terraform_trivy ignoring "trivy ignore" settings

[vbontempi]

Describe the bug

Describe the bug

We configured our precommit setting with pre-commit-terraform and the terraform_trivy hook is raising an issue with a k8s yaml
The same yaml, in the same path, is present in the repo for some months but with the recent upgrade jumping from pre-commit-terraform from v1.96.3 to v1.97.4 the terraform_trivy started to raise the following alert:

AVD-KSV-0104 (MEDIUM): container "ubi-micro" of deployment "ubi-micro-deployment" in "ubimicro" namespace should specify a seccomp profile
════════════════════════════════════════
A program inside the container can bypass Seccomp protection policies.

See https://avd.aquasec.com/misconfig/ksv104
────────────────────────────────────────
 scripts/ubi_micro.yaml:81-103
────────────────────────────────────────
  81 ┌       - image: registry.access.redhat.com/ubi9/ubi-micro@sha256:...
  82 │         imagePullPolicy: Always
  83 │         name: ubi-micro
  84 │         command:
  85 │           - "/bin/sh"
  86 │           - "-c"
  87 │           - "sleep infinity"
  88 │         securityContext:
  89 └           allowPrivilegeEscalation: false

The yaml path relative to the repo is
examples/deploy-proxy/scripts/ubi_micro.yaml

This is the pre-commit-setting we use, that seemed to work fine until the recent upgrade, as we expect the yaml to be ignored.

- repo: https://github.com/antonbabenko/pre-commit-terraform
  rev: v1.97.4
  hooks:
    - id: terraform_fmt
    - id: terraform_validate
      # only scan directories with provider config in them due to limitation https://github.com/hashicorp/terraform/issues/28490
      files: ^examples/|^patterns/|^solutions/
      args:
        - --hook-config=--retry-once-with-cleanup=true
    - id: terraform_tflint
      args:
        - --args=--enable-rule=terraform_unused_declarations
        - --args=--enable-rule=terraform_deprecated_index
        - --args=--enable-rule=terraform_comment_syntax
        - --args=--enable-rule=terraform_documented_outputs
        - --args=--enable-rule=terraform_documented_variables
        - --args=--enable-rule=terraform_typed_variables
        - --args=--enable-rule=terraform_naming_convention
        - --args=--enable-rule=terraform_required_version
        - --args=--enable-rule=terraform_required_providers
        - --args=--enable-rule=terraform_unused_required_providers
        - --args=--enable-rule=terraform_standard_module_structure
      exclude: dynamic_values/ 
    - id: terraform_trivy
      args:
        - --args=--skip-files="**/.terraform/**/*"
        - --args=--skip-files="**/examples/**/*.yaml"
        - --args=--skip-files="**/examples/**/*.yml"
        - --args=--skip-files="**/helm-charts/**/*"
        - --args=--skip-files="**/tests/**/*"
        - --args=--skip-files="common-dev-assets/**/*"
        # workaround for https://github.com/antonbabenko/pre-commit-terraform/issues/691
        - --hook-config=--parallelism-limit=1

We tried to set the following trivy ignore tag as workaroud, but it seems to be ignored as well: # trivy:ignore:AVD-KSV-0104

containers:
      - image: registry.access.redhat.com/ubi9/ubi-micro@sha256:...
        imagePullPolicy: Always
        name: ubi-micro
        command:
          - "/bin/sh"
          - "-c"
          - "sleep infinity"
        # trivy:ignore:AVD-KSV-0104
        securityContext:
          allowPrivilegeEscalation: false
          runAsNonRoot: true
          readOnlyRootFilesystem: true
          runAsUser: 10001
          runAsGroup: 10001
          capabilities:
            drop:
              - "ALL"

We tried also to use the same tag at the very start of the container section whose code makes trivy to complain but didn't help as well

containers:
      # trivy:ignore:AVD-KSV-0104
      - image: registry.access.redhat.com/ubi9/ubi-micro@sha256:...
        imagePullPolicy: Always
        name: ubi-micro
        command:
          - "/bin/sh"
          - "-c"
          - "sleep infinity"
        securityContext:
          allowPrivilegeEscalation: false
          runAsNonRoot: true
          readOnlyRootFilesystem: true

Also setting at the very start of the deployment yaml didn't help.

