trivy does not report AVD-AZU-0011 where tfsec does

[tbutler-qontigo]

Description

Hi
Given that tfsec is deprecated in favour of trivy, I would expect that it will detect all the same issues.

Trivy does not seem to detect AVD-AZU-0011 - azure-storage-use-secure-tls-policy in terraform files.

Desired Behavior

Trivy should detect and report AVD-AZU-0011 issues

Actual Behavior

These issues are ignored

Reproduction Steps

Given a simple `main.tf` like this:

resource "azurerm_storage_account" "storage_account" {
  name                     = var.storage_account_name
}

and trivy and tflint installed in the bin folder

1. ./bin/trivy.exe fs --list-all-pkgs --scanners config,secret,vuln --format json --debug .\main.tf
2. ./bin/tfsec-windows-amd64.exe . --force-all-dirs --soft-fail --format json

You will observe that tfsec reports the issue but trivy reports no issues.

### Target

Filesystem

### Scanner

None

### Output Format

JSON

### Mode

Standalone

### Debug Output

```bash
2023-05-18T14:34:59.073+0100    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-05-18T14:34:59.084+0100    DEBUG   cache dir:  C:\Users\tbutler\AppData\Local\trivy
2023-05-18T14:34:59.090+0100    DEBUG   DB update was skipped because the local DB is the latest
2023-05-18T14:34:59.091+0100    DEBUG   DB Schema: 2, UpdatedAt: 2023-05-18 12:08:10.489048316 +0000 UTC, NextUpdate: 2023-05-18 18:08:10.489047716 +0000 UTC, DownloadedAt: 2023-05-18 12:09:26.547086 +0000 UTC
2023-05-18T14:34:59.096+0100    INFO    Vulnerability scanning is enabled
2023-05-18T14:34:59.096+0100    DEBUG   Vulnerability type:  [os library]
2023-05-18T14:34:59.096+0100    INFO    Misconfiguration scanning is enabled
2023-05-18T14:34:59.106+0100    DEBUG   Policies successfully loaded from disk
2023-05-18T14:34:59.106+0100    INFO    Secret scanning is enabled
2023-05-18T14:34:59.106+0100    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-05-18T14:34:59.106+0100    INFO    Please see also https://aquasecurity.github.io/trivy/v0.41/docs/secret/scanning/#recommendation for faster secret detection
2023-05-18T14:34:59.106+0100    DEBUG   No secret config detected: trivy-secret.yaml
2023-05-18T14:34:59.160+0100    DEBUG   Walk the file tree rooted at 'main.tf' in parallel
2023-05-18T14:34:59.161+0100    DEBUG   Scanning Terraform files for misconfigurations...
2023-05-18T14:35:00.544+0100    DEBUG   OS is not detected.
2023-05-18T14:35:00.544+0100    DEBUG   Detected OS: unknown
2023-05-18T14:35:00.544+0100    INFO    Number of language-specific files: 0
2023-05-18T14:35:00.544+0100    INFO    Detected config files: 1
2023-05-18T14:35:00.544+0100    DEBUG   Scanned config file: main.tf
{
  "SchemaVersion": 2,
  "ArtifactName": "main.tf",
  "ArtifactType": "filesystem",
  "Metadata": {
    "ImageConfig": {
      "architecture": "",
      "created": "0001-01-01T00:00:00Z",
      "os": "",
      "rootfs": {
        "type": "",
        "diff_ids": null
      },
      "config": {}
    }
  },
  "Results": [
    {
      "Target": "main.tf",
      "Class": "config",
      "Type": "terraform",
      "MisconfSummary": {
        "Successes": 2,
        "Failures": 0,
        "Exceptions": 0
      }
    }
  ]
}

### Operating System

Windows

### Version

```bash
0.41.0

Checklist

• Run trivy --reset
• Read the troubleshooting

[AnaisUrlichs]

Hi there, shared this issue under defsec which provides the default policies for the Terraform scanning in Trivy https://github.com/aquasecurity/defsec/issues/1328

[tbutler-qontigo]

Thanks though my understanding is that tfsec uses defsec too...so it it works for that, it should work for trivy too right?
Unless the version of defsec used by the current version of trivy is different to that used by tfsec and perhaps this is a regression?

[simar7]

Thanks for reporting. I've opened #4461 to track it.