Replies: 3 comments
-
Another idea would be to be able to specify the terraform resource name on the
|
Beta Was this translation helpful? Give feedback.
0 replies
-
Thanks for the idea. |
Beta Was this translation helpful? Give feedback.
0 replies
-
for tracking, feature was implemented #6137 (comment) |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
Description
Hey,
can we have this feature , which is ignore specific values, but for terraform modules as well?
Is better to explain with an example of use case:
This terraform code creates a AWS Security Groups rules
locals.tf
with this terraform code that uses security-group module to create rules:
sg.tf
In this case,
trivy
will report: CRITICAL: Security group rule allows ingress from public internet.So, since we really need to allow traffic from
0.0.0.0/0
to TCP/80 (HTTP), let's ignore it adding the#trivy:ignore:aws-ec2-no-public-ingress-sgr
And it works as expected,
trivy
ignores this check. However, let's say that I add another service and rule for SSH. BUT I forgot to restrict the FROM traffic and added0.0.0.0/0
like so:In this case
trivy
completely ignores theaws-ec2-no-public-ingress-sgr
checks.It would be nice to be able to ignore based on the value, something like
#trivy:ignore:aws-ec2-no-public-ingress-sgr[locals.aws-sg.service1]
, because there are situation that we don't want to fully ignore a check but only for some configuration.Target
None
Scanner
Misconfiguration
Beta Was this translation helpful? Give feedback.
All reactions