trivy config terraform should show the resource name

[felipeng]

Description

Currently, we use tfsec and we are in the migration process to use trivy; however, we noticed an important information that trivy is lacking which is provided on tfsec:

For example we have a local.aws-security-groups which has all the information about each Security Group rule, in this example: db1 allows from 0.0.0.0/0 and db2 doesn't

local-vars.tf

locals {
  aws-security-groups = {
    db1 = {
      description = "Allow requests to AWS RedShift 1"
      vpc_id      = module.aws-vpc.vpc_id
      ingress_with_cidr_blocks = [
        {
          description = "Allow requests to AWS RedShift from any IP addresses"
          from_port   = 5439
          to_port     = 5439
          protocol    = "tcp"
          cidr_blocks = "0.0.0.0/0"
        }
      ]
    }
    db2 = {
      description = "Allow requests to AWS RedShift 2"
      vpc_id      = module.aws-vpc.vpc_id
      ingress_with_cidr_blocks = [
        {
          description = "Allow requests to AWS RedShift from any IP addresses"
          from_port   = 5439
          to_port     = 5439
          protocol    = "tcp"
          cidr_blocks = "123.123.123.123"
        }
      ]
    }
  }
}

sg.tf

module "aws-security-groups" {
  source   = "terraform-aws-modules/security-group/aws"
  version  = "~> 4.16.2"
  for_each = local.aws-security-groups

  name                          = "${local.cluster}-${each.key}"
  description                   = each.value.description
  vpc_id                        = each.value.vpc_id
  ingress_with_cidr_blocks      = try(each.value.ingress_with_cidr_blocks, null)
  egress_with_cidr_blocks       = try(each.value.egress_with_cidr_blocks, [])
  ingress_with_ipv6_cidr_blocks = try(each.value.ingress_with_ipv6_cidr_blocks, [])
  use_name_prefix               = false
}

The tfsec finds an issue with the db1 and shows the resource name (module.aws-security-groups["db1"]), example:

tfsec .workdir-global/ --concise-output 

Result #1 CRITICAL Security group rule allows ingress from public internet. 
  terraform-aws-modules/security-group/aws/main.tf:197-204
   via aws-security-groups.tf:1-13 (module.aws-security-groups["db1"])
          ID aws-ec2-no-public-ingress-sgr
      Impact Your port exposed to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-public-ingress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks

  7 passed, 1 potential problem(s) detected.

And running trivy

trivy config .workdir-global/
2023-06-06T16:24:07.908-0400    INFO    Misconfiguration scanning is enabled
2023-06-06T16:24:08.307-0400    INFO    Detected config files: 1

terraform-aws-modules/security-group/aws/main.tf (terraform)

Tests: 4 (SUCCESSES: 3, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows ingress from public internet.
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
 terraform-aws-modules/security-group/aws/main.tf:197-204
 191   resource "aws_security_group_rule" "ingress_with_cidr_blocks" {
 ...   
 197 ┌   cidr_blocks = split(
 198 │     ",",
 199 │     lookup(
 200 │       var.ingress_with_cidr_blocks[count.index],
 201 │       "cidr_blocks",
 202 │       join(",", var.ingress_cidr_blocks),
 203 └     ),
 ...   

As you can see trivy doesn't provide the resource name which is tricky to troubleshoot since we have several entries on local-vars.tf

Target

None

Scanner

Misconfiguration

[simar7]

Thanks for the detailed info - it makes sense. I'll create an issue (feature request) to track this.

[simar7]

Opened #4581

[felipeng]

thank you!