The only way to solve this issue started with recent upgrade is to add the following path --args=--skip-files="**/scripts/*.yaml" to the skip-file configuration, with the following final result

- id: terraform_trivy
      args:
        - --args=--skip-files="**/.terraform/**/*"
        - --args=--skip-files="**/examples/**/*.yaml"
        - --args=--skip-files="**/examples/**/*.yml"
        - --args=--skip-files="**/helm-charts/**/*"
        - --args=--skip-files="**/tests/**/*"
        - --args=--skip-files="**/scripts/*.yaml"
        - --args=--skip-files="common-dev-assets/**/*"
        # workaround for https://github.com/antonbabenko/pre-commit-terraform/issues/691
        - --hook-config=--parallelism-limit=1

Below the logs of the precommit hook failure

Terraform validate with trivy.............................................Failed
- hook id: terraform_trivy
- exit code: 1

2025-03-05T10:41:22+01:00	INFO	[misconfig] Misconfiguration scanning is enabled
2025-03-05T10:41:25+01:00	INFO	[terraform scanner] Scanning root module	file_path="examples/deploy-proxy"
2025-03-05T10:41:25+01:00	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="ibmcloud_api_key"
2025-03-05T10:41:25+01:00	INFO	[terraform scanner] Scanning root module	file_path="examples/deploy-proxy-existing-cluster"
2025-03-05T10:41:25+01:00	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="cluster_id, ibmcloud_api_key"
2025-03-05T10:41:25+01:00	INFO	Detected config files	num=13
2025-03-05T10:41:25+01:00	INFO	[misconfig] Misconfiguration scanning is enabled
2025-03-05T10:41:27+01:00	INFO	[terraform scanner] Scanning root module	file_path="."
2025-03-05T10:41:27+01:00	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="ibmcloud_api_key"
2025-03-05T10:41:28+01:00	INFO	Detected config files	num=2

scripts/ubi_micro.yaml (kubernetes)

Tests: 110 (SUCCESSES: 108, FAILURES: 2)
Failures: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

AVD-KSV-0030 (LOW): Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'
════════════════════════════════════════
According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.

See https://avd.aquasec.com/misconfig/ksv030
────────────────────────────────────────
 scripts/ubi_micro.yaml:80-103
────────────────────────────────────────
  80 ┌       - image: registry.access.redhat.com/ubi9/ubi-micro@sha256:...
  81 │         imagePullPolicy: Always
  82 │         name: ubi-micro
  83 │         command:
  84 │           - "/bin/sh"
  85 │           - "-c"
  86 │           - "sleep infinity"
  87 │         # trivy:ignore:AVD-KSV-0104
  88 └         securityContext:
  ..
────────────────────────────────────────


AVD-KSV-0104 (MEDIUM): container "ubi-micro" of deployment "ubi-micro-deployment" in "ubimicro" namespace should specify a seccomp profile
════════════════════════════════════════
A program inside the container can bypass Seccomp protection policies.

See https://avd.aquasec.com/misconfig/ksv104
────────────────────────────────────────
 scripts/ubi_micro.yaml:80-103
────────────────────────────────────────
  80 ┌       - image: registry.access.redhat.com/ubi9/ubi-micro@sha256:...
  81 │         imagePullPolicy: Always
  82 │         name: ubi-micro
  83 │         command:
  84 │           - "/bin/sh"
  85 │           - "-c"
  86 │           - "sleep infinity"
  87 │         # trivy:ignore:AVD-KSV-0104
  88 └         securityContext:
  ..
────────────────────────────────────────


2025-03-05T10:41:28+01:00	INFO	[misconfig] Misconfiguration scanning is enabled
2025-03-05T10:41:29+01:00	INFO	[terraform scanner] Scanning root module	file_path="."
2025-03-05T10:41:29+01:00	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="cluster_id, ibmcloud_api_key"
2025-03-05T10:41:29+01:00	INFO	Detected config files	num=1
2025-03-05T10:41:29+01:00	INFO	[misconfig] Misconfiguration scanning is enabled
2025-03-05T10:41:30+01:00	INFO	[terraform scanner] Scanning root module	file_path="."
2025-03-05T10:41:30+01:00	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="cluster_id"
2025-03-05T10:41:30+01:00	INFO	Detected config files	num=1

I mentioned the issue AVD-KSV-0104 as example, even if it raised also AVD-KSV-0030

How can we reproduce it?

pre-commit run --all-files

Environment information

Environment information

• OS: MacOS and GitHub Action using golang:1.24 as base image

• Tools availability and versions:

GNU bash, version 5.2.37(1)-release (x86_64-apple-darwin23.4.0)
pre-commit 4.1.0
OpenTofu v1.6.2
Terraform v1.9.2
python SKIPPED
Python 3.12.6
checkov SKIPPED
infracost SKIPPED
terraform-docs version v0.19.0 af31cc6 darwin/amd64
terragrunt version v0.55.1
terrascan SKIPPED
TFLint version 0.55.1
+ ruleset.terraform (0.10.0-bundled)
tfsec v1.28.5
trivy Version: 0.59.1
Check Bundle:
  Digest: sha256:2bc834fc222789e26b85dc3e92e3333b488e16a9bfa192aa971cca25db884837
  DownloadedAt: 2025-03-04 11:03:29.487846 +0000 UTC
tfupdate SKIPPED
hcledit SKIPPED

pre-commit-config.yaml

• .pre-commit-config.yaml:

- repo: https://github.com/antonbabenko/pre-commit-terraform
  rev: v1.97.4
  hooks:
    - id: terraform_fmt
    - id: terraform_validate
      # only scan directories which has provider config in them due to limitation https://github.com/hashicorp/terraform/issues/28490
      files: ^examples/|^patterns/|^solutions/
      args:
        - --hook-config=--retry-once-with-cleanup=true
    - id: terraform_tflint
      args:
        - --args=--enable-rule=terraform_unused_declarations
        - --args=--enable-rule=terraform_deprecated_index
        - --args=--enable-rule=terraform_comment_syntax
        - --args=--enable-rule=terraform_documented_outputs
        - --args=--enable-rule=terraform_documented_variables
        - --args=--enable-rule=terraform_typed_variables
        - --args=--enable-rule=terraform_naming_convention
        - --args=--enable-rule=terraform_required_version
        - --args=--enable-rule=terraform_required_providers
        - --args=--enable-rule=terraform_unused_required_providers
        - --args=--enable-rule=terraform_standard_module_structure
      exclude: dynamic_values/ 
    - id: terraform_trivy
      args:
        - --args=--skip-files="**/.terraform/**/*"
        - --args=--skip-files="**/examples/**/*.yaml"
        - --args=--skip-files="**/examples/**/*.yml"
        - --args=--skip-files="**/helm-charts/**/*"
        - --args=--skip-files="**/tests/**/*"
        - --args=--skip-files="common-dev-assets/**/*"
        # workaround for https://github.com/antonbabenko/pre-commit-terraform/issues/691
        - --hook-config=--parallelism-limit=1

[yermulnik]

@vbontempi Thanks for providing details, it indeed helps to compose test env to try and reproduce an issue.
Unfortunately I can't seem to reproduce it using provided data though 🤔

Details

> cat .pre-commit-config.yaml
repos:
# https://pre-commit.com/#meta-hooks
- repo: meta
  hooks:
    - id: check-hooks-apply

- repo: https://github.com/antonbabenko/pre-commit-terraform
  rev: v1.97.4
  hooks:
    - id: terraform_trivy
      files: .+
      verbose: true
      args:
        - --args=--skip-files="**/.terraform/**/*"
        - --args=--skip-files="**/examples/**/*.yaml"
        - --args=--skip-files="**/examples/**/*.yml"
        - --args=--skip-files="**/helm-charts/**/*"
        - --args=--skip-files="**/tests/**/*"
        - --args=--skip-files="common-dev-assets/**/*"
        # workaround for https://github.com/antonbabenko/pre-commit-terraform/issues/691
        - --hook-config=--parallelism-limit=1

> tree -a -I .git/
.
├── .pre-commit-config.yaml
└── examples
    └── deploy-proxy
        └── scripts
            └── ubi_micro.yaml

3 directories, 2 files

> cat examples/deploy-proxy/scripts/ubi_micro.yaml
containers:
      - image: registry.access.redhat.com/ubi9/ubi-micro@sha256:...
        imagePullPolicy: Always
        name: ubi-micro
        command:
          - "/bin/sh"
          - "-c"
          - "sleep infinity"
        # trivy:ignore:AVD-KSV-0104
        securityContext:
          allowPrivilegeEscalation: false
          runAsNonRoot: true
          readOnlyRootFilesystem: true
          runAsUser: 10001
          runAsGroup: 10001
          capabilities:
            drop:

> pre-commit run -a
Check hooks apply to the repository......................................Passed
Terraform validate with trivy............................................Passed
- hook id: terraform_trivy
- duration: 1.33s

2025-03-05T15:02:00+02:00       INFO    [misconfig] Misconfiguration scanning is enabled
2025-03-05T15:02:01+02:00       INFO    Detected config files   num=0
2025-03-05T15:02:01+02:00       INFO    [misconfig] Misconfiguration scanning is enabled
2025-03-05T15:02:02+02:00       INFO    Detected config files   num=0

> trivy conf examples/deploy-proxy/scripts --exit-code=1
2025-03-05T15:02:29+02:00       INFO    [misconfig] Misconfiguration scanning is enabled
2025-03-05T15:02:29+02:00       INFO    Detected config files   num=0

