
feat(misconf): Improve support for scanning Terraform plan JSON input #5907

Closed
simar7 opened this issue Jan 10, 2024 · 6 comments · Fixed by #6176
Assignees
Labels
kind/feature Categorizes issue or PR as related to a new feature. scan/misconfiguration Issues relating to misconfiguration scanning
Milestone

Comments

@simar7
Member

simar7 commented Jan 10, 2024

Motivation

We've run into several occasions (see linked issues below) where we incorrectly flag (false positive) misconfigurations in Terraform scanning when the input is the Terraform plan in JSON. This issue takes place as we're unable to parse nested blocks and attributes past the first stage as currently there's no way to "walk" the JSON input. See more on this here

Action items

Drop support for Terraform JSON until we have a proper way to walk the input. Flagging false positives creates misinformation.

Update Feb 2024

We've found a better approach to keep and improve the terraform plan scanning functionality. As it turns out, we can unzip the plan contents (it is a zip file) and parse the HCL directly from it. This allows us to have a functionally complete HCL input which we can scan and flag for misconfigurations.

Affected issues

@simar7 simar7 added kind/deprecation Categorizes issue or PR as related to a feature/enhancement marked for deprecation. scan/misconfiguration Issues relating to misconfiguration scanning labels Jan 10, 2024
@itaysk
Contributor

itaysk commented Jan 15, 2024

a couple of questions:

  1. Is this removing an existing advertised feature? Should we mark it as break or feat?
  2. Is this also affecting tf plan scanning? If so, we also need to properly communicate it.

@simar7
Member Author

simar7 commented Jan 15, 2024

a couple of questions:

  1. Is this removing an existing advertised feature? Should we mark it as break or feat?

Yes we're planning to drop scanning of Terraform JSON for the reasons above. I can change that.

  2. Is this also affecting tf plan scanning? If so, we also need to properly communicate it.

Yes this is just a placeholder issue to triage any future issues that are related. I'll open a discussion to field any questions or concerns and give enough time before we actually start working on it.

@simar7 simar7 changed the title chore(misconf): Drop support for Terraform JSON input feat(misconf): Drop support for Terraform JSON input Jan 15, 2024
@simar7
Member Author

simar7 commented Jan 15, 2024

Discuss here #5950

@knqyf263
Collaborator

This is a breaking change.

It is described above in #5950, so should we change the title prefix from "feat(misconf)" to "BREAKING CHANGE(misconf)"?
e.g. #1571

@simar7 simar7 changed the title feat(misconf): Drop support for Terraform JSON input BREAKING CHANGE: Drop support for Terraform JSON input Jan 17, 2024
@simar7
Member Author

simar7 commented Jan 17, 2024

This is a breaking change.

It is described above in #5950, so should we change the title prefix from "feat(misconf)" to "BREAKING CHANGE(misconf)"? e.g. #1571

thanks, I updated it.

@simar7 simar7 changed the title BREAKING CHANGE: Drop support for Terraform JSON input feat(misconf): Improve support for scanning Terraform plan JSON input Feb 22, 2024
@simar7
Member Author

simar7 commented Feb 22, 2024

Update Feb 2024: We've found a better approach to keep and improve the terraform plan scanning functionality. As it turns out, we can unzip the plan contents (it is a zip file) and parse the HCL directly from it. This allows us to have a functionally complete HCL input which we can scan and flag for misconfigurations.

I've updated this issue's description and title to reflect the above. The PR to improve this functionality is here: #6176
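The "unzip the plan and read the HCL out of it" approach described in the issue description and in this update, as an added example that is not Trivy's code and not the code of PR #6176. It assumes the layout Terraform uses for plan files (a zip archive whose configuration snapshot lives under a tfconfig/ directory, with the root module under tfconfig/m-/); the sample archive, the size cap and the function names are constructed for the example. Because a plan file is untrusted input to the scanner, the extractor bounds each entry's size and rejects entry paths that would escape the archive root.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path"
	"strings"
)

// maxHCLFileSize caps how many bytes are read from a single archive entry so a
// crafted plan cannot act as a decompression bomb. The value is an assumption
// for this example, not a Trivy setting.
const maxHCLFileSize = 4 << 20

// ExtractHCLFromPlan treats a Terraform plan file as the zip archive it is and
// returns the .tf / .tf.json files found under tfconfig/, keyed by archive path.
// The tfconfig/ layout is assumed here; nothing outside it is read.
func ExtractHCLFromPlan(plan []byte) (map[string]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(plan), int64(len(plan)))
	if err != nil {
		return nil, fmt.Errorf("plan is not a zip archive: %w", err)
	}
	files := make(map[string]string)
	for _, f := range zr.File {
		name := path.Clean(f.Name)
		// Reject entries whose cleaned path escapes the archive root (zip slip).
		if path.IsAbs(name) || name == ".." || strings.HasPrefix(name, "../") {
			return nil, fmt.Errorf("unsafe entry path %q", f.Name)
		}
		if f.FileInfo().IsDir() || !strings.HasPrefix(name, "tfconfig/") {
			continue
		}
		if !strings.HasSuffix(name, ".tf") && !strings.HasSuffix(name, ".tf.json") {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, fmt.Errorf("open %s: %w", name, err)
		}
		// Read one byte past the cap so an oversized entry is detected, not truncated.
		data, err := io.ReadAll(io.LimitReader(rc, maxHCLFileSize+1))
		rc.Close()
		if err != nil {
			return nil, fmt.Errorf("read %s: %w", name, err)
		}
		if len(data) > maxHCLFileSize {
			return nil, fmt.Errorf("entry %s exceeds %d bytes", name, maxHCLFileSize)
		}
		files[name] = string(data)
	}
	if len(files) == 0 {
		return nil, errors.New("no configuration files found under tfconfig/")
	}
	return files, nil
}

// buildSamplePlan assembles a constructed in-memory archive with the layout a
// plan file is assumed to have; it stands in for `terraform plan -out=tfplan` output.
func buildSamplePlan() []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	entries := map[string]string{
		"tfplan":                   "constructed placeholder for the binary plan payload",
		"tfconfig/modules.json":    `{"Modules":[{"Key":"","Source":"","Dir":"."}]}`,
		"tfconfig/m-/main.tf":      "resource \"aws_s3_bucket\" \"logs\" {\n  bucket = \"example-logs\"\n}\n",
		"tfconfig/m-/variables.tf": "variable \"region\" {\n  default = \"us-east-1\"\n}\n",
	}
	for name, body := range entries {
		w, _ := zw.Create(name)
		w.Write([]byte(body))
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	files, err := ExtractHCLFromPlan(buildSamplePlan())
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for name, body := range files {
		fmt.Printf("== %s ==\n%s\n", name, body)
	}
}
```

The returned map is the "functionally complete HCL input" the update refers to: each value can be handed to an HCL parser together with its sibling files from the same module directory, which is what lets nested blocks and attributes be walked instead of being lost in the flattened JSON view.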

@simar7 simar7 added kind/feature Categorizes issue or PR as related to a new feature. and removed kind/deprecation Categorizes issue or PR as related to a feature/enhancement marked for deprecation. labels Feb 22, 2024
@simar7 simar7 added this to the v0.50.0 milestone Feb 22, 2024

4 participants