Issues running terrascan in azure pipelines

[BHeilemann]

• terrascan version: v1.6.0
• Operating System: ubuntu 20.04 => azure pipelines vmImage: ubuntu-latest

Description

Goal is to scan our terraform files for issues in azure pipelines (yaml pipeline).
We can run terrascan --help
We can't run terrascan init
We can't run terrescan scan
The logout put hints that there is a filesystem issue with getting terrascan policies.

What I Did

curl --location https://github.com/accurics/terrascan/releases/download/v1.6.0/terrascan_1.6.0_Linux_x86_64.tar.gz --output terrascan.tar.gz
tar -xvf terrascan.tar.gz
sudo install terrascan /usr/local/bin
terrascan scan -t azure -i terraform -d /home/vsts/work/1/s/infrastructure/development -o xml

Output of terrascan

terra init -l debug

	debug	cli/register.go:50	TERRASCAN_CONFIG:
	debug	config/config-reader.go:48	no config file specified
	debug	utils/policy.go:27	absolute rego_subdir path, `/home/vsts/work/1/s/pkg/policies/opa/rego`, does not fall under base repo path's `/home/vsts/.terrascan` directory structure
	debug	utils/policy.go:28	appending rego_subdir path: `pkg/policies/opa/rego` to the policy base path: `/home/vsts/.terrascan`. checking ...
	debug	config/global.go:116	global config loaded
	debug	initialize/run.go:39	initializing terrascan
	debug	initialize/run.go:68	downloading policies
	debug	initialize/run.go:70	base directory path : /home/vsts/.terrascan
	debug	initialize/run.go:71	policy directory path : /home/vsts/.terrascan/pkg/policies/opa/rego
	debug	initialize/run.go:72	policy repo url : https://github.com/accurics/terrascan.git
	debug	initialize/run.go:73	policy repo git branch : master
	debug	initialize/run.go:77	cloning terrascan repo at /home/vsts/.terrascan
fatal error: unexpected signal during runtime execution
[signal SIGSEGV: segmentation violation code=0x1 addr=0x63 pc=0x7fbeb430e5ca]

runtime stack:
runtime.throw(0x25cb3a3, 0x2a)
	/usr/lib/go-1.15/src/runtime/panic.go:1116 +0x72
runtime.sigpanic()
	/usr/lib/go-1.15/src/runtime/signal_unix.go:726 +0x4ac

terra scan

 fatal error: unexpected signal during runtime execution
 [signal SIGSEGV: segmentation violation code=0x1 addr=0x63 pc=0x7f716813c5ca]
 
 runtime stack:
 runtime.throw(0x25cb3a3, 0x2a)
 	/usr/lib/go-1.15/src/runtime/panic.go:1116 +0x72
 runtime.sigpanic()
 	/usr/lib/go-1.15/src/runtime/signal_unix.go:726 +0x4ac
 
 goroutine 11 [syscall]:
 runtime.cgocall(0x1efb9a0, 0xc000b5cdc0, 0xc0002421f8)
 	/usr/lib/go-1.15/src/runtime/cgocall.go:133 +0x5b fp=0xc000b5cd90 sp=0xc000b5cd58 pc=0x40b0db
 net._C2func_getaddrinfo(0xc000bc6e90, 0x0, 0xc000bc93b0, 0xc0002421f8, 0x0, 0x0, 0x0)
 	_cgo_gotypes.go:94 +0x55 fp=0xc000b5cdc0 sp=0xc000b5cd90 pc=0x607475
 net.cgoLookupIPCNAME.func1(0xc000bc6e90, 0xb, 0xb, 0xc000bc93b0, 0xc0002421f8, 0x0, 0xc000b5cea0, 0x60a992)
 	/usr/lib/go-1.15/src/net/cgo_unix.go:161 +0xc5 fp=0xc000b5ce08 sp=0xc000b5cdc0 pc=0x60d1e5
 net.cgoLookupIPCNAME(0x25777cc, 0x3, 0xc000bc6e70, 0xa, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
 	/usr/lib/go-1.15/src/net/cgo_unix.go:161 +0x16b fp=0xc000b5cf18 sp=0xc000b5ce08 pc=0x60898b
 net.cgoIPLookup(0xc000334600, 0x25777cc, 0x3, 0xc000bc6e70, 0xa)
 	/usr/lib/go-1.15/src/net/cgo_unix.go:218 +0x67 fp=0xc000b5cfb8 sp=0xc000b5cf18 pc=0x6090c7
 runtime.goexit()
 	/usr/lib/go-1.15/src/runtime/asm_amd64.s:1374 +0x1 fp=0xc000b5cfc0 sp=0xc000b5cfb8 pc=0x475ee1
 created by net.cgoLookupIP
 	/usr/lib/go-1.15/src/net/cgo_unix.go:228 +0xc7
 
