Terraform Trivy scan not detecting all misconfigurations

[nbs-devops]

Description

I have a large Terraform configuration that uses a combination of local modules and remote modules in a private git repo. Trivy is able to correctly detect misconfigurations up to a certain point. Then, when additional module calls are added, the number of vulnerabilities decreases, even when there is no link between the new and existing modules.

When I scan my entire configuration with tfsec, it reports 19 misconfigurations. Then when I scan with trivy returns only 2 misconfigurations.

Are there any limitations of Trivy that I could be missing? For example a limit on the number of resources that can be scanned?

Desired Behavior

Trivy reports all expected misconfigurations

Actual Behavior

Trivy does not report all expected misconfigurations

Reproduction Steps

It's difficult to provide my Terraform configuration here given its size.

When I run the following command 19 misconfigurations are reported
- tfsec ./ --format lovely,junit --out ./tfsecoutput --tfvars-file dev.tfvars

When I run the following command only 2 misconfigurations are reported
- trivy fs ./ --scanners vuln,misconfig,secret,license --tf-vars dev.tfvars --debug

If I run the trivy command against a subset of my configuration, it detects some misconfigurations correctly. Then, when I re-add module calls to the configuration 1 by 1 and re-run trivy, the number of misconfigurations goes down despite no link between the modules.

Target

Filesystem

Scanner

Misconfiguration

Output Format

None

Mode

Standalone

Debug Output

Ideally do not want to provide this but can consider if absolutely necessary.

Operating System

Windows 11 & Ubuntu 20.04

Version

Version: 0.51.2

Checklist

• Run trivy image --reset
• Read the troubleshooting

[nikpivkin]

Hi @nbs-devops !

Many fixes and improvements have been made to Trivy, so the number of detected misconfigurations may vary. You say that unrelated resources affect each other, how did you detect this? Can you give a minimally reproducible example?

[nbs-devops]

Hey @nikpivkin, for example we have an unmodified copy of this VPC git repo stored privately. Trivy would correctly report that VPC Flow Logs are not used. However when we add a call to this Route53 repo (again, copied, unmodified and stored privately), Trivy stops reporting the original VPC Flow Logs issue. There's nothing in here that would enable VPC Flow Logs.

It feels like when the configuration gets beyond a certain size, the number of misconfigurations detected decreases. Will pull together a reproducible example and get back to you - apologies I haven't given much to go off so far.