lower filter level: #9004

matt-heery · 2024-12-06T17:02:14Z

No description provided.

github-actions · 2024-12-06T17:05:12Z

`Trivy Scan` Failed

Show Output

```hcl

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data

Running Trivy in terraform/environments/electronic-monitoring-data
2024-12-06T17:04:34Z INFO [vulndb] Need to update DB
2024-12-06T17:04:34Z INFO [vulndb] Downloading vulnerability DB...
2024-12-06T17:04:34Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-06T17:04:37Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-06T17:04:37Z INFO [vuln] Vulnerability scanning is enabled
2024-12-06T17:04:37Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-06T17:04:37Z INFO [misconfig] Need to update the built-in checks
2024-12-06T17:04:37Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-12-06T17:04:42Z INFO [secret] Secret scanning is enabled
2024-12-06T17:04:42Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-06T17:04:42Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.58/docs/scanner/secret#recommendation for faster secret detection
2024-12-06T17:04:43Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-06T17:04:43Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
panic: value is null

goroutine 1 [running]:
github.com/zclconf/go-cty/cty.Value.AsString({{{0x58f5110?, 0xc00029d301?}}, {0x0?, 0x0?}})
/home/runner/go/pkg/mod/github.com/zclconf/[email protected]/cty/value_ops.go:1390 +0x10b
github.com/aquasecurity/trivy/pkg/iac/terraform.postProcessValues(0xc004e15340, 0xc003278600)
/home/runner/work/trivy/trivy/pkg/iac/terraform/presets.go:52 +0x393
github.com/aquasecurity/trivy/pkg/iac/terraform.(*Block).Values(0xc004e15340)
/home/runner/work/trivy/trivy/pkg/iac/terraform/block.go:580 +0x185
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).getResources(0xc002906140)
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:581 +0x18e
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateStep(0xc002906140)
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:99 +0x195
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSteps(0xc002906140)
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:246 +0x152
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).EvaluateAll(0xc002906140, {0x58f3078, 0xc000d9c210})
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:135 +0x1eb
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSubmodule(0xc005317220, {0x58f3078, 0xc000d9c210}, 0xc008f7e940)
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:228 +0x1bc
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSubmodules(0xc005317220, {0x58f3078, 0xc000d9c210}, 0xc0054101e0)
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:164 +0x43f
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).EvaluateAll(0xc005317220, {0x58f3078, 0xc000d9c210})
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:142 +0x294
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSubmodule(0xc002ef48c0, {0x58f3078, 0xc000d9c210}, 0xc005a20880)
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:228 +0x1bc
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSubmodules(0xc002ef48c0, {0x58f3078, 0xc000d9c210}, 0xc00421fd10)
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:164 +0x43f
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).EvaluateAll(0xc002ef48c0, {0x58f3078, 0xc000d9c210})
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:142 +0x294
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*Parser).EvaluateAll(0xc00401d560, {0x58f3078, 0xc000d9c210})
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/parser.go:342 +0x90
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform.(*Scanner).ScanFS(0xc000e899e0, {0x58f3078, 0xc000d9c210}, {0x58b12c0, 0xc0016148a0}, {0x58959e8, 0x1})
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/scanner.go:132 +0x726
github.com/aquasecurity/trivy/pkg/misconf.(*Scanner).Scan(0xc000998bc0, {0x58f3120, 0xc0004081c0}, {0x58b12c0, 0xc0016143a8})
/home/runner/work/trivy/trivy/pkg/misconf/scanner.go:151 +0x297
github.com/aquasecurity/trivy/pkg/fanal/analyzer/config.(*Analyzer).PostAnalyze(0xc000d95a60, {0x58f3120?, 0xc0004081c0?}, {{0x58b12c0?, 0xc0016143a8?}, {0x9?, 0x0?}})
/home/runner/work/trivy/trivy/pkg/fanal/analyzer/config/config.go:44 +0x46
github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.PostAnalyze({0xc000864f10, {0xc000b4f000, 0x1f, 0x20}, {0xc001672800, 0x16, 0x20}, 0xc000b98ba0, {0x47ad91d, 0x7}}, ...)
/home/runner/work/trivy/trivy/pkg/fanal/analyzer/analyzer.go:505 +0x2e2
github.com/aquasecurity/trivy/pkg/fanal/artifact/local.Artifact.Inspect({{0x7ffeb340cb41, 0x43}, {0x7f5f1e6e3e18, 0xc000a36280}, {0x58b11e0, 0x827fc80}, {0xc000864f10, {0xc000b4f000, 0x1f, 0x20}, ...}, ...}, ...)