> trivy conf examples/deploy-proxy/scripts --exit-code=1 --debug
2025-03-05T15:06:43+02:00       DEBUG   No plugins loaded
2025-03-05T15:06:43+02:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-03-05T15:06:43+02:00       DEBUG   Cache dir       dir="/home/georgii/.cache/trivy"
2025-03-05T15:06:43+02:00       DEBUG   Cache dir       dir="/home/georgii/.cache/trivy"
2025-03-05T15:06:43+02:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-03-05T15:06:43+02:00       INFO    [misconfig] Misconfiguration scanning is enabled
2025-03-05T15:06:43+02:00       DEBUG   [misconfig] Checks successfully loaded from disk
2025-03-05T15:06:43+02:00       DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-03-05T15:06:43+02:00       DEBUG   Initializing scan cache...      type="memory"
2025-03-05T15:06:43+02:00       DEBUG   [fs] Analyzing...       root="examples/deploy-proxy/scripts"
2025-03-05T15:06:43+02:00       DEBUG   [misconfig] Scanning files for misconfigurations...     scanner="Helm"
2025-03-05T15:06:43+02:00       DEBUG   [rego] Overriding filesystem for checks
2025-03-05T15:06:43+02:00       DEBUG   [rego] Embedded libraries are loaded    count=17
2025-03-05T15:06:43+02:00       DEBUG   [rego] Embedded checks are loaded       count=517
2025-03-05T15:06:43+02:00       DEBUG   [rego] Checks from disk are loaded      count=534
2025-03-05T15:06:43+02:00       DEBUG   [rego] Overriding filesystem for data
2025-03-05T15:06:43+02:00       DEBUG   OS is not detected.
2025-03-05T15:06:43+02:00       INFO    Detected config files   num=0
2025-03-05T15:06:43+02:00       DEBUG   Specified ignore file does not exist    file=".trvyignore"

Could you please provide a reproducible data set?

[yermulnik]

You may also set up a public repo with minimal reproducible data set so that we can clone and see failure in action.

[MaxymVlasov]

@vbontempi I can't reproduce, it always Passed for me.
Reproduction repo from what I saw in this issue: https://github.com/pre-commit-terraform/GH-834-repoduce

I actually can't get any violations not only via hook, but also via trivy conf examples/deploy-proxy/scripts --exit-code=1 including situation when # trivy:ignore:AVD-KSV-0104 is removed

I used for tests same trivy version as reported by you

➜ trivy --version                                       
Version: 0.59.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-11-08 18:17:34.106494638 +0000 UTC
  NextUpdate: 2024-11-09 18:17:34.106494247 +0000 UTC
  DownloadedAt: 2024-11-08 19:49:02.285946591 +0000 UTC
Check Bundle:
  Digest: sha256:38e239e5ab2bc9e914e69131537e92f429c4b53c108ec0ac1d7f6f91b752b9bc
  DownloadedAt: 2025-03-20 18:04:13.832395781 +0000 UTC

Anyway, that's what passed to trivy from hook in v1.97.4

trace: per_dir_hook_unique_part common::per_dir_hook main main
       terraform_trivy.sh:51: trivy conf /tmp/trivy_834/examples/deploy-proxy/scripts --exit-code=1
 '--skip-files=**/.terraform/**/*' '--skip-files=**/examples/**/*.yaml' '--skip-files=**/examples/**/*.yml'
 '--skip-files=**/helm-charts/**/*' '--skip-files=**/tests/**/*' '--skip-files=common-dev-assets/**/*'

That's what passed to trivy from hook in v1.96.3

trace: per_dir_hook_unique_part common::per_dir_hook main main
       terraform_trivy.sh:51: trivy conf /tmp/trivy_834/examples/deploy-proxy/scripts --exit-code=1
 '--skip-files=**/.terraform/**/*' '--skip-files=**/examples/**/*.yaml' '--skip-files=**/examples/**/*.yml'
 '--skip-files=**/helm-charts/**/*' '--skip-files=**/tests/**/*' '--skip-files=common-dev-assets/**/*'

They are identical.

Please create our own or enhance ours repo for reproducing your issue. Otherwise, I'll not be able to help you.

[yermulnik]

I can't reproduce, it always Passed for me.

Yeah, I struggled with that too to no avail and it seems like topicstarter has abandoned this issue 🤷🏻

[vbontempi]

sorry for the late in getting back to you, I am trying to provide you a way to replicate the issue, by reducing the repo where we experience this problem to the only content impacted by the error seems to solve the problem itself.
Working on this