-
hi @Molaire - it seems to be fine for me: `trivy --debug config .`
2024-08-21T18:19:15-06:00 DEBUG Cache dir dir="/Users/simarpreetsingh/Library/Caches/trivy"
2024-08-21T18:19:15-06:00 DEBUG Parsed severities severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-08-21T18:19:15-06:00 INFO [misconfig] Misconfiguration scanning is enabled
2024-08-21T18:19:15-06:00 DEBUG Loading check bundle repository="ghcr.io/aquasecurity/trivy-checks:0"
2024-08-21T18:19:18-06:00 DEBUG [misconfig] Policies successfully loaded from disk
2024-08-21T18:19:18-06:00 DEBUG Enabling misconfiguration scanners scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-08-21T18:19:18-06:00 DEBUG Initializing scan cache... type="memory"
2024-08-21T18:19:18-06:00 DEBUG Scanning files for misconfigurations... scanner="Terraform Plan JSON"
2024-08-21T18:19:18-06:00 DEBUG [misconf] 19:18.712756000 tfplan.scanner Scanning file tfplan.json
2024-08-21T18:19:18-06:00 DEBUG [misconf] 19:18.713261000 terraform.scanner Scanning [&{%!s(*memoryfs.dir=&{{{0 0} 0 0 {{} 0} {{} 0}} {. 256 {13954894796821672200 3388316585 0x1093673c0} 2147484096 <nil>} map[] map[main.tf:0x140019eb700]})}] at '.'...
2024-08-21T18:19:18-06:00 DEBUG [misconf] 19:18.715276000 terraform.scanner.rego Overriding filesystem for checks!
2024-08-21T18:19:18-06:00 DEBUG [misconf] 19:18.715922000 terraform.scanner.rego Loaded 3 embedded libraries.
2024-08-21T18:19:18-06:00 DEBUG [misconf] 19:18.747139000 terraform.scanner.rego Loaded 192 embedded policies.
2024-08-21T18:19:18-06:00 DEBUG [misconf] 19:18.798862000 terraform.scanner.rego Loaded 195 checks from disk.
2024-08-21T18:19:18-06:00 DEBUG [misconf] 19:18.799133000 terraform.scanner.rego Overriding filesystem for data!
2024-08-21T18:19:18-06:00 DEBUG [misconf] 19:18.992562000 terraform.parser.<root> Setting project/module root to '.'
2024-08-21T18:19:18-06:00 DEBUG [misconf] 19:18.992592000 terraform.parser.<root> Parsing FS from '.'
2024-08-21T18:19:18-06:00 DEBUG [misconf] 19:18.992599000 terraform.parser.<root> Parsing 'main.tf'...
2024-08-21T18:19:18-06:00 DEBUG [misconf] 19:18.992837000 terraform.parser.<root> Added file main.tf.
2024-08-21T18:19:18-06:00 DEBUG [misconf] 19:18.992920000 terraform.scanner Scanning root module '.'...
2024-08-21T18:19:18-06:00 DEBUG [misconf] 19:18.992924000 terraform.parser.<root> Setting project/module root to '.'
2024-08-21T18:19:18-06:00 DEBUG [misconf] 19:18.992926000 terraform.parser.<root> Parsing FS from '.'
2024-08-21T18:19:18-06:00 DEBUG [misconf] 19:18.992929000 terraform.parser.<root> Parsing 'main.tf'...
2024-08-21T18:19:18-06:00 DEBUG [misconf] 19:18.992960000 terraform.parser.<root> Added file main.tf.
2024-08-21T18:19:18-06:00 DEBUG [misconf] 19:18.992963000 terraform.parser.<root> Evaluating module...
2024-08-21T18:19:18-06:00 DEBUG [misconf] 19:18.992989000 terraform.parser.<root> Read 1 block(s) and 0 ignore(s) for module 'root' (1 file[s])...
2024-08-21T18:19:18-06:00 DEBUG [misconf] 19:18.993051000 terraform.parser.<root> Added 0 variables from tfvars.
2024-08-21T18:19:18-06:00 DEBUG [misconf] 19:18.993133000 terraform.parser.<root> Working directory for module evaluation is "/Users/simarpreetsingh/repos/trivy-issues/7363"
2024-08-21T18:19:18-06:00 DEBUG [misconf] 19:18.993214000 terraform.parser.<root>.evaluator Filesystem key is 'b25df03676d4189b5b4d9c56a0dff39c5246aef1172da11370701526debf0be3'
2024-08-21T18:19:18-06:00 DEBUG [misconf] 19:18.993217000 terraform.parser.<root>.evaluator Starting module evaluation...
2024-08-21T18:19:18-06:00 DEBUG [misconf] 19:18.993289000 terraform.parser.<root>.evaluator Starting submodule evaluation...
2024-08-21T18:19:18-06:00 DEBUG [misconf] 19:18.993292000 terraform.parser.<root>.evaluator All submodules are evaluated at i=0
2024-08-21T18:19:18-06:00 DEBUG [misconf] 19:18.993295000 terraform.parser.<root>.evaluator Starting post-submodule evaluation...
2024-08-21T18:19:18-06:00 DEBUG [misconf] 19:18.993595000 terraform.parser.<root>.evaluator Finished processing 0 submodule(s).
2024-08-21T18:19:18-06:00 DEBUG [misconf] 19:18.993598000 terraform.parser.<root>.evaluator Module evaluation complete.
2024-08-21T18:19:18-06:00 DEBUG [misconf] 19:18.993602000 terraform.parser.<root> Finished parsing module 'root'.
2024-08-21T18:19:18-06:00 DEBUG [misconf] 19:18.993606000 terraform.executor Adapting modules...
2024-08-21T18:19:18-06:00 DEBUG [misconf] 19:18.994061000 terraform.executor Adapted 1 module(s) into defsec state data.
2024-08-21T18:19:18-06:00 DEBUG [misconf] 19:18.994065000 terraform.executor Using max routines of 9
2024-08-21T18:19:18-06:00 DEBUG [misconf] 19:18.994125000 terraform.executor Initialized 487 rule(s).
2024-08-21T18:19:18-06:00 DEBUG [misconf] 19:18.994128000 terraform.executor Created pool with 9 worker(s) to apply rules.
2024-08-21T18:19:18-06:00 DEBUG [misconf] 19:18.996463000 terraform.scanner.rego Scanning 1 inputs...
2024-08-21T18:19:18-06:00 DEBUG [misconf] 19:18.998468000 terraform.executor Finished applying rules.
2024-08-21T18:19:18-06:00 DEBUG [misconf] 19:18.998497000 terraform.executor Applying ignores...
2024-08-21T18:19:19-06:00 DEBUG OS is not detected.
2024-08-21T18:19:19-06:00 INFO Detected config files num=2
2024-08-21T18:19:19-06:00 DEBUG Scanned config file file_path="."
2024-08-21T18:19:19-06:00 DEBUG Scanned config file file_path="main.tf"
2024-08-21T18:19:19-06:00 DEBUG [vex] VEX filtering is disabled
main.tf (terraformplan)
Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)
HIGH: Instance does not require IMDS access to require a token
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.
See https://avd.aquasec.com/misconfig/avd-aws-0028
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
main.tf:8
via main.tf:5-9 (metadata_options)
via main.tf:1-10 (aws_instance.bad_example)
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 resource "aws_instance" "bad_example" {
2 ami = "ami-005e54dee72cc1d00"
3 instance_type = "t2.micro"
4 source_dest_check = true
5 metadata_options {
6 http_endpoint = "enabled"
7 http_protocol_ipv6 = "disabled"
8 [ http_tokens = "optional"
9 }
10 }
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
HIGH: Root block device is not encrypted.
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.
See https://avd.aquasec.com/misconfig/avd-aws-0131
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
main.tf:1-10
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 ┌ resource "aws_instance" "bad_example" {
2 │ ami = "ami-005e54dee72cc1d00"
3 │ instance_type = "t2.micro"
4 │ source_dest_check = true
5 │ metadata_options {
6 │ http_endpoint = "enabled"
7 │ http_protocol_ipv6 = "disabled"
8 │ http_tokens = "optional"
9 │ }
10 └ }
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
➜ 7363 trivy --version
Version: 0.54.1
Check Bundle:
Digest: sha256:ef2d9ad4fce0f933b20a662004d7e55bf200987c180e7f2cd531af631f408bb3
DownloadedAt: 2024-08-22 00:19:18.60706 +0000 UTC
-
Seems you copied the values of my plan file into HCL files and ran `trivy config` against that. I guess I missed an important detail here: I have no problem with Terraform file scanning, my issue is with the Terraform plan JSON scanning capabilities of Trivy, and that's the reason I only gave the plan JSON. We use Terragrunt, so only scanning HCL files will generate a lot of blind spots for us, and that's why I'm testing JSON plan scanning.
-
Thank you! That clears things up.
-
Description
Hello, I planned a dummy Terraform project using our boilerplate, turned it into a JSON and Trivy does not seem to be able to scan it. I have no problem with Regula and Checkov.
I'm wondering what part of the plan is tripping up Trivy.
It shows no successful check using `--include-non-failures`, so it seems it's simply not able to scan it.
Pastebin of JSON plan: https://pastebin.com/zjb0xgti
Desired Behavior
It should trigger the IMDSv2 check
Actual Behavior
It scans no resource at all
Reproduction Steps
1. Use shared plan
2. Run `trivy conf ./tf_plan.json --include-non-failures -v`
3. Be sad ...
Target: None
Scanner: None
Output Format: None
Mode: None
Debug Output
Operating System: Ubuntu Jammy
Version
Checklist
- `trivy clean --all`
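The thread turns on what a scanner actually reads out of a Terraform plan JSON: resources live under `planned_values.root_module.resources` (and, for Terragrunt-style layouts, under nested `child_modules`), and every nested block such as `metadata_options` or `root_block_device` is rendered as a list. The following walker, written here as an added example and not Trivy's own implementation, applies the two findings from the maintainer's HCL run (AVD-AWS-0028 IMDSv2 tokens, AVD-AWS-0131 root volume encryption) directly to plan JSON, and also reports how many resources it found so a plan that yields zero tests, the failure mode in the report, is distinguishable from a plan that is simply clean. The embedded plan is constructed for the example, not the pastebin plan from the issue; pass a real `terraform show -json tfplan` file as the first argument to scan that instead.

```python
import json
import sys
from typing import Iterator

# Constructed sample of a Terraform plan JSON (output of `terraform show -json`),
# trimmed to the keys this example reads. Two instances: one repeats the weak
# settings from the maintainer's HCL run, the other carries the fixed ones.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "terraform_version": "1.9.0",
    "planned_values": {
        "root_module": {
            "resources": [
                {
                    "address": "aws_instance.bad_example",
                    "type": "aws_instance",
                    "name": "bad_example",
                    "values": {
                        "ami": "ami-005e54dee72cc1d00",
                        "instance_type": "t2.micro",
                        "metadata_options": [
                            {"http_endpoint": "enabled", "http_tokens": "optional"}
                        ],
                        "root_block_device": [],
                    },
                }
            ],
            "child_modules": [
                {
                    "address": "module.web",
                    "resources": [
                        {
                            "address": "module.web.aws_instance.good_example",
                            "type": "aws_instance",
                            "name": "good_example",
                            "values": {
                                "ami": "ami-005e54dee72cc1d00",
                                "instance_type": "t2.micro",
                                "metadata_options": [{"http_tokens": "required"}],
                                "root_block_device": [{"encrypted": True}],
                            },
                        }
                    ],
                }
            ],
        }
    },
}


def iter_resources(module: dict) -> Iterator[dict]:
    """Yield every resource in a planned_values module, descending into child_modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def first_block(values: dict, name: str) -> dict:
    """Nested blocks are lists in plan JSON; return the first block or {} if absent/empty."""
    blocks = values.get(name) or []
    return blocks[0] if blocks else {}


def check_instance(res: dict) -> list[str]:
    """Apply the two checks from the thread to one aws_instance resource."""
    findings = []
    values = res.get("values") or {}
    # AVD-AWS-0028: IMDSv2 session tokens must be mandatory, not optional.
    if first_block(values, "metadata_options").get("http_tokens") != "required":
        findings.append("AVD-AWS-0028: IMDS http_tokens is not 'required'")
    # AVD-AWS-0131: an unset or unencrypted root_block_device is a finding.
    if first_block(values, "root_block_device").get("encrypted") is not True:
        findings.append("AVD-AWS-0131: root block device is not encrypted")
    return findings


def scan_plan(plan: dict) -> dict:
    """Return {'resources': count seen, 'findings': {address: [..]}}.

    A count of 0 means nothing was found under planned_values.root_module,
    i.e. the plan would produce no tests at all rather than passing them.
    """
    root = plan.get("planned_values", {}).get("root_module", {})
    seen = 0
    findings: dict[str, list[str]] = {}
    for res in iter_resources(root):
        seen += 1
        if res.get("type") == "aws_instance":
            hits = check_instance(res)
            if hits:
                findings[res["address"]] = hits
    return {"resources": seen, "findings": findings}


if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    result = scan_plan(plan)
    if result["resources"] == 0:
        print("no resources under planned_values.root_module: nothing to scan")
    for addr, hits in result["findings"].items():
        for hit in hits:
            print(f"{addr}: {hit}")
```

Values that are only known after apply are not in `planned_values` but in `resource_changes[].change.after_unknown`, so a plan whose `encrypted` flag comes from a computed expression will not show up here; the fix on the HCL side is `http_tokens = "required"` inside `metadata_options` and `encrypted = true` inside a `root_block_device` block.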