/home/runner/work/trivy/trivy/pkg/fanal/artifact/local/fs.go:121 +0x4c9
github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact({{, }, {, }}, {, }, {{0xc0010896e0, 0x2, 0x2}, {0xc001100800, ...}, ...})
/home/runner/work/trivy/trivy/pkg/scanner/scan.go:156 +0x103
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scan(, {, }, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...}, ...)
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:620 +0x32b
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact(, {, }, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...}, ...)
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:259 +0xb1
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanFS(, {, }, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...})
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:204 +0xc5
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).ScanFilesystem(, {_, }, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...})
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:184 +0x211
github.com/aquasecurity/trivy/pkg/commands/artifact.Run({, _}, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, {0xc0007a4700, ...}, ...}, ...}, ...)
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:385 +0x8cb
github.com/aquasecurity/trivy/pkg/commands.NewFilesystemCommand.func2(0xc000a50008, {0xc0012c1c20, 0x1, 0xa})
/home/runner/work/trivy/trivy/pkg/commands/app.go:383 +0x19c
github.com/spf13/cobra.(*Command).execute(0xc000a50008, {0xc0012c1ae0, 0xa, 0xa})
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:985 +0xaca
github.com/spf13/cobra.(*Command).ExecuteC(0xc000731808)
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1117 +0x3ff
github.com/spf13/cobra.(*Command).Execute(0x48176bb?)
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1041 +0x13
main.run()
/home/runner/work/trivy/trivy/cmd/trivy/main.go:39 +0x113
main.main()
/home/runner/work/trivy/trivy/cmd/trivy/main.go:19 +0x1f
trivy_exitcode=2

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-06 17:04:49,952 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=95ed3c3:None (for external modules, the --download-external-modules flag is required)
2024-12-06 17:04:49,952 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060:None (for external modules, the --download-external-modules flag is required)
2024-12-06 17:04:49,952 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.48.0 (for external modules, the --download-external-modules flag is required)
2024-12-06 17:04:49,952 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/secrets-manager/aws:1.3.0 (for external modules, the --download-external-modules flag is required)
2024-12-06 17:04:49,952 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.1.1 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 2479, Failed checks: 58, Skipped checks: 90

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_rds_to_s3_parquet_v1
	File: /dms_data_validation_glue_job_v2.tf:10-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		10 | resource "aws_cloudwatch_log_group" "dms_dv_rds_to_s3_parquet_v1" {
		11 |   name              = "dms-dv-rds-to-s3-parquet-v1"
		12 |   retention_in_days = 14
		13 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_rds_to_s3_parquet_v1
	File: /dms_data_validation_glue_job_v2.tf:10-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		10 | resource "aws_cloudwatch_log_group" "dms_dv_rds_to_s3_parquet_v1" {
		11 |   name              = "dms-dv-rds-to-s3-parquet-v1"
		12 |   retention_in_days = 14
		13 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_rds_to_s3_parquet_v1
	File: /dms_data_validation_glue_job_v2.tf:22-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_rds_to_s3_parquet_v2
	File: /dms_data_validation_glue_job_v2.tf:87-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		87 | resource "aws_cloudwatch_log_group" "dms_dv_rds_to_s3_parquet_v2" {
		88 |   name              = "dms-dv-rds-to-s3-parquet-v2"
		89 |   retention_in_days = 14
		90 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_rds_to_s3_parquet_v2
	File: /dms_data_validation_glue_job_v2.tf:87-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		87 | resource "aws_cloudwatch_log_group" "dms_dv_rds_to_s3_parquet_v2" {
		88 |   name              = "dms-dv-rds-to-s3-parquet-v2"
		89 |   retention_in_days = 14
		90 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_rds_to_s3_parquet_v2
	File: /dms_data_validation_glue_job_v2.tf:99-154
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.etl_rds_to_s3_parquet_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:157-160
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		157 | resource "aws_cloudwatch_log_group" "etl_rds_to_s3_parquet_partitionby_yyyy_mm" {
		158 |   name              = "etl-rds-to-s3-parquet-partitionby-yyyy-mm"
		159 |   retention_in_days = 14
		160 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.etl_rds_to_s3_parquet_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:157-160
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		157 | resource "aws_cloudwatch_log_group" "etl_rds_to_s3_parquet_partitionby_yyyy_mm" {
