Cannot get custom checks for Terraform config to work (misconfiguration, rego)

[ricardo-kh]

Question

Hi! 👋🏻

I'm migrating from tfsec to trivy. Unfortunately I hit a snag when trying to convert our custom checks. We use these checks to limit which resources can be used in a Terraform configuration. Based on HCL "code", not based on a Terraform plan.

Since I'm new to Rego I decided to simplify things and first get my checks to work with conftest. I got that to work and it gave me some confidence about being on the right path with Rego.

But I simply don't know how to get these checks to work with trivy.

This is my example:

I have this policy (deny.rego):

# METADATA
# title: "Creating a key for a service account"
# description: "..."
# url: https://example.com
# schemas:
#   - input: schema["cloud"]
# custom:
#   id: creating_key_for_service_account
#   severity: HIGH
#   recommmended_actions: "..."
#   input:
#     selector:
#     - type: terraform
package custom.creating_key_for_service_account

deny[msg] {
    some type
    resource := input.resource[type]
    type == "google_service_account_key"
    msg = sprintf("Creating a key for a service account: %v", [type])
}

and this Terraform config (main.tf):

resource "google_service_account" "myaccount" {
  account_id   = "myaccount"
  display_name = "My Service Account"
}

resource "google_service_account_key" "mykey" {
  service_account_id = google_service_account.myaccount.name
  public_key_type    = "TYPE_X509_PEM_FILE"
}

With conftest the config doesn't pass, as expected:

$ conftest test -p deny.rego --all-namespaces main.tf

FAIL - main.tf - custom.creating_key_for_service_account - Creating a key for a service account: google_service_account_key

When I try the same with trivy the config passes.
Therefore I checked with debugging output and could see that the rule doesn't adhere to the cloud schema.

$ trivy conf --trace --debug --policy deny.rego --policy-namespaces custom main.tf

2024-04-03T20:20:57.797+0200    DEBUG   [misconf] 20:57.797342000 terraform.scanner.rego           Error occurred while parsing: Users/ricardo/source/terraform-custom-checks/simplified/deny.rego, Users/ricardo/source/terraform-custom-checks/simplified/deny.rego:18: rego_type_error: undefined ref: input.resource[type]
        input.resource[type]
              ^
              have: "resource"
              want (one of): ["aws" "azure" "cloudstack" "digitalocean" "github" "google" "kubernetes" "nifcloud" "openstack" "oracle"]

But when I try to do something that is more or less in-line with that schema (using input.google.xxxx as found here and here, instead of input.resource.xxxx):

deny[msg] {
    some type
    resource := input.google.iam.organizations[type] # This is not a correct reference, but it does "trigger" schema parsing
    type == "google_service_account_key"
    msg = sprintf("Creating a key for a service account: %v", [type])
}

then I get: fatal error: stack overflow.

It looks like something similar has been reported before: #5865?

So my question is; how can I get custom checks for Terraform (HCL) to work?
Is it maybe possible to not use the cloud schema? And instead have a JSON input that is like what is used by conftest? Or maybe try something else?

Hopefully somebody can point me in the right direction.

Target

Filesystem

Scanner

Misconfiguration

Output Format

None

Mode

Standalone

Operating System

MacOS Sonoma 14.4.1

Version

Version: 0.50.1
Policy Bundle:
  Digest: sha256:cdff1bc8c97e4f5cd04782b057c00f5ea8cd81147a506ac4be76bef13710f2d3
  DownloadedAt: 2024-04-03 09:47:28.942338 +0000 UTC

[simar7]

hi you can always provide your own schema if that's what you want. The docs are here

As far as this custom check is concerned, what are you trying to do?

[ricardo-kh]

Hi @simar7, thanks for your reply!

hi you can always provide your own schema if that's what you want. The docs are here

Thanks, I did had a look at it but the thing I'm not sure about: will the schema dictate how the configuration files are parsed by trivy and thus the input within the Rego policy will have the structure as in the schema? Or will trivy always parse TF configuration as described in the cloud schema? And thus the cloud schema will have the function to make sure that the Rego policy only refers to items that have been defined in the schema? But I will read-up on the OPA documentation about schemas to see if I can find an answer on my question.

As far as this custom check is concerned, what are you trying to do?

