trivy config --severity LOW,MEDIUM,HIGH <dir> -f table did not display table format #5133
Replies: 5 comments
-
I assume you're looking to see a table in the output? It's hard to see from the GitHub formatting what the desired result is. If so, how did you output it? Do you have a PR with a change that you'd like us to review? Sorry if I didn't understand your ask.
-
@simar7 Yes, I am looking for a table format in the output, but the output I am getting is NOT a table format. I am just wondering whether that is a bug. This is the output I am getting:
LOW: EBS volume does not use a customer-managed KMS key.
See https://avd.aquasec.com/misconfig/avd-aws-0027
vpc/.terragrunt-cache/3518G5f4Aho35HO7CVuZ9JgSXWw/dKHwDCqEBF9X6-07S_xJnXKSKgU/application/aws/modules/vpc/main.tf (terraform)
Tests: 2 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 0)
MEDIUM: VPC Flow Logs is not enabled for VPC
See https://avd.aquasec.com/misconfig/avd-aws-0178
MEDIUM: VPC Flow Logs is not enabled for VPC
See https://avd.aquasec.com/misconfig/avd-aws-0178
-
Hi @zhihao-infstones! Apparently you expect to see tables in the literal sense, but this is the correct output for the table format.
https://github.com/aquasecurity/trivy/tree/v0.36.1/examples/misconf/mixed is a link to an outdated example (now version 0.45).
Example output:
❯ trivy conf . --severity LOW,MEDIUM,HIGH
2023-09-07T13:19:55.785+0700 INFO Misconfiguration scanning is enabled
2023-09-07T13:19:56.132+0700 INFO Detected config files: 2
main.tf (terraform)
Tests: 10 (SUCCESSES: 1, FAILURES: 9, EXCEPTIONS: 0)
Failures: 9 (LOW: 2, MEDIUM: 1, HIGH: 6)
HIGH: No public access block so not blocking public acls
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.
See https://avd.aquasec.com/misconfig/avd-aws-0086
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
main.tf:1-3
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "this" {
2 │ bucket = "test"
3 └ }
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
HIGH: No public access block so not blocking public policies
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
See https://avd.aquasec.com/misconfig/avd-aws-0087
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
main.tf:1-3
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "this" {
2 │ bucket = "test"
3 └ }
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
HIGH: Bucket does not have encryption enabled
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.
See https://avd.aquasec.com/misconfig/avd-aws-0088
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
main.tf:1-3
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "this" {
2 │ bucket = "test"
3 └ }
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
LOW: Bucket has logging disabled
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Ensures S3 bucket logging is enabled for S3 buckets
See https://avd.aquasec.com/misconfig/avd-aws-0089
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
main.tf:1-3
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "this" {
2 │ bucket = "test"
3 └ }
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
MEDIUM: Bucket does not have versioning enabled
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Versioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket.
You can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets.
With versioning you can recover more easily from both unintended user actions and application failures.
See https://avd.aquasec.com/misconfig/avd-aws-0090
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
main.tf:1-3
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "this" {
2 │ bucket = "test"
3 └ }
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
HIGH: No public access block so not ignoring public acls
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
See https://avd.aquasec.com/misconfig/avd-aws-0091
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
main.tf:1-3
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "this" {
2 │ bucket = "test"
3 └ }
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
HIGH: No public access block so not restricting public buckets
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.
See https://avd.aquasec.com/misconfig/avd-aws-0093
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
main.tf:1-3
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "this" {
2 │ bucket = "test"
3 └ }
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
LOW: Bucket does not have a corresponding public access block.
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
The "block public access" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.
See https://avd.aquasec.com/misconfig/avd-aws-0094
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
main.tf:1-3
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "this" {
2 │ bucket = "test"
3 └ }
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
HIGH: Bucket does not encrypt data with a customer managed key.
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
main.tf:1-3
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "this" {
2 │ bucket = "test"
3 └ }
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
❯ trivy conf . --severity LOW,MEDIUM,HIGH -f table
2023-09-07T13:20:00.891+0700 INFO Misconfiguration scanning is enabled
2023-09-07T13:20:01.228+0700 INFO Detected config files: 2
main.tf (terraform)
Tests: 10 (SUCCESSES: 1, FAILURES: 9, EXCEPTIONS: 0)
Failures: 9 (LOW: 2, MEDIUM: 1, HIGH: 6)
HIGH: No public access block so not blocking public acls
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.
See https://avd.aquasec.com/misconfig/avd-aws-0086
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
main.tf:1-3
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "this" {
2 │ bucket = "test"
3 └ }
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
HIGH: No public access block so not blocking public policies
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
See https://avd.aquasec.com/misconfig/avd-aws-0087
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
main.tf:1-3
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "this" {
2 │ bucket = "test"
3 └ }
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
HIGH: Bucket does not have encryption enabled
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.
See https://avd.aquasec.com/misconfig/avd-aws-0088
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
main.tf:1-3
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "this" {
2 │ bucket = "test"
3 └ }
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
LOW: Bucket has logging disabled
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Ensures S3 bucket logging is enabled for S3 buckets
See https://avd.aquasec.com/misconfig/avd-aws-0089
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
main.tf:1-3
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "this" {
2 │ bucket = "test"
3 └ }
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
MEDIUM: Bucket does not have versioning enabled
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Versioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket.
You can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets.
With versioning you can recover more easily from both unintended user actions and application failures.
See https://avd.aquasec.com/misconfig/avd-aws-0090
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
main.tf:1-3
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "this" {
2 │ bucket = "test"
3 └ }
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
HIGH: No public access block so not ignoring public acls
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
See https://avd.aquasec.com/misconfig/avd-aws-0091
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
main.tf:1-3
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "this" {
2 │ bucket = "test"
3 └ }
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
HIGH: No public access block so not restricting public buckets
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.
See https://avd.aquasec.com/misconfig/avd-aws-0093
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
main.tf:1-3
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "this" {
2 │ bucket = "test"
3 └ }
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
LOW: Bucket does not have a corresponding public access block.
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
The "block public access" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.
See https://avd.aquasec.com/misconfig/avd-aws-0094
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
main.tf:1-3
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "this" {
2 │ bucket = "test"
3 └ }
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
HIGH: Bucket does not encrypt data with a customer managed key.
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
main.tf:1-3
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "this" {
2 │ bucket = "test"
3 └ }
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
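The `table` format in current trivy is the block-per-finding layout shown in the reply above. If you need an actual grid (for a ticket, a wiki page, or diffing two runs), scan with `-f json` and render the report yourself. The script below is an added example written for this discussion, not trivy's own code and not part of the original reply. It assumes the JSON layout of recent trivy releases (`Results[].Misconfigurations[]` with `ID`, `Title`, `Severity`, `Status`, `PrimaryURL` and `CauseMetadata.Resource/StartLine/EndLine`); verify that against your own `-f json` output. The embedded report is a constructed sample, not a captured scan, and the severity gate reproduces what `--exit-code 1 --severity HIGH,CRITICAL` would do on the CLI.

```python
"""Turn `trivy config -f json` output into a real grid table plus a severity gate.

Added example for this discussion, not trivy's own code. The report schema
(Results[].Misconfigurations[] with ID/Title/Severity/Status/PrimaryURL and
CauseMetadata.Resource/StartLine/EndLine) is an assumption about recent trivy
releases; check it against your own `-f json` output.
"""
import json
import sys
from collections import Counter
from pathlib import Path

# Constructed sample shaped like a trivy JSON report; not captured from a real scan.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "main.tf",
        "Class": "config",
        "Type": "terraform",
        "MisconfSummary": {"Successes": 1, "Failures": 3, "Exceptions": 0},
        "Misconfigurations": [
            {"ID": "AVD-AWS-0086", "Title": "No public access block so not blocking public acls",
             "Severity": "HIGH", "Status": "FAIL",
             "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0086",
             "CauseMetadata": {"Resource": "aws_s3_bucket.this", "StartLine": 1, "EndLine": 3}},
            {"ID": "AVD-AWS-0089", "Title": "Bucket has logging disabled",
             "Severity": "LOW", "Status": "FAIL",
             "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0089",
             "CauseMetadata": {"Resource": "aws_s3_bucket.this", "StartLine": 1, "EndLine": 3}},
            {"ID": "AVD-AWS-0090", "Title": "Bucket does not have versioning enabled",
             "Severity": "MEDIUM", "Status": "FAIL",
             "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0090",
             "CauseMetadata": {"Resource": "aws_s3_bucket.this", "StartLine": 1, "EndLine": 3}},
        ],
    }],
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
COLUMNS = ["target", "id", "severity", "resource", "lines", "title"]


def flatten(report_json):
    """One row per failed check, sorted by severity (highest first), then by ID."""
    rows = []
    for result in json.loads(report_json).get("Results", []):
        for m in result.get("Misconfigurations", []):
            if m.get("Status", "FAIL") != "FAIL":  # skip PASS entries from --include-non-failures
                continue
            cause = m.get("CauseMetadata", {})
            rows.append({
                "target": result.get("Target", ""),
                "id": m.get("ID", ""),
                "severity": m.get("Severity", "UNKNOWN"),
                "resource": cause.get("Resource", ""),
                "lines": f"{cause.get('StartLine', '?')}-{cause.get('EndLine', '?')}",
                "title": m.get("Title", ""),
            })
    rows.sort(key=lambda r: (-SEVERITY_RANK.get(r["severity"], 0), r["id"]))
    return rows


def render_table(rows):
    """Render rows as an ASCII grid in the +---+ style of older trivy releases."""
    widths = {c: len(c) for c in COLUMNS}
    for r in rows:
        for c in COLUMNS:
            widths[c] = max(widths[c], len(r[c]))
    sep = "+" + "+".join("-" * (widths[c] + 2) for c in COLUMNS) + "+"

    def line(values):
        return "|" + "|".join(f" {v.ljust(widths[c])} " for c, v in zip(COLUMNS, values)) + "|"

    out = [sep, line([c.upper() for c in COLUMNS]), sep]
    out.extend(line([r[c] for c in COLUMNS]) for r in rows)
    out.append(sep)
    return "\n".join(out)


def summary(rows):
    """Counts per severity, e.g. {'HIGH': 1, 'MEDIUM': 1, 'LOW': 1}."""
    return dict(Counter(r["severity"] for r in rows))


def should_fail(rows, threshold="HIGH"):
    """True if any finding is at or above `threshold` (what --exit-code 1 --severity HIGH,CRITICAL does)."""
    return any(SEVERITY_RANK.get(r["severity"], 0) >= SEVERITY_RANK[threshold] for r in rows)


if __name__ == "__main__":
    # Usage: trivy config -f json -o report.json <dir>; python trivy_table.py report.json
    data = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_REPORT
    findings = flatten(data)
    print(render_table(findings))
    print("Failures:", summary(findings))
    sys.exit(1 if should_fail(findings) else 0)
```

Run with no argument to see the grid for the embedded sample; point it at a real `-f json` report to render your own scan. The sort puts CRITICAL/HIGH findings at the top so the rows you must act on are visible before the LOWs, and the non-zero exit on HIGH or above lets the same script act as a CI gate.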
-
Got it, so that is the correct table format, thanks for the update. I am closing this issue.
-
Description
When I use this command trivy config --severity LOW,MEDIUM,HIGH -f table to scan the terraform module, the output was not showing as the table format. Some of the output is shown below.
Desired Behavior
I expected the output should look like this
main.tf (terraform)
Tests: 19 (SUCCESSES: 11, FAILURES: 8, EXCEPTIONS: 0)
Failures: 8 (HIGH: 6, CRITICAL: 1)
+------------------------------------------+------------+------------------------------------------+----------+--------------------------------------------------------+
| TYPE | MISCONF ID | CHECK | SEVERITY | MESSAGE |
+------------------------------------------+------------+------------------------------------------+----------+--------------------------------------------------------+
| Terraform Security Check powered by | AWS003 | AWS Classic resource usage. | HIGH | Resource |
| tfsec | | | | 'aws_db_security_group.my-group' |
| | | | | uses EC2 Classic. Use a VPC instead. |
| | | | | -->tfsec.dev/docs/aws/AWS003/ |
| | AWS004 | Use of plain HTTP. | CRITICAL | Resource |
| | | | | 'aws_alb_listener.my-alb-listener' |
| | | | | uses plain HTTP instead of HTTPS. |
| | | | | -->tfsec.dev/docs/aws/AWS004/ |
| | AWS018 | Missing description for security | HIGH | Resource |
| | | group/security group rule. | | 'aws_security_group_rule.my-rule' should |
| | | | | include a description for auditing |
| | | | | purposes. -->tfsec.dev/docs/aws/AWS018/ |
| | AWS025 | API Gateway domain name uses outdated | | Resource |
| | | SSL/TLS protocols. | | 'aws_api_gateway_domain_name.empty_security_policy' |
| | | | | defines outdated SSL/TLS policies (not using |
| | | | | TLS_1_2). -->tfsec.dev/docs/aws/AWS025/ |
| | | | | Resource |
| | | | | 'aws_api_gateway_domain_name.missing_security_policy' |
| | | | | should include security_policy (defaults to outdated |
| | | | | SSL/TLS policy). -->tfsec.dev/docs/aws/AWS025/ |
| | | | | Resource |
| | | | | 'aws_api_gateway_domain_name.outdated_security_policy' |
| | | | | defines outdated SSL/TLS policies (not using TLS_1_2). |
| | | | | -->tfsec.dev/docs/aws/AWS025/ |
| | AZU003 | Unencrypted managed disk. | | Resource 'azurerm_managed_disk.source' |
| | | | | defines an unencrypted managed disk. |
| | | | | -->tfsec.dev/docs/azure/AZU003/ |
+------------------------------------------+------------+------------------------------------------+----------+--------------------------------------------------------+
Actual Behavior
But the actual output is this
modules/volume/main.tf (terraform)
Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (LOW: 2, MEDIUM: 0, HIGH: 2)
HIGH: EBS volume is not encrypted.
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
By enabling encryption on EBS volumes you protect the volume, the disk I/O and any derived snapshots from compromise if intercepted.
See https://avd.aquasec.com/misconfig/avd-aws-0026
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
modules/volume/main.tf:4-22
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
4 ┌ resource "aws_ebs_volume" "CreateVolume" {
5 │ count = var.volumeCount
6 │ availability_zone = data.aws_availability_zones.azs.names[count.index]
7 │ iops = var.dataDiskIops
8 │ size = var.dataDiskSize
9 │ type = var.dataDiskType
10 │ snapshot_id = var.snapshotId
11 │
12 └ tags = merge(
..
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Reproduction Steps
Target: Filesystem
Scanner: Misconfiguration
Output Format: Table
Mode: None
Debug Output
Operating System: MAC/ubuntu2004
Version
Checklist
trivy image --reset