		158 |   name              = "etl-rds-to-s3-parquet-partitionby-yyyy-mm"
		159 |   retention_in_days = 14
		160 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.etl_rds_to_s3_parquet_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:169-223
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.etl_dv_rds_to_s3_parquet_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:226-229
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		226 | resource "aws_cloudwatch_log_group" "etl_dv_rds_to_s3_parquet_partitionby_yyyy_mm" {
		227 |   name              = "etl-dv-rds-to-s3-parquet-partitionby-yyyy-mm"
		228 |   retention_in_days = 14
		229 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.etl_dv_rds_to_s3_parquet_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:226-229
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		226 | resource "aws_cloudwatch_log_group" "etl_dv_rds_to_s3_parquet_partitionby_yyyy_mm" {
		227 |   name              = "etl-dv-rds-to-s3-parquet-partitionby-yyyy-mm"
		228 |   retention_in_days = 14
		229 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.etl_dv_rds_to_s3_parquet_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:238-304
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.parquet_resize_or_partitionby_yyyy_mm_dd
	File: /dms_data_validation_glue_job_v2.tf:307-310
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		307 | resource "aws_cloudwatch_log_group" "parquet_resize_or_partitionby_yyyy_mm_dd" {
		308 |   name              = "parquet-resize-or-partitionby-yyyy-mm-dd"
		309 |   retention_in_days = 14
		310 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.parquet_resize_or_partitionby_yyyy_mm_dd
	File: /dms_data_validation_glue_job_v2.tf:307-310
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		307 | resource "aws_cloudwatch_log_group" "parquet_resize_or_partitionby_yyyy_mm_dd" {
		308 |   name              = "parquet-resize-or-partitionby-yyyy-mm-dd"
		309 |   retention_in_days = 14
		310 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.parquet_resize_or_partitionby_yyyy_mm_dd
	File: /dms_data_validation_glue_job_v2.tf:319-373
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.etl_table_rows_hashvalue_to_parquet
	File: /dms_data_validation_glue_job_v2.tf:376-379
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		376 | resource "aws_cloudwatch_log_group" "etl_table_rows_hashvalue_to_parquet" {
		377 |   name              = "etl-table-rows-hashvalue-to-parquet"
		378 |   retention_in_days = 14
		379 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.etl_table_rows_hashvalue_to_parquet
	File: /dms_data_validation_glue_job_v2.tf:376-379
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		376 | resource "aws_cloudwatch_log_group" "etl_table_rows_hashvalue_to_parquet" {
		377 |   name              = "etl-table-rows-hashvalue-to-parquet"
		378 |   retention_in_days = 14
		379 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.etl_table_rows_hashvalue_to_parquet
	File: /dms_data_validation_glue_job_v2.tf:388-438
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_on_rows_hashvalue
	File: /dms_data_validation_glue_job_v2.tf:442-445
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		442 | resource "aws_cloudwatch_log_group" "dms_dv_on_rows_hashvalue" {
		443 |   name              = "dms-dv-on-rows-hashvalue"
		444 |   retention_in_days = 14
		445 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_on_rows_hashvalue
	File: /dms_data_validation_glue_job_v2.tf:442-445
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		442 | resource "aws_cloudwatch_log_group" "dms_dv_on_rows_hashvalue" {
		443 |   name              = "dms-dv-on-rows-hashvalue"
		444 |   retention_in_days = 14
		445 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_on_rows_hashvalue
	File: /dms_data_validation_glue_job_v2.tf:454-505
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.etl_rds_tbl_hash_rows_to_s3_prq_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:509-512
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		509 | resource "aws_cloudwatch_log_group" "etl_rds_tbl_hash_rows_to_s3_prq_partitionby_yyyy_mm" {
		510 |   name              = "etl-rds-tbl-hash-rows-to-s3-prq-partitionby-yyyy-mm"
		511 |   retention_in_days = 14
		512 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.etl_rds_tbl_hash_rows_to_s3_prq_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:509-512
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		509 | resource "aws_cloudwatch_log_group" "etl_rds_tbl_hash_rows_to_s3_prq_partitionby_yyyy_mm" {
		510 |   name              = "etl-rds-tbl-hash-rows-to-s3-prq-partitionby-yyyy-mm"
		511 |   retention_in_days = 14
		512 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.etl_rds_tbl_hash_rows_to_s3_prq_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:521-576
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.etl_rds_sqlserver_query_to_s3_parquet
	File: /dms_data_validation_glue_job_v2.tf:578-581