In this case (the example I shared) a simple check is done to make sure that the google_service_account_key resource is not being used in configurations. Something we also limit on permission level, but this check is a nice to have for doing 'static analysis', thus warning before doing a terraform plan etc.

[ricardo-kh]

In attempt to get more insight in how the input looks like I created the following Rego policy file (deny.rego):

# METADATA
# title: "Trying to see what the input is"
# schemas:
#   - input: schema.input
# custom:
#   id: foo
#   severity: HIGH
#   input:
#     combine: true
package custom.foo

deny[res]{
  msg := sprintf("%v", [input])
  res := result.new(msg, input)
}

• using schema.input, to prevent stack-overflow when using schema["cloud"]
• combining files, in attempt to get everything in the input
• not limiting to any input selectors, in attempt to parse all files under ./

Running trivy conf --debug --policy deny.rego --policy-namespaces custom ./ gives the following output:

2024-04-04T15:18:46.944+0200    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-04-04T15:18:46.983+0200    DEBUG   cache dir:  /Users/ricardo/Library/Caches/trivy
2024-04-04T15:18:46.983+0200    INFO    Misconfiguration scanning is enabled
2024-04-04T15:18:46.984+0200    DEBUG   Policies successfully loaded from disk
2024-04-04T15:18:46.984+0200    DEBUG   Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-04-04T15:18:46.999+0200    DEBUG   The nuget packages directory couldn't be found. License search disabled
2024-04-04T15:18:47.010+0200    DEBUG   Walk the file tree rooted at '.' in series
2024-04-04T15:18:47.010+0200    DEBUG   Scanning Terraform files for misconfigurations...
2024-04-04T15:18:47.010+0200    DEBUG   [misconf] 18:47.010410000 terraform.scanner                Scanning [&{%!s(*mapfs.file=&{ [] {. 256 2147484096 {13941957032847175856 640440376 0x10d031140} <nil>} {{{0 0} {[] {} 0x14001ed30b0} map[main.tf:0x14001608c60 providers.tf:0x14001608c70 terraform.tf:0x14001608c80] 0}}}) .}] at '.'...
2024-04-04T15:18:47.012+0200    DEBUG   [misconf] 18:47.012345000 terraform.scanner.rego           Overriding filesystem for policies!
2024-04-04T15:18:47.053+0200    DEBUG   [misconf] 18:47.053655000 terraform.scanner.rego           Loaded 191 policies from disk.
2024-04-04T15:18:47.053+0200    DEBUG   [misconf] 18:47.053904000 terraform.scanner.rego           Overriding filesystem for data!
2024-04-04T15:18:47.306+0200    DEBUG   [misconf] 18:47.306249000 terraform.scanner.rego           WARNING: Module Users/ricardo/source/terraform-custom-checks/simplified/deny.rego has no input selectors - it will be loaded for all inputs!
2024-04-04T15:18:47.365+0200    DEBUG   [misconf] 18:47.365503000 terraform.parser.<root>          Setting project/module root to '.'
2024-04-04T15:18:47.365+0200    DEBUG   [misconf] 18:47.365538000 terraform.parser.<root>          Parsing FS from '.'
2024-04-04T15:18:47.365+0200    DEBUG   [misconf] 18:47.365579000 terraform.parser.<root>          Parsing 'main.tf'...
2024-04-04T15:18:47.367+0200    DEBUG   [misconf] 18:47.367454000 terraform.parser.<root>          Added file main.tf.
2024-04-04T15:18:47.367+0200    DEBUG   [misconf] 18:47.367465000 terraform.parser.<root>          Parsing 'providers.tf'...
2024-04-04T15:18:47.367+0200    DEBUG   [misconf] 18:47.367660000 terraform.parser.<root>          Added file providers.tf.
2024-04-04T15:18:47.367+0200    DEBUG   [misconf] 18:47.367670000 terraform.parser.<root>          Parsing 'terraform.tf'...
2024-04-04T15:18:47.367+0200    DEBUG   [misconf] 18:47.367850000 terraform.parser.<root>          Added file terraform.tf.
2024-04-04T15:18:47.368+0200    DEBUG   [misconf] 18:47.368234000 terraform.scanner                Scanning root module '.'...
2024-04-04T15:18:47.368+0200    DEBUG   [misconf] 18:47.368238000 terraform.parser.<root>          Setting project/module root to '.'
