Inline terraform suppression rule for specific tfvar input instead of on the resource definition

[nitrocode]

Description

I use workspaces to reuse terraform root directories

For example, the terraform code to provision an s3 bucket is located here

components/terraform/s3/main.tf

I setup workspaces such as this

ue1-dev-my-bucket2.tfvars
ue1-prod-my-bucket3.tfvars

My ue1-dev-my-bucket2.tfvars contains

kms_master_key_arn = ""

My ue1-prod-my-bucket3.tfvars contains

kms_master_key_arn = "aws:kms"

Then I run trivy for ue1-prod and no issues.

When I run trivy for ue1-dev, I have one issue.

trivy config . --tf-vars=ue1-dev-my-bucket2.tfvars
2024-08-29T17:44:46-05:00	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-29T17:44:47-05:00	INFO	Detected config files	num=3

cloudposse/s3-bucket/aws/main.tf (terraform)

Tests: 9 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 cloudposse/s3-bucket/aws/main.tf:80-94
   via main.tf:3-21 (module.s3_bucket)
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  80 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
  81 │   count = local.enabled ? 1 : 0
  82 │
  83 │   bucket                = local.bucket_id
  84 │   expected_bucket_owner = var.expected_bucket_owner
  85 │
  86 │   rule {
  87 │     bucket_key_enabled = var.bucket_key_enabled

How do I only suppress this issue for ue1-dev-my-bucket2.tfvars and not ue1-prod-my-bucket3.tfvars ?

---

I can technically do this but this will suppress for both my tfvars files.

#trivy:ignore:AVD-AWS-0132
module "s3_bucket" {

I cannot add the comment in beside the input directly to the tfvars file. It seems it has to be in before the module definition.

e.g.

#trivy:ignore:AVD-AWS-0132
kms_master_key_arn = ""

---

I looked into filtering using the ignore file which would essentially be the same thing as the module definition inline comment.

https://aquasecurity.github.io/trivy/test/docs/configuration/filtering/#by-finding-ids

I looked into filtering by open policy agent

https://aquasecurity.github.io/trivy/test/docs/configuration/filtering/#by-open-policy-agent

This has some promise but looking at the json output, I don't see any way to ignore based on the inputs. Do I have the ability to see which individual inputs were passed in to the outputted json?

Here is my output json

{
  "SchemaVersion": 2,
  "CreatedAt": "2024-08-29T18:19:07.025472-05:00",
  "ArtifactName": ".",
  "ArtifactType": "filesystem",
  "Metadata": {
    "ImageConfig": {
      "architecture": "",
      "created": "0001-01-01T00:00:00Z",
      "os": "",
      "rootfs": {
        "type": "",
        "diff_ids": null
      },
      "config": {}
    }
  },
  "Results": [
    {
      "Target": ".",
      "Class": "config",
      "Type": "terraform",
      "MisconfSummary": {
        "Successes": 3,
        "Failures": 0,
        "Exceptions": 0
      }
    },
    {
      "Target": "cloudposse/s3-bucket/aws/cloudposse/iam-s3-user/aws/cloudposse/iam-system-user/aws/main.tf",
      "Class": "config",
      "Type": "terraform",
      "MisconfSummary": {
        "Successes": 1,
        "Failures": 0,
        "Exceptions": 0
      }
    },
    {
      "Target": "cloudposse/s3-bucket/aws/main.tf",
      "Class": "config",
      "Type": "terraform",
      "MisconfSummary": {
        "Successes": 8,
        "Failures": 1,
        "Exceptions": 0
      },
      "Misconfigurations": [
        {
          "Type": "Terraform Security Check",
          "ID": "AVD-AWS-0132",
          "AVDID": "AVD-AWS-0132",
          "Title": "S3 encryption should use Customer Managed Keys",
          "Description": "Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.",
          "Message": "Bucket does not encrypt data with a customer managed key.",
          "Query": "data..",
          "Resolution": "Enable encryption using customer managed keys",
          "Severity": "HIGH",
          "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0132",
          "References": [
            "https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html",
            "https://avd.aquasec.com/misconfig/avd-aws-0132"
          ],
          "Status": "FAIL",
          "Layer": {},
          "CauseMetadata": {
            "Resource": "module.s3_bucket",
            "Provider": "AWS",
            "Service": "s3",
            "StartLine": 80,
            "EndLine": 94,
            "Code": {
              "Lines": [
                {
                  "Number": 80,
                  "Content": "resource \"aws_s3_bucket_server_side_encryption_configuration\" \"default\" {",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "Highlighted": "\u001b[0m\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_s3_bucket_server_side_encryption_configuration\"\u001b[0m \u001b[38;5;37m\"default\"\u001b[0m {",
                  "FirstCause": true,
                  "LastCause": false
                },
                {
                  "Number": 81,
                  "Content": "  count = local.enabled ? 1 : 0",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "Highlighted": "  \u001b[38;5;245mcount\u001b[0m = local.enabled \u001b[38;5;245m?\u001b[0m \u001b[38;5;37m1\u001b[0m \u001b[38;5;245m:\u001b[0m \u001b[38;5;37m0",
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 82,
                  "Content": "",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "Highlighted": "\u001b[0m",
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 83,
                  "Content": "  bucket                = local.bucket_id",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "Highlighted": "  \u001b[38;5;245mbucket\u001b[0m                = local.bucket_id",
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 84,
                  "Content": "  expected_bucket_owner = var.expected_bucket_owner",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "Highlighted": "  \u001b[38;5;245mexpected_bucket_owner\u001b[0m = \u001b[38;5;33mvar\u001b[0m.expected_bucket_owner",
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 85,
                  "Content": "",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 86,
                  "Content": "  rule {",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "Highlighted": "  rule {",
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 87,
                  "Content": "    bucket_key_enabled = var.bucket_key_enabled",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "Highlighted": "    \u001b[38;5;245mbucket_key_enabled\u001b[0m = \u001b[38;5;33mvar\u001b[0m.bucket_key_enabled",
                  "FirstCause": false,
                  "LastCause": false
                },
                {
                  "Number": 88,
                  "Content": "",
                  "IsCause": true,
                  "Annotation": "",
                  "Truncated": false,
                  "FirstCause": false,
                  "LastCause": true
                },
                {
                  "Number": 89,
                  "Content": "",
                  "IsCause": false,
                  "Annotation": "",
                  "Truncated": true,
                  "FirstCause": false,
                  "LastCause": false
                }
              ]
            },
            "Occurrences": [
              {
                "Resource": "module.s3_bucket",
                "Filename": "main.tf",
                "Location": {
                  "StartLine": 3,
                  "EndLine": 20
                }
              }
            ]
          }
        }
      ]
    }
  ]
}