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		578 | resource "aws_cloudwatch_log_group" "etl_rds_sqlserver_query_to_s3_parquet" {
		579 |   name              = "etl-rds-sqlserver-query-to-s3-parquet"
		580 |   retention_in_days = 14
		581 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.etl_rds_sqlserver_query_to_s3_parquet
	File: /dms_data_validation_glue_job_v2.tf:578-581
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		578 | resource "aws_cloudwatch_log_group" "etl_rds_sqlserver_query_to_s3_parquet" {
		579 |   name              = "etl-rds-sqlserver-query-to-s3-parquet"
		580 |   retention_in_days = 14
		581 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.etl_rds_sqlserver_query_to_s3_parquet
	File: /dms_data_validation_glue_job_v2.tf:590-644
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.create_or_refresh_dv_table
	File: /dms_data_validation_glue_job_v2.tf:662-665
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		662 | resource "aws_cloudwatch_log_group" "create_or_refresh_dv_table" {
		663 |   name              = "create-or-refresh-dv-table"
		664 |   retention_in_days = 14
		665 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.create_or_refresh_dv_table
	File: /dms_data_validation_glue_job_v2.tf:662-665
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		662 | resource "aws_cloudwatch_log_group" "create_or_refresh_dv_table" {
		663 |   name              = "create-or-refresh-dv-table"
		664 |   retention_in_days = 14
		665 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.create_or_refresh_dv_table
	File: /dms_data_validation_glue_job_v2.tf:675-705
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		675 | resource "aws_glue_job" "create_or_refresh_dv_table" {
		676 |   count = local.gluejob_count
		677 | 
		678 |   name              = "create-or-refresh-dv-table"
		679 |   description       = "Python script uses Boto3-Athena-Client to run sql-statements"
		680 |   role_arn          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		681 |   glue_version      = "4.0"
		682 |   worker_type       = "G.1X"
		683 |   number_of_workers = 2
		684 |   default_arguments = {
		685 |     "--parquet_output_bucket_name"       = module.s3-dms-data-validation-bucket.bucket.id
		686 |     "--glue_catalog_db_name"             = aws_glue_catalog_database.dms_dv_glue_catalog_db.name
		687 |     "--glue_catalog_tbl_name"            = "glue_df_output"
		688 |     "--continuous-log-logGroup"          = aws_cloudwatch_log_group.create_or_refresh_dv_table.name
		689 |     "--enable-continuous-cloudwatch-log" = "true"
		690 |     "--enable-continuous-log-filter"     = "true"
		691 |     "--enable-metrics"                   = ""
		692 |   }
		693 |   command {
		694 |     python_version  = "3"
		695 |     script_location = "s3://${module.s3-glue-job-script-bucket.bucket.id}/create_or_refresh_dv_table.py"
		696 |   }
		697 | 
		698 |   tags = merge(
		699 |     local.tags,
		700 |     {
		701 |       Resource_Type = "Py script as glue-job that creates dv table / refreshes its partitions",
		702 |     }
		703 |   )
		704 | 
		705 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_crawler.rds_sqlserver_db_glue_crawler
	File: /dms_glue_crawler.tf:35-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		35 | resource "aws_glue_crawler" "rds_sqlserver_db_glue_crawler" {
		36 |   name          = "rds-sqlserver-${aws_db_instance.database_2022.identifier}-tf"
		37 |   role          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		38 |   database_name = aws_glue_catalog_database.rds_sqlserver_glue_catalog_db.name
		39 |   description   = "Crawler to fetch database names"
		40 |   #   table_prefix  = "your_table_prefix"
		41 | 
		42 |   jdbc_target {
		43 |     connection_name = aws_glue_connection.glue_rds_sqlserver_db_connection.name
		44 |     path            = "%"
		45 |   }
		46 |   tags = merge(
		47 |     local.tags,
		48 |     {
		49 |       Resource_Type = "RDS-SQLServer Glue-Crawler for DMS",
		50 |     }
		51 |   )
		52 | 
		53 |   # provisioner "local-exec" {
		54 |   #   command = "aws glue start-crawler --name ${self.name}"
		55 |   # }
		56 | }

Check: CKV_AWS_212: "Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_dms_replication_instance.dms_replication_instance
	File: /dms_replication_instance.tf:24-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ebs-volume-is-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk

		24 | resource "aws_dms_replication_instance" "dms_replication_instance" {
		25 |   allocated_storage          = var.dms_allocated_storage_gib
		26 |   apply_immediately          = true
		27 |   auto_minor_version_upgrade = true
		28 |   availability_zone          = var.dms_availability_zone
		29 |   engine_version             = var.dms_engine_version
		30 |   #   kms_key_arn                  = "arn:aws:kms:eu-west-2:800964199911:key/b7f54acb-16a3-4958-9340-3bdf5f5842d8"
		31 |   multi_az = false
		32 |   #   preferred_maintenance_window = "sun:10:30-sun:14:30"
		33 |   publicly_accessible         = false
		34 |   replication_instance_class  = var.dms_replication_instance_class
