are valid terraform files in the directory

nvuillam avatar Jan 23 '22 11:01 nvuillam

Output log in MegaLinter:

[terrascan] command: ['terrascan', 'scan', 'd', '.', '-i', 'terraform', '-t', 'all', '-v']
[terrascan] CWD: /tmp/lint/.automation/test/terraform_terrascan/good
[terrascan] result: 4 

Scan Summary -

	File/Folder         :	/tmp/lint/.automation/test/terraform_terrascan/good
	IaC Type            :	terraform
	Scanned At          :	2022-01-23 10:36:52.053745916 +0000 UTC
	Policies Validated  :	785
	Violated Policies   :	0
	Low                 :	0
	Medium              :	0
	High                :	0

nvuillam avatar Jan 23 '22 11:01 nvuillam

> When running for all IaC types, I'm always getting an error exit code when there are no Docker files present in the directories.
>
> ... has no files named Dockerfile. Use -f flag if Dockerfiles follow a different naming convention.
>
> The tool shouldn't exit with an error exit code if no Docker files are present.

Hi @yane3628, this is just a warning; it is not used in error code computation.

Rchanger avatar Feb 21 '22 07:02 Rchanger

> Same here: terrascan scan d . -i terraform -t all -v returns code 4, whereas there are valid terraform files in the directory

@nvuillam can you please try running the same command with the output type set to json (-o json). With this, you can see all the errors that occurred during scanning. You can post them if they are not relevant and we can try filtering them. Thank you.

Rchanger avatar Feb 21 '22 07:02 Rchanger

the -o json helped me debug. I forgot to have -i terraform

I know this doesn't solve most people's problem in this issue, but I'll leave this note for anyone.

jb185555 avatar Feb 23 '22 16:02 jb185555

> the -o json helped me debug. I forgot to have -i terraform
>
> I know this doesn't solve most people's problem in this issue, but I'll leave this note for anyone.

@jb185555 Thanks for this tip, setting the IaC to terraform made it produce exit code 0 for me. The only problem I have is the docs are broken for the config file references and I can't get the config file to auto set my iac type

wesleykirklandsg avatar Mar 25 '22 13:03 wesleykirklandsg

dumbest of dumb suggestions but: I dropped an empty.tf in all the empty directories to quiet terrascan.

michaelglass avatar Nov 01 '22 11:11 michaelglass
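The two comments above (HorizonNet's root-cause analysis and the empty.tf workaround) describe a manual procedure: find every directory in the tree that terrascan will report as having no Terraform configuration, and drop a placeholder file into it. The script below automates that check. It is an added example for this thread, not terrascan's own code or anything from the maintainers. It assumes that terrascan treats `*.tf` and `*.tf.json` as Terraform configuration files (an assumption; only `.tf` is confirmed by the thread), and it skips hidden directories such as `.git` and `.terraform`, which terraform itself never treats as module roots. The `demo()` function builds a constructed sample tree in a temporary directory, mirroring the `modules/` case posted later in this thread, so the whole thing runs offline.

```python
"""Find directories that would trigger "has no terraform config files" and,
optionally, drop a placeholder .tf into each one.

Added example for this issue thread; not part of terrascan.
"""
import os
import tempfile
from pathlib import Path
from typing import List

# Assumption: terrascan counts both *.tf and *.tf.json as Terraform config.
TF_SUFFIXES = (".tf", ".tf.json")
# Hidden directories (.git, .terraform, ...) are never Terraform module roots.
SKIP_DIR_PREFIX = "."
PLACEHOLDER_NAME = "empty.tf"
PLACEHOLDER_BODY = "# placeholder so terrascan does not report this directory as empty\n"


def has_tf_config(directory: Path) -> bool:
    """True if the directory itself (not its children) holds a Terraform config file."""
    return any(p.is_file() and p.name.endswith(TF_SUFFIXES) for p in directory.iterdir())


def empty_dirs(root) -> List[Path]:
    """Directories under root (root included) with no Terraform config file of their own.

    A directory that only contains sub-modules (e.g. modules/ holding modules/vpc/main.tf)
    is reported, because that is exactly the layout terrascan complains about.
    """
    root = Path(root)
    found: List[Path] = []
    for dirpath, dirnames, _files in os.walk(root):
        # Prune hidden directories in place so os.walk does not descend into them.
        dirnames[:] = sorted(d for d in dirnames if not d.startswith(SKIP_DIR_PREFIX))
        current = Path(dirpath)
        if not has_tf_config(current):
            found.append(current)
    return found


def add_placeholders(root, name: str = PLACEHOLDER_NAME) -> List[Path]:
    """Write a comment-only .tf (valid HCL) into every empty directory; return the paths written."""
    written: List[Path] = []
    for directory in empty_dirs(root):
        target = directory / name
        target.write_text(PLACEHOLDER_BODY)
        written.append(target)
    return written


def demo() -> dict:
    """Constructed sample tree: root has main.tf, modules/ has none, modules/vpc/ has main.tf,
    .terraform/ is a cache directory that must be ignored."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "main.tf").write_text('module "vpc" { source = "./modules/vpc" }\n')
        (root / "modules" / "vpc").mkdir(parents=True)
        (root / "modules" / "vpc" / "main.tf").write_text('resource "null_resource" "x" {}\n')
        (root / ".terraform").mkdir()
        (root / ".terraform" / "cached.tf").write_text("")

        before = [str(d.relative_to(root)) for d in empty_dirs(root)]
        written = [str(p.relative_to(root)) for p in add_placeholders(root)]
        after = [str(d.relative_to(root)) for d in empty_dirs(root)]
    return {"before": before, "written": written, "after": after}


if __name__ == "__main__":
    # Usage against a real tree: python find_empty_tf_dirs.py <path>
    import sys

    target_root = sys.argv[1] if len(sys.argv) > 1 else "."
    for directory in empty_dirs(target_root):
        print(f"no terraform config files: {directory}")
```

Run it against the repository root before the scan, or call `add_placeholders()` from the CI job if you have decided to live with the workaround; reviewing the list first is safer, because a directory with no `.tf` files may simply be one that should be excluded from the scan rather than padded.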

I have tried and I am still getting this. When I run the command: terrascan scan d . -i terraform -t all -v -o json

I get:

{
  "results": {
    "scan_errors": [
      {
        "iac_type": "terraform",
        "directory": "/Users/username/Desktop/Folder1/Folder2/Folder3/simple_module_ml/modules",
        "errMsg": "directory '/Users/username/Desktop/Folder1/Folder2/Folder3/simple_module_ml/modules' has no terraform config files"
      }
    ],
    "violations": null,
    "skipped_violations": null,
    "scan_summary": {
      "file/folder": "/Users/username/Desktop/Folder1/Folder2/Folder3/simple_module_ml",
      "iac_type": "terraform",
      "scanned_at": "2023-12-22 17:13:48.881986 +0000 UTC",
      "policies_validated": 148,
      "violated_policies": 0,
      "low": 0,
      "medium": 0,
      "high": 0
    }
  }
}

Why does it error when there is a directory with no .tf files? Is there a way of configuring Terrascan to ignore some directories?

NTitmus avatar Dec 22 '23 17:12 NTitmus
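The JSON above answers the question in the comment: the non-zero status comes from the `scan_errors` array, not from any violation, and `-o json` (as Rchanger suggested earlier in the thread) is the only place the reason is visible. Until terrascan can be told to ignore such directories, a CI job can make the decision itself by reading the JSON report instead of trusting the raw exit status. The wrapper below is an added example for this thread, not terrascan's code: it runs `terrascan scan ... -o json`, downgrades scan errors whose message matches a benign pattern to warnings, and exits with 0/3/4 as observed in this thread (the value 5 for "errors and violations at the same time" is an assumption, not something the thread shows). It assumes terrascan writes the JSON report to stdout and its log lines to stderr, and that each entry in `violations` carries a `severity` field; the two sample reports are constructed from the outputs posted in this thread, with paths shortened.

```python
"""Gate a pipeline on terrascan's JSON report rather than on its raw exit status.

Added example for this issue thread; not part of terrascan.
"""
import json
import re
import subprocess
import sys
from typing import Dict, Iterable, List, Tuple

# Exit codes seen in this thread: 0 clean, 3 violations, 4 scan errors.
# 5 for "errors and violations together" is an assumption, not taken from the thread.
EXIT_CLEAN, EXIT_VIOLATIONS, EXIT_ERRORS, EXIT_BOTH = 0, 3, 4, 5

# scan_errors whose errMsg matches one of these are reported but do not fail the job.
BENIGN_PATTERNS = (re.compile(r"has no terraform config files"),)

# Constructed sample shaped after the -o json report posted above: one sub-directory
# without .tf files, no violations.
SAMPLE_EMPTY_MODULES_DIR = {
    "results": {
        "scan_errors": [
            {
                "iac_type": "terraform",
                "directory": "/work/simple_module_ml/modules",
                "errMsg": "directory '/work/simple_module_ml/modules' has no terraform config files",
            }
        ],
        "violations": None,
        "skipped_violations": None,
        "scan_summary": {"iac_type": "terraform", "policies_validated": 148,
                         "violated_policies": 0, "low": 0, "medium": 0, "high": 0},
    }
}

# Constructed sample with one MEDIUM finding, shaped after the insecure.tf output in the
# first post. The per-violation keys are an assumption about terrascan's JSON schema;
# only "severity" is used for the decision.
SAMPLE_WITH_VIOLATION = {
    "results": {
        "scan_errors": [],
        "violations": [
            {
                "description": "Ensure that your AWS application is not deployed within the default Virtual Private Cloud",
                "file": "insecure.tf",
                "line": 17,
                "severity": "MEDIUM",
            }
        ],
        "scan_summary": {"violated_policies": 1, "low": 0, "medium": 1, "high": 0},
    }
}


def triage(report: dict,
           ignore_patterns=BENIGN_PATTERNS,
           fail_on: Iterable[str] = ("HIGH", "MEDIUM", "LOW")) -> Tuple[int, Dict[str, List[dict]]]:
    """Return (exit_code, details). Benign scan errors are listed but never fail the job."""
    results = report.get("results") or {}
    hard: List[dict] = []
    soft: List[dict] = []
    for err in results.get("scan_errors") or []:
        msg = err.get("errMsg", "")
        (soft if any(p.search(msg) for p in ignore_patterns) else hard).append(err)

    wanted = {s.upper() for s in fail_on}
    blocking = [v for v in results.get("violations") or []
                if str(v.get("severity", "")).upper() in wanted]

    if hard and blocking:
        code = EXIT_BOTH
    elif hard:
        code = EXIT_ERRORS
    elif blocking:
        code = EXIT_VIOLATIONS
    else:
        code = EXIT_CLEAN
    return code, {"ignored_errors": soft, "errors": hard, "violations": blocking}


def run_terrascan(scan_args: List[str]) -> dict:
    """Run `terrascan scan <args> -o json` and parse stdout regardless of the exit status."""
    proc = subprocess.run(["terrascan", "scan", *scan_args, "-o", "json"],
                          capture_output=True, text=True)
    try:
        return json.loads(proc.stdout)
    except json.JSONDecodeError:
        # No report at all (bad flags, missing binary): surface the raw output and fail hard.
        sys.stderr.write(proc.stdout + proc.stderr)
        raise SystemExit(EXIT_ERRORS)


if __name__ == "__main__":
    # usage: python terrascan_gate.py -i terraform -t all -d .
    code, details = triage(run_terrascan(sys.argv[1:]))
    for err in details["ignored_errors"]:
        print(f"warning (ignored): {err.get('errMsg')}")
    for err in details["errors"]:
        print(f"scan error: {err.get('errMsg')}")
    for v in details["violations"]:
        print(f"{v.get('severity')}: {v.get('file')}:{v.get('line')} {v.get('description')}")
    sys.exit(code)
```

The ignore list is deliberately narrow: only the "has no terraform config files" message is downgraded, so a genuine scan error (unreadable file, bad HCL) still returns 4, and the `fail_on` tuple lets the job mirror a `[severity] level = "high"` config such as the one AErmie posted without relying on terrascan's own exit-code computation.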

Any chance of a fix someday for this issue? :)

nvuillam avatar Mar 09 '24 13:03 nvuillam