Run trivy config in terraform dry modules

[JulesClaussen]

Description

Hello !
I am using terraform along with terragrunt. So all my terraform modules are dry, and I do not run terraform init commands (but terragrunt one, in another folder).
I am trying to setup trivy config scan in my github action. I tried both manually with below command, and with the actions itself. It works fine locally, but fails in my CI.
Manually:
trivy config --ignore-policy trivy-config.rego infrastructure/terraform/modules

Through trivy-action:

      - name: Run Trivy in Config Mode
        uses: aquasecurity/[email protected]
        with:
          scan-type: "config"
          scan-ref: infrastructure/terraform/modules
          ignore-policy: trivy-config.rego

It both fails with error:
2025-01-08T16:24:25Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="failed to locate cache directory: cache directory is not writable"

I have tried to disable the cache in the trivy-action, or to set the cache to a custom manually created directory (with chmod 777), but always the same error.

Important note, the errors occur for folders that have resources pointing to submodules. See in reproduction step for more details.

What am I missing? Why does it work locally and find some vulns, but not in my github action?

Thanks!

Desired Behavior

I would like to be able to run the trivy config within my github action.
This could be either through disabling cache, or allowing no init files for example.

Actual Behavior

Currently, I have the following error:
2025-01-08T16:24:25Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="failed to locate cache directory: cache directory is not writable"

Reproduction Steps

1. Create a tf file with an external private module: 

module "postgresql_credapi_db" {
  source = "github.com/myorg/myrepo//mymodule?ref=mymodule-v1.4.2"

