
⚠️ Trivy scan failed on refs/pull/11/merge #13

Closed
@github-actions

Description

Trivy security scan detected HIGH/CRITICAL findings.

Report Summary

┌───────────────────────────────────┬───────────┬─────────┬───────────────────┐
│              Target               │   Type    │ Secrets │ Misconfigurations │
├───────────────────────────────────┼───────────┼─────────┼───────────────────┤
│ .                                 │ terraform │    -    │         0         │
├───────────────────────────────────┼───────────┼─────────┼───────────────────┤
│ lambda.tf                         │ terraform │    -    │         0         │
├───────────────────────────────────┼───────────┼─────────┼───────────────────┤
│ launch_template.tf                │ terraform │    -    │         1         │
├───────────────────────────────────┼───────────┼─────────┼───────────────────┤
│ modules/bastion                   │ terraform │    -    │         0         │
├───────────────────────────────────┼───────────┼─────────┼───────────────────┤
│ modules/bastion/security_group.tf │ terraform │    -    │         0         │
├───────────────────────────────────┼───────────┼─────────┼───────────────────┤
│ modules/iam/lambda                │ terraform │    -    │         0         │
├───────────────────────────────────┼───────────┼─────────┼───────────────────┤
│ security_groups.tf                │ terraform │    -    │         0         │
└───────────────────────────────────┴───────────┴─────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


launch_template.tf (terraform)
==============================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0130 (HIGH): Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default, the `aws_instance` resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using the `metadata_options` block with its `http_tokens` variable set to `required`.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enforce-http-token-imds
────────────────────────────────────────
 launch_template.tf:1-26
────────────────────────────────────────
   1 ┌ resource "aws_launch_template" "sensor_launch_template" {
   2 │   name = var.sensor_launch_template_name
   3 │ 
   4 │   instance_type = var.sensor_launch_template_instance_type
   5 │   image_id      = var.corelight_sensor_ami_id
   6 │   key_name      = var.aws_key_pair_name
   7 │   ebs_optimized = false
   8 │ 
   9 └   dynamic "iam_instance_profile" {
  ..   
────────────────────────────────────────

Workflow run: https://github.com/corelight/terraform-aws-sensor/actions/runs/15495595173
