Trivy terraform misconfiguration scan not picking up files one directory below another file.

[chejn]

Description

The trivy config scanner did not pick up .tf files which were a directory below another .tf file.

PoC files
https://github.com/chejn/trivy-bug-example

What did you expect to happen?

The scanner to pick up all files regardless of directory depth.

What happened instead?

The scanner did not identify any .tf files at all.

Output of run with -debug:

@chejn ➜ /workspaces/Codespace (main ✗) $ trivy config ./Bug2 -d
2022-09-29T00:35:30.806Z        DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2022-09-29T00:35:30.819Z        DEBUG   cache dir:  /home/codespace/.cache/trivy
2022-09-29T00:35:30.819Z        INFO    Misconfiguration scanning is enabled
2022-09-29T00:35:30.993Z        DEBUG   OS is not detected.
2022-09-29T00:35:30.993Z        INFO    Detected config files: 0


@chejn ➜ /workspaces/Codespace (main ✗) $ trivy config ./Bug2/test -d
2022-09-29T00:45:47.773Z        DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2022-09-29T00:45:47.786Z        DEBUG   cache dir:  /home/codespace/.cache/trivy
2022-09-29T00:45:47.786Z        INFO    Misconfiguration scanning is enabled
2022-09-29T00:45:47.961Z        DEBUG   OS is not detected.
2022-09-29T00:45:47.961Z        INFO    Detected config files: 1
2022-09-29T00:45:47.961Z        DEBUG   Scanned config file: main.tf

main.tf (terraform)

Tests: 10 (SUCCESSES: 1, FAILURES: 9, EXCEPTIONS: 0)
Failures: 9 (UNKNOWN: 0, LOW: 1, MEDIUM: 2, HIGH: 6, CRITICAL: 0)

Output of trivy -v:

@chejn ➜ /workspaces/Codespace (main ✗) $ trivy -v
Version: 0.31.2

[sblask]

I am getting the same problem, even if there is no relevant file in the parent folder:

$ ls -lha
total 96
drwxr-xr-x  24 sebastianblask  staff   768B 19 Dec 15:38 .
drwxr-xr-x  11 sebastianblask  staff   352B 11 Nov 09:37 ..
-rw-r--r--   1 sebastianblask  staff    94B  7 Sep 16:04 .editorconfig
drwxr-xr-x  16 sebastianblask  staff   512B 19 Dec 16:20 .git
drwxr-xr-x   5 sebastianblask  staff   160B  1 Nov 22:30 .github
-rw-r--r--   1 sebastianblask  staff    65B 25 Nov 16:20 .gitignore
-rw-r--r--   1 sebastianblask  staff    56B  7 Nov 11:27 .markdownlint.yml
drwxr-xr-x   6 sebastianblask  staff   192B 19 Dec 15:04 .mypy_cache
-rw-r--r--   1 sebastianblask  staff   1.8K 12 Dec 16:41 .pre-commit-config.yaml
-rw-r--r--   1 sebastianblask  staff   513B 17 Oct 11:07 .pylintrc
-rw-r--r--   1 sebastianblask  staff   969B 18 Nov 15:50 .tflint.hcl
drwxr-xr-x   7 sebastianblask  staff   224B 20 Oct 14:19 .venv
-rw-r--r--   1 sebastianblask  staff   276B 20 Oct 15:40 .yamllint.yml
drwxr-xr-x   3 sebastianblask  staff    96B 12 Dec 14:50 Assets
-rw-r--r--   1 sebastianblask  staff   3.2K 14 Dec 14:48 README.md
drwxr-xr-x  26 sebastianblask  staff   832B 19 Dec 15:44 account-configs
drwxr-xr-x   7 sebastianblask  staff   224B 19 Dec 15:47 accounts-and-organisational-units
drwxr-xr-x   5 sebastianblask  staff   160B 19 Dec 15:47 management-account-config
drwxr-xr-x  31 sebastianblask  staff   992B 19 Dec 14:50 modules
-rw-r--r--   1 sebastianblask  staff    30B 17 Oct 11:07 pyproject.toml
-rwxr-xr-x   1 sebastianblask  staff   3.8K 14 Dec 17:07 render_templates.py
-rw-r--r--   1 sebastianblask  staff    12B  1 Nov 22:30 requirements-dev.txt
-rw-r--r--   1 sebastianblask  staff    13B 17 Oct 11:07 requirements.txt
drwxr-xr-x   7 sebastianblask  staff   224B 19 Dec 15:47 users-and-permissions

