
fix(terraform): Trivy scans local modules #4988

Closed
nikpivkin opened this issue Aug 14, 2023 · 12 comments · Fixed by #5348
Labels: kind/bug (Categorizes issue or PR as related to a bug), scan/misconfiguration (Issues relating to misconfiguration scanning)

Comments

@nikpivkin
Contributor

nikpivkin commented Aug 14, 2023

I have the following files:

modules/s3/main.tf

variable "s3_object_versioning" {
  description = "Enable S3 Object Versioning [Enabled Suspended Disabled]"
  type        = string

  validation {
    condition     = contains(["Enabled", "Suspended", "Disabled"], var.s3_object_versioning)
    error_message = "The Variable s3_object_versioning can only contain [Enabled, Suspended, Disabled]"
  }
}

resource "aws_s3_bucket" "s3_bucket" {
  bucket = "test.bucket"
}

resource "aws_s3_bucket_versioning" "versioning" {
  bucket = aws_s3_bucket.s3_bucket.id
  versioning_configuration {
    status = var.s3_object_versioning
  }
}

main.tf

module "test" {
  source               = "./modules/s3"
  s3_object_versioning = "Disabled"
}

Output of Trivy:

trivy config . -f json | jq '.Results[] | .Misconfigurations | .[]?.Title'
2023-08-14T17:22:00.715+0700	INFO	Misconfiguration scanning is enabled
2023-08-14T17:22:01.089+0700	INFO	Detected config files: 3
"S3 Access block should block public ACL"
"S3 Access block should block public ACL"
"S3 Access block should block public policy"
"S3 Access block should block public policy"
"Unencrypted S3 bucket."
"Unencrypted S3 bucket."
"S3 Bucket does not have logging enabled."
"S3 Bucket does not have logging enabled."
"S3 Data should be versioned"
"S3 Data should be versioned"
"S3 Access Block should Ignore Public Acl"
"S3 Access Block should Ignore Public Acl"
"S3 Access block should restrict public bucket to limit access"
"S3 Access block should restrict public bucket to limit access"
"S3 buckets should each define an aws_s3_bucket_public_access_block"
"S3 buckets should each define an aws_s3_bucket_public_access_block"
"S3 encryption should use Customer Managed Keys"
"S3 encryption should use Customer Managed Keys"
"S3 DNS Compliant Bucket Names"
"S3 DNS Compliant Bucket Names"
"S3 Bucket Logging"
"S3 Bucket Logging"

Some misconfigs are duplicated, since Trivy also scans local modules.

@nikpivkin nikpivkin added kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning labels Aug 14, 2023
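The duplication above can be confirmed mechanically rather than by eyeballing repeated titles. The script below is an added example for this thread, not Trivy's own code and not from anyone in the issue: it loads a Trivy `config` JSON report, groups findings that describe the same rule on the same resource and lines but come from different `Target`s (the root module and the local child module), and also flags findings whose `Target` lies under a `.terraform/` directory, which covers the later observation in this thread that modules downloaded by `terraform init` get scanned too. It relies on the `Results[].Target` and `Results[].Misconfigurations[]` layout that the `jq` filter above already uses; that each misconfiguration carries `ID` and `CauseMetadata` with `Resource`, `StartLine` and `EndLine` is assumed, as is the convention that a resource reached through a child module is reported with a `module.<name>.` prefix. The embedded report is constructed for the example.

```python
"""Group Trivy `config` JSON findings to spot root-vs-local-module duplicates.

Added example for this issue; not Trivy's code. Field names beyond
Results[].Target / Misconfigurations[].Title are assumptions (see lead-in).
"""
import json
import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PurePosixPath

# Constructed sample report: two Terraform Results modelled on the issue's scan
# (Targets `.` and `modules/s3/main.tf`) plus one Result from a module that
# `terraform init` vendored under `.terraform/`. Not a real Trivy report; the
# rule ID on the vendored finding is a placeholder.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": ".", "Class": "config", "Type": "terraform",
         "Misconfigurations": [
             {"ID": "AVD-AWS-0088", "Title": "Unencrypted S3 bucket.", "Severity": "HIGH",
              "CauseMetadata": {"Resource": "module.test.aws_s3_bucket.s3_bucket",
                                "StartLine": 11, "EndLine": 13}},
             {"ID": "AVD-AWS-0090", "Title": "S3 Data should be versioned", "Severity": "MEDIUM",
              "CauseMetadata": {"Resource": "module.test.aws_s3_bucket.s3_bucket",
                                "StartLine": 11, "EndLine": 13}},
         ]},
        {"Target": "modules/s3/main.tf", "Class": "config", "Type": "terraform",
         "Misconfigurations": [
             {"ID": "AVD-AWS-0088", "Title": "Unencrypted S3 bucket.", "Severity": "HIGH",
              "CauseMetadata": {"Resource": "aws_s3_bucket.s3_bucket",
                                "StartLine": 11, "EndLine": 13}},
             {"ID": "AVD-AWS-0090", "Title": "S3 Data should be versioned", "Severity": "MEDIUM",
              "CauseMetadata": {"Resource": "aws_s3_bucket.s3_bucket",
                                "StartLine": 11, "EndLine": 13}},
         ]},
        {"Target": "terraform/.terraform/modules/backup/examples/mig/full",
         "Class": "config", "Type": "terraform",
         "Misconfigurations": [
             {"ID": "AVD-PLACEHOLDER-0001", "Title": "Constructed finding in a vendored module",
              "Severity": "LOW",
              "CauseMetadata": {"Resource": "google_compute_instance.example",
                                "StartLine": 1, "EndLine": 4}},
         ]},
    ]
})


@dataclass(frozen=True)
class Finding:
    target: str     # Results[].Target: the scanned file or directory
    rule_id: str    # Misconfigurations[].ID (assumed field)
    title: str
    severity: str
    resource: str   # CauseMetadata.Resource (assumed field)
    start: int
    end: int


# Assumed convention: resources reached via a child module carry `module.<name>.`
_MODULE_PREFIX = re.compile(r"^(?:module\.[^.]+\.)+")


def normalize_resource(resource: str) -> str:
    """Strip `module.<name>.` prefixes so the root-module view of a resource
    matches the same resource reported from the child module itself."""
    return _MODULE_PREFIX.sub("", resource)


def load_findings(report_json: str) -> list:
    """Flatten Results[].Misconfigurations[] into Finding records."""
    findings = []
    for result in json.loads(report_json).get("Results", []):
        target = result.get("Target", "")
        for m in result.get("Misconfigurations") or []:
            cause = m.get("CauseMetadata") or {}
            findings.append(Finding(
                target=target, rule_id=m.get("ID", ""), title=m.get("Title", ""),
                severity=m.get("Severity", ""), resource=cause.get("Resource", ""),
                start=int(cause.get("StartLine", 0)), end=int(cause.get("EndLine", 0))))
    return findings


def duplicate_groups(findings) -> dict:
    """Findings with the same rule, normalized resource and line span that were
    reported from more than one Target, i.e. the duplication in this issue."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f.rule_id, normalize_resource(f.resource), f.start, f.end)].append(f)
    return {k: v for k, v in groups.items() if len({f.target for f in v}) > 1}


def is_vendored(target: str) -> bool:
    """True when the Target sits under a `.terraform/` directory, i.e. code that
    `terraform init` downloaded rather than the project's own configuration."""
    return ".terraform" in PurePosixPath(target).parts


def summarize(report_json: str) -> dict:
    """Counts a reviewer would want before deciding what the scan really found."""
    findings = load_findings(report_json)
    dups = duplicate_groups(findings)
    extra_copies = sum(len(v) - 1 for v in dups.values())
    return {
        "total": len(findings),
        "duplicate_groups": len(dups),
        "unique_after_dedup": len(findings) - extra_copies,
        "vendored": sum(1 for f in findings if is_vendored(f.target)),
    }


if __name__ == "__main__":
    for (rule_id, resource, start, end), group in duplicate_groups(load_findings(SAMPLE_REPORT)).items():
        print(f"{rule_id} on {resource}:{start}-{end} reported from "
              + ", ".join(sorted(f.target for f in group)))
    print(summarize(SAMPLE_REPORT))
```

Run against a real report with `trivy config . -f json > report.json` and `load_findings(open("report.json").read())`; a non-zero `duplicate_groups` on a tree with local modules is the symptom this issue describes, and a non-zero `vendored` count means the scan is judging downloaded module code (test fixtures and examples included) alongside your own.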
@nikpivkin
Contributor Author

By the way, Trivy says that it found 3 configuration files, but there are only 2 of them:

tree
.
├── main.tf
└── modules
    └── s3
        └── main.tf

@simar7
Member

simar7 commented Aug 14, 2023

By the way, Trivy says that it found 3 configuration files, but there are only 2 of them:

tree
.
├── main.tf
└── modules
    └── s3
        └── main.tf

This is probably why

2023-08-14T16:47:42.303-0600    DEBUG   Scanned config file: modules/s3
2023-08-14T16:47:42.303-0600    DEBUG   Scanned config file: modules/s3/main.tf
2023-08-14T16:47:42.303-0600    DEBUG   Scanned config file: .
tree -a
.
├── main.tf
└── modules
    └── s3
        └── main.tf

3 directories, 2 files

@simar7
Member

simar7 commented Aug 14, 2023

In such case, what output do you expect to see? Two cases can be made:

  1. We only show the main.tf issues, anything that main.tf imports or is a reference outside of main.tf, for instance in modules/s3/main.tf, will be pointed to as a source from main.tf. Doing this will make us lose visibility into modules/s3/main.tf.
  2. We only show the modules/s3/main.tf results and refer to them when showing misconfiguration scan results. In such a case it is easy to point to the user where the problem actually originated but it might not be the first place they would look in as that would be main.tf and not modules/s3/main.tf.

Another option we can have is "via". Instead of showing 2 separate results for the 2 main.tf files, we can show one result but refer to the chain. See the example below:

main.tf:3
  via modules/s3/main.tf:12

@nikpivkin
Contributor Author

nikpivkin commented Aug 15, 2023

@simar7 I expect to see the same result as when using remote modules, for example from the terraform registry. This rather refers to the via option.

module "s3_bucket" {
  source = "terraform-aws-modules/s3-bucket/aws"

  bucket = "my-s3-bucket"
  acl    = "private"

  control_object_ownership = true
  object_ownership         = "ObjectWriter"
}

Output:

trivy config . -d
2023-08-15T09:37:35.684+0700    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-08-15T09:37:35.693+0700    DEBUG   cache dir:  /Users/tososomaru/Library/Caches/trivy
2023-08-15T09:37:35.693+0700    DEBUG   Module dir: /Users/tososomaru/.trivy/modules
2023-08-15T09:37:35.693+0700    INFO    Misconfiguration scanning is enabled
2023-08-15T09:37:35.693+0700    DEBUG   Policies successfully loaded from disk
2023-08-15T09:37:35.714+0700    DEBUG   Walk the file tree rooted at '.' in parallel
2023-08-15T09:37:35.715+0700    DEBUG   Scanning Terraform files for misconfigurations...
2023-08-15T09:37:39.460+0700    DEBUG   OS is not detected.
2023-08-15T09:37:39.460+0700    INFO    Detected config files: 2
2023-08-15T09:37:39.460+0700    DEBUG   Scanned config file: .
2023-08-15T09:37:39.460+0700    DEBUG   Scanned config file: git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=v3.14.1/main.tf

git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=v3.14.1/main.tf (terraform)

Tests: 11 (SUCCESSES: 6, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (UNKNOWN: 0, LOW: 1, MEDIUM: 2, HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
═══════════════════════════════════════════════════════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
───────────────────────────────────────────────────────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=v3.14.1/main.tf:21-30
───────────────────────────────────────────────────────────────────────────────────────────
  21 ┌ resource "aws_s3_bucket" "this" {
  22 │   count = local.create_bucket ? 1 : 0
  23 │ 
  24 │   bucket        = var.bucket
  25 │   bucket_prefix = var.bucket_prefix
  26 │ 
  27 │   force_destroy       = var.force_destroy
  28 │   object_lock_enabled = var.object_lock_enabled
  29 │   tags                = var.tags
  30 └ }
───────────────────────────────────────────────────────────────────────────────────────────


MEDIUM: Bucket does not have logging enabled
═══════════════════════════════════════════════════════════════════════════════════════════
Buckets should have logging enabled so that access can be audited.

See https://avd.aquasec.com/misconfig/avd-aws-0089
───────────────────────────────────────────────────────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=v3.14.1/main.tf:21-30
───────────────────────────────────────────────────────────────────────────────────────────
  21 ┌ resource "aws_s3_bucket" "this" {
  22 │   count = local.create_bucket ? 1 : 0
  23 │ 
  24 │   bucket        = var.bucket
  25 │   bucket_prefix = var.bucket_prefix
  26 │ 
  27 │   force_destroy       = var.force_destroy
  28 │   object_lock_enabled = var.object_lock_enabled
  29 │   tags                = var.tags
  30 └ }
───────────────────────────────────────────────────────────────────────────────────────────


MEDIUM: Bucket does not have versioning enabled
═══════════════════════════════════════════════════════════════════════════════════════════

Versioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. 
You can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. 
With versioning you can recover more easily from both unintended user actions and application failures.


See https://avd.aquasec.com/misconfig/avd-aws-0090
───────────────────────────────────────────────────────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=v3.14.1/main.tf:21-30
───────────────────────────────────────────────────────────────────────────────────────────
  21 ┌ resource "aws_s3_bucket" "this" {
  22 │   count = local.create_bucket ? 1 : 0
  23 │ 
  24 │   bucket        = var.bucket
  25 │   bucket_prefix = var.bucket_prefix
  26 │ 
  27 │   force_destroy       = var.force_destroy
  28 │   object_lock_enabled = var.object_lock_enabled
  29 │   tags                = var.tags
  30 └ }
───────────────────────────────────────────────────────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
═══════════════════════════════════════════════════════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
───────────────────────────────────────────────────────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=v3.14.1/main.tf:21-30
───────────────────────────────────────────────────────────────────────────────────────────
  21 ┌ resource "aws_s3_bucket" "this" {
  22 │   count = local.create_bucket ? 1 : 0
  23 │ 
  24 │   bucket        = var.bucket
  25 │   bucket_prefix = var.bucket_prefix
  26 │ 
  27 │   force_destroy       = var.force_destroy
  28 │   object_lock_enabled = var.object_lock_enabled
  29 │   tags                = var.tags
  30 └ }
───────────────────────────────────────────────────────────────────────────────────────────


LOW: Bucket has logging disabled
═══════════════════════════════════════════════════════════════════════════════════════════
Ensures S3 bucket logging is enabled for S3 buckets.

See https://avd.aquasec.com/misconfig/n/a
───────────────────────────────────────────────────────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=v3.14.1/main.tf:21-30
───────────────────────────────────────────────────────────────────────────────────────────
  21 ┌ resource "aws_s3_bucket" "this" {
  22 │   count = local.create_bucket ? 1 : 0
  23 │ 
  24 │   bucket        = var.bucket
  25 │   bucket_prefix = var.bucket_prefix
  26 │ 
  27 │   force_destroy       = var.force_destroy
  28 │   object_lock_enabled = var.object_lock_enabled
  29 │   tags                = var.tags
  30 └ }
───────────────────────────────────────────────────────────────────────────────────────────

As you can see, there is no duplication.

@simar7 simar7 added this to the v0.46.0 milestone Sep 6, 2023
@simar7
Member

simar7 commented Sep 26, 2023

It's unclear to me what needs to be done here. @nikpivkin can you elaborate?

@simar7 simar7 removed this from the v0.46.0 milestone Sep 26, 2023
@nikpivkin
Contributor Author

@simar7 I expect Trivy to not scan child local modules as separate configurations (same behavior as with remote modules).

@kernle32dll

I don't know why, but this change breaks subfolders in the strangest manner.

E.g., if you put the files in the original issue like this:

modules/s3/main.tf -> testcase/modules/s3/main.tf
modules/main.tf -> testcase/main.tf

Executing trivy config --debug . -f json | jq '.Results[] | .Misconfigurations | .[]?.Title' in .:

2023-11-02T23:48:26.380+0100    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-11-02T23:48:26.404+0100    DEBUG   cache dir:  /home/bgerda/.cache/trivy
2023-11-02T23:48:26.404+0100    INFO    Misconfiguration scanning is enabled
2023-11-02T23:48:26.404+0100    DEBUG   Policies successfully loaded from disk
2023-11-02T23:48:26.414+0100    DEBUG   The nuget packages directory couldn't be found. License search disabled
2023-11-02T23:48:26.428+0100    DEBUG   Walk the file tree rooted at '.' in parallel
2023-11-02T23:48:26.428+0100    DEBUG   Scanning Terraform files for misconfigurations...
2023-11-02T23:48:27.051+0100    DEBUG   OS is not detected.
2023-11-02T23:48:27.051+0100    INFO    Detected config files: 2
2023-11-02T23:48:27.051+0100    DEBUG   Scanned config file: testcase
2023-11-02T23:48:27.051+0100    DEBUG   Scanned config file: terraform-aws-modules/s3-bucket/aws/main.tf
"Unencrypted S3 bucket."
"S3 Bucket Logging"
"S3 Data should be versioned"
"S3 encryption should use Customer Managed Keys"

Executing trivy config --debug testcase -f json | jq '.Results[] | .Misconfigurations | .[]?.Title' in .:

2023-11-02T23:49:06.381+0100    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-11-02T23:49:06.397+0100    DEBUG   cache dir:  /home/bgerda/.cache/trivy
2023-11-02T23:49:06.397+0100    INFO    Misconfiguration scanning is enabled
2023-11-02T23:49:06.397+0100    DEBUG   Policies successfully loaded from disk
2023-11-02T23:49:06.412+0100    DEBUG   The nuget packages directory couldn't be found. License search disabled
2023-11-02T23:49:06.412+0100    DEBUG   Walk the file tree rooted at 'testcase' in parallel
2023-11-02T23:49:06.412+0100    DEBUG   Scanning Terraform files for misconfigurations...
2023-11-02T23:49:06.979+0100    DEBUG   OS is not detected.
2023-11-02T23:49:06.979+0100    INFO    Detected config files: 0
jq: error (at <stdin>:17): Cannot iterate over null (null)

Executing trivy config --debug testcase -f json | jq '.Results[] | .Misconfigurations | .[]?.Title' in testcase:

2023-11-02T23:49:49.739+0100    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-11-02T23:49:49.761+0100    DEBUG   cache dir:  /home/bgerda/.cache/trivy
2023-11-02T23:49:49.761+0100    INFO    Misconfiguration scanning is enabled
2023-11-02T23:49:49.761+0100    DEBUG   Policies successfully loaded from disk
2023-11-02T23:49:49.774+0100    DEBUG   The nuget packages directory couldn't be found. License search disabled
2023-11-02T23:49:49.786+0100    DEBUG   Walk the file tree rooted at '.' in parallel
2023-11-02T23:49:49.786+0100    DEBUG   Scanning Terraform files for misconfigurations...
2023-11-02T23:49:50.361+0100    DEBUG   OS is not detected.
2023-11-02T23:49:50.361+0100    INFO    Detected config files: 0
jq: error (at <stdin>:17): Cannot iterate over null (null)

I would assume all 3 cases to yield the same result.

@nikpivkin
Contributor Author

Hi @kernle32dll !

Could you please share the configuration files? I could not reproduce your problem with the sample files above.

@kernle32dll

Hi @kernle32dll !

Could you please share the configuration files? I could not reproduce your problem with the sample files above.

Okay, I have no idea what I was doing yesterday, but I can't actually replicate the issue now. I do have the issue with my actual terraform project files, but I cannot share them at this point. I will try to condense a version that I can share.

@kernle32dll

kernle32dll commented Nov 6, 2023

Okay, I have "something". The setup is a bit lengthy, and I am not entirely sure what I am seeing here. But the kicker is for the terraform files to be in a subfolder (terraform called here), and doing something with remote modules.

terraform/main.tf:

module "s3" {
  source = "./modules/s3"
}

module "backup" {
  source = "git::https://github.com/terraform-google-modules/terraform-google-vm.git?ref=v10.1.0"
}

terraform/modules/s3/main.tf:

variable "s3_object_versioning" {
  description = "Enable S3 Object Versioning [Enabled Suspended Disabled]"
  type        = string

  validation {
    condition     = contains(["Enabled", "Suspended", "Disabled"], var.s3_object_versioning)
    error_message = "The Variable s3_object_versioning can only contain [Enabled, Suspended, Disabled]"
  }
}

resource "aws_s3_bucket" "s3_bucket" {
  bucket = "test.bucket"
}

resource "aws_s3_bucket_versioning" "versioning" {
  bucket = aws_s3_bucket.s3_bucket.id
  versioning_configuration {
    status = var.s3_object_versioning
  }
}

First, test with v0.46.1. Everything works as expected:

worker@claystone-worker1 ~/tftest % curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b ./bin v0.46.1
aquasecurity/trivy info checking GitHub for tag 'v0.46.1'
aquasecurity/trivy info found version: 0.46.1 for v0.46.1/Linux/64bit
aquasecurity/trivy info installed ./bin/trivy
worker@claystone-worker1 ~/tftest % ./bin/trivy config . --debug > /dev/null                                                                 
2023-11-06T03:28:53.790+0100	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-11-06T03:28:53.792+0100	DEBUG	cache dir:  /home/worker/.cache/trivy
2023-11-06T03:28:53.792+0100	INFO	Misconfiguration scanning is enabled
2023-11-06T03:28:53.792+0100	DEBUG	Policies successfully loaded from disk
2023-11-06T03:28:53.807+0100	DEBUG	The nuget packages directory couldn't be found. License search disabled
2023-11-06T03:28:53.827+0100	DEBUG	Walk the file tree rooted at '.' in parallel
2023-11-06T03:28:53.828+0100	DEBUG	Scanning Terraform files for misconfigurations...
2023-11-06T03:28:55.055+0100	DEBUG	OS is not detected.
2023-11-06T03:28:55.056+0100	INFO	Detected config files: 2
2023-11-06T03:28:55.056+0100	DEBUG	Scanned config file: terraform
2023-11-06T03:28:55.056+0100	DEBUG	Scanned config file: terraform/modules/s3/main.tf
worker@claystone-worker1 ~/tftest % ./bin/trivy config terraform --debug > /dev/null 
2023-11-06T03:29:00.061+0100	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-11-06T03:29:00.064+0100	DEBUG	cache dir:  /home/worker/.cache/trivy
2023-11-06T03:29:00.064+0100	INFO	Misconfiguration scanning is enabled
2023-11-06T03:29:00.065+0100	DEBUG	Policies successfully loaded from disk
2023-11-06T03:29:00.093+0100	DEBUG	The nuget packages directory couldn't be found. License search disabled
2023-11-06T03:29:00.098+0100	DEBUG	Walk the file tree rooted at 'terraform' in parallel
2023-11-06T03:29:00.098+0100	DEBUG	Scanning Terraform files for misconfigurations...
2023-11-06T03:29:01.328+0100	DEBUG	OS is not detected.
2023-11-06T03:29:01.328+0100	INFO	Detected config files: 2
2023-11-06T03:29:01.328+0100	DEBUG	Scanned config file: .
2023-11-06T03:29:01.328+0100	DEBUG	Scanned config file: modules/s3/main.tf

But if we do a terraform init now...

worker@claystone-worker1 ~/tftest % terraform -chdir=terraform init                 

Initializing the backend...
Initializing modules...
Downloading git::https://github.com/terraform-google-modules/terraform-google-vm.git?ref=v10.1.0 for backup...
- backup in .terraform/modules/backup
- s3 in modules/s3

Initializing provider plugins...
- Reusing previous version of hashicorp/aws from the dependency lock file
- Installing hashicorp/aws v5.24.0...
- Installed hashicorp/aws v5.24.0 (signed by HashiCorp)

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
terraform -chdir=terraform init  11.52s user 1.25s system 90% cpu 14.058 total

... The output changes. Note how it includes the .terraform files, but the terraform or . folder, as well as modules/s3/main.tf is missing from the second command.

worker@claystone-worker1 ~/tftest % ./bin/trivy config . --debug > /dev/null        
2023-11-06T03:34:07.459+0100	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-11-06T03:34:07.462+0100	DEBUG	cache dir:  /home/worker/.cache/trivy
2023-11-06T03:34:07.462+0100	INFO	Misconfiguration scanning is enabled
2023-11-06T03:34:07.462+0100	DEBUG	Policies successfully loaded from disk
2023-11-06T03:34:07.471+0100	DEBUG	The nuget packages directory couldn't be found. License search disabled
2023-11-06T03:34:07.495+0100	DEBUG	Walk the file tree rooted at '.' in parallel
2023-11-06T03:34:07.501+0100	DEBUG	Scanning Helm files for misconfigurations...
2023-11-06T03:34:07.571+0100	DEBUG	Scanning Kubernetes files for misconfigurations...
2023-11-06T03:34:15.121+0100	DEBUG	Scanning Terraform files for misconfigurations...
2023-11-06T03:34:18.174+0100	DEBUG	OS is not detected.
2023-11-06T03:34:18.174+0100	INFO	Detected config files: 41
2023-11-06T03:34:18.174+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/test/fixtures/instance_template/additional_disks
2023-11-06T03:34:18.174+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/test/fixtures/instance_template/alias_ip_range
2023-11-06T03:34:18.174+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/test/fixtures/instance_template/simple
2023-11-06T03:34:18.174+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/test/fixtures/mig_stateful
2023-11-06T03:34:18.174+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/test/fixtures/mig_with_percent/simple
2023-11-06T03:34:18.174+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/test/fixtures/shared
2023-11-06T03:34:18.174+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/test/fixtures/shared/network.tf
2023-11-06T03:34:18.174+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/test/fixtures/umig/static_ips
2023-11-06T03:34:18.174+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/test/fixtures/umig/named_ports
2023-11-06T03:34:18.174+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/test/fixtures/umig/simple
2023-11-06T03:34:18.174+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/test/fixtures/instance_simple
2023-11-06T03:34:18.174+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/test/fixtures/mig/autoscaler
2023-11-06T03:34:18.174+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/test/fixtures/mig/healthcheck
2023-11-06T03:34:18.174+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/test/fixtures/mig/simple
2023-11-06T03:34:18.174+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/test/fixtures/preemptible_and_regular_instance_templates/simple
2023-11-06T03:34:18.174+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/test/fixtures/compute_instance/disk_snapshot
2023-11-06T03:34:18.174+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/test/fixtures/compute_instance/simple_zone
2023-11-06T03:34:18.174+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/test/setup
2023-11-06T03:34:18.174+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/test/setup/iam.tf
2023-11-06T03:34:18.174+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/examples/mig/full
2023-11-06T03:34:18.174+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/examples/mig/healthcheck/main.tf
2023-11-06T03:34:18.174+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/examples/mig_stateful/main.tf
2023-11-06T03:34:18.174+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/examples/umig/full
2023-11-06T03:34:18.174+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/examples/compute_instance/multiple_interfaces/main.tf
2023-11-06T03:34:18.174+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/examples/compute_instance/multiple_interfaces
2023-11-06T03:34:18.174+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/examples/compute_instance/next_hop
2023-11-06T03:34:18.174+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/examples/compute_instance/next_hop/main.tf
2023-11-06T03:34:18.174+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/examples/compute_instance/tags/main.tf
2023-11-06T03:34:18.174+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/examples/compute_instance/tags
2023-11-06T03:34:18.174+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/examples/instance_template/encrypted_disks
2023-11-06T03:34:18.174+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/examples/instance_template/encrypted_disks/main.tf
2023-11-06T03:34:18.174+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/metadata.yaml
2023-11-06T03:34:18.175+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/modules/umig/metadata.yaml
2023-11-06T03:34:18.176+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/modules/compute_disk_snapshot/metadata.yaml
2023-11-06T03:34:18.177+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/modules/compute_instance/metadata.yaml
2023-11-06T03:34:18.178+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/modules/instance_template/metadata.yaml
2023-11-06T03:34:18.179+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/modules/mig/metadata.yaml
2023-11-06T03:34:18.180+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/modules/mig_with_percent/metadata.yaml
2023-11-06T03:34:18.181+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/modules/preemptible_and_regular_instance_templates/metadata.yaml
2023-11-06T03:34:18.182+0100	DEBUG	Scanned config file: terraform/modules/s3/main.tf
2023-11-06T03:34:18.182+0100	DEBUG	Scanned config file: terraform
worker@claystone-worker1 ~/tftest % ./bin/trivy config terraform --debug > /dev/null
2023-11-06T03:34:28.998+0100	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-11-06T03:34:28.999+0100	DEBUG	cache dir:  /home/worker/.cache/trivy
2023-11-06T03:34:28.999+0100	INFO	Misconfiguration scanning is enabled
2023-11-06T03:34:29.000+0100	DEBUG	Policies successfully loaded from disk
2023-11-06T03:34:29.014+0100	DEBUG	The nuget packages directory couldn't be found. License search disabled
2023-11-06T03:34:29.033+0100	DEBUG	Walk the file tree rooted at 'terraform' in parallel
2023-11-06T03:34:29.122+0100	DEBUG	Scanning Kubernetes files for misconfigurations...
2023-11-06T03:34:36.733+0100	DEBUG	Scanning Helm files for misconfigurations...
2023-11-06T03:34:36.739+0100	DEBUG	Scanning Terraform files for misconfigurations...
2023-11-06T03:34:39.810+0100	DEBUG	OS is not detected.
2023-11-06T03:34:39.810+0100	INFO	Detected config files: 39
2023-11-06T03:34:39.810+0100	DEBUG	Scanned config file: .terraform/modules/backup/examples/umig/full
2023-11-06T03:34:39.810+0100	DEBUG	Scanned config file: .terraform/modules/backup/examples/compute_instance/multiple_interfaces
2023-11-06T03:34:39.810+0100	DEBUG	Scanned config file: .terraform/modules/backup/examples/compute_instance/multiple_interfaces/main.tf
2023-11-06T03:34:39.810+0100	DEBUG	Scanned config file: .terraform/modules/backup/examples/compute_instance/next_hop
2023-11-06T03:34:39.810+0100	DEBUG	Scanned config file: .terraform/modules/backup/examples/compute_instance/next_hop/main.tf
2023-11-06T03:34:39.811+0100	DEBUG	Scanned config file: .terraform/modules/backup/examples/compute_instance/tags
2023-11-06T03:34:39.811+0100	DEBUG	Scanned config file: .terraform/modules/backup/examples/compute_instance/tags/main.tf
2023-11-06T03:34:39.811+0100	DEBUG	Scanned config file: .terraform/modules/backup/examples/instance_template/encrypted_disks/main.tf
2023-11-06T03:34:39.811+0100	DEBUG	Scanned config file: .terraform/modules/backup/examples/instance_template/encrypted_disks
2023-11-06T03:34:39.811+0100	DEBUG	Scanned config file: .terraform/modules/backup/examples/mig/full
2023-11-06T03:34:39.811+0100	DEBUG	Scanned config file: .terraform/modules/backup/examples/mig/healthcheck/main.tf
2023-11-06T03:34:39.811+0100	DEBUG	Scanned config file: .terraform/modules/backup/examples/mig_stateful/main.tf
2023-11-06T03:34:39.811+0100	DEBUG	Scanned config file: .terraform/modules/backup/metadata.yaml
2023-11-06T03:34:39.811+0100	DEBUG	Scanned config file: .terraform/modules/backup/modules/mig_with_percent/metadata.yaml
2023-11-06T03:34:39.811+0100	DEBUG	Scanned config file: .terraform/modules/backup/modules/preemptible_and_regular_instance_templates/metadata.yaml
2023-11-06T03:34:39.811+0100	DEBUG	Scanned config file: .terraform/modules/backup/modules/umig/metadata.yaml
2023-11-06T03:34:39.812+0100	DEBUG	Scanned config file: .terraform/modules/backup/modules/compute_disk_snapshot/metadata.yaml
2023-11-06T03:34:39.812+0100	DEBUG	Scanned config file: .terraform/modules/backup/modules/compute_instance/metadata.yaml
2023-11-06T03:34:39.812+0100	DEBUG	Scanned config file: .terraform/modules/backup/modules/instance_template/metadata.yaml
2023-11-06T03:34:39.812+0100	DEBUG	Scanned config file: .terraform/modules/backup/modules/mig/metadata.yaml
2023-11-06T03:34:39.812+0100	DEBUG	Scanned config file: .terraform/modules/backup/test/fixtures/instance_simple
2023-11-06T03:34:39.812+0100	DEBUG	Scanned config file: .terraform/modules/backup/test/fixtures/instance_template/additional_disks
2023-11-06T03:34:39.812+0100	DEBUG	Scanned config file: .terraform/modules/backup/test/fixtures/instance_template/alias_ip_range
2023-11-06T03:34:39.812+0100	DEBUG	Scanned config file: .terraform/modules/backup/test/fixtures/instance_template/simple
2023-11-06T03:34:39.812+0100	DEBUG	Scanned config file: .terraform/modules/backup/test/fixtures/mig/autoscaler
2023-11-06T03:34:39.812+0100	DEBUG	Scanned config file: .terraform/modules/backup/test/fixtures/mig/healthcheck
2023-11-06T03:34:39.812+0100	DEBUG	Scanned config file: .terraform/modules/backup/test/fixtures/mig/simple
2023-11-06T03:34:39.812+0100	DEBUG	Scanned config file: .terraform/modules/backup/test/fixtures/mig_stateful
2023-11-06T03:34:39.812+0100	DEBUG	Scanned config file: .terraform/modules/backup/test/fixtures/shared/network.tf
2023-11-06T03:34:39.812+0100	DEBUG	Scanned config file: .terraform/modules/backup/test/fixtures/shared
2023-11-06T03:34:39.812+0100	DEBUG	Scanned config file: .terraform/modules/backup/test/fixtures/compute_instance/disk_snapshot
2023-11-06T03:34:39.813+0100	DEBUG	Scanned config file: .terraform/modules/backup/test/fixtures/compute_instance/simple_zone
2023-11-06T03:34:39.813+0100	DEBUG	Scanned config file: .terraform/modules/backup/test/fixtures/mig_with_percent/simple
2023-11-06T03:34:39.813+0100	DEBUG	Scanned config file: .terraform/modules/backup/test/fixtures/preemptible_and_regular_instance_templates/simple
2023-11-06T03:34:39.813+0100	DEBUG	Scanned config file: .terraform/modules/backup/test/fixtures/umig/named_ports
2023-11-06T03:34:39.813+0100	DEBUG	Scanned config file: .terraform/modules/backup/test/fixtures/umig/simple
2023-11-06T03:34:39.813+0100	DEBUG	Scanned config file: .terraform/modules/backup/test/fixtures/umig/static_ips
2023-11-06T03:34:39.813+0100	DEBUG	Scanned config file: .terraform/modules/backup/test/setup
2023-11-06T03:34:39.813+0100	DEBUG	Scanned config file: .terraform/modules/backup/test/setup/iam.tf

When using v0.45.1, there is no difference between the two command variants.

worker@claystone-worker1 ~/tftest % curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b ./bin v0.45.1
aquasecurity/trivy info checking GitHub for tag 'v0.45.1'
aquasecurity/trivy info found version: 0.45.1 for v0.45.1/Linux/64bit
aquasecurity/trivy info installed ./bin/trivy
worker@claystone-worker1 ~/tftest % ./bin/trivy config . --debug > /dev/null                                                                  
2023-11-06T03:37:14.861+0100	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-11-06T03:37:14.864+0100	DEBUG	cache dir:  /home/worker/.cache/trivy
2023-11-06T03:37:14.864+0100	INFO	Misconfiguration scanning is enabled
2023-11-06T03:37:14.864+0100	DEBUG	Policies successfully loaded from disk
2023-11-06T03:37:14.898+0100	DEBUG	Walk the file tree rooted at '.' in parallel
2023-11-06T03:37:14.914+0100	DEBUG	Scanning Terraform files for misconfigurations...
2023-11-06T03:37:18.983+0100	DEBUG	Scanning Helm files for misconfigurations...
2023-11-06T03:37:18.985+0100	DEBUG	GOPATH (/home/worker/go/pkg/mod) not found. Need 'go mod download' to fill licenses and dependency relationships
2023-11-06T03:37:19.017+0100	DEBUG	Scanning Kubernetes files for misconfigurations...
2023-11-06T03:37:26.905+0100	DEBUG	OS is not detected.
2023-11-06T03:37:26.906+0100	INFO	Detected config files: 63
2023-11-06T03:37:26.906+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/metadata.yaml
2023-11-06T03:37:26.906+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/modules/mig_with_percent
2023-11-06T03:37:26.906+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/modules/mig_with_percent/metadata.yaml
2023-11-06T03:37:26.906+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/modules/preemptible_and_regular_instance_templates
2023-11-06T03:37:26.906+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/modules/preemptible_and_regular_instance_templates/metadata.yaml
2023-11-06T03:37:26.906+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/modules/umig
2023-11-06T03:37:26.906+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/modules/umig/metadata.yaml
2023-11-06T03:37:26.906+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/modules/compute_disk_snapshot
2023-11-06T03:37:26.906+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/modules/compute_disk_snapshot/metadata.yaml
2023-11-06T03:37:26.907+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/modules/compute_instance
2023-11-06T03:37:26.907+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/modules/compute_instance/metadata.yaml
2023-11-06T03:37:26.907+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/modules/instance_template/metadata.yaml
2023-11-06T03:37:26.907+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/modules/instance_template
2023-11-06T03:37:26.907+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/modules/mig
2023-11-06T03:37:26.907+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/modules/mig/metadata.yaml
2023-11-06T03:37:26.907+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/test/fixtures/compute_instance/disk_snapshot
2023-11-06T03:37:26.907+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/test/fixtures/compute_instance/simple_zone
2023-11-06T03:37:26.907+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/test/fixtures/instance_simple
2023-11-06T03:37:26.907+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/test/fixtures/mig/autoscaler
2023-11-06T03:37:26.907+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/test/fixtures/mig/healthcheck
2023-11-06T03:37:26.907+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/test/fixtures/mig/simple
2023-11-06T03:37:26.907+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/test/fixtures/mig_stateful
2023-11-06T03:37:26.907+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/test/fixtures/mig_with_percent/simple
2023-11-06T03:37:26.907+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/test/fixtures/instance_template/simple
2023-11-06T03:37:26.907+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/test/fixtures/instance_template/additional_disks
2023-11-06T03:37:26.907+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/test/fixtures/instance_template/alias_ip_range
2023-11-06T03:37:26.907+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/test/fixtures/preemptible_and_regular_instance_templates/simple
2023-11-06T03:37:26.907+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/test/fixtures/shared
2023-11-06T03:37:26.907+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/test/fixtures/shared/network.tf
2023-11-06T03:37:26.907+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/test/fixtures/umig/static_ips
2023-11-06T03:37:26.907+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/test/fixtures/umig/named_ports
2023-11-06T03:37:26.907+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/test/fixtures/umig/simple
2023-11-06T03:37:26.907+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/test/setup
2023-11-06T03:37:26.907+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/test/setup/iam.tf
2023-11-06T03:37:26.907+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/examples/compute_instance/disk_snapshot
2023-11-06T03:37:26.907+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/examples/compute_instance/multiple_interfaces
2023-11-06T03:37:26.907+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/examples/compute_instance/multiple_interfaces/main.tf
2023-11-06T03:37:26.907+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/examples/compute_instance/next_hop
2023-11-06T03:37:26.907+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/examples/compute_instance/next_hop/main.tf
2023-11-06T03:37:26.907+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/examples/compute_instance/simple
2023-11-06T03:37:26.907+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/examples/compute_instance/tags/main.tf
2023-11-06T03:37:26.907+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/examples/compute_instance/tags
2023-11-06T03:37:26.907+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/examples/instance_template/additional_disks
2023-11-06T03:37:26.907+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/examples/instance_template/alias_ip_range
2023-11-06T03:37:26.907+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/examples/instance_template/encrypted_disks/main.tf
2023-11-06T03:37:26.907+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/examples/instance_template/encrypted_disks
2023-11-06T03:37:26.908+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/examples/instance_template/simple
2023-11-06T03:37:26.908+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/examples/mig/autoscaler
2023-11-06T03:37:26.908+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/examples/mig/full
2023-11-06T03:37:26.908+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/examples/mig/healthcheck/main.tf
2023-11-06T03:37:26.908+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/examples/mig/healthcheck
2023-11-06T03:37:26.908+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/examples/mig/simple
2023-11-06T03:37:26.908+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/examples/mig_stateful
2023-11-06T03:37:26.908+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/examples/mig_stateful/main.tf
2023-11-06T03:37:26.908+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/examples/mig_with_percent/simple
2023-11-06T03:37:26.908+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/examples/preemptible_and_regular_instance_templates/simple
2023-11-06T03:37:26.908+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/examples/umig/full
2023-11-06T03:37:26.908+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/examples/umig/named_ports
2023-11-06T03:37:26.908+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/examples/umig/simple
2023-11-06T03:37:26.908+0100	DEBUG	Scanned config file: terraform/.terraform/modules/backup/examples/umig/static_ips
2023-11-06T03:37:26.908+0100	DEBUG	Scanned config file: terraform
2023-11-06T03:37:26.908+0100	DEBUG	Scanned config file: terraform/modules/s3
2023-11-06T03:37:26.908+0100	DEBUG	Scanned config file: terraform/modules/s3/main.tf
worker@claystone-worker1 ~/tftest % ./bin/trivy config terraform --debug > /dev/null                                                                
2023-11-06T03:37:35.195+0100	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-11-06T03:37:35.197+0100	DEBUG	cache dir:  /home/worker/.cache/trivy
2023-11-06T03:37:35.197+0100	INFO	Misconfiguration scanning is enabled
2023-11-06T03:37:35.198+0100	DEBUG	Policies successfully loaded from disk
2023-11-06T03:37:35.232+0100	DEBUG	Walk the file tree rooted at 'terraform' in parallel
2023-11-06T03:37:35.294+0100	DEBUG	Scanning Terraform files for misconfigurations...
2023-11-06T03:37:39.205+0100	DEBUG	GOPATH (/home/worker/go/pkg/mod) not found. Need 'go mod download' to fill licenses and dependency relationships
2023-11-06T03:37:39.207+0100	DEBUG	Scanning Helm files for misconfigurations...
2023-11-06T03:37:39.233+0100	DEBUG	Scanning Kubernetes files for misconfigurations...
2023-11-06T03:37:47.230+0100	DEBUG	OS is not detected.
2023-11-06T03:37:47.230+0100	INFO	Detected config files: 63
2023-11-06T03:37:47.230+0100	DEBUG	Scanned config file: .terraform/modules/backup/metadata.yaml
2023-11-06T03:37:47.230+0100	DEBUG	Scanned config file: .terraform/modules/backup/modules/compute_disk_snapshot
2023-11-06T03:37:47.230+0100	DEBUG	Scanned config file: .terraform/modules/backup/modules/compute_disk_snapshot/metadata.yaml
2023-11-06T03:37:47.230+0100	DEBUG	Scanned config file: .terraform/modules/backup/modules/compute_instance
2023-11-06T03:37:47.230+0100	DEBUG	Scanned config file: .terraform/modules/backup/modules/compute_instance/metadata.yaml
2023-11-06T03:37:47.230+0100	DEBUG	Scanned config file: .terraform/modules/backup/modules/instance_template
2023-11-06T03:37:47.230+0100	DEBUG	Scanned config file: .terraform/modules/backup/modules/instance_template/metadata.yaml
2023-11-06T03:37:47.230+0100	DEBUG	Scanned config file: .terraform/modules/backup/modules/mig
2023-11-06T03:37:47.230+0100	DEBUG	Scanned config file: .terraform/modules/backup/modules/mig/metadata.yaml
2023-11-06T03:37:47.231+0100	DEBUG	Scanned config file: .terraform/modules/backup/modules/mig_with_percent
2023-11-06T03:37:47.231+0100	DEBUG	Scanned config file: .terraform/modules/backup/modules/mig_with_percent/metadata.yaml
2023-11-06T03:37:47.231+0100	DEBUG	Scanned config file: .terraform/modules/backup/modules/preemptible_and_regular_instance_templates/metadata.yaml
2023-11-06T03:37:47.231+0100	DEBUG	Scanned config file: .terraform/modules/backup/modules/preemptible_and_regular_instance_templates
2023-11-06T03:37:47.231+0100	DEBUG	Scanned config file: .terraform/modules/backup/modules/umig
2023-11-06T03:37:47.231+0100	DEBUG	Scanned config file: .terraform/modules/backup/modules/umig/metadata.yaml
2023-11-06T03:37:47.231+0100	DEBUG	Scanned config file: .terraform/modules/backup/test/fixtures/instance_simple
2023-11-06T03:37:47.231+0100	DEBUG	Scanned config file: .terraform/modules/backup/test/fixtures/instance_template/additional_disks
2023-11-06T03:37:47.231+0100	DEBUG	Scanned config file: .terraform/modules/backup/test/fixtures/instance_template/alias_ip_range
2023-11-06T03:37:47.231+0100	DEBUG	Scanned config file: .terraform/modules/backup/test/fixtures/instance_template/simple
2023-11-06T03:37:47.231+0100	DEBUG	Scanned config file: .terraform/modules/backup/test/fixtures/mig_with_percent/simple
2023-11-06T03:37:47.231+0100	DEBUG	Scanned config file: .terraform/modules/backup/test/fixtures/preemptible_and_regular_instance_templates/simple
2023-11-06T03:37:47.231+0100	DEBUG	Scanned config file: .terraform/modules/backup/test/fixtures/umig/static_ips
2023-11-06T03:37:47.231+0100	DEBUG	Scanned config file: .terraform/modules/backup/test/fixtures/umig/named_ports
2023-11-06T03:37:47.231+0100	DEBUG	Scanned config file: .terraform/modules/backup/test/fixtures/umig/simple
2023-11-06T03:37:47.231+0100	DEBUG	Scanned config file: .terraform/modules/backup/test/fixtures/compute_instance/disk_snapshot
2023-11-06T03:37:47.231+0100	DEBUG	Scanned config file: .terraform/modules/backup/test/fixtures/compute_instance/simple_zone
2023-11-06T03:37:47.231+0100	DEBUG	Scanned config file: .terraform/modules/backup/test/fixtures/mig/autoscaler
2023-11-06T03:37:47.231+0100	DEBUG	Scanned config file: .terraform/modules/backup/test/fixtures/mig/healthcheck
2023-11-06T03:37:47.231+0100	DEBUG	Scanned config file: .terraform/modules/backup/test/fixtures/mig/simple
2023-11-06T03:37:47.231+0100	DEBUG	Scanned config file: .terraform/modules/backup/test/fixtures/mig_stateful
2023-11-06T03:37:47.231+0100	DEBUG	Scanned config file: .terraform/modules/backup/test/fixtures/shared
2023-11-06T03:37:47.231+0100	DEBUG	Scanned config file: .terraform/modules/backup/test/fixtures/shared/network.tf
2023-11-06T03:37:47.231+0100	DEBUG	Scanned config file: .terraform/modules/backup/test/setup
2023-11-06T03:37:47.231+0100	DEBUG	Scanned config file: .terraform/modules/backup/test/setup/iam.tf
2023-11-06T03:37:47.231+0100	DEBUG	Scanned config file: .terraform/modules/backup/examples/mig_with_percent/simple
2023-11-06T03:37:47.231+0100	DEBUG	Scanned config file: .terraform/modules/backup/examples/preemptible_and_regular_instance_templates/simple
2023-11-06T03:37:47.231+0100	DEBUG	Scanned config file: .terraform/modules/backup/examples/umig/simple
2023-11-06T03:37:47.231+0100	DEBUG	Scanned config file: .terraform/modules/backup/examples/umig/static_ips
2023-11-06T03:37:47.231+0100	DEBUG	Scanned config file: .terraform/modules/backup/examples/umig/full
2023-11-06T03:37:47.232+0100	DEBUG	Scanned config file: .terraform/modules/backup/examples/umig/named_ports
2023-11-06T03:37:47.232+0100	DEBUG	Scanned config file: .terraform/modules/backup/examples/compute_instance/multiple_interfaces
2023-11-06T03:37:47.232+0100	DEBUG	Scanned config file: .terraform/modules/backup/examples/compute_instance/multiple_interfaces/main.tf
2023-11-06T03:37:47.232+0100	DEBUG	Scanned config file: .terraform/modules/backup/examples/compute_instance/next_hop
2023-11-06T03:37:47.232+0100	DEBUG	Scanned config file: .terraform/modules/backup/examples/compute_instance/next_hop/main.tf
2023-11-06T03:37:47.232+0100	DEBUG	Scanned config file: .terraform/modules/backup/examples/compute_instance/simple
2023-11-06T03:37:47.232+0100	DEBUG	Scanned config file: .terraform/modules/backup/examples/compute_instance/tags
2023-11-06T03:37:47.232+0100	DEBUG	Scanned config file: .terraform/modules/backup/examples/compute_instance/tags/main.tf
2023-11-06T03:37:47.232+0100	DEBUG	Scanned config file: .terraform/modules/backup/examples/compute_instance/disk_snapshot
2023-11-06T03:37:47.232+0100	DEBUG	Scanned config file: .terraform/modules/backup/examples/instance_template/additional_disks
2023-11-06T03:37:47.232+0100	DEBUG	Scanned config file: .terraform/modules/backup/examples/instance_template/alias_ip_range
2023-11-06T03:37:47.232+0100	DEBUG	Scanned config file: .terraform/modules/backup/examples/instance_template/encrypted_disks
2023-11-06T03:37:47.232+0100	DEBUG	Scanned config file: .terraform/modules/backup/examples/instance_template/encrypted_disks/main.tf
2023-11-06T03:37:47.232+0100	DEBUG	Scanned config file: .terraform/modules/backup/examples/instance_template/simple
2023-11-06T03:37:47.232+0100	DEBUG	Scanned config file: .terraform/modules/backup/examples/mig/simple
2023-11-06T03:37:47.232+0100	DEBUG	Scanned config file: .terraform/modules/backup/examples/mig/autoscaler
2023-11-06T03:37:47.232+0100	DEBUG	Scanned config file: .terraform/modules/backup/examples/mig/full
2023-11-06T03:37:47.232+0100	DEBUG	Scanned config file: .terraform/modules/backup/examples/mig/healthcheck
2023-11-06T03:37:47.232+0100	DEBUG	Scanned config file: .terraform/modules/backup/examples/mig/healthcheck/main.tf
2023-11-06T03:37:47.232+0100	DEBUG	Scanned config file: .terraform/modules/backup/examples/mig_stateful
2023-11-06T03:37:47.232+0100	DEBUG	Scanned config file: .terraform/modules/backup/examples/mig_stateful/main.tf
2023-11-06T03:37:47.232+0100	DEBUG	Scanned config file: .
2023-11-06T03:37:47.232+0100	DEBUG	Scanned config file: modules/s3
2023-11-06T03:37:47.232+0100	DEBUG	Scanned config file: modules/s3/main.tf

I hope someone can make some sense of this.

@kernle32dll

Okay, a little addendum. I poked around a bit in defsec, and I now know why this code change triggers the problem, but I have no idea about the root cause. So it's probably a good idea to move this discussion to a defsec issue, if anyone knows how to formulate an issue from my observation.

So, with the above example, what essentially happens is that we end up with a rogue module here, which has a child module with a modulePath of ".", which in the above case is actually the root module.

[screenshot]

My hunch is that this module is somehow referencing itself or something. I haven't spent enough time with defsec to make sense of this, so this needs to be resolved by someone more clever than me.

@nikpivkin
Contributor Author

nikpivkin commented Nov 7, 2023

Hi @kernle32dll !

This will be fixed after #5245 is merged.

In the screenshot everything is ok. RootModule is a kind of module container, which has no references from other modules, i.e. it is a self-sufficient application. The childs field contains all the modules in flat form that are declared in this application.

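A standalone check, added here as an example and not taken from Trivy or defsec, that applies the root/child distinction described above to the reporter's layout: it resolves local module `source` paths, treats anything under `.terraform/` as a vendored copy, and so reports `modules/s3` as a child of `.` rather than as a second root (which is what produces the duplicated findings in the original report). The file contents are constructed from the issue's main.tf and modules/s3 and stand in for a real directory tree.

```python
"""Classify Terraform directories as root modules or local child modules.

Added example, not Trivy or defsec code. Input is a {path: content} map
standing in for a directory tree; .terraform/ holds the copies that
`terraform init` downloads and is skipped, and a directory referenced
through a local `source` is a child module, not a second root.
"""
import posixpath
import re

# One `module "name" { ... }` block; the body ends at the first "}" that
# starts a line. Sufficient for flat module blocks like the issue's main.tf.
MODULE_BLOCK_RE = re.compile(r'module\s+"[^"]+"\s*\{(.*?)\n\}', re.S)
SOURCE_RE = re.compile(r'^\s*source\s*=\s*"([^"]+)"', re.M)

# Constructed sample modelled on the reporter's layout (not real files).
SAMPLE_FILES = {
    "main.tf": (
        'module "test" {\n'
        '  source               = "./modules/s3"\n'
        '  s3_object_versioning = "Disabled"\n'
        '}\n'
    ),
    "modules/s3/main.tf": (
        'resource "aws_s3_bucket" "s3_bucket" {\n'
        '  bucket = "test.bucket"\n'
        '}\n'
    ),
    # Vendored copy of a registry module: must not become a root of its own.
    ".terraform/modules/backup/main.tf": (
        'module "mig" {\n  source = "./modules/mig"\n}\n'
    ),
}


def local_module_sources(tf_text):
    """Return `source` values of module blocks that point at local paths."""
    found = []
    for body in MODULE_BLOCK_RE.findall(tf_text):
        m = SOURCE_RE.search(body)
        if m and m.group(1).startswith(("./", "../")):
            found.append(m.group(1))
    return found


def is_vendored(path):
    """True for anything below a .terraform/ directory."""
    return ".terraform" in path.split("/")


def classify_modules(files):
    """Return (roots, children): dirs named by a local source are children."""
    dirs, referenced = set(), set()
    for path, text in files.items():
        if not path.endswith(".tf") or is_vendored(path):
            continue
        directory = posixpath.dirname(path) or "."
        dirs.add(directory)
        for src in local_module_sources(text):
            # Resolve the source relative to the referencing directory.
            referenced.add(posixpath.normpath(posixpath.join(directory, src)))
    roots = sorted(d for d in dirs if d not in referenced)
    return roots, sorted(referenced)
```

For the sample, `classify_modules(SAMPLE_FILES)` returns `(['.'], ['modules/s3'])`, so a finding from modules/s3 should appear once, under the root, rather than once per scan of the child directory.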