We are migrating from tfsec to trivy and trivy is not scanning most of the nested terraform modules in one of our projects - the number of config files detected is fewer than expected and expected misconfigurations are not flagged. The reason for this seems to be that they are called in a loop based on a variable defined in a symlinked file (simplified version of our project structure below).
virtual_environments is defined in the variables file, which is actually a symlink from the root module directory: variables.tf -> ../../shared/variables.tf
The actual value for virtual_environments for an environment is in a tfvars file which is passed in as an argument to the trivy config command.
If I replace the symlink to variables.tf with an actual variables.tf file with exactly the same content, then the number of config files detected is greater and ../../modules/0_network is actually scanned, so it looks like it is the symlink that is causing the issue. We use the symlink to a shared file because we have multiple layers in the project which use the same variables, so this way we only have to update them in one place. tfsec works fine with this.
I've found #4184 which says that symlinks are not supported, but it's from last year and was wondering if it is still the case, and if there are any plans to add support?
Target: Filesystem
Scanner: Misconfiguration
Output Format: None
Mode: None
Operating System: macOS Sonoma
Version:
% trivy --version
Version: 0.51.2
Vulnerability DB:
Version: 2
UpdatedAt: 2024-06-07 12:13:50.7744497 +0000 UTC
NextUpdate: 2024-06-07 18:13:50.774449409 +0000 UTC
DownloadedAt: 2024-06-07 13:31:05.815831 +0000 UTC
Check Bundle:
Digest: sha256:ef2d9ad4fce0f933b20a662004d7e55bf200987c180e7f2cd531af631f408bb3
DownloadedAt: 2024-08-28 14:16:07.350996 +0000 UTC
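To reproduce the layout described in the report and apply the workaround the reporter observed (replacing the symlink with a regular file of the same content before scanning), here is an added shell example; it is not code from the issue or from the Trivy project, and the stack directory names, the `cidr` attribute and the `dev.tfvars` file name are assumptions.

```shell
#!/usr/bin/env sh
# Added example, not from the issue or Trivy. Builds a minimal copy of the
# reported structure (shared variables.tf symlinked into a stack, modules
# called with for_each over var.virtual_environments) and materializes the
# symlinks so a scanner that does not follow links still sees the files.
set -eu

# Create the scratch layout under $1. Names below are assumptions.
make_layout() {
  root="$1"
  mkdir -p "$root/shared" "$root/modules/0_network" "$root/stacks/dev"
  cat > "$root/shared/variables.tf" <<'EOF'
variable "virtual_environments" {
  type = map(object({ cidr = string }))
}
EOF
  cat > "$root/modules/0_network/main.tf" <<'EOF'
variable "cidr" { type = string }
EOF
  cat > "$root/stacks/dev/main.tf" <<'EOF'
module "network" {
  for_each = var.virtual_environments
  source   = "../../modules/0_network"
  cidr     = each.value.cidr
}
EOF
  cat > "$root/stacks/dev/dev.tfvars" <<'EOF'
virtual_environments = { "ve1" = { cidr = "10.0.0.0/16" } }
EOF
  # The symlink the reporter describes, relative to the stack directory.
  ln -s ../../shared/variables.tf "$root/stacks/dev/variables.tf"
}

# Replace every symlinked *.tf / *.tfvars below $1 with a regular copy of its
# target (do this on a throwaway CI checkout, not in the repository itself).
# Prints the number of matching symlinks that remain; 0 means all replaced.
materialize_symlinks() {
  dir="$1"
  find "$dir" -type l \( -name '*.tf' -o -name '*.tfvars' \) | while IFS= read -r f; do
    tmp=$(mktemp "$f.XXXXXX")
    cat "$f" > "$tmp"   # reading through the link copies the target's content
    mv -f "$tmp" "$f"   # rename replaces the link entry itself, not its target
  done
  find "$dir" -type l \( -name '*.tf' -o -name '*.tfvars' \) | wc -l | tr -d ' '
}

# Scan the stack with the tfvars file, as in the reporter's workflow.
scan_stack() {
  command -v trivy >/dev/null 2>&1 || { echo "trivy not on PATH, skipping" >&2; return 0; }
  (cd "$1" && trivy config --tf-vars dev.tfvars .)
}
```

Compare the "config files detected" count from `scan_stack` before and after `materialize_symlinks` to confirm the module under ../../modules/0_network is now included.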
This one issue makes Trivy pretty much useless to us. We modularise pretty much everything and use symlinks to "attach" our modules folder into our stacks. This worked fine with TFSec, but with Trivy it means basically none of our resources are scanned.
Yeah, same issue here. We use symlinks quite a bit when we want to share a small piece of TF code across multiple projects (we also use modules for this, but sometimes that just feels a bit too heavy). As trivy has gotten smarter about resolving variables in recent versions, the lack of symlink support has caused us more and more false positives (since it appears to be unable to resolve variables that are defined in symlinked files).
This is part of a bigger discussion as to whether Trivy should support symlinks at the global scanner level or not, as seen here: #4184
Discussed in #7419
Originally posted by h-l-b August 29, 2024