2024-04-04T15:18:47.368+0200    DEBUG   [misconf] 18:47.368240000 terraform.parser.<root>          Parsing FS from '.'
2024-04-04T15:18:47.368+0200    DEBUG   [misconf] 18:47.368251000 terraform.parser.<root>          Parsing 'main.tf'...
2024-04-04T15:18:47.368+0200    DEBUG   [misconf] 18:47.368301000 terraform.parser.<root>          Added file main.tf.
2024-04-04T15:18:47.368+0200    DEBUG   [misconf] 18:47.368307000 terraform.parser.<root>          Parsing 'providers.tf'...
2024-04-04T15:18:47.368+0200    DEBUG   [misconf] 18:47.368678000 terraform.parser.<root>          Added file providers.tf.
2024-04-04T15:18:47.368+0200    DEBUG   [misconf] 18:47.368684000 terraform.parser.<root>          Parsing 'terraform.tf'...
2024-04-04T15:18:47.368+0200    DEBUG   [misconf] 18:47.368718000 terraform.parser.<root>          Added file terraform.tf.
2024-04-04T15:18:47.368+0200    DEBUG   [misconf] 18:47.368722000 terraform.parser.<root>          Evaluating module...
2024-04-04T15:18:47.368+0200    DEBUG   [misconf] 18:47.368781000 terraform.parser.<root>          Read 4 block(s) and 0 ignore(s) for module 'root' (3 file[s])...
2024-04-04T15:18:47.368+0200    DEBUG   [misconf] 18:47.368789000 terraform.parser.<root>          Added 0 variables from tfvars.
2024-04-04T15:18:47.368+0200    DEBUG   [misconf] 18:47.368793000 terraform.parser.<root>          Error loading module metadata: open .terraform/modules/modules.json: file does not exist.
2024-04-04T15:18:47.368+0200    DEBUG   [misconf] 18:47.368802000 terraform.parser.<root>          Working directory for module evaluation is '/Users/ricardo/source/terraform-custom-checks/simplified'
2024-04-04T15:18:47.369+0200    DEBUG   [misconf] 18:47.369116000 terraform.parser.<root>.evaluator Filesystem key is '3c4fa0143f43a7e349d0b2276a694953d48151e09c9206b44ada31ccbcf39ad6'
2024-04-04T15:18:47.369+0200    DEBUG   [misconf] 18:47.369120000 terraform.parser.<root>.evaluator Starting module evaluation...
2024-04-04T15:18:47.369+0200    DEBUG   [misconf] 18:47.369256000 terraform.parser.<root>.evaluator Starting submodule evaluation...
2024-04-04T15:18:47.369+0200    DEBUG   [misconf] 18:47.369259000 terraform.parser.<root>.evaluator Finished processing 0 submodule(s).
2024-04-04T15:18:47.369+0200    DEBUG   [misconf] 18:47.369261000 terraform.parser.<root>.evaluator Starting post-submodule evaluation...
2024-04-04T15:18:47.369+0200    DEBUG   [misconf] 18:47.369319000 terraform.parser.<root>.evaluator Module evaluation complete.
2024-04-04T15:18:47.369+0200    DEBUG   [misconf] 18:47.369322000 terraform.parser.<root>          Finished parsing module 'root'.
2024-04-04T15:18:47.369+0200    DEBUG   [misconf] 18:47.369325000 terraform.executor               Adapting modules...
2024-04-04T15:18:47.371+0200    DEBUG   [misconf] 18:47.371133000 terraform.executor               Adapted 1 module(s) into defsec state data.
2024-04-04T15:18:47.371+0200    DEBUG   [misconf] 18:47.371142000 terraform.executor               Using max routines of 9
2024-04-04T15:18:47.371+0200    DEBUG   [misconf] 18:47.371144000 terraform.executor               Applying state modifier functions...
2024-04-04T15:18:47.371+0200    DEBUG   [misconf] 18:47.371502000 terraform.executor               Initialized 486 rule(s).
2024-04-04T15:18:47.371+0200    DEBUG   [misconf] 18:47.371506000 terraform.executor               Created pool with 9 worker(s) to apply rules.
2024-04-04T15:18:47.372+0200    DEBUG   [misconf] 18:47.372221000 terraform.scanner.rego           Scanning 1 inputs...
2024-04-04T15:18:47.379+0200    DEBUG   [misconf] 18:47.379972000 terraform.executor               Finished applying rules.
2024-04-04T15:18:47.379+0200    DEBUG   [misconf] 18:47.379995000 terraform.executor               Applying ignores...
2024-04-04T15:18:47.404+0200    DEBUG   OS is not detected.
2024-04-04T15:18:47.404+0200    INFO    Detected config files: 1
2024-04-04T15:18:47.404+0200    DEBUG   Scanned config file: .