		35 |   replication_instance_id     = "dms-replication-instance-tf"
		36 |   replication_subnet_group_id = aws_dms_replication_subnet_group.dms_replication_subnet_group.id
		37 | 
		38 |   tags = merge(
		39 |     local.tags,
		40 |     {
		41 |       Resource_Type = "DMS Replication Instance",
		42 |     }
		43 |   )
		44 | 
		45 |   vpc_security_group_ids = [
		46 |     aws_security_group.dms_ri_security_group.id,
		47 |   ]
		48 | 
		49 |   depends_on = [
		50 |     aws_iam_role.dms_vpc_role,
		51 |     aws_iam_role.dms_cloudwatch_logs_role,
		52 |     aws_iam_role.dms_endpoint_role
		53 |   ]
		54 | 
		55 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:105-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		105 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		106 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		107 | 
		108 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		109 |   ip_protocol                  = "tcp"
		110 |   from_port                    = 0
		111 |   to_port                      = 65535
		112 |   description                  = "Required ports open for Glue-RDS-Connection"
		113 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:105-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		105 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		106 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		107 | 
		108 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		109 |   ip_protocol                  = "tcp"
		110 |   from_port                    = 0
		111 |   to_port                      = 65535
		112 |   description                  = "Required ports open for Glue-RDS-Connection"
		113 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:105-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		105 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		106 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		107 | 
		108 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		109 |   ip_protocol                  = "tcp"
		110 |   from_port                    = 0
		111 |   to_port                      = 65535
		112 |   description                  = "Required ports open for Glue-RDS-Connection"
		113 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:103-118
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		103 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		104 |   statement {
		105 |     effect = "Allow"
		106 |     actions = [
		107 |       "ec2:CreateNetworkInterface",
		108 |       "ec2:DescribeNetworkInterfaces",
		109 |       "ec2:DeleteNetworkInterface",
		110 |       "ec2:DescribeVpcEndpoints",
		111 |       "ec2:DescribeSubnets",
		112 |       "ec2:DescribeVpcAttribute",
		113 |       "ec2:DescribeRouteTables",
		114 |       "ec2:DescribeSecurityGroups"
		115 |     ]
		116 |     resources = ["*"]
		117 |   }
		118 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:103-118
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		103 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		104 |   statement {
		105 |     effect = "Allow"
		106 |     actions = [
		107 |       "ec2:CreateNetworkInterface",
		108 |       "ec2:DescribeNetworkInterfaces",
		109 |       "ec2:DeleteNetworkInterface",
		110 |       "ec2:DescribeVpcEndpoints",
		111 |       "ec2:DescribeSubnets",
		112 |       "ec2:DescribeVpcAttribute",
		113 |       "ec2:DescribeRouteTables",
		114 |       "ec2:DescribeSecurityGroups"
		115 |     ]
		116 |     resources = ["*"]
		117 |   }
		118 | }

Check: CKV_AWS_296: "Ensure DMS endpoint uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_endpoint.dms_rds_source
	File: /modules/dms/endpoints_rds_s3.tf:2-23
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-296

		2  | resource "aws_dms_endpoint" "dms_rds_source" {
		3  | 
		4  |   #   certificate_arn             = ""
		5  |   database_name = var.database_name
		6  |   endpoint_id   = "rds-mssql-${replace(var.database_name, "_", "-")}-tf"
		7  |   endpoint_type = "source"
		8  |   engine_name   = "sqlserver"
		9  |   #   extra_connection_attributes = ""
		10 |   #   kms_key_arn                 = aws_db_instance.database_2022.kms_key_id
		11 |   password    = var.rds_db_instance_pasword
		12 |   port        = var.rds_db_instance_port
		13 |   server_name = var.rds_db_server_name
		14 |   ssl_mode    = "require"
		15 |   username    = var.rds_db_username
		16 | 
		17 |   tags = merge(
		18 |     var.local_tags,
		19 |     {
		20 |       Resource_Type = "DMS Source Endpoint - RDS MSSQL",
		21 |     },
		22 |   )
		23 | }

Check: CKV_AWS_298: "Ensure DMS S3 uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_s3_endpoint.dms_s3_parquet_target
	File: /modules/dms/endpoints_rds_s3.tf:28-84
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-298

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: module.get_zipped_file_api.aws_sfn_state_machine.this
	File: /modules/step_function/main.tf:4-14
	Calling File: /step_functions_main.tf:5-16
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		4  | resource "aws_sfn_state_machine" "this" {
		5  |   name       = var.name
		6  |   role_arn   = aws_iam_role.step_function_role.arn
