Terraform false positive (AZU-0006): Use a more recent TLS/SSL policy for the App Service #217
Open
Description
Describe the bug
My Trivy job in Azure Pipelines gives a false positive and suggests using a more recent TLS/SSL policy for an App Service.
However, the specific file and line it fails on specifies a minimum TLS version of 1.3, the latest available version:
```hcl
site_config {
  always_on                         = true
  ftps_state                        = "FtpsOnly"
  websockets_enabled                = true
  health_check_path                 = var.health_check_path
  health_check_eviction_time_in_min = var.health_check_path == null ? null : 2
  vnet_route_all_enabled            = var.vnet_route_all_enabled
  ip_restriction_default_action     = length(var.ip_restriction_allow_list) > 0 ? "Deny" : "Allow"
  minimum_tls_version               = "1.3" # <-- Trivy fails on this line
  app_command_line                  = var.startup_command
  # And more...
}
```

Context:
- This is an azurerm_linux_web_app resource (App Service)
- TLS 1.3 is the highest TLS version currently supported by Azure App Service
- According to https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-bindings#enforce-tls-versions, the valid values are "1.0", "1.1", "1.2", and "1.3"
Agent details
- Type: Self-Hosted Agent (Azure Virtual Machine Scale Set)
- OS: Linux
- Version: Azure DevOps agent (latest from scale set)
Task Version
- trivy@2

Task Inputs
```yaml
- task: trivy@2
  inputs:
    type: 'filesystem'
    target: '.'
    scanners: 'vuln,misconfig,secret'
    severities: 'CRITICAL,HIGH'
```
Error message
See screenshot
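To make the reported behaviour concrete, the following is an added example (not Trivy's code and not the check AZU-0006 itself): it extracts `minimum_tls_version` from constructed `site_config` fragments modelled on the one above and evaluates them with a version-aware policy (1.2 or higher passes) beside a hypothetical string-equality check that accepts only the literal `"1.2"`, which is one way a check can misreport 1.3 as a finding. The snippets, the policy threshold and the naive comparison are all assumptions of this example.

```python
import re

# Constructed HCL fragments, modelled on the issue's azurerm_linux_web_app site_config.
SNIPPETS = {
    "tls13": 'site_config {\n  always_on = true\n  minimum_tls_version = "1.3"\n}',
    "tls12": 'site_config {\n  minimum_tls_version = "1.2"\n}',
    "tls10": 'site_config {\n  minimum_tls_version = "1.0"\n}',
    "absent": 'site_config {\n  always_on = true\n}',
}

# Valid values per the Azure documentation linked in the issue.
VALID_VERSIONS = ("1.0", "1.1", "1.2", "1.3")
REQUIRED_MIN = (1, 2)  # assumed policy: anything at or above TLS 1.2 is acceptable


def parse_min_tls(hcl: str):
    """Return the quoted minimum_tls_version value, or None when it is not set."""
    m = re.search(r'minimum_tls_version\s*=\s*"([^"]+)"', hcl)
    return m.group(1) if m else None


def evaluate(hcl: str) -> dict:
    """Version-aware policy: PASS for 1.2 and 1.3, FAIL for older, unknown or unset values."""
    version = parse_min_tls(hcl)
    if version is None:
        return {"status": "FAIL", "reason": "minimum_tls_version not set explicitly"}
    if version not in VALID_VERSIONS:
        return {"status": "FAIL", "reason": f"unrecognised value {version!r}"}
    if tuple(int(p) for p in version.split(".")) >= REQUIRED_MIN:
        return {"status": "PASS", "reason": f"TLS {version} is at or above 1.2"}
    return {"status": "FAIL", "reason": f"TLS {version} is below 1.2"}


def naive_evaluate(hcl: str) -> dict:
    """Hypothetical string-equality check (not Trivy's logic): accepting only the
    literal "1.2" turns a stricter "1.3" into a false positive."""
    version = parse_min_tls(hcl)
    status = "PASS" if version == "1.2" else "FAIL"
    return {"status": status, "reason": f"value {version!r} compared for equality with '1.2'"}


def run_all() -> dict:
    """Evaluate every constructed snippet with both checks, keyed by snippet name."""
    return {name: {"naive": naive_evaluate(s)["status"], "correct": evaluate(s)["status"]}
            for name, s in SNIPPETS.items()}


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name:7} naive={result['naive']:4} correct={result['correct']}")
```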