. (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

HIGH: [{"contents": {"aws": {"config": {"configurationaggregrator": {"__defsec_metadata": {"endline": 0, "explicit": false, "filepath": "", "fskey": "", "managed": false, "resource": "", "sourceprefix": "", "startline": 0}, "sourceallregions": {"endline": 0, "explicit": false, "filepath": "", "fskey": "", "managed": false, "resource": "", "sourceprefix": "", "startline": 0, "value": false}}}, "iam": {"passwordpolicy": {"__defsec_metadata": {"endline": 0, "explicit": false, "filepath": "", "fskey": "", "managed": false, "resource": "", "sourceprefix": "", "startline": 0}, "maxagedays": {"endline": 0, "explicit": false, "filepath": "", "fskey": "", "managed": false, "resource": "", "sourceprefix": "", "startline": 0, "value": 9223372036854775807}, "minimumlength": {"endline": 0, "explicit": false, "filepath": "", "fskey": "", "managed": false, "resource": "", "sourceprefix": "", "startline": 0, "value": 0}, "requirelowercase": {"endline": 0, "explicit": false, "filepath": "", "fskey": "", "managed": false, "resource": "", "sourceprefix": "", "startline": 0, "value": false}, "requirenumbers": {"endline": 0, "explicit": false, "filepath": "", "fskey": "", "managed": false, "resource": "", "sourceprefix": "", "startline": 0, "value": false}, "requiresymbols": {"endline": 0, "explicit": false, "filepath": "", "fskey": "", "managed": false, "resource": "", "sourceprefix": "", "startline": 0, "value": false}, "requireuppercase": {"endline": 0, "explicit": false, "filepath": "", "fskey": "", "managed": false, "resource": "", "sourceprefix": "", "startline": 0, "value": false}, "reusepreventioncount": {"endline": 0, "explicit": false, "filepath": "", "fskey": "", "managed": false, "resource": "", "sourceprefix": "", "startline": 0, "value": 0}}}}, "azure": {"storage": {"accounts": [{"__defsec_metadata": {"endline": 0, "explicit": false, "filepath": "", "fskey": "", "managed": false, "resource": "", "sourceprefix": "", "startline": 0}, "enforcehttps": {"endline": 0, "explicit": false, "filepath": "", "fskey": "", "managed": false, "resource": "", "sourceprefix": "", "startline": 0, "value": false}, "minimumtlsversion": {"endline": 0, "explicit": false, "filepath": "", "fskey": "", "managed": false, "resource": "", "sourceprefix": "", "startline": 0, "value": ""}, "queueproperties": {"__defsec_metadata": {"endline": 0, "explicit": false, "filepath": "", "fskey": "", "managed": false, "resource": "", "sourceprefix": "", "startline": 0}, "enablelogging": {"endline": 0, "explicit": false, "filepath": "", "fskey": "", "managed": false, "resource": "", "sourceprefix": "", "startline": 0, "value": false}}}]}}, "google": {"compute": {"projectmetadata": {"__defsec_metadata": {"endline": 0, "explicit": false, "filepath": "", "fskey": "", "managed": false, "resource": "", "sourceprefix": "", "startline": 0}, "enableoslogin": {"endline": 0, "explicit": false, "filepath": "", "fskey": "", "managed": false, "resource": "", "sourceprefix": "", "startline": 0, "value": false}}}}}, "path": "."}]

Although multiple .tf files are being parsed according to the debug output, I don't see those in the combined input that is printed. But maybe I'm misunderstanding how combine works and it isn't to be expected in the printed JSON?

The main.tf file is the same as in my original message above.

[ricardo-kh]

I think I found out what is happening for my example. Why the JSON didn't contain expected data.