 goroutine 1 [select]:
 net/http.(*Transport).getConn(0x397f1c0, 0xc000b84d80, 0x0, 0xc000b91180, 0x5, 0xc000bc6e70, 0xe, 0x0, 0x0, 0x0, ...)
 	/usr/lib/go-1.15/src/net/http/transport.go:1347 +0x5ac
 net/http.(*Transport).roundTrip(0x397f1c0, 0xc00017ad00, 0x30, 0x7f71683121c8, 0x150)
 	/usr/lib/go-1.15/src/net/http/transport.go:569 +0x77c
 net/http.(*Transport).RoundTrip(0x397f1c0, 0xc00017ad00, 0x397f1c0, 0x0, 0x0)
 	/usr/lib/go-1.15/src/net/http/roundtrip.go:17 +0x35
 net/http.send(0xc00017ad00, 0x28d1d80, 0x397f1c0, 0x0, 0x0, 0x0, 0xc0002421e0, 0x203000, 0x1, 0x0)
 	/usr/lib/go-1.15/src/net/http/client.go:252 +0x453
 net/http.(*Client).send(0x3a8b580, 0xc00017ad00, 0x0, 0x0, 0x0, 0xc0002421e0, 0x0, 0x1, 0x10)
 	/usr/lib/go-1.15/src/net/http/client.go:176 +0xff
 net/http.(*Client).do(0x3a8b580, 0xc00017ad00, 0x0, 0x0, 0x0)
 	/usr/lib/go-1.15/src/net/http/client.go:718 +0x45f
 net/http.(*Client).Do(...)
 	/usr/lib/go-1.15/src/net/http/client.go:586
 gopkg.in/src-d/go-git.v4/plumbing/transport/http.advertisedReferences(0xc000bc9230, 0x258a1fb, 0xf, 0x0, 0x0, 0x0)
 	/go/pkg/mod/gopkg.in/src-d/go-git.v4@v4.13.1/plumbing/transport/http/common.go:48 +0x24a
 gopkg.in/src-d/go-git.v4/plumbing/transport/http.(*upSession).AdvertisedReferences(0xc0002421c0, 0x29173c0, 0xc0002421c0, 0x7f7160dc4478)
 	/go/pkg/mod/gopkg.in/src-d/go-git.v4@v4.13.1/plumbing/transport/http/upload_pack.go:28 +0x45
 gopkg.in/src-d/go-git%2ev4.(*Remote).fetch(0xc0007964e0, 0x292d280, 0xc000130010, 0xc0006918c8, 0x0, 0x0, 0x0, 0x0)
 	/go/pkg/mod/gopkg.in/src-d/go-git.v4@v4.13.1/remote.go:296 +0x1e5
 gopkg.in/src-d/go-git%2ev4.(*Repository).fetchAndUpdateReferences(0xc000bc8f90, 0x292d280, 0xc000130010, 0xc0006918c8, 0x2577c15, 0x4, 0xc000bc8f60, 0xc000691928, 0xa24b19)