  some_variable = true
}

2. Run trivy config on this folder, within a github action (it works fine locally)

### Target

None

### Scanner

Misconfiguration

### Output Format

None

### Mode

None

### Debug Output

```bash
2025-01-08T16:41:08Z	INFO	Removing scan cache...
2025-01-08T16:41:08Z	INFO	Removing vulnerability database...
2025-01-08T16:41:08Z	INFO	Removing Java database...
2025-01-08T16:41:08Z	INFO	Removing check bundle...
2025-01-08T16:41:08Z	INFO	Removing VEX repositories...
2025-01-08T16:41:08Z	DEBUG	No plugins loaded
2025-01-08T16:41:08Z	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2025-01-08T16:41:08Z	DEBUG	Cache dir	dir="/tmp/"
2025-01-08T16:41:08Z	DEBUG	Cache dir	dir="/tmp/"
2025-01-08T16:41:08Z	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-01-08T16:41:08Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-01-08T16:41:08Z	DEBUG	[misconfig] Checks successfully loaded from disk
2025-01-08T16:41:08Z	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-01-08T16:41:08Z	DEBUG	Initializing scan cache...	type="memory"
2025-01-08T16:41:08Z	DEBUG	[misconfig] Scanning files for misconfigurations...	scanner="Terraform"
2025-01-08T16:41:08Z	DEBUG	[terraform scanner] Scanning directory	file_path="."
2025-01-08T16:41:08Z	DEBUG	[rego] Overriding filesystem for checks
2025-01-08T16:41:08Z	DEBUG	[rego] Embedded libraries are loaded	count=15
2025-01-08T16:41:08Z	DEBUG	[rego] Embedded checks are loaded	count=511
2025-01-08T16:41:08Z	DEBUG	[rego] Checks from disk are loaded	count=526
2025-01-08T16:41:08Z	DEBUG	[rego] Overriding filesystem for data
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Setting project/module root	module="root" file_path="."
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Parsing FS	module="root" file_path="."
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Parsing	module="root" file_path="credapi-aurora.tf"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Added file	module="root" file_path="credapi-aurora.tf"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Parsing	module="root" file_path="k8s-namespace.tf"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Added file	module="root" file_path="k8s-namespace.tf"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Parsing	module="root" file_path="k8s-unbound.tf"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Added file	module="root" file_path="k8s-unbound.tf"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Parsing	module="root" file_path="main.tf"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Added file	module="root" file_path="main.tf"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Parsing	module="root" file_path="outputs.tf"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Added file	module="root" file_path="outputs.tf"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Parsing	module="root" file_path="router-aurora.tf"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Added file	module="root" file_path="router-aurora.tf"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Parsing	module="root" file_path="runner-aurora.tf"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Added file	module="root" file_path="runner-aurora.tf"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Parsing	module="root" file_path="tasks-documentdb.tf"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Added file	module="root" file_path="tasks-documentdb.tf"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Parsing	module="root" file_path="tasks-subnets.tf"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Added file	module="root" file_path="tasks-subnets.tf"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Parsing	module="root" file_path="uptimemonitor-aurora.tf"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Added file	module="root" file_path="uptimemonitor-aurora.tf"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Parsing	module="root" file_path="vars.tf"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Added file	module="root" file_path="vars.tf"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Parsing	module="root" file_path="versions.tf"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Added file	module="root" file_path="versions.tf"
2025-01-08T16:41:08Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Setting project/module root	module="root" file_path="."
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Parsing FS	module="root" file_path="."
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Parsing	module="root" file_path="credapi-aurora.tf"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Added file	module="root" file_path="credapi-aurora.tf"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Parsing	module="root" file_path="k8s-namespace.tf"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Added file	module="root" file_path="k8s-namespace.tf"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Parsing	module="root" file_path="k8s-unbound.tf"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Added file	module="root" file_path="k8s-unbound.tf"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Parsing	module="root" file_path="main.tf"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Added file	module="root" file_path="main.tf"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Parsing	module="root" file_path="outputs.tf"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Added file	module="root" file_path="outputs.tf"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Parsing	module="root" file_path="router-aurora.tf"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Added file	module="root" file_path="router-aurora.tf"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Parsing	module="root" file_path="runner-aurora.tf"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Added file	module="root" file_path="runner-aurora.tf"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Parsing	module="root" file_path="tasks-documentdb.tf"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Added file	module="root" file_path="tasks-documentdb.tf"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Parsing	module="root" file_path="tasks-subnets.tf"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Added file	module="root" file_path="tasks-subnets.tf"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Parsing	module="root" file_path="uptimemonitor-aurora.tf"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Added file	module="root" file_path="uptimemonitor-aurora.tf"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Parsing	module="root" file_path="vars.tf"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Added file	module="root" file_path="vars.tf"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Parsing	module="root" file_path="versions.tf"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Added file	module="root" file_path="versions.tf"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Loading module	module="root" module="root"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Read block(s) and ignore(s)	module="root" blocks=105 ignores=0