In my example main.tf I used resource "google_service_account".
But I think that this kind of resource is not recognized. That's at least my impression after browsing this code: https://github.com/aquasecurity/trivy-iac/tree/main/internal/adapters/terraform/google.

After adding something like resource "google_project_iam_member" to the main.tf I do see that the JSON includes GCP specific information.

Sharing my test setup for completeness:

deny.rego:

# METADATA
# title: "Trying to see what the input is"
# description: "Printing the complete input"
# custom:
#   id: foo
#   severity: HIGH
package custom.foo

deny[res]{
  msg := sprintf("%v", [input])
  res := result.new(msg, input)
}

main.tf:

resource "google_service_account" "myaccount" {
  account_id   = "myaccount"
  display_name = "My Service Account"
}

resource "google_service_account_key" "mykey" {
  service_account_id = google_service_account.myaccount.name
  public_key_type    = "TYPE_X509_PEM_FILE"
}

# Adding a resource that is known in https://github.com/aquasecurity/trivy-iac/tree/main/internal/adapters/terraform/google
resource "google_project_iam_member" "secret-accessor-on-project-level" {
  project = "your-project-id"
  role    = "roles/secretmanager.secretAccessor"
  member  = "serviceAccount:your-service@your-project-id.iam.gserviceaccount.com"
}

Command: trivy config --policy deny.rego --policy-namespaces custom main.tf

Output:

2024-04-05T21:45:58.710+0200    INFO    Misconfiguration scanning is enabled
2024-04-05T21:45:59.115+0200    INFO    Detected config files: 2

