Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(terraform): do not scan local modules as root modules #1467

Merged
merged 3 commits into from
Oct 7, 2023

Conversation

nikpivkin
Copy link
Collaborator

@nikpivkin nikpivkin commented Oct 5, 2023

This PR fixes a bug when Trivy scans local modules as root modules. See aquasecurity/trivy#4988.

Configuration example:

main.tf

module "main" {
  source      = "./modules/s3"
  versioning = "Enabled"
}

modules/s3/main.tf

variable "versioning" {
  type = string
}

resource "aws_s3_bucket" "main" {
  bucket = "test"
}

resource "aws_s3_bucket_versioning" "example" {
  bucket = aws_s3_bucket.main.id
  versioning_configuration {
    status = var.versioning
  }
}

Before:

trivy config . -f json | jq '.Results[] | .Misconfigurations | .[]?.Title'
2023-10-05T20:10:23.028+0700	INFO	Misconfiguration scanning is enabled
2023-10-05T20:10:24.956+0700	INFO	Detected config files: 3
"S3 Access block should block public ACL"
"S3 Access block should block public ACL"
"S3 Access block should block public policy"
"S3 Access block should block public policy"
"Unencrypted S3 bucket."
"Unencrypted S3 bucket."
"S3 Bucket Logging"
"S3 Bucket Logging"
"S3 Data should be versioned"
"S3 Access Block should Ignore Public Acl"
"S3 Access Block should Ignore Public Acl"
"S3 Access block should restrict public bucket to limit access"
"S3 Access block should restrict public bucket to limit access"
"S3 buckets should each define an aws_s3_bucket_public_access_block"
"S3 buckets should each define an aws_s3_bucket_public_access_block"
"S3 encryption should use Customer Managed Keys"
"S3 encryption should use Customer Managed Keys"

After:

2023-10-05T20:13:02.416+0700    INFO    Misconfiguration scanning is enabled
2023-10-05T20:13:02.839+0700    INFO    Detected config files: 2
"S3 Access block should block public ACL"
"S3 Access block should block public policy"
"Unencrypted S3 bucket."
"S3 Bucket Logging"
"S3 Access Block should Ignore Public Acl"
"S3 Access block should restrict public bucket to limit access"
"S3 buckets should each define an aws_s3_bucket_public_access_block"
"S3 encryption should use Customer Managed Keys"

@nikpivkin
Copy link
Collaborator Author

@simar7 The test failed due to a bug in go1.19 on windows. golang/go#51007

@simar7
Copy link
Member

simar7 commented Oct 5, 2023

I see. Should we update the version of Go in defsec prior to merging this PR or just ignore the error for now?

If upgrading the version isn't too time consuming let's do that. What do you think? Since Trivy already uses 1.20.

@nikpivkin
Copy link
Collaborator Author

@simar7 I'll do it.

@simar7 simar7 force-pushed the fix/local-modules branch from 24be81a to d9f3220 Compare October 6, 2023 06:08
@nikpivkin nikpivkin marked this pull request as ready for review October 6, 2023 06:59
@nikpivkin nikpivkin requested a review from simar7 as a code owner October 6, 2023 06:59
@simar7 simar7 added this pull request to the merge queue Oct 7, 2023
Merged via the queue into aquasecurity:master with commit 78aed65 Oct 7, 2023
8 checks passed
@nikpivkin nikpivkin deleted the fix/local-modules branch October 7, 2023 04:37
@nikpivkin nikpivkin restored the fix/local-modules branch October 20, 2023 16:13
@nikpivkin nikpivkin deleted the fix/local-modules branch October 20, 2023 16:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants