Terrascan does not exit with error code in pipeline or CLI #950

Closed
stefangreim opened this issue Jul 28, 2021 · 4 comments · Fixed by #994

@stefangreim

  • terrascan version: v1.8.1
  • Operating System: ubuntu:latest (21.10) docker

Description

I want to execute terrascan in a gitlab pipeline. I noticed that terrascan was not able to clone the relevant terraform modules, but instead of exiting the pipeline, the job succeeded.
My first guess was that I was losing the exit code due to a pipe in my command. But after some tests it is clear that this is not the case but exit code 0 is returned.
I have tested the following errors:

  • git repo could not be cloned (authentication error, occurred because of a wrong config on my side).
  • Scan of an empty directory (easier to test)

echo $? returns 0 in both cases and the pipeline reports "Job succeeded" although no proper scan took place.
I would have expected anything other than 0 to be returned in case of an error. Is there anything I can do to react to such errors?

What I Did

terrascan scan

2021-07-27T18:51:15.631Z	error	downloader/getter.go:105	failed to download "git::ssh://<<my-internal-module>>". error: 'error downloading 'ssh://git@<<my-internal-module>>': /usr/bin/git exited with 128: Cloning into '/tmp/7mj7ng'...
Host key verification failed.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
'
2021-07-27T18:51:15.750Z	error	utils/dir.go:49	directory  does not exist.
2021-07-27T18:51:15.754Z	warn	commons/load-dir.go:128	failed to build unified config. errors:
<nil>: Failed to read module directory; Module directory  does not exist or cannot be read.
<nil>: Failed to read module directory; Module directory  does not exist or cannot be read.
{
  "results": {
    "scan_errors": [
      {
        "iac_type": "terraform",
        "directory": "/tmp/core/config",
        "errMsg": "directory '/tmp/core/config' has no terraform config files"
      },
      {
        "iac_type": "terraform",
        "directory": "/tmp/core/docs",
        "errMsg": "directory '/tmp/core/docs' has no terraform config files"
      },
      {
        "iac_type": "terraform",
        "directory": "/tmp/core/kubernetes",
        "errMsg": "directory '/tmp/core/kubernetes' has no terraform config files"
      },
      {
        "iac_type": "terraform",
        "directory": "/tmp/core",
        "errMsg": "failed to build unified config. errors:\n\u003cnil\u003e: Failed to read module directory; Module directory  does not exist or cannot be read.\n\u003cnil\u003e: Failed to read module directory; Module directory  does not exist or cannot be read.\n"
      }
    ],
    "violations": null,
    "skipped_violations": null,
    "scan_summary": {
      "file/folder": "/tmp/core",
      "iac_type": "terraform",
      "scanned_at": "2021-07-27 18:51:17.230625175 +0000 UTC",
      "policies_validated": 757,
      "violated_policies": 0,
      "low": 0,
      "medium": 0,
      "high": 0
    }
  }
}

echo $?
0

or, easier for testing (in an empty directory):

root@ec3525e0c8b7:/# terrascan scan
2021-07-27T16:43:18.324-0100    error   utils/path.go:85        error encountered traversing directories{base path 15 0 / <nil>} {error 26 0  lstat /proc/3069/fd/6: no such file or directory}
2021-07-27T16:43:18.331-0100    error   utils/path.go:85        error encountered traversing directories{base path 15 0 / <nil>} {error 26 0  lstat /proc/3069/fd/6: no such file or directory}
2021-07-27T16:43:18.332-0100    error   utils/path.go:85        error encountered traversing directories{base path 15 0 / <nil>} {error 26 0  lstat /proc/3069/fd/6: no such file or directory}
2021-07-27T16:43:18.337-0100    error   utils/path.go:85        error encountered traversing directories{base path 15 0 / <nil>} {error 26 0  lstat /proc/3069/fd/6: no such file or directory}


Scan Summary -

        File/Folder         :   /
        IaC Type            :   all
        Scanned At          :   2021-07-27 17:43:19.6930941 +0000 UTC
        Policies Validated  :   757
        Violated Policies   :   0
        Low                 :   0
        Medium              :   0
        High                :   0
root@ec3525e0c8b7:/# echo $?
0
@patilpankaj212
Contributor

Hello @stefangreim,

Thanks for reporting this issue.

Terrascan exits with a non-zero exit code (exit code 3) when there are violations found in the scan. In the example you have shared, since there were no violations, the exit code is zero.

By default, when a directory scan is initiated, terrascan scans with all iac types it supports and doesn't exit when an error occurs in an iac provider. Instead, the errors are collected and reported in the scan summary.

@stefangreim
Author

Hello @patilpankaj212,

Thanks for the answer!

Ok, that means if no violations occur but another error occurs during the scan (e.g. something could not be cloned), the exit code is equal to 0. Correct?
I can't imagine that this behavior is desired in a pipeline.

But as a workaround I could write the scan results to a file and check them for errors...
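
The workaround mentioned in the comment above (write the scan results to a file and check them for errors), as an added example that is not part of the thread or of terrascan. It assumes the report was written as JSON (for instance with `terrascan scan -o json`); the names `gate` and `tolerated` and the exit codes 4 and 5 are hypothetical.

```python
import json
import sys

# 3 is the violations exit code named in the maintainer's reply; 4 and 5 are
# values chosen for this example, not terrascan exit codes.
EXIT_OK, EXIT_VIOLATIONS, EXIT_SCAN_ERROR, EXIT_BAD_REPORT = 0, 3, 4, 5


def gate(report_text, tolerated=()):
    """Map a terrascan JSON report to (exit_code, reasons), failing closed.

    tolerated: errMsg substrings the pipeline owner accepts, e.g. sub-directories
    without terraform files. Empty by default, so every scan error fails the job.
    """
    try:
        results = json.loads(report_text)["results"]
    except (ValueError, KeyError, TypeError):
        return EXIT_BAD_REPORT, ["output is not a terrascan JSON report"]
    if not isinstance(results, dict):
        return EXIT_BAD_REPORT, ["'results' is missing or empty"]

    errors = []
    for e in results.get("scan_errors") or []:  # key may be null or absent
        msg = (e.get("errMsg") or "").strip()
        if not any(t in msg for t in tolerated):
            errors.append(f"{e.get('directory')}: {msg}")
    if errors:
        return EXIT_SCAN_ERROR, errors  # an incomplete scan outranks any findings
    violations = results.get("violations") or []
    if violations:
        return EXIT_VIOLATIONS, [f"{len(violations)} violation(s)"]
    return EXIT_OK, []


# Constructed sample, trimmed from the report quoted in the issue.
SAMPLE = json.dumps({"results": {
    "scan_errors": [
        {"iac_type": "terraform", "directory": "/tmp/core/docs",
         "errMsg": "directory '/tmp/core/docs' has no terraform config files"},
        {"iac_type": "terraform", "directory": "/tmp/core",
         "errMsg": "failed to build unified config. errors:\n<nil>: Failed to read "
                   "module directory; Module directory  does not exist or cannot be read.\n"},
    ],
    "violations": None, "skipped_violations": None,
    "scan_summary": {"violated_policies": 0}}})

if __name__ == "__main__":
    # Usage: python gate.py report.json   (with no argument, runs on SAMPLE)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    code, reasons = gate(text)
    for reason in reasons:
        print(f"terrascan gate: {reason}", file=sys.stderr)
    sys.exit(code)
```

Run as the step after the scan, the script's exit status fails the job when the report carries scan errors or is not parseable at all, even though the scan command itself returned 0.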

@patilpankaj212
Contributor

Hello @stefangreim,

We will fix the behaviour for the scenario where scan errors exist in the scan summary.

Thanks.

@stefangreim
Author

stefangreim commented Jul 30, 2021

Hello @patilpankaj212,

that's great news.

Thank you very much!