. (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

HIGH: {"aws": {"config": {"configurationaggregrator": {"__defsec_metadata": {"endline": 0, "explicit": false, "filepath": "", "fskey": "", "managed": false, "resource": "", "sourceprefix": "", "startline": 0}, "sourceallregions": {"endline": 0, "explicit": false, "filepath": "", "fskey": "", "managed": false, "resource": "", "sourceprefix": "", "startline": 0, "value": false}}}, "iam": {"passwordpolicy": {"__defsec_metadata": {"endline": 0, "explicit": false, "filepath": "", "fskey": "", "managed": false, "resource": "", "sourceprefix": "", "startline": 0}, "maxagedays": {"endline": 0, "explicit": false, "filepath": "", "fskey": "", "managed": false, "resource": "", "sourceprefix": "", "startline": 0, "value": 9223372036854775807}, "minimumlength": {"endline": 0, "explicit": false, "filepath": "", "fskey": "", "managed": false, "resource": "", "sourceprefix": "", "startline": 0, "value": 0}, "requirelowercase": {"endline": 0, "explicit": false, "filepath": "", "fskey": "", "managed": false, "resource": "", "sourceprefix": "", "startline": 0, "value": false}, "requirenumbers": {"endline": 0, "explicit": false, "filepath": "", "fskey": "", "managed": false, "resource": "", "sourceprefix": "", "startline": 0, "value": false}, "requiresymbols": {"endline": 0, "explicit": false, "filepath": "", "fskey": "", "managed": false, "resource": "", "sourceprefix": "", "startline": 0, "value": false}, "requireuppercase": {"endline": 0, "explicit": false, "filepath": "", "fskey": "", "managed": false, "resource": "", "sourceprefix": "", "startline": 0, "value": false}, "reusepreventioncount": {"endline": 0, "explicit": false, "filepath": "", "fskey": "", "managed": false, "resource": "", "sourceprefix": "", "startline": 0, "value": 0}}}}, "azure": {"storage": {"accounts": [{"__defsec_metadata": {"endline": 0, "explicit": false, "filepath": "", "fskey": "", "managed": false, "resource": "", "sourceprefix": "", "startline": 0}, "enforcehttps": {"endline": 0, "explicit": false, "filepath": "", "fskey": "", "managed": false, "resource": "", "sourceprefix": "", "startline": 0, "value": false}, "minimumtlsversion": {"endline": 0, "explicit": false, "filepath": "", "fskey": "", "managed": false, "resource": "", "sourceprefix": "", "startline": 0, "value": ""}, "queueproperties": {"__defsec_metadata": {"endline": 0, "explicit": false, "filepath": "", "fskey": "", "managed": false, "resource": "", "sourceprefix": "", "startline": 0}, "enablelogging": {"endline": 0, "explicit": false, "filepath": "", "fskey": "", "managed": false, "resource": "", "sourceprefix": "", "startline": 0, "value": false}}}]}}, "google": {"compute": {"projectmetadata": {"__defsec_metadata": {"endline": 0, "explicit": false, "filepath": "", "fskey": "", "managed": false, "resource": "", "sourceprefix": "", "startline": 0}, "enableoslogin": {"endline": 0, "explicit": false, "filepath": "", "fskey": "", "managed": false, "resource": "", "sourceprefix": "", "startline": 0, "value": false}}}, "iam": {"organizations": [{"__defsec_metadata": {"endline": 0, "explicit": false, "filepath": "", "fskey": "", "managed": false, "resource": "", "sourceprefix": "", "startline": 0}, "projects": [{"__defsec_metadata": {"endline": 0, "explicit": false, "filepath": "", "fskey": "", "managed": false, "resource": "", "sourceprefix": "", "startline": 0}, "autocreatenetwork": {"endline": 0, "explicit": false, "filepath": "", "fskey": "", "managed": false, "resource": "", "sourceprefix": "", "startline": 0, "value": false}, "members": [{"__defsec_metadata": {"endline": 16, "explicit": false, "filepath": "main.tf", "fskey": "0ddf873530312425476d20f604f6aa869bda36735bc2aefd7cb7c3d1d35d566c", "managed": true, "resource": "google_project_iam_member.secret-accessor-on-project-level", "sourceprefix": "", "startline": 12}, "defaultserviceaccount": {"endline": 16, "explicit": false, "filepath": "main.tf", "fskey": "0ddf873530312425476d20f604f6aa869bda36735bc2aefd7cb7c3d1d35d566c", "managed": true, "resource": "google_project_iam_member.secret-accessor-on-project-level", "sourceprefix": "", "startline": 12, "value": false}, "member": {"endline": 15, "explicit": true, "filepath": "main.tf", "fskey": "0ddf873530312425476d20f604f6aa869bda36735bc2aefd7cb7c3d1d35d566c", "managed": true, "parent": {"endline": 16, "explicit": false, "filepath": "main.tf", "fskey": "0ddf873530312425476d20f604f6aa869bda36735bc2aefd7cb7c3d1d35d566c", "managed": true, "resource": "google_project_iam_member.secret-accessor-on-project-level", "sourceprefix": "", "startline": 12}, "resource": "google_project_iam_member.secret-accessor-on-project-level.member", "sourceprefix": "", "startline": 15, "value": "serviceAccount:your-service@your-project-id.iam.gserviceaccount.com"}, "role": {"endline": 14, "explicit": true, "filepath": "main.tf", "fskey": "0ddf873530312425476d20f604f6aa869bda36735bc2aefd7cb7c3d1d35d566c", "managed": true, "parent": {"endline": 16, "explicit": false, "filepath": "main.tf", "fskey": "0ddf873530312425476d20f604f6aa869bda36735bc2aefd7cb7c3d1d35d566c", "managed": true, "resource": "google_project_iam_member.secret-accessor-on-project-level", "sourceprefix": "", "startline": 12}, "resource": "google_project_iam_member.secret-accessor-on-project-level.role", "sourceprefix": "", "startline": 14, "value": "roles/secretmanager.secretAccessor"}}]}]}]}}}

The printed JSON then contains data under google.iam.

[ricardo-kh]

This is off-topic from my original question. But it is an outcome of putting in some time and effort to get our custom checks to work with trivy.

Because I now have the feeling that the structure of the input (cloud.json) is limiting. As compored to how, for example, conftest provides input. Which seems to be a 1-on-1 conversion from HCL to JSON.

For me, referring to input.resource.google_project_iam_member feels more intuitive than input.google.iam.organizations.projects.members.

Is it perhaps also possible in trivy to have an input like conftest provides?

[simar7]

I understand but as I mentioned you can always specify a custom schema if you want. As for comparison with conftest, Trivy provides support for many IaC (e.g. CloudFormation, Azure ARM etc.) so making it specific to HCL isn't ideal.

[ricardo-kh]

Thanks for your replies! I'm going to close this discussion.