Input in custom policy using trivy on terraform does not have complete attributes of resources

[rickythain]

Question

I tried to create a custom policy that checks if an aws ec2 volume has a count of 1. Upon running the check, the policy did not report it when an aws ec2 volume was created with a count of 1.

So, I checked for any mistakes in the policy file, mistakes on the command used but to no avail. Then, I try to check the input received via the custom policy and found that that may be the issue?

The input received via the custom policy does not contain the complete attributes of the resource (no count, tags, type, size, etc)
I've compiled the terraform, policy, and the extracted-input files in this repo - test-trivy-tf.

Following are the content:
main.tf

resource "aws_s3_bucket" "my-bucket" {
   bucket = "evil"
}

resource "aws_ebs_volume" "example02" {
  count             = 1
  size              = 14
  availability_zone = "us-east-1a"
  type              = "gp3"
  encrypted         = true
  tags = {
    Name = "HelloWorld 23"
  }
}

policy.rego

# METADATA
# title: Bad buckets are bad
# description: Bad buckets are bad because they are not good.
# scope: package
# custom:
#   avd_id: AVD-TEST-0123
#   severity: CRITICAL
#   short_code: very-bad-misconfig
#   recommended_action: "Fix the s3 bucket"

package user.foobar.ABC001

deny[cause] {
	bucket := input.aws.s3.buckets[_]
	bucket.name.value == "evil"
	cause := sprintf("%v", [bucket])
}

## below is the rule for volume

# deny[cause] {
# 	volume := input.aws.ec2.volumes[_]
# 	volume.count.value == 1
# 	cause := sprintf("%v", [volume])
# }

## below is to get the input received for volume

# deny[cause] {
# 	volume := input.aws.ec2.volumes[_]
# 	cause := sprintf("%v", [volume])
# }

## below is to get the input entirely

# deny[cause] {
# 	volume := input
# 	cause := sprintf("%v", [volume])
# }

Command used to run:

trivy  config  --config-policy=./policy.rego --severity=CRITICAL --namespaces=user main.tf

I extracted the input from policy evaluation into the following:

• input-volume.json (does not have count/size/tag/etc.)
• input-bucket.json

I would appreciate if you could point out what i'm missing or if this is a limitation from trivy? 🙏

Target

None

Scanner

Misconfiguration

Output Format

None

Mode

Standalone

Operating System

Ubuntu 22.04.3 LTS

Version

Version: 0.46.0
Policy Bundle:
  Digest: sha256:1df8ade71efc830877ca3b1130f83e0c6368e3a45b0d4c0f0418955501644054
  DownloadedAt: 2023-10-25 03:47:17.901425136 +0000 UTC

[simar7]

hi @rickythain - thank you for providing the debug output. You are looking for an attribute that we currently support for ec2 volumes. As you already saw, we only have support for encryption today. This can be seen in the code here https://github.com/aquasecurity/defsec/blob/v0.93.1/pkg/providers/aws/ec2/volume.go#L7-L10

[rickythain]

thank you for your prompt response and the link to the code. I hope it'll include all attributes of the resource/plan to allow wider policy customization in the future.

thanks again <3

[simar7]

No worries - I have created #5460 to track it.

[knqyf263]

@simar7 Can we close this discussion?