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Added input variables from tfvars	module="root" count=0
2025-01-08T16:41:08Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="quite a few variables"
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Working directory for module evaluation	module="root" file_path="/home/actions-runner-1/actions-runner/_work/current-git-repo/current-git-repo"
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Starting module evaluation...	path="."
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Starting iteration	iteration=0
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Starting iteration	iteration=1
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Starting iteration	iteration=2
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Context unchanged	iteration=2
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Expanded block into clones via 'count' attribute.	block="aws_docdb_cluster_instance.instances" clones=1
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Expanded block into clones via 'count' attribute.	block="aws_route_table_association.tasks_share" clones=14
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Expanded block into clones via 'count' attribute.	block="aws_subnet.tasks_share" clones=3
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Expanded block into clones via 'count' attribute.	block="data.aws_ec2_managed_prefix_list.data" clones=1
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Expanded block into clones via 'count' attribute.	block="data.aws_subnet.dbs" clones=1
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Expanded block into clones via 'for_each' attribute.	block="aws_flow_log.tasks_share_subnets" clones=3
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Locating non-initialized module	source="github.com/myorg/myrepo//some-module?ref=some-module-v4.1.1"
2025-01-08T16:41:08Z	DEBUG	[module resolver] Resolving module	name="module.aurora_postgresql_credapi" source="github.com/myorg/myrepo//some-module?ref=some-module-v4.1.1"
2025-01-08T16:41:08Z	DEBUG	[module resolver] No cache filesystem is available on this machine.	err="cache directory is not writable"
2025-01-08T16:41:08Z	DEBUG	[module resolver] Caching module	key="key1"
2025-01-08T16:41:08Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="failed to locate cache directory: cache directory is not writable"
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Locating non-initialized module	source="github.com/myorg/myrepo//some-module?ref=some-module-v4.1.1"
2025-01-08T16:41:08Z	DEBUG	[module resolver] Resolving module	name="module.aurora_postgresql_router" source="github.com/myorg/myrepo//some-module?ref=some-module-v4.1.1"
2025-01-08T16:41:08Z	DEBUG	[module resolver] No cache filesystem is available on this machine.	err="cache directory is not writable"
2025-01-08T16:41:08Z	DEBUG	[module resolver] Caching module	key="key1"
2025-01-08T16:41:08Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="failed to locate cache directory: cache directory is not writable"
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Locating non-initialized module	source="github.com/myorg/myrepo//some-module?ref=some-module-v4.1.1"
2025-01-08T16:41:08Z	DEBUG	[module resolver] Resolving module	name="module.aurora_postgresql_runner" source="github.com/myorg/myrepo//some-module?ref=some-module-v4.1.1"
2025-01-08T16:41:08Z	DEBUG	[module resolver] No cache filesystem is available on this machine.	err="cache directory is not writable"
2025-01-08T16:41:08Z	DEBUG	[module resolver] Caching module	key="key1"
2025-01-08T16:41:08Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="failed to locate cache directory: cache directory is not writable"
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Locating non-initialized module	source="github.com/myorg/myrepo//some-module?ref=some-module-v4.1.1"
2025-01-08T16:41:08Z	DEBUG	[module resolver] Resolving module	name="module.aurora_postgresql_uptimemonitor" source="github.com/myorg/myrepo//some-module?ref=some-module-v4.1.1"
2025-01-08T16:41:08Z	DEBUG	[module resolver] No cache filesystem is available on this machine.	err="cache directory is not writable"
2025-01-08T16:41:08Z	DEBUG	[module resolver] Caching module	key="key1"
2025-01-08T16:41:08Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="failed to locate cache directory: cache directory is not writable"
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Locating non-initialized module	source="terraform-aws-modules/security-group/aws"
2025-01-08T16:41:08Z	DEBUG	[module resolver] Resolving module	name="module.docdb_sg" source="terraform-aws-modules/security-group/aws"
2025-01-08T16:41:08Z	DEBUG	[module resolver] No cache filesystem is available on this machine.	err="cache directory is not writable"
2025-01-08T16:41:08Z	DEBUG	[module resolver] Requesting module versions from registry using	url="https://registry.terraform.io/v1/modules/terraform-aws-modules/security-group/aws/versions"
2025-01-08T16:41:08Z	DEBUG	[module resolver] Found module version	version="5.3.0" constraint="5.3.0"
2025-01-08T16:41:08Z	DEBUG	[module resolver] Requesting module source from registry	url="https://registry.terraform.io/v1/modules/terraform-aws-modules/security-group/aws/5.3.0/download"
2025-01-08T16:41:08Z	DEBUG	[module resolver] Module resolved via registry to new source	source="git::https://github.com/terraform-aws-modules/terraform-aws-security-group?ref=badbab67cd0d7f976523fd44647e1ee9fb87001b" name="terraform-aws-modules/security-group/aws"
2025-01-08T16:41:08Z	DEBUG	[module resolver] Caching module	key="key2"
2025-01-08T16:41:08Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="failed to locate cache directory: cache directory is not writable"
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Locating non-initialized module	source="terraform-aws-modules/security-group/aws"
2025-01-08T16:41:08Z	DEBUG	[module resolver] Resolving module	name="module.docdb_sg_vpn_rule" source="terraform-aws-modules/security-group/aws"
2025-01-08T16:41:08Z	DEBUG	[module resolver] No cache filesystem is available on this machine.	err="cache directory is not writable"
