-
Notifications
You must be signed in to change notification settings - Fork 2.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(terraform): recursively detect all Root Modules #4457
Conversation
It'll take me a lot more time to learn the test setup in this repo, so I'm hoping to get some positive feedback from a maintainer first before spending more time making tests and docs to complete this PR. |
Thanks I'll take a look at it. |
Signed-off-by: Simar <simar@linux.com>
Signed-off-by: Simar <simar@linux.com>
Thanks for the PR again, I had some time to work on this finally and I think your suggestion to add another feature flag makes sense for two reasons:
Therefore, I've added a command line flag Before$ tree ./Bug2
./Bug2
├── empty.tf
└── test
└── main.tf
1 directory, 2 files
$ trivy config ./Bug2
2023-05-24T18:19:47.948-0600 INFO Misconfiguration scanning is enabled
2023-05-24T18:19:48.451-0600 INFO Detected config files: 0
After$ trivy config --scan-all-dirs ./Bug2
2023-05-24T18:20:06.131-0600 INFO Misconfiguration scanning is enabled
2023-05-24T18:20:06.626-0600 INFO Detected config files: 1
test/main.tf (terraform)
Tests: 10 (SUCCESSES: 1, FAILURES: 9, EXCEPTIONS: 0)
Failures: 9 (UNKNOWN: 0, LOW: 1, MEDIUM: 2, HIGH: 6, CRITICAL: 0)
<snip> |
Coming from |
Can someone please clarify this for me -- maybe @jof -- from what I understood
Separately, thank you for taking initiative on this and contributing :) |
Thank you for having a proper look at this @simar7 and @AnaisUrlichs -- it is really appreciated. I have a similar perspective as @reedloden -- coming from tfsec/defsec to Trivy/defsec, this feels like a regression in user experience and expectations. For example, in one of our internal repos:
Some points of clarification:
Addressing each of @AnaisUrlichs's questions:
Something like this. Without this option set, defsec does something like a breadth-first search for Terraform Root Modules. Once it finds any Terraform Root Modules at a layer of depth, it stops descending into deeper subdirectories. This probably works just fine for simple cases where there is a single Terraform Root Module, or there is one repo per-Root Module, but fails in moderately complex environments with multiple Terraform Root Modules in a single repo. Ideally we want to point Trivy's Config scanning at a directory, and have it examine everything inside of that directory.
This is a better question for @simar7; I think any option for this should only be needed in Trivy Config scanning contexts when the Terraform scanner is used.
I feel like the docs changes will depend on what we decide about making this a default option or not. But regardless, we should describe in the docs how the |
To summarize:
As for 1) this option is only used within terraform https://github.com/aquasecurity/trivy/pull/4457/files#diff-50dbe9b7496c81601826d673eea9cf88d33170ff79be2ca201032a187adc5219R255-R256 – I am not sure why the generated markdowns include changes for other subcommands as well. @knqyf263 would you know why that's the case? As for 2) I'm open to changing it, but in my opinion this will be a breaking change as for the reasons I mentioned above. @itaysk and @knqyf263 any thoughts? |
Ah, I didn't realize those documentation files were auto-generated. It makes some sense then, that it might reflect an option being defined for all config scans into all of those docs contexts. Could we clarify what a "breaking change" is? While I would advocate for this recursive Terraform scanning becoming a new default, the outcome is not super important to me: I only care that we can enable this recursive scanning through GitHub Actions (whether as a new default that comes with a Trivy/trivy-action release, or with an added option that we pass into the job spec) |
I was curious to explore how/why this regressed (IMO) from I still feel like the changes in here appear to do the right thing, but now I'm having some doubts about my approach and could use some more debugger time (or original author perspective) to figure out why the behavior is different between the tools. |
The flag group is also used for other subcommands having the functionality to detect misconfigurations. trivy/pkg/flag/misconf_flags.go Lines 60 to 72 in aeae031
You've got to explicitly disable it in irrelevant subcommands if it is unneeded. Line 332 in 2d8d63e
If it is a regression, it is just a bug fix. I don't think it's a breaking change. I'd vote for changing the default behavior. Actually, I expected any reason to change the behavior in tfsec, and blamed commits, but didn't find any clue. Looks like it is simply a regression. |
Signed-off-by: Simar <simar@linux.com>
Signed-off-by: Simar <simar@linux.com>
a3a30b6
to
e107620
Compare
Fair enough, I've changed the behaviour to be true by default now. @knqyf263 could you take another look at reviewing this? |
pkg/flag/misconf_flags.go
Outdated
ScanAllDirsFlag = Flag{ | ||
Name: "scan-all-dirs", | ||
ConfigName: "misconfiguration.scan-all-dirs", | ||
Value: true, | ||
Usage: "scan all dirs recursively", | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Another question: do we need the flag? We can just change the default behavior and add this flag when someone complains about it. I'm wondering if almost all users want to enable it. Please correct me if I'm wrong.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fair enough. I left it in since at least having the ability to keep the behaviour that exists today, is guaranteed with such a flag. This would at least give users the time to fix all the issues before their pipeline is operational again.
I'll remove it for now as you mentioned.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This would at least give users the time to fix all the issues before their pipeline is operational again
It also makes sense. We can probably explain that Trivy had a bug on Terraform scanning and didn't work well. They can keep using older versions until they fix issues.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1 for just making this the default -- it really feels like the right thing for the tool.
Signed-off-by: Simar <simar@linux.com> Signed-off-by: Simar <simar@linux.com>
Thanks for merging this in. Making this change and putting it as default really feels like the right thing for the tool to do. After a bit more testing and debugger time, I couldn't reproduce a simpler test case with tfsec, so I think my last comment might have been a bit of a distraction. |
Signed-off-by: Simar <simar@linux.com> Co-authored-by: Simar <simar@linux.com>
Addreses #4463
Description
This forces
trivy
to use defsec to recursively scan for all Terraform Root Modules.This fixes some immediate issues and sets a new default.
This defsec scanner option could also make sense as a CLI option, conditionally enabled by Trivy.
Checklist