When trivy output is too long, test-modules and plan jobs fail #1646

Open
rochana-atapattu opened this issue Apr 20, 2024 · 2 comments
@rochana-atapattu
Contributor

tfaction version

v1.4.0

Overview

I have noticed that when the trivy output is too long, reviewdog (I think) fails, crashing the pipeline. As a workaround I have added a
trivy.yaml, which helps sometimes but is not a good solution.

# trivy.yaml: report only findings at MEDIUM severity or above
severity:
  - MEDIUM
  - HIGH
  - CRITICAL

Also, trivy scans modules/examples in the .terraform folder. This is especially annoying when using open source modules like the GCP modules, where there can be multiple modules we don't use in the current config; trivy scans them and reports issues in them, producing a huge list of useful and useless information.

How to reproduce

main.tf

####################################################
#             VPC                                  #
####################################################

module "vpc" {
    source  = "terraform-google-modules/network/google"
    version = "~> 9.1"
}

####################################################
#                NAT                               #
####################################################

module "subnet-cloud-nat" {
  source  = "terraform-google-modules/cloud-nat/google"
  version = "5.0.0"
}

####################################################
#             Private service connect              #
####################################################

resource "google_compute_global_address" "database_service_range" {
  provider      = google-beta
  project       = var.project_id
}

resource "google_compute_global_address" "redis_service_range" {
  provider      = google-beta
}


# Creates the peering with the producer network.
resource "google_service_networking_connection" "private_service_access" {
  provider                = google-beta
}


#################################################
#           Private Google APIs                 #
#################################################


module "private-google-apis" {
  source  = "terraform-google-modules/cloud-dns/google"
  version = "5.2.0"
}

#################################################
#           Private GCR                         #
#################################################

module "private-gcr-io" {
  source  = "terraform-google-modules/cloud-dns/google"
  version = "5.2.0"
}

GitHub Actions' log

Raw Output:
message:"Firewall rule allows ingress traffic from multiple addresses on the public internet." location:{path:".terraform/modules/vpc/modules/fabric-net-firewall/main.tf" range:{start:{line:105} end:{line:105}}} severity:ERROR source:{name:"trivy" url:"https://github.com/aquasecurity/trivy"} code:{value:"AVD-GCP-0027" url:"https://avd.aquasec.com/misconfig/avd-gcp-0027"}
Error: [trivy] reported by reviewdog 🐶
Firewall rule allows ingress traffic from multiple addresses on the public internet.

Raw Output:
message:"Firewall rule allows ingress traffic from multiple addresses on the public internet." location:{path:".terraform/modules/vpc/modules/fabric-net-firewall/main.tf" range:{start:{line:75} end:{line:75}}} severity:ERROR source:{name:"trivy" url:"https://github.com/aquasecurity/trivy"} code:{value:"AVD-GCP-0027" url:"https://avd.aquasec.com/misconfig/avd-gcp-0027"}
Warning: [trivy] reported by reviewdog 🐶
Service account access is granted to a user at project level.

Raw Output:
message:"Service account access is granted to a user at project level." location:{path:".terraform/modules/vpc/test/setup/iam.tf" range:{start:{line:41} end:{line:41}}} severity:WARNING source:{name:"trivy" url:"https://github.com/aquasecurity/trivy"} code:{value:"AVD-GCP-0011" url:"https://avd.aquasec.com/misconfig/avd-gcp-0011"}
reviewdog: found at least one result in diff
Error: The process '/home/runner/.local/share/aquaproj-aqua/bin/reviewdog' failed with exit code 1

Expected behaviour

The pipeline should pass.

Actual behaviour

Pipeline failure.

Important Factoids

No response

Note

Most of the findings here are not necessary because I'm not using them in my config.

❌ Trivy error

Build link | trivy

Working Directory: modules/network

| rule | severity | filepath | range | message |
| --- | --- | --- | --- | --- |
| AVD-GCP-0013 | WARNING | .terraform/modules/private-gcr-io/main.tf | 104 ... 140 | Managed zone does not have DNSSEC enabled. |
| AVD-GCP-0013 | WARNING | .terraform/modules/private-google-apis/main.tf | 104 ... 140 | Managed zone does not have DNSSEC enabled. |
| AVD-GCP-0007 | ERROR | .terraform/modules/project_services/modules/core_project_factory/main.tf | 158 ... 158 | Service account is granted a privileged role. |
| AVD-GCP-0007 | ERROR | .terraform/modules/project_services/test/fixtures/vpc_sc_project/main.tf | 57 ... 57 | Service account is granted a privileged role. |
| AVD-GCP-0011 | WARNING | .terraform/modules/project_services/test/setup/iam.tf | 57 ... 57 | Service account access is granted to a user at project level. |
| AVD-GCP-0027 | ERROR | .terraform/modules/subnet-cloud-nat/examples/nat_with_compute_engine/main.tf | 72 ... 72 | Firewall rule allows ingress traffic from multiple addresses on the public internet. |
| AVD-GCP-0030 | WARNING | .terraform/modules/subnet-cloud-nat/examples/nat_with_compute_engine/main.tf | 36 ... 50 | Instance allows use of project-level SSH keys. |
| AVD-GCP-0041 | WARNING | .terraform/modules/subnet-cloud-nat/examples/nat_with_compute_engine/main.tf | 36 ... 50 | Instance does not have VTPM for shielded VMs enabled. |
| AVD-GCP-0045 | WARNING | .terraform/modules/subnet-cloud-nat/examples/nat_with_compute_engine/main.tf | 36 ... 50 | Instance does not have shielded VM integrity monitoring enabled. |
| AVD-GCP-0067 | WARNING | .terraform/modules/subnet-cloud-nat/examples/nat_with_compute_engine/main.tf | 36 ... 50 | Instance does not have shielded VM secure boot enabled. |
| AVD-GCP-0027 | ERROR | .terraform/modules/subnet-cloud-nat/examples/nat_with_gke/main.tf | 64 ... 64 | Firewall rule allows ingress traffic from multiple addresses on the public internet. |
| AVD-GCP-0048 | ERROR | .terraform/modules/subnet-cloud-nat/examples/nat_with_gke/main.tf | 36 ... 52 | Cluster has legacy metadata endpoints enabled. |
| AVD-GCP-0050 | WARNING | .terraform/modules/subnet-cloud-nat/examples/nat_with_gke/main.tf | 36 ... 52 | Cluster does not override the default service account. |
| AVD-GCP-0056 | WARNING | .terraform/modules/subnet-cloud-nat/examples/nat_with_gke/main.tf | 36 ... 52 | Cluster does not have a network policy enabled. |
| AVD-GCP-0011 | WARNING | .terraform/modules/subnet-cloud-nat/test/setup/iam.tf | 36 ... 36 | Service account access is granted to a user at project level. |
| AVD-GCP-0027 | ERROR | .terraform/modules/vpc/codelabs/simple/main.tf | 104 ... 104 | Firewall rule allows ingress traffic from multiple addresses on the public internet. |
| AVD-GCP-0030 | WARNING | .terraform/modules/vpc/codelabs/simple/main.tf | 68 ... 91 | Instance allows use of project-level SSH keys. |
| AVD-GCP-0031 | ERROR | .terraform/modules/vpc/codelabs/simple/main.tf | 84 ... 86 | Instance has a public IP allocated. |
| AVD-GCP-0041 | WARNING | .terraform/modules/vpc/codelabs/simple/main.tf | 68 ... 91 | Instance does not have VTPM for shielded VMs enabled. |
| AVD-GCP-0045 | WARNING | .terraform/modules/vpc/codelabs/simple/main.tf | 68 ... 91 | Instance does not have shielded VM integrity monitoring enabled. |
| AVD-GCP-0067 | WARNING | .terraform/modules/vpc/codelabs/simple/main.tf | 68 ... 91 | Instance does not have shielded VM secure boot enabled. |
| AVD-GCP-0027 | ERROR | .terraform/modules/vpc/examples/basic_firewall_rule/main.tf | 18 ... 29 | Firewall rule allows ingress traffic from multiple addresses on the public internet. |
| AVD-GCP-0030 | WARNING | .terraform/modules/vpc/examples/basic_shared_vpc/main.tf | 75 ... 88 | Instance allows use of project-level SSH keys. |
| AVD-GCP-0030 | WARNING | .terraform/modules/vpc/examples/basic_shared_vpc/main.tf | 57 ... 71 | Instance allows use of project-level SSH keys. |
| AVD-GCP-0041 | WARNING | .terraform/modules/vpc/examples/basic_shared_vpc/main.tf | 75 ... 88 | Instance does not have VTPM for shielded VMs enabled. |
| AVD-GCP-0041 | WARNING | .terraform/modules/vpc/examples/basic_shared_vpc/main.tf | 57 ... 71 | Instance does not have VTPM for shielded VMs enabled. |
| AVD-GCP-0045 | WARNING | .terraform/modules/vpc/examples/basic_shared_vpc/main.tf | 75 ... 88 | Instance does not have shielded VM integrity monitoring enabled. |
| AVD-GCP-0045 | WARNING | .terraform/modules/vpc/examples/basic_shared_vpc/main.tf | 57 ... 71 | Instance does not have shielded VM integrity monitoring enabled. |
| AVD-GCP-0067 | WARNING | .terraform/modules/vpc/examples/basic_shared_vpc/main.tf | 75 ... 88 | Instance does not have shielded VM secure boot enabled. |
| AVD-GCP-0067 | WARNING | .terraform/modules/vpc/examples/basic_shared_vpc/main.tf | 57 ... 71 | Instance does not have shielded VM secure boot enabled. |
| AVD-GCP-0027 | ERROR | .terraform/modules/vpc/examples/firewall_logging/main.tf | 18 ... 33 | Firewall rule allows ingress traffic from multiple addresses on the public internet. |
| AVD-GCP-0030 | WARNING | .terraform/modules/vpc/examples/network_service_tiers/main.tf | 34 ... 50 | Instance allows use of project-level SSH keys. |
| AVD-GCP-0031 | ERROR | .terraform/modules/vpc/examples/network_service_tiers/main.tf | 46 ... 48 | Instance has a public IP allocated. |
| AVD-GCP-0041 | WARNING | .terraform/modules/vpc/examples/network_service_tiers/main.tf | 34 ... 50 | Instance does not have VTPM for shielded VMs enabled. |
| AVD-GCP-0045 | WARNING | .terraform/modules/vpc/examples/network_service_tiers/main.tf | 34 ... 50 | Instance does not have shielded VM integrity monitoring enabled. |
| AVD-GCP-0067 | WARNING | .terraform/modules/vpc/examples/network_service_tiers/main.tf | 34 ... 50 | Instance does not have shielded VM secure boot enabled. |
| AVD-GCP-0030 | WARNING | .terraform/modules/vpc/examples/packet_mirroring/main.tf | 17 ... 33 | Instance allows use of project-level SSH keys. |
| AVD-GCP-0041 | WARNING | .terraform/modules/vpc/examples/packet_mirroring/main.tf | 17 ... 33 | Instance does not have VTPM for shielded VMs enabled. |
| AVD-GCP-0045 | WARNING | .terraform/modules/vpc/examples/packet_mirroring/main.tf | 17 ... 33 | Instance does not have shielded VM integrity monitoring enabled. |
| AVD-GCP-0067 | WARNING | .terraform/modules/vpc/examples/packet_mirroring/main.tf | 17 ... 33 | Instance does not have shielded VM secure boot enabled. |
| AVD-GCP-0027 | ERROR | .terraform/modules/vpc/modules/fabric-net-firewall/main.tf | 90 ... 90 | Firewall rule allows ingress traffic from multiple addresses on the public internet. |
| AVD-GCP-0027 | ERROR | .terraform/modules/vpc/modules/fabric-net-firewall/main.tf | 105 ... 105 | Firewall rule allows ingress traffic from multiple addresses on the public internet. |
| AVD-GCP-0027 | ERROR | .terraform/modules/vpc/modules/fabric-net-firewall/main.tf | 75 ... 75 | Firewall rule allows ingress traffic from multiple addresses on the public internet. |
| AVD-GCP-0011 | WARNING | .terraform/modules/vpc/test/setup/iam.tf | 41 ... 41 | Service account access is granted to a user at project level. |
@rochana-atapattu rochana-atapattu added the bug Something isn't working label Apr 20, 2024
@suzuki-shunsuke
Owner

If you want to ignore .terraform, I think you can use .trivyignore.

Hmm. The crash of reviewdog is an issue of reviewdog.
But it's good for tfaction to handle the issue.

@suzuki-shunsuke suzuki-shunsuke removed the bug Something isn't working label Apr 20, 2024
@rochana-atapattu
Contributor Author

> If you want to ignore .terraform, I think you can use .trivyignore.

It would be nice to actually get issues related to the modules we depend on. I guess until trivy comes up with a solution I'll have to ignore the .terraform dir.

> Hmm. The crash of reviewdog is an issue of reviewdog.
> But it's good for tfaction to handle the issue.

Yeah, it can be confusing whether it's an issue with trivy or reviewdog otherwise.

Thank you for the feedback.
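The middle ground this thread is looking for (keep findings in the modules you actually instantiate, drop the ones from their bundled examples and tests, and stop a severity filter from hiding MEDIUM findings in your own code) can be done as a triage step on Trivy's JSON report before anything reaches reviewdog. The script below is an added example, not code from tfaction, trivy or reviewdog. It assumes the layout of `trivy config --format json` output (a `Results` list whose entries carry `Target` and a `Misconfigurations` list with `ID`, `Severity`, `Message` and `CauseMetadata.StartLine`); the sample report is constructed from paths and rule IDs shown in the issue, with made-up severities, since the tables above only show reviewdog's ERROR/WARNING levels.

```python
"""Triage Trivy misconfiguration findings from a Terraform scan.

Added example, not code from tfaction, trivy or reviewdog. Assumes the
layout of `trivy config --format json` output: a top-level "Results" list
whose entries carry "Target" (file path) and a "Misconfigurations" list
with "ID", "Severity", "Message" and "CauseMetadata" {"StartLine", ...}.
"""
import json
import sys
from collections import Counter

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Directories inside a vendored module that hold sample and test code the
# root configuration never instantiates; findings there are noise here.
NOISE_DIRS = {"examples", "example", "test", "tests", "codelabs"}


def classify(path: str) -> str:
    """Bucket a finding by where its file lives.

    first_party    - the repository's own .tf files (never filtered)
    vendored       - code of a module pulled into .terraform that the root
                     configuration instantiates
    vendored_noise - examples/tests/codelabs shipped inside that module
    """
    parts = path.replace("\\", "/").split("/")
    if ".terraform" not in parts:
        return "first_party"
    inside_module = parts[parts.index(".terraform") + 1:]
    if NOISE_DIRS.intersection(inside_module):
        return "vendored_noise"
    return "vendored"


def triage(report: dict, vendored_min_severity: str = "HIGH") -> dict:
    """Split a Trivy JSON report into buckets.

    First-party findings are always kept. Vendored module code keeps only
    findings at or above `vendored_min_severity`; the rest land in
    "suppressed" so the filter's effect stays visible in the summary.
    """
    buckets = {"first_party": [], "vendored": [], "vendored_noise": [], "suppressed": []}
    floor = SEVERITY_RANK[vendored_min_severity.upper()]
    for result in report.get("Results", []):
        target = result.get("Target", "")
        kind = classify(target)
        for m in result.get("Misconfigurations", []):
            finding = {
                "id": m["ID"],
                "severity": m.get("Severity", "UNKNOWN"),
                "path": target,
                "line": m.get("CauseMetadata", {}).get("StartLine"),
                "message": m.get("Message", ""),
            }
            if kind == "vendored" and SEVERITY_RANK.get(finding["severity"], 0) < floor:
                buckets["suppressed"].append(finding)
            else:
                buckets[kind].append(finding)
    return buckets


def summarize(buckets: dict) -> dict:
    """Count findings per rule ID in each bucket."""
    return {name: Counter(f["id"] for f in fs) for name, fs in buckets.items()}


def render(buckets: dict) -> str:
    """One line per reportable finding (first-party and vendored), plus what was dropped."""
    lines = []
    for name in ("first_party", "vendored"):
        for f in buckets[name]:
            lines.append(f"{name:12} {f['severity']:8} {f['id']} {f['path']}:{f['line']} {f['message']}")
    counts = summarize(buckets)
    lines.append("dropped as vendored examples/tests: %d, below severity floor: %d"
                 % (sum(counts["vendored_noise"].values()), sum(counts["suppressed"].values())))
    return "\n".join(lines)


# Constructed sample: paths and rule IDs come from the issue; severities are made up.
SAMPLE_REPORT = {"Results": [
    {"Target": "main.tf", "Misconfigurations": [
        {"ID": "AVD-GCP-0013", "Severity": "MEDIUM", "Message": "Managed zone does not have DNSSEC enabled.",
         "CauseMetadata": {"StartLine": 12, "EndLine": 20}}]},
    {"Target": ".terraform/modules/vpc/modules/fabric-net-firewall/main.tf", "Misconfigurations": [
        {"ID": "AVD-GCP-0027", "Severity": "HIGH",
         "Message": "Firewall rule allows ingress traffic from multiple addresses on the public internet.",
         "CauseMetadata": {"StartLine": 75, "EndLine": 75}}]},
    {"Target": ".terraform/modules/private-gcr-io/main.tf", "Misconfigurations": [
        {"ID": "AVD-GCP-0013", "Severity": "MEDIUM", "Message": "Managed zone does not have DNSSEC enabled.",
         "CauseMetadata": {"StartLine": 104, "EndLine": 140}}]},
    {"Target": ".terraform/modules/vpc/test/setup/iam.tf", "Misconfigurations": [
        {"ID": "AVD-GCP-0011", "Severity": "MEDIUM",
         "Message": "Service account access is granted to a user at project level.",
         "CauseMetadata": {"StartLine": 41, "EndLine": 41}}]},
    {"Target": ".terraform/modules/subnet-cloud-nat/examples/nat_with_gke/main.tf", "Misconfigurations": [
        {"ID": "AVD-GCP-0048", "Severity": "HIGH", "Message": "Cluster has legacy metadata endpoints enabled.",
         "CauseMetadata": {"StartLine": 36, "EndLine": 52}}]},
]}

if __name__ == "__main__":
    # Usage: trivy config --format json -o report.json . && python triage.py report.json
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    print(render(triage(data)))
```

On the constructed sample this reports the MEDIUM finding in `main.tf` and the HIGH finding in the instantiated `fabric-net-firewall` submodule, drops the two findings from `test/` and `examples/` directories, and counts the MEDIUM DNSSEC finding in `private-gcr-io` as suppressed by the floor rather than silently losing it. A blanket `severity:` list in trivy.yaml, by contrast, applies the same floor to first-party code.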