Desired Behavior

It would be nice to suppress/ignore directly in my tfvars files per input that triggers the issue

Or use a rego policy with the context of each individual tfvars, including tfvars file, to suppress/ignore

Actual Behavior

I only have 2 options

• disable the check all together using an ignore file
• disable the check for every instance of my module by defining it in-line above our reusable module definition

Reproduction Steps

See above

Target

AWS

Scanner

Misconfiguration

Output Format

JSON

Mode

Standalone

Debug Output

N/A

Operating System

maxOS Sonoma

Version

$ trivy --version
Version: 0.54.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-08-29 12:13:22.107262984 +0000 UTC
  NextUpdate: 2024-08-29 18:13:22.107262603 +0000 UTC
  DownloadedAt: 2024-08-29 22:24:12.772066 +0000 UTC
Check Bundle:
  Digest: sha256:ef2d9ad4fce0f933b20a662004d7e55bf200987c180e7f2cd531af631f408bb3
  DownloadedAt: 2024-08-29 22:25:45.025088 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

references

• Similar issue in checkov Enhancement: make suppression work with external modules bridgecrewio/checkov#4366
• PR to improve ignorefile to include ignoring by argument/attribute feat(misconf): Filtering findings for Terraform modules based on attributes #7180
• Previous discussion Filtering findings for Terraform modules based on attributes #7157
• https://github.com/aquasecurity/trivy/milestone/37

[nikpivkin]

Hi @nitrocode !

You can ignore misconfigurations by resource parameters https://aquasecurity.github.io/trivy/v0.54/docs/scanner/misconfiguration/#ignoring-by-attributes

[nitrocode]

Oh I see. I understood what you meant before but I was unsure of how to tie it back to a unique set of inputs coming from my tfvars.

This seems to work for me because s3 bucket names are global so if I use an ignore inline code exclusion for the name, then I can stack them.

# ue1-dev-my-dev-bucket.tfvars
name = "my-dev-bucket"

kms_master_key_arn = ""

variable "kms_master_key_arn" {}
variable "name" {}

#trivy:ignore:avd-aws-0132[name=my-dev-bucket]
#trivy:ignore:avd-aws-0132[name=my-xyz-bucket]
module "s3_bucket" {
  source = "cloudposse/s3-bucket/aws"

  name    = var.name
  enabled = true

  s3_object_ownership = "BucketOwnerEnforced"
  versioning_enabled  = true

  logging = [{
    bucket_name = "app"
    prefix      = "logs/"
  }]

  kms_master_key_arn = var.kms_master_key_arn
}

This works for me and is far easier than a custom rego policy combined with custom data.

Thanks a lot!

[nitrocode]

One last thing, if I did want to use an ignore rego file to ignore based on an attribute, is that possible?

I'd prefer to avoid inline comments all together if possible by using an ignore file such as this.

trivy config --tf-vars=ue1-dev-my-dev-bucket.tfvars --ignore-policy ./ignore/policy.rego --config-policy policy --config-data data/ --trace --debug . -f json

package trivy

import data.lib.trivy

default ignore = false

ignore {
  input.name == "my-dev-bucket"
  input.ID == "AVD-AWS-0132"
}

The above doesn't seem to work because the tfvars inputs aren't available in the outputted json file.

Maybe if the attributes of the module/resource definition were exposed to the json then I could reproduce what I'm doing in the inline comment within the rego.

ignore {
  input.module.s3_bucket.name == "my-dev-bucket"
  input.ID == "AVD-AWS-0132"
}

Is there a way to make the tfvar input or module attributes available to the ignore file ?

Maybe with custom data? I tried with custom data too and couldn't figure it out with this use case

Or maybe with the trivy ignore file?

[nitrocode]

This looks promising to me because it should be able to ignore based on the attribute/argument of the module in a separate ignore file instead of modifying the terraform code.

• feat(misconf): Filtering findings for Terraform modules based on attributes #7180

[nitrocode]

cc: @nikpivkin @simar7 what do you folks think?

Even with the upcoming #7180 in the upcoming v0.55.0, I think the custom ignore rego policy would still come in handy provided that the inputs are available to the rego.

[simar7]

We will get back to you on this.