2025-01-08T16:41:08Z	DEBUG	[module resolver] Requesting module versions from registry using	url="https://registry.terraform.io/v1/modules/terraform-aws-modules/security-group/aws/versions"
2025-01-08T16:41:08Z	DEBUG	[module resolver] Found module version	version="5.3.0" constraint="5.3.0"
2025-01-08T16:41:08Z	DEBUG	[module resolver] Requesting module source from registry	url="https://registry.terraform.io/v1/modules/terraform-aws-modules/security-group/aws/5.3.0/download"
2025-01-08T16:41:08Z	DEBUG	[module resolver] Module resolved via registry to new source	source="git::https://github.com/terraform-aws-modules/terraform-aws-security-group?ref=badbab67cd0d7f976523fd44647e1ee9fb87001b" name="terraform-aws-modules/security-group/aws"
2025-01-08T16:41:08Z	DEBUG	[module resolver] Caching module	key="key2"
2025-01-08T16:41:08Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="failed to locate cache directory: cache directory is not writable"
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Starting post-submodules evaluation...
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Starting iteration	iteration=0
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Starting iteration	iteration=1
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Context unchanged	iteration=1
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Module evaluation complete.
2025-01-08T16:41:08Z	DEBUG	[terraform parser] Finished parsing module	module="root"
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Added module output	block="somemodulestion_url_tasks" value="cty.NilVal"
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Added module output	block="somemodulestion_url_tasks" value="cty.NilVal"
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Added module output	block="somemodulesedapi" value="cty.NilVal"
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Added module output	block="somemodulesuter" value="cty.NilVal"
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Added module output	block="somemodulesnner" value="cty.NilVal"
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Added module output	block="somemodulestimemonitor" value="cty.NilVal"
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Added module output	block="somemodulesi" value="cty.NilVal"
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Added module output	block="somemodules" value="cty.NilVal"
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Added module output	block="somemodules" value="cty.NilVal"
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Added module output	block="somemodulesmonitor" value="cty.NilVal"
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Added module output	block="somemodulesredapi" value="cty.NilVal"
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Added module output	block="somemodulesouter" value="cty.NilVal"
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Added module output	block="somemodulesunner" value="cty.NilVal"
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Added module output	block="somemodulesptimemonitor" value="cty.NilVal"
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Added module output	block="somemodulesedapi" value="cty.NilVal"
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Added module output	block="somemodulesuter" value="cty.NilVal"
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Added module output	block="somemodulesnner" value="cty.NilVal"
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Added module output	block="somemodulestimemonitor" value="cty.NilVal"
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Added module output	block="somemodulesoncredapi" value="cty.NilVal"
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Added module output	block="somemodulesonrouter" value="cty.NilVal"
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Added module output	block="somemodulesonrunner" value="cty.NilVal"
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Added module output	block="somemodulesonuptimemonitor" value="cty.NilVal"
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Added module output	block="somemodulesoncredapi" value="cty.NilVal"
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Added module output	block="somemodulesonha_credapi" value="cty.NilVal"
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Added module output	block="somemodulesonha_router" value="cty.NilVal"
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Added module output	block="somemodulesonha_runner" value="cty.NilVal"
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Added module output	block="somemodulesonha_uptimemonitor" value="cty.NilVal"
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Added module output	block="somemodulesonrouter" value="cty.NilVal"
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Added module output	block="somemodulesonrunner" value="cty.NilVal"
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Added module output	block="somemodulesonuptimemonitor" value="cty.NilVal"
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Added module output	block="somemodulesedapi" value="cty.NilVal"
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Added module output	block="somemodulesuter" value="cty.NilVal"
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Added module output	block="somemodulesnner" value="cty.NilVal"
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Added module output	block="somemodulestimemonitor" value="cty.NilVal"
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Added module output	block="somemodulesb_ey" value="cty.NilVal"
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Added module output	block="somemodulescidr_blocks" value="cty.TupleVal([]cty.Value{cty.NilVal, cty.NilVal, cty.NilVal})"
2025-01-08T16:41:08Z	DEBUG	[terraform executor] Adapting modules...
2025-01-08T16:41:08Z	DEBUG	[terraform executor] Adapted module(s) into state data.	count=1
2025-01-08T16:41:08Z	DEBUG	[rego] Scanning inputs	count=1
2025-01-08T16:41:08Z	DEBUG	[terraform executor] Finished applying rules.
2025-01-08T16:41:08Z	DEBUG	[terraform executor] Applying ignores...
2025-01-08T16:41:08Z	DEBUG	OS is not detected.
2025-01-08T16:41:08Z	INFO	Detected config files	num=2
2025-01-08T16:41:08Z	DEBUG	Scanned config file	file_path="."
2025-01-08T16:41:08Z	DEBUG	Scanned config file	file_path="tasks-documentdb.tf"
2025-01-08T16:41:08Z	DEBUG	Specified ignore file does not exist	file=".trivyignore"
2025-01-08T16:41:08Z	DEBUG	[vex] VEX filtering is disabled

### Operating System

Ubuntu 22

### Version