 	/go/pkg/mod/gopkg.in/src-d/go-git.v4@v4.13.1/repository.go:877 +0xc5
 gopkg.in/src-d/go-git%2ev4.(*Repository).clone(0xc000bc8f90, 0x292d280, 0xc000130010, 0xc000691b80, 0x0, 0x0)
 	/go/pkg/mod/gopkg.in/src-d/go-git.v4@v4.13.1/repository.go:744 +0x291
 gopkg.in/src-d/go-git%2ev4.PlainCloneContext(0x292d280, 0xc000130010, 0xc000132660, 0x15, 0xc000691a00, 0xc000691b80, 0x1, 0x0, 0x0)
 	/go/pkg/mod/gopkg.in/src-d/go-git.v4@v4.13.1/repository.go:360 +0xcc
 gopkg.in/src-d/go-git%2ev4.PlainClone(...)
 	/go/pkg/mod/gopkg.in/src-d/go-git.v4@v4.13.1/repository.go:336
 github.com/accurics/terrascan/pkg/initialize.DownloadPolicies(0x26032c0, 0x45)
 	/go/src/github.com/accurics/terrascan/pkg/initialize/run.go:80 +0x4e5
 github.com/accurics/terrascan/pkg/initialize.Run(0x1, 0x0, 0xc0000cdc98)
 	/go/src/github.com/accurics/terrascan/pkg/initialize/run.go:53 +0xfd
 github.com/accurics/terrascan/pkg/cli.initial(0x3981480, 0xc000179880, 0x0, 0x8, 0x1, 0x1, 0xc000011170)
 	/go/src/github.com/accurics/terrascan/pkg/cli/init.go:41 +0x31
 github.com/accurics/terrascan/pkg/cli.glob..func2(0x3981480, 0xc000179880, 0x0, 0x8, 0x0, 0x0)
 	/go/src/github.com/accurics/terrascan/pkg/cli/scan.go:39 +0x4e
 github.com/spf13/cobra.(*Command).execute(0x3981480, 0xc000179800, 0x8, 0x8, 0x3981480, 0xc000179800)
 	/go/pkg/mod/github.com/spf13/cobra@v1.1.1/command.go:839 +0x530
 github.com/spf13/cobra.(*Command).ExecuteC(0x39811e0, 0x3acee58, 0x0, 0x0)
 	/go/pkg/mod/github.com/spf13/cobra@v1.1.1/command.go:958 +0x375
 github.com/spf13/cobra.(*Command).Execute(...)
 	/go/pkg/mod/github.com/spf13/cobra@v1.1.1/command.go:895
 github.com/accurics/terrascan/pkg/cli.Execute()
 	/go/src/github.com/accurics/terrascan/pkg/cli/register.go:79 +0x3dd
 main.main()
 	/go/src/github.com/accurics/terrascan/cmd/terrascan/main.go:22 +0x25
 