		7  |   definition = templatefile("step_function_definitions/${var.name}.json.tmpl", var.variable_dictionary)
		8  |   type       = var.type
		9  |   logging_configuration {
		10 |     log_destination        = "${aws_cloudwatch_log_group.this_log_group.arn}:*"
		11 |     include_execution_data = true
		12 |     level                  = "ALL"
		13 |   }
		14 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.get_zipped_file_api.aws_iam_policy_document.step_function_base_permissions
	File: /modules/step_function/main.tf:44-73
	Calling File: /step_functions_main.tf:5-16
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		44 | data "aws_iam_policy_document" "step_function_base_permissions" {
		45 |   statement {
		46 |     effect    = "Allow"
		47 |     actions   = ["sns:Publish", "sqs:SendMessage"]
		48 |     resources = ["*"]
		49 |   }
		50 |   statement {
		51 |     effect    = "Allow"
		52 |     actions   = ["kms:GenerateDataKey", "kms:Decrypt"]
		53 |     resources = [aws_kms_key.this_log_key.arn]
		54 |   }
		55 |   statement {
		56 |     effect = "Allow"
		57 |     actions = [
		58 |       "logs:CreateLogDelivery",
		59 |       "logs:CreateLogStream",
		60 |       "logs:GetLogDelivery",
		61 |       "logs:UpdateLogDelivery",
		62 |       "logs:DeleteLogDelivery",
		63 |       "logs:ListLogDeliveries",
		64 |       "logs:PutResourcePolicy",
		65 |       "logs:DescribeResourcePolicies",
		66 |       "logs:DescribeLogGroups",
		67 |       "logs:PutDestination",
		68 |       "logs:PutDestinationPolicy",
		69 |       "logs:PutLogEvents"
		70 |     ]
		71 |     resources = ["*"]
		72 |   }
		73 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.get_zipped_file_api.aws_iam_policy_document.step_function_base_permissions
	File: /modules/step_function/main.tf:44-73
	Calling File: /step_functions_main.tf:5-16
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		44 | data "aws_iam_policy_document" "step_function_base_permissions" {
		45 |   statement {
		46 |     effect    = "Allow"
		47 |     actions   = ["sns:Publish", "sqs:SendMessage"]
		48 |     resources = ["*"]
		49 |   }
		50 |   statement {
		51 |     effect    = "Allow"
		52 |     actions   = ["kms:GenerateDataKey", "kms:Decrypt"]
		53 |     resources = [aws_kms_key.this_log_key.arn]
		54 |   }
		55 |   statement {
		56 |     effect = "Allow"
		57 |     actions = [
		58 |       "logs:CreateLogDelivery",
		59 |       "logs:CreateLogStream",
		60 |       "logs:GetLogDelivery",
		61 |       "logs:UpdateLogDelivery",
		62 |       "logs:DeleteLogDelivery",
		63 |       "logs:ListLogDeliveries",
		64 |       "logs:PutResourcePolicy",
		65 |       "logs:DescribeResourcePolicies",
		66 |       "logs:DescribeLogGroups",
		67 |       "logs:PutDestination",
		68 |       "logs:PutDestinationPolicy",
		69 |       "logs:PutLogEvents"
		70 |     ]
		71 |     resources = ["*"]
		72 |   }
		73 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.get_zipped_file_api.aws_iam_policy_document.this_log_key_document
	File: /modules/step_function/main.tf:81-108
	Calling File: /step_functions_main.tf:5-16
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		81  | data "aws_iam_policy_document" "this_log_key_document" {
		82  |   statement {
		83  |     sid    = "EnableIAMUserPermissions"
		84  |     effect = "Allow"
		85  |     principals {
		86  |       type        = "AWS"
		87  |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		88  |     }
		89  |     actions   = ["kms:*"]
		90  |     resources = ["*"]
		91  |   }
		92  | 
		93  |   statement {
		94  |     sid    = "EnableLogServicePermissions"
		95  |     effect = "Allow"
		96  |     principals {
		97  |       type        = "Service"
		98  |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		99  |     }
		100 |     actions = [
		101 |       "kms:Encrypt",
		102 |       "kms:Decrypt",
		103 |       "kms:GenerateDataKey",
		104 |       "kms:DescribeKey"
		105 |     ]
		106 |     resources = ["*"]
		107 |   }
		108 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.get_zipped_file_api.aws_iam_policy_document.this_log_key_document
	File: /modules/step_function/main.tf:81-108
	Calling File: /step_functions_main.tf:5-16
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		81  | data "aws_iam_policy_document" "this_log_key_document" {
		82  |   statement {
		83  |     sid    = "EnableIAMUserPermissions"
		84  |     effect = "Allow"
		85  |     principals {
		86  |       type        = "AWS"
		87  |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		88  |     }
		89  |     actions   = ["kms:*"]
		90  |     resources = ["*"]
		91  |   }
		92  | 
		93  |   statement {
		94  |     sid    = "EnableLogServicePermissions"
		95  |     effect = "Allow"
		96  |     principals {
		97  |       type        = "Service"
		98  |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		99  |     }
		100 |     actions = [
		101 |       "kms:Encrypt",
		102 |       "kms:Decrypt",
		103 |       "kms:GenerateDataKey",
		104 |       "kms:DescribeKey"
		105 |     ]
		106 |     resources = ["*"]
		107 |   }