```bash
0.58.1

Checklist

• Run trivy clean --all
• Read the troubleshooting

[simar7]

hi @JulesClaussen - the issue isn't that Trivy isn't able to fetch remote modules (which is what you're trying to do here with dry terraform configs) but instead that Trivy doesn't have necessary permissions to go fetch them in the CI as you are able to locally.

When you run locally, Trivy can fetch remote modules as seen here:

2025-01-08T16:41:08Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="failed to locate cache directory: cache directory is not writable"
2025-01-08T16:41:08Z	DEBUG	[terraform evaluator] Locating non-initialized module	source="github.com/myorg/myrepo//some-module?ref=some-module-v4.1.1"
2025-01-08T16:41:08Z	DEBUG	[module resolver] Resolving module	name="module.aurora_postgresql_router" source="github.com/myorg/myrepo//some-module?ref=some-module-v4.1.1"

[nikpivkin]

Hi @JulesClaussen !

Are your modules in a private repository? If so, Simar is right. You need to access the repo before scanning. See aquasecurity/trivy-action#383

[JulesClaussen]

Hello @nikpivkin and @simar7, I have both private and public repos, and both returns the same "Locating non-initialized module" error.
I have tried adding the git config step, but I still have the same issue:
- run: git config --global url."https://oauth2:${{ secrets.GH_LIBS_READ_TOKEN }}@github.com".insteadOf https://github.com where GH_LIBS_READ_TOKEN is a Fine Grained token, with repository access to both my repo where this scan is running, and the repo where the terraform modules are stored.

Logs for public modules: (looks like it achieves to pull it?)

2025-01-09T08:56:08Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="failed to locate cache directory: cache directory is not writable"
2025-01-09T08:56:08Z	DEBUG	[terraform evaluator] Locating non-initialized module	source="terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
2025-01-09T08:56:08Z	DEBUG	[module resolver] Resolving module	name="module.credapi-irsa" source="terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
2025-01-09T08:56:08Z	DEBUG	[module resolver] No cache filesystem is available on this machine.	err="cache directory is not writable"
2025-01-09T08:56:08Z	DEBUG	[module resolver] Requesting module versions from registry using	url="https://registry.terraform.io/v1/modules/terraform-aws-modules/iam/aws/versions"
2025-01-09T08:56:08Z	DEBUG	[module resolver] Found module version	version="5.52.1" constraint="5.52.1"
2025-01-09T08:56:08Z	DEBUG	[module resolver] Requesting module source from registry	url="https://registry.terraform.io/v1/modules/terraform-aws-modules/iam/aws/5.52.1/download"
2025-01-09T08:56:08Z	DEBUG	[module resolver] Module resolved via registry to new source	source="git::https://github.com/terraform-aws-modules/terraform-aws-iam?ref=da5e04acccbf830da97c108919bcf7ae81e66679" name="terraform-aws-modules/iam/aws"
2025-01-09T08:56:08Z	DEBUG	[module resolver] Caching module	key="some-cache-key"

