I have noticed that when the trivy output is too long, reviewdog (I think) fails, crashing the pipeline. As a workaround I have added trivy.yaml, which helps sometimes but is not a good solution.
severity:
- MEDIUM
- HIGH
- CRITICAL
Also, trivy scans modules/examples in the .terraform folder. This is especially annoying when using open source modules like the GCP modules, where there could be multiple modules we don't use in the current config; trivy scans and reports issues in them, producing a huge list of useful and useless information.
Raw Output:
message:"Firewall rule allows ingress traffic from multiple addresses on the public internet." location:{path:".terraform/modules/vpc/modules/fabric-net-firewall/main.tf" range:{start:{line:105} end:{line:105}}} severity:ERROR source:{name:"trivy" url:"https://github.com/aquasecurity/trivy"} code:{value:"AVD-GCP-0027" url:"https://avd.aquasec.com/misconfig/avd-gcp-0027"}
Error: [trivy] reported by reviewdog 🐶
Firewall rule allows ingress traffic from multiple addresses on the public internet.
Raw Output:
message:"Firewall rule allows ingress traffic from multiple addresses on the public internet." location:{path:".terraform/modules/vpc/modules/fabric-net-firewall/main.tf" range:{start:{line:75} end:{line:75}}} severity:ERROR source:{name:"trivy" url:"https://github.com/aquasecurity/trivy"} code:{value:"AVD-GCP-0027" url:"https://avd.aquasec.com/misconfig/avd-gcp-0027"}
Warning: [trivy] reported by reviewdog 🐶
Service account access is granted to a user at project level.
Raw Output:
message:"Service account access is granted to a user at project level." location:{path:".terraform/modules/vpc/test/setup/iam.tf" range:{start:{line:41} end:{line:41}}} severity:WARNING source:{name:"trivy" url:"https://github.com/aquasecurity/trivy"} code:{value:"AVD-GCP-0011" url:"https://avd.aquasec.com/misconfig/avd-gcp-0011"}
reviewdog: found at least one result in diff
Error: The process '/home/runner/.local/share/aquaproj-aqua/bin/reviewdog' failed with exit code 1
Expected behaviour
Pipeline should pass.
Actual behaviour
Pipeline failure.
Important Factoids
No response
Note
Most of the findings here are not necessary because I'm not using them in my config.
If you want to ignore .terraform, I think you can use .trivyignore.
It would be nice to actually get issues related to the modules we depend on. I guess until trivy comes up with a solution I'll have to ignore the .terraform dir.
Hmm. The crash of reviewdog is an issue of reviewdog.
But it's good for tfaction to handle the issue.
Yeah, it can be confusing whether it's an issue with trivy or reviewdog otherwise.
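A trivy.yaml that keeps the severity filter from the report but also drops findings that originate in modules downloaded into .terraform, so only the root configuration's own resources are reported. This is an added example, not a configuration from the issue or from tfaction; the `misconfiguration.terraform.exclude-downloaded-modules` key is assumed to be the config-file form of trivy's `--tf-exclude-downloaded-modules` option and `scan.skip-dirs` is assumed to be supported by the trivy version in use, so check both against the docs for your version.

```yaml
# trivy.yaml (added example). The severity list is the one from the issue;
# the remaining keys are assumed and should be verified for your trivy version.
severity:
  - MEDIUM
  - HIGH
  - CRITICAL

misconfiguration:
  terraform:
    # Assumed config-file equivalent of --tf-exclude-downloaded-modules.
    # Module sources under .terraform/modules are still loaded so that the
    # root module's calls can be evaluated, but results whose location is
    # inside a downloaded module (e.g. the vendored fabric-net-firewall
    # main.tf or the module's own test/setup/iam.tf) are not reported.
    exclude-downloaded-modules: true

scan:
  # Coarser fallback if the option above is unavailable in your version:
  # skip the downloaded module tree entirely. Note that this also hides
  # the module bodies from the scanner, so prefer the option above.
  skip-dirs:
    - ".terraform/**"
```

Either setting shrinks the result set that reviewdog has to post, which is the same reason the severity filter in the report helped "sometimes".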
tfaction version
v1.4.0
How to reproduce
main.tf
GitHub Actions' log
❌ Trivy error
Build link | trivy
Working Directory:
modules/network