		108 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.get_zipped_file_api.aws_iam_policy_document.this_log_key_document
	File: /modules/step_function/main.tf:81-108
	Calling File: /step_functions_main.tf:5-16
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		81  | data "aws_iam_policy_document" "this_log_key_document" {
		82  |   statement {
		83  |     sid    = "EnableIAMUserPermissions"
		84  |     effect = "Allow"
		85  |     principals {
		86  |       type        = "AWS"
		87  |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		88  |     }
		89  |     actions   = ["kms:*"]
		90  |     resources = ["*"]
		91  |   }
		92  | 
		93  |   statement {
		94  |     sid    = "EnableLogServicePermissions"
		95  |     effect = "Allow"
		96  |     principals {
		97  |       type        = "Service"
		98  |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		99  |     }
		100 |     actions = [
		101 |       "kms:Encrypt",
		102 |       "kms:Decrypt",
		103 |       "kms:GenerateDataKey",
		104 |       "kms:DescribeKey"
		105 |     ]
		106 |     resources = ["*"]
		107 |   }
		108 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.glue_rds_conn_security_group
	File: /dms_security_groups.tf:81-92
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		81 | resource "aws_security_group" "glue_rds_conn_security_group" {
		82 |   name        = "glue-rds-sqlserver-connection-tf"
		83 |   description = "Secuity Group for Glue-RDS-Connection"
		84 |   vpc_id      = data.aws_vpc.shared.id
		85 | 
		86 |   tags = merge(
		87 |     local.tags,
		88 |     {
		89 |       Resource_Type = "Secuity Group for Glue-RDS-Connection",
		90 |     }
		91 |   )
		92 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.buddi.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.capita.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.g4s.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }


checkov_exitcode=1

`CTFLint Scan` Failed

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
3 issue(s) found:

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/glue_data.tf line 1:
   1: data "archive_file" "archive_file_zip_py_files" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: `s3_pylib_dir_path` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/glue_variables.tf line 1:
   1: variable "s3_pylib_dir_path" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_typed_variables.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/server_backups.tf line 13:
  13: resource "random_password" "random_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

`Trivy Scan` Failed

Show Output

*****************************

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Trivy in terraform/environments/electronic-monitoring-data
2024-12-06T17:04:34Z	INFO	[vulndb] Need to update DB
2024-12-06T17:04:34Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-06T17:04:34Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-06T17:04:37Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-06T17:04:37Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-06T17:04:37Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-06T17:04:37Z	INFO	[misconfig] Need to update the built-in checks
2024-12-06T17:04:37Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-12-06T17:04:42Z	INFO	[secret] Secret scanning is enabled
2024-12-06T17:04:42Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-06T17:04:42Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.58/docs/scanner/secret#recommendation for faster secret detection
2024-12-06T17:04:43Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-06T17:04:43Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
panic: value is null

goroutine 1 [running]:
github.com/zclconf/go-cty/cty.Value.AsString({{{0x58f5110?, 0xc00029d301?}}, {0x0?, 0x0?}})
	/home/runner/go/pkg/mod/github.com/zclconf/go-cty@v1.15.0/cty/value_ops.go:1390 +0x10b
github.com/aquasecurity/trivy/pkg/iac/terraform.postProcessValues(0xc004e15340, 0xc003278600)
	/home/runner/work/trivy/trivy/pkg/iac/terraform/presets.go:52 +0x393
github.com/aquasecurity/trivy/pkg/iac/terraform.(*Block).Values(0xc004e15340)
	/home/runner/work/trivy/trivy/pkg/iac/terraform/block.go:580 +0x185
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).getResources(0xc002906140)
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:581 +0x18e
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateStep(0xc002906140)
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:99 +0x195
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSteps(0xc002906140)
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:246 +0x152
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).EvaluateAll(0xc002906140, {0x58f3078, 0xc000d9c210})
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:135 +0x1eb
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSubmodule(0xc005317220, {0x58f3078, 0xc000d9c210}, 0xc008f7e940)
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:228 +0x1bc
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSubmodules(0xc005317220, {0x58f3078, 0xc000d9c210}, 0xc0054101e0)