Logs for private modules:

2025-01-09T08:56:09Z	DEBUG	[terraform evaluator] Locating non-initialized module	source="github.com/myorg/my-repo//my-module?ref=my-module-v4.1.1"
2025-01-09T08:56:09Z	DEBUG	[module resolver] Resolving module	name="module.aurora_postgresql_credapi" source="github.com/myorg/my-repo//my-module?ref=my-module-v4.1.1"
2025-01-09T08:56:09Z	DEBUG	[module resolver] No cache filesystem is available on this machine.	err="cache directory is not writable"
2025-01-09T08:56:09Z	DEBUG	[module resolver] Caching module	key="some-cache-key"
2025-01-09T08:56:09Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="failed to locate cache directory: cache directory is not writable"

[nikpivkin]

I just now noticed that the cache directory does not allow writing err=“failed to locate cache directory: cache directory is not writable”. What does your workflow look like? Have you changed the directory for the temporary files?

[JulesClaussen]

These are my github action steps. Quite blunt, then you can see all my attempts, but overall both trivy-action, and manual are failing:

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Git Config
        run: |
          git config --global credential.helper store
          echo "https://git:${{ secrets.GH_LIBS_READ_TOKEN }}@github.com" > ~/.git-credentials
          echo "machine github.com login git password ${{ secrets.GH_LIBS_READ_TOKEN }}" > ~/.netrc

      - name: Manual Trivy Setup
        uses: aquasecurity/[email protected]
        with:
          cache: true
          # renovate: datasource=github-releases depName=aquasecurity/trivy
          version: v0.58.1

      - name: Checkout gh-action repository
        uses: actions/checkout@v2
        with:
          repository: myorg/gh-actions
          token: ${{ secrets.GH_LIBS_READ_TOKEN }}
          path: gh-actions
          ref: feat/add-trivy-workflows

      - run: git config --global url."https://oauth2:${{ secrets.GH_LIBS_READ_TOKEN }}@github.com".insteadOf https://github.com

      - name: Copy trivy config file
        run: |
          cp ./gh-actions/trivy/trivy-config.rego .

      - name: Run Trivy in Config Mode
        uses: aquasecurity/[email protected]
        with:
          scan-type: "config"
          scan-ref: infrastructure/terraform/modules
          ignore-policy: trivy-config.rego
          cache: false
          # format: "sarif"
          # output: "trivy-results.sarif"
        env:
          # https://aquasecurity.github.io/trivy/v0.55/docs/references/troubleshooting/#github-rate-limiting
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # https://github.com/aquasecurity/trivy-action/issues/389#issuecomment-2401703776
          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db

      # - name: Run Trivy in Config Mode
      #   run: |
      #     trivy clean --all
      #     TIMESTAMP=`date +%s`
      #     mkdir /tmp/trivy-cache-$TIMESTAMP && chmod 777 /tmp/trivy-cache-$TIMESTAMP
      #     trivy config --debug --cache-dir /tmp/trivy-cache-$TIMESTAMP --ignore-policy trivy-config.rego infrastructure/terraform/modules
      #   env:
      #     # https://aquasecurity.github.io/trivy/v0.55/docs/references/troubleshooting/#github-rate-limiting
      #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      #     # https://github.com/aquasecurity/trivy-action/issues/389#issuecomment-2401703776
      #     TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db

Thanks @nikpivkin