Gives me:

 $ trivy filesystem --security-checks config --skip-dirs .venv --debug . | head -n 10
2022-12-19T16:17:42.781+1300    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2022-12-19T16:17:42.795+1300    DEBUG   cache dir:  /Users/sebastianblask/Library/Caches/trivy
2022-12-19T16:17:42.795+1300    INFO    Misconfiguration scanning is enabled
2022-12-19T16:17:42.796+1300    DEBUG   Walk the file tree rooted at '.' in parallel
2022-12-19T16:17:47.466+1300    DEBUG   OS is not detected.
2022-12-19T16:17:47.466+1300    INFO    Detected config files: 7
2022-12-19T16:17:47.466+1300    DEBUG   Scanned config file: modules/terraform_resources/main.tf
...

Trivy finds something in modules/ (among others), but not everything. But when I scan on modules/:

$ trivy filesystem --security-checks config --skip-dirs .venv --debug modules | head -n 10
2022-12-19T16:22:32.132+1300    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2022-12-19T16:22:32.146+1300    DEBUG   cache dir:  /Users/sebastianblask/Library/Caches/trivy
2022-12-19T16:22:32.146+1300    INFO    Misconfiguration scanning is enabled
2022-12-19T16:22:32.146+1300    DEBUG   Walk the file tree rooted at 'modules' in parallel
2022-12-19T16:22:32.579+1300    DEBUG   OS is not detected.
2022-12-19T16:22:32.579+1300    INFO    Detected config files: 40
2022-12-19T16:22:32.579+1300    DEBUG   Scanned config file: aws_config
2022-12-19T16:22:32.579+1300    DEBUG   Scanned config file: central_logging_archiver
2022-12-19T16:22:32.579+1300    DEBUG   Scanned config file: central_logging_archiver/main.tf
...

Trivy finds way more. But for some reason also directories and the main.tf in them. However, there are 29 folders under modules, so Trivy finds more, but still no everything.

This is with the latest trivy:

$ trivy -v
Version: 0.35.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2022-12-19 00:11:10.021158045 +0000 UTC
  NextUpdate: 2022-12-19 06:11:10.021157645 +0000 UTC
  DownloadedAt: 2022-12-19 02:53:57.233329 +0000 UTC

[sblask]

When running on modules I also get duplicate findings, see #2962

[tm03068]

I am having a similar issue on my CI runner, the DOCKERFILE config is detected but no terraform files in the child directories are detected. I have tried appending a cd into the directory with a set of the terraform files, these do not get picked up either. The runner is on Alpine Linux . Testing locally on my mac in the same repo directory works ok

[jof]

I'm also running into this today, and realizing that we've been missing a bunch of Trivy-based scanning coverage.

This situation is really misleading, as Trivy is detecting some Terraform files, but seemingly silently ignoring others.

After spending a bunch of time with trivy in a debugger, I realized that this is limited to Terraform files being scanned via defsec. defsec's Terraform scanner appears to try and recursively detect Terraform root modules from the scan target. However, once it finds any Terraform root modules at one level of hierarchy, by default, it stops descending into deeper child directories. If any root modules have been found and the forceAllDirs option isn't set on the scanner, defsec stops the recursive searching.

Trivy, when asked to scan a directory for misconfigurations should (either by default or with a CLI option) actually recursively scan all of the Terraform Root Modules in the directory.

I am locally working around this by adding the ScannerWithAllDirectories options in Trivy's construction of the scanner options. With this set, forceAllDirs gets set on the scanner, and it appears to recursively detect all of the Terraform root modules as expected.
Since I'm not sure why this isn't a default or an exposed option, I'll pop out a PR: #4457

[simar7]

Opened an issue to track this #4463