 goroutine 19 [select]:
 go.opencensus.io/stats/view.(*worker).start(0xc000178480)
 	/go/pkg/mod/go.opencensus.io@v0.22.4/stats/view/worker.go:276 +0x105
 created by go.opencensus.io/stats/view.init.0
 	/go/pkg/mod/go.opencensus.io@v0.22.4/stats/view/worker.go:34 +0x68
 
 goroutine 21 [chan receive]:
 k8s.io/klog/v2.(*loggingT).flushDaemon(0x3a8c2c0)
 	/go/pkg/mod/k8s.io/klog/v2@v2.2.0/klog.go:1131 +0x8b
 created by k8s.io/klog/v2.init.0
 	/go/pkg/mod/k8s.io/klog/v2@v2.2.0/klog.go:416 +0xd8
 
 goroutine 26 [IO wait]:
 internal/poll.runtime_pollWait(0x7f71684c9298, 0x72, 0x28d5240)
 	/usr/lib/go-1.15/src/runtime/netpoll.go:222 +0x55
 internal/poll.(*pollDesc).wait(0xc000179a18, 0x72, 0x28d5200, 0x398f738, 0x0)
 	/usr/lib/go-1.15/src/internal/poll/fd_poll_runtime.go:87 +0x45
 internal/poll.(*pollDesc).waitRead(...)
 	/usr/lib/go-1.15/src/internal/poll/fd_poll_runtime.go:92
 internal/poll.(*FD).Read(0xc000179a00, 0xc0000f8000, 0x12a3, 0x12a3, 0x0, 0x0, 0x0)
 	/usr/lib/go-1.15/src/internal/poll/fd_unix.go:159 +0x1a5
 net.(*netFD).Read(0xc000179a00, 0xc0000f8000, 0x12a3, 0x12a3, 0x203000, 0xc, 0xc0000f8af5)
 	/usr/lib/go-1.15/src/net/fd_posix.go:55 +0x4f
 net.(*conn).Read(0xc000242010, 0xc0000f8000, 0x12a3, 0x12a3, 0x0, 0x0, 0x0)
 	/usr/lib/go-1.15/src/net/net.go:182 +0x8e
 crypto/tls.(*atLeastReader).Read(0xc000bc3f80, 0xc0000f8000, 0x12a3, 0x12a3, 0x7ae, 0xc0000f8af0, 0xc000353730)
 	/usr/lib/go-1.15/src/crypto/tls/conn.go:779 +0x62
 bytes.(*Buffer).ReadFrom(0xc0000e4280, 0x28ce360, 0xc000bc3f80, 0x412ca5, 0x22bd500, 0x24eb9c0)
 	/usr/lib/go-1.15/src/bytes/buffer.go:204 +0xb1
 crypto/tls.(*Conn).readFromUntil(0xc0000e4000, 0x28d1cc0, 0xc000242010, 0x5, 0xc000242010, 0xc0000f8af5)
 	/usr/lib/go-1.15/src/crypto/tls/conn.go:801 +0xf3
 crypto/tls.(*Conn).readRecordOrCCS(0xc0000e4000, 0x0, 0x0, 0xc000353d38)
 	/usr/lib/go-1.15/src/crypto/tls/conn.go:608 +0x115
 crypto/tls.(*Conn).readRecord(...)
 	/usr/lib/go-1.15/src/crypto/tls/conn.go:576
 crypto/tls.(*Conn).Read(0xc0000e4000, 0xc0004ff000, 0x1000, 0x1000, 0x0, 0x0, 0x0)
 	/usr/lib/go-1.15/src/crypto/tls/conn.go:1252 +0x15f
 bufio.(*Reader).Read(0xc000039ec0, 0xc000b86f18, 0x9, 0x9, 0xc000353d38, 0x267c000, 0x710eeb)
 	/usr/lib/go-1.15/src/bufio/bufio.go:227 +0x222
 io.ReadAtLeast(0x28ce0e0, 0xc000039ec0, 0xc000b86f18, 0x9, 0x9, 0x9, 0xc000112050, 0x0, 0x28ce600)
 	/usr/lib/go-1.15/src/io/io.go:314 +0x87
 io.ReadFull(...)
 	/usr/lib/go-1.15/src/io/io.go:333
 net/http.http2readFrameHeader(0xc000b86f18, 0x9, 0x9, 0x28ce0e0, 0xc000039ec0, 0x0, 0x0, 0xc000bc8c60, 0x0)
 	/usr/lib/go-1.15/src/net/http/h2_bundle.go:1477 +0x89
 net/http.(*http2Framer).ReadFrame(0xc000b86ee0, 0xc000bc8c60, 0x0, 0x0, 0x0)
 	/usr/lib/go-1.15/src/net/http/h2_bundle.go:1735 +0xa5
 net/http.(*http2clientConnReadLoop).run(0xc000353fa8, 0x0, 0x0)
 	/usr/lib/go-1.15/src/net/http/h2_bundle.go:8251 +0x8d
 net/http.(*http2ClientConn).readLoop(0xc000001980)
 	/usr/lib/go-1.15/src/net/http/h2_bundle.go:8179 +0x6f
 created by net/http.(*http2Transport).newClientConn
 	/usr/lib/go-1.15/src/net/http/h2_bundle.go:7175 +0x685
 
 goroutine 8 [runnable]:
 net/http.(*http2clientStream).awaitRequestCancel(0xc00060e840, 0xc00017b200)
 	/usr/lib/go-1.15/src/net/http/h2_bundle.go:6812
 created by net/http.(*http2clientConnReadLoop).handleResponse
 	/usr/lib/go-1.15/src/net/http/h2_bundle.go:8483 +0x768
 
