Trivy lacks tfsec option --exclude-downloaded-modules

[bodgit]

Description

It has become apparent we should migrate from tfsec to Trivy.

We don't do much in the way of tfsec customisation but one option we do use is --exclude-downloaded-modules. The theory being there's little value in being notified about issues in third-party modules that we have no control over, and maintaining long lists of # tfsec:ignore:... magic comments could get annoying. This option succinctly restricted any issues to just the local codebase.

I can't see an analogous option in Trivy to achieve the same. I can do --skip-dirs=.terraform which stops Trivy scanning the downloaded module source, including any examples, etc., but it still flags issues with any module {} blocks and I don't really want to have to add long lists of # trivy:ignore:{this,that,something} comments that could require maintenance when the module is updated. We have Dependabot automatically raise PRs to update modules and it will break that workflow if someone has to manually add more magic comments to get the PR to pass the Trivy workflow that we would inevitably have, (we currently have a tfsec-based one).

Desired Behavior

Equivalent functionality to tfsec --exclude-downloaded-modules.

Actual Behavior

External modules are still scanned.

Reproduction Steps

1.
2.
3.
...

Target

Git Repository

Scanner

Misconfiguration

Output Format

None

Mode

Standalone

Debug Output

n/a

Operating System

Ubuntu

Version

Version: 0.42.1
Policy Bundle:
  Digest: sha256:030345bff4845bae1c89450da85681bc25c0c40d2144a0d9db5254674d155298
  DownloadedAt: 2023-06-08 16:15:38.336264863 +0000 UTC

Checklist

• Run trivy --reset
• Read the troubleshooting

[simar7]

hi can you explain a little more on the following:

I can do --skip-dirs=.terraform which stops Trivy scanning the downloaded module source, including any examples, etc., but it still flags issues with any module {} blocks

[bodgit]

So in my repo, I have the following:

module "some_security_group" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "x.y.z"

  ...
}

Running trivy config --skip-dirs=.terraform . gives me this error:

2023-06-12T12:01:28.948+0100    INFO    Misconfiguration scanning is enabled
2023-06-12T12:01:40.495+0100    INFO    Detected config files: 8

terraform-aws-modules/security-group/aws/main.tf (terraform)

Tests: 5 (SUCCESSES: 4, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 terraform-aws-modules/security-group/aws/main.tf:634-641
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── 
628   resource "aws_security_group_rule" "egress_with_cidr_blocks" {
 ...
 634 ┌   cidr_blocks = compact(split(
 635 │     ",",
 636 │     lookup(
 637 │       var.egress_with_cidr_blocks[count.index],
 638 │       "cidr_blocks",
 639 │       join(",", var.egress_cidr_blocks),
 640 └     ),
 ...
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

So Trivy isn't scanning every .tf file in the module source under .terraform, but still seems to be following the module {} blocks and warning me about a resource outside of my control.

(I think #4581 is related in that it's hard to work out which module {} block is responsible)

Running tfsec --exclude-downloaded-modules . doesn't flag that module block.

[simar7]

Got it. Thanks for the clarification. I'll convert this into a feature request so we can track it.

[simar7]

Tracking here #4618

[knqyf263]

So, can we close the discussion?

[bodgit]

I'm subscribed to the feature request so feel free to close this now.