bug(terraform): Trivy does not scan remote modules #5414

Closed
nikpivkin opened this issue Oct 20, 2023 Discussed in #5411 · 1 comment · Fixed by aquasecurity/trivy-iac#34
Labels: kind/bug (Categorizes issue or PR as related to a bug), scan/misconfiguration (Issues relating to misconfiguration scanning)

Opened by @nikpivkin (Contributor):
Discussed in #5411

Originally posted by bkonicek-calm October 19, 2023

IDs

avd-gcp-0027

Description

I have a Terragrunt module that calls several custom modules as well as defines individual resources. When I run `trivy config .` the output is:

```text
❯ trivy config .
2023-10-19T10:12:28.817-0400    INFO    Misconfiguration scanning is enabled
2023-10-19T10:12:29.690-0400    INFO    Detected config files: 0
```

If I first run `terragrunt init`, then it identifies misconfigurations within the downloaded modules from `.terraform`. However, it will not identify any misconfigurations from individual resources. I thought this behavior might be caused by Trivy not working properly with Terragrunt. However, when I have Trivy scan my terraform plan output it also does not detect an issue.

It appears to be having an issue with the modules sourced from private git repos. If I comment them out, it correctly identifies the individual resource with a misconfiguration, and if I add a module from a public git repo, it also works.

Reproduction Steps

Reproducing may be slightly difficult since it relies on using a module from a private repository.

1. Create a basic Terraform configuration with `main.tf`:

```hcl
module "service_account" {
  source         = "git::https://github.com/ORG/REPO-NAME.git//gcp-modules/service_account?ref=service_account-0.0.1"
  project_id     = var.project_id
  environment    = var.environment
  service        = var.service
  product_family = var.product_family
}

resource "google_compute_firewall" "app" {
  project       = "foo"
  name          = "test"
  network       = "foo"
  priority      = "1001"
  source_ranges = ["0.0.0.0/0"]

  allow {
    protocol = "tcp"
    ports    = ["443", "80"]
  }

  target_tags = ["foo"]
}
```

2. Run `trivy config ./` and see no results.
3. Comment out the module and re-run `trivy config ./`.
4. See output:
```text
main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

CRITICAL: Firewall rule allows ingress traffic from multiple addresses on the public internet.
═══════════════════════════════════════════════════════════════════════════════
Network security rules should not use very broad subnets.

Where possible, segments should be broken into smaller subnets and avoid using the /0 subnet.

See https://avd.aquasec.com/misconfig/avd-gcp-0027
───────────────────────────────────────────────────────────────────────────────
 main.tf:28
   via main.tf:23-36 (google_compute_firewall.app)
───────────────────────────────────────────────────────────────────────────────
  23   resource "google_compute_firewall" "app" {
  ..   
  28 [   source_ranges = ["0.0.0.0/0"]
  ..   
  36   }
```

Target: Filesystem

Scanner: Misconfiguration

Target OS: macOS Ventura

Debug Output

```text
❯ trivy config ./ --debug
2023-10-19T10:47:15.514-0400    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-10-19T10:47:15.525-0400    DEBUG   cache dir:  /Users/benkonicek/Library/Caches/trivy
2023-10-19T10:47:15.525-0400    INFO    Misconfiguration scanning is enabled
2023-10-19T10:47:15.525-0400    DEBUG   Policies successfully loaded from disk
2023-10-19T10:47:15.536-0400    DEBUG   The nuget packages directory couldn't be found. License search disabled
2023-10-19T10:47:15.551-0400    DEBUG   Walk the file tree rooted at '.' in parallel
2023-10-19T10:47:15.551-0400    DEBUG   Scanning Terraform files for misconfigurations...
2023-10-19T10:47:15.897-0400    DEBUG   OS is not detected.
2023-10-19T10:47:15.897-0400    INFO    Detected config files: 0
```

Version

```text
❯ trivy --version
Version: 0.46.0
```

@nikpivkin nikpivkin added kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning labels Oct 20, 2023
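The failure mode reported above is silent: Trivy 0.46.0 exits cleanly with `Detected config files: 0` when a module points at a private git repository, so a CI job would pass with nothing scanned. The following is an added example (not part of this issue and not Trivy's own code) of a guardrail that compares the `.tf` files present with Trivy's log line and flags that outcome; the regexes, the `REMOTE_PREFIXES` list and the `check_scan` helper are assumptions for illustration, and the sample `main.tf` and log lines are constructed from the issue.

```python
import re

# Constructed sample input: the issue's main.tf trimmed to the two blocks that
# matter, a module from a private git repo plus a locally defined resource.
MAIN_TF = '''
module "service_account" {
  source     = "git::https://github.com/ORG/REPO-NAME.git//gcp-modules/service_account?ref=service_account-0.0.1"
  project_id = var.project_id
}

resource "google_compute_firewall" "app" {
  source_ranges = ["0.0.0.0/0"]
}
'''

# Constructed sample log: the two relevant lines from the issue's debug output.
TRIVY_LOG = '''
2023-10-19T10:47:15.551-0400    DEBUG   Scanning Terraform files for misconfigurations...
2023-10-19T10:47:15.897-0400    INFO    Detected config files: 0
'''

# `source` of an uncommented module block; assumes it precedes any nested block.
MODULE_SRC_RE = re.compile(r'^\s*module\s+"[^"]+"\s*\{[^}]*?^\s*source\s*=\s*"([^"]+)"', re.M | re.S)
DETECTED_RE = re.compile(r"Detected config files:\s*(\d+)")
# Module source prefixes that require a fetch over the network (assumed list).
REMOTE_PREFIXES = ("git::", "git@", "github.com/", "bitbucket.org/", "hg::", "s3::", "gcs::")

def remote_module_sources(tf_text):
    """Module sources in tf_text that Trivy has to download before it can scan."""
    return [s for s in MODULE_SRC_RE.findall(tf_text) if s.startswith(REMOTE_PREFIXES)]

def detected_config_files(log_text):
    """Count from Trivy's 'Detected config files: N' line, or None if absent."""
    m = DETECTED_RE.search(log_text)
    return int(m.group(1)) if m else None

def check_scan(tf_files, log_text):
    """Flag the silent skip from this issue: .tf files exist, yet Trivy reports
    no config files. Remote module sources are reported as the likely cause."""
    remote = [s for text in tf_files.values() for s in remote_module_sources(text)]
    detected = detected_config_files(log_text)
    suspicious = bool(tf_files) and detected == 0
    reason = None
    if suspicious:
        reason = ("remote module source(s) may be unreachable: " + ", ".join(remote)
                  if remote else "no config files detected despite .tf files")
    return {"suspicious": suspicious, "detected": detected, "remote_sources": remote, "reason": reason}
```

In a pipeline, fail the job when `check_scan(...)["suspicious"]` is true instead of treating an empty Trivy report as a clean result.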
@bkonicek-calm commented:

Thanks @nikpivkin - there is a working example of this in this other discussion, as it seems to be related:

#5408 (reply in thread)