 goroutine 9 [select]:
 net.(*Resolver).lookupIPAddr(0x3a8a7e0, 0x292d2c0, 0xc000334540, 0x25777cc, 0x3, 0xc000bc6e70, 0xa, 0x1bb, 0x0, 0x0, ...)
 	/usr/lib/go-1.15/src/net/lookup.go:299 +0x685
 net.(*Resolver).internetAddrList(0x3a8a7e0, 0x292d2c0, 0xc000334540, 0x25777cc, 0x3, 0xc000bc6e70, 0xe, 0x0, 0x0, 0x0, ...)
 	/usr/lib/go-1.15/src/net/ipsock.go:280 +0x4d4
 net.(*Resolver).resolveAddrList(0x3a8a7e0, 0x292d2c0, 0xc000334540, 0x257804d, 0x4, 0x25777cc, 0x3, 0xc000bc6e70, 0xe, 0x0, ...)
 	/usr/lib/go-1.15/src/net/dial.go:221 +0x47d
 net.(*Dialer).DialContext(0xc0001361e0, 0x292d280, 0xc000130010, 0x25777cc, 0x3, 0xc000bc6e70, 0xe, 0x0, 0x0, 0x0, ...)
 	/usr/lib/go-1.15/src/net/dial.go:403 +0x22b
 net/http.(*Transport).dial(0x397f1c0, 0x292d280, 0xc000130010, 0x25777cc, 0x3, 0xc000bc6e70, 0xe, 0x0, 0x2f736e6f6974696e, 0x736d6574496e696d, ...)
 	/usr/lib/go-1.15/src/net/http/transport.go:1141 +0x1fd
 net/http.(*Transport).dialConn(0x397f1c0, 0x292d280, 0xc000130010, 0x0, 0xc000b91180, 0x5, 0xc000bc6e70, 0xe, 0x0, 0xc00049ca20, ...)
 	/usr/lib/go-1.15/src/net/http/transport.go:1575 +0x1abb
 net/http.(*Transport).dialConnFor(0x397f1c0, 0xc000b3e210)
 	/usr/lib/go-1.15/src/net/http/transport.go:1421 +0xc6
 created by net/http.(*Transport).queueForDial
 	/usr/lib/go-1.15/src/net/http/transport.go:1390 +0x40f
 
 goroutine 10 [select]:
 net.cgoLookupIP(0x292d240, 0xc000b84dc0, 0x25777cc, 0x3, 0xc000bc6e70, 0xa, 0x0, 0x0, 0x0, 0x0, ...)
 	/usr/lib/go-1.15/src/net/cgo_unix.go:229 +0x199
 net.(*Resolver).lookupIP(0x3a8a7e0, 0x292d240, 0xc000b84dc0, 0x25777cc, 0x3, 0xc000bc6e70, 0xa, 0x0, 0x0, 0x0, ...)
 	/usr/lib/go-1.15/src/net/lookup_unix.go:96 +0x187
 net.glob..func1(0x292d240, 0xc000b84dc0, 0xc000365d90, 0x25777cc, 0x3, 0xc000bc6e70, 0xa, 0xc000130010, 0x0, 0xc000b91180, ...)
 	/usr/lib/go-1.15/src/net/hook.go:23 +0x72
 net.(*Resolver).lookupIPAddr.func1(0x0, 0x0, 0x0, 0x0)
 	/usr/lib/go-1.15/src/net/lookup.go:293 +0xb9
 internal/singleflight.(*Group).doCall(0x3a8a7f0, 0xc000bc4dc0, 0xc000bc6e80, 0xe, 0xc000b84e00)
 	/usr/lib/go-1.15/src/internal/singleflight/singleflight.go:95 +0x2e
 created by internal/singleflight.(*Group).DoChan
 	/usr/lib/go-1.15/src/internal/singleflight/singleflight.go:88 +0x2cc
 ##[error]Bash exited with code '2'.
 ##[section]Finishing: Run terrascan

[russmckendrick]

If it helps, I had the same issue and settled on the following solution, it feels like a bit of a hack but does the job;

  - bash: |
      docker pull accurics/terrascan
      echo $(docker run --rm -t -v $(pwd):/iac -w /iac accurics/terrascan scan -o junit-xml) > Terrascan-Report.xml
    workingDirectory: $(System.DefaultWorkingDirectory)
    displayName: "Run > Terrascan"

  - task: PublishTestResults@2
    displayName: "Publish > Terrascan scan results"
    inputs:
      testRunTitle: "Terrascan Results"
      failTaskOnFailedTests: true
      testResultsFormat: "JUnit"
      testResultsFiles: "Terrascan-Report.xml"
      searchFolder: "$(System.DefaultWorkingDirectory)"

[kanchwala-yusuf]

Thanks @russmckendrick , for suggesting this work around.

[kanchwala-yusuf]

On digging a bit into this issue, it seems like an issue because of CGO. We have enabled CGO in terrascan due to a certain package dependency, have raised a #906 for fixing this issue.