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:164 +0x43f
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).EvaluateAll(0xc005317220, {0x58f3078, 0xc000d9c210})
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:142 +0x294
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSubmodule(0xc002ef48c0, {0x58f3078, 0xc000d9c210}, 0xc005a20880)
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:228 +0x1bc
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSubmodules(0xc002ef48c0, {0x58f3078, 0xc000d9c210}, 0xc00421fd10)
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:164 +0x43f
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).EvaluateAll(0xc002ef48c0, {0x58f3078, 0xc000d9c210})
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:142 +0x294
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*Parser).EvaluateAll(0xc00401d560, {0x58f3078, 0xc000d9c210})
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/parser.go:342 +0x90
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform.(*Scanner).ScanFS(0xc000e899e0, {0x58f3078, 0xc000d9c210}, {0x58b12c0, 0xc0016148a0}, {0x58959e8, 0x1})
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/scanner.go:132 +0x726
github.com/aquasecurity/trivy/pkg/misconf.(*Scanner).Scan(0xc000998bc0, {0x58f3120, 0xc0004081c0}, {0x58b12c0, 0xc0016143a8})
	/home/runner/work/trivy/trivy/pkg/misconf/scanner.go:151 +0x297
github.com/aquasecurity/trivy/pkg/fanal/analyzer/config.(*Analyzer).PostAnalyze(0xc000d95a60, {0x58f3120?, 0xc0004081c0?}, {{0x58b12c0?, 0xc0016143a8?}, {0x9?, 0x0?}})
	/home/runner/work/trivy/trivy/pkg/fanal/analyzer/config/config.go:44 +0x46
github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.PostAnalyze({0xc000864f10, {0xc000b4f000, 0x1f, 0x20}, {0xc001672800, 0x16, 0x20}, 0xc000b98ba0, {0x47ad91d, 0x7}}, ...)
	/home/runner/work/trivy/trivy/pkg/fanal/analyzer/analyzer.go:505 +0x2e2
github.com/aquasecurity/trivy/pkg/fanal/artifact/local.Artifact.Inspect({{0x7ffeb340cb41, 0x43}, {0x7f5f1e6e3e18, 0xc000a36280}, {0x58b11e0, 0x827fc80}, {0xc000864f10, {0xc000b4f000, 0x1f, 0x20}, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/fanal/artifact/local/fs.go:121 +0x4c9
github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact({{_, _}, {_, _}}, {_, _}, {{0xc0010896e0, 0x2, 0x2}, {0xc001100800, ...}, ...})
	/home/runner/work/trivy/trivy/pkg/scanner/scan.go:156 +0x103
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scan(_, {_, _}, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:620 +0x32b
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact(_, {_, _}, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:259 +0xb1
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanFS(_, {_, _}, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...})
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:204 +0xc5
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).ScanFilesystem(_, {_, _}, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...})
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:184 +0x211
github.com/aquasecurity/trivy/pkg/commands/artifact.Run({_, _}, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, {0xc0007a4700, ...}, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:385 +0x8cb
github.com/aquasecurity/trivy/pkg/commands.NewFilesystemCommand.func2(0xc000a50008, {0xc0012c1c20, 0x1, 0xa})
	/home/runner/work/trivy/trivy/pkg/commands/app.go:383 +0x19c
github.com/spf13/cobra.(*Command).execute(0xc000a50008, {0xc0012c1ae0, 0xa, 0xa})
	/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.8.1/command.go:985 +0xaca
github.com/spf13/cobra.(*Command).ExecuteC(0xc000731808)
	/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.8.1/command.go:1117 +0x3ff
github.com/spf13/cobra.(*Command).Execute(0x48176bb?)
	/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.8.1/command.go:1041 +0x13
main.run()
	/home/runner/work/trivy/trivy/cmd/trivy/main.go:39 +0x113
main.main()
	/home/runner/work/trivy/trivy/cmd/trivy/main.go:19 +0x1f
trivy_exitcode=2

lower filter level:

2d22ac2

matt-heery requested review from a team as code owners December 6, 2024 17:02

github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Dec 6, 2024

matt-heery had a problem deploying to electronic-monitoring-data-development December 6, 2024 17:04 — with GitHub Actions Error

matt-heery had a problem deploying to electronic-monitoring-data-test December 6, 2024 17:05 — with GitHub Actions Error

pricemg approved these changes Dec 6, 2024

View reviewed changes

pricemg merged commit 6d5fb99 into main Dec 6, 2024
13 of 16 checks passed

pricemg deleted the edit-filter branch December 6, 2024 20:24

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

lower filter level: #9004

lower filter level: #9004

matt-heery commented Dec 6, 2024

github-actions bot commented Dec 6, 2024

lower filter level: #9004

lower filter level: #9004

Conversation

matt-heery commented Dec 6, 2024

github-actions bot commented Dec 6, 2024

Trivy Scan Failed

CTFLint Scan Failed

Trivy Scan Failed

`Trivy Scan` Failed

`CTFLint Scan` Failed

`Trivy Scan` Failed