Discussed in #10674
Summary
Trivy reports GIT-0003 (Vulnerability alerts are not enabled for the repository) as a false positive when vulnerability alerts are managed via the dedicated github_repository_vulnerability_alerts resource instead of the deprecated vulnerability_alerts field on github_repository.
Background
The vulnerability_alerts field in github_repository has been deprecated by the Terraform GitHub provider in favour of the standalone github_repository_vulnerability_alerts resource. When users follow the provider's recommendation and migrate to the new resource, Trivy no longer detects the configuration and incorrectly raises GIT-0003.
Current Behavior
Using the deprecated field — no finding:
resource "github_repository" "example" {
  name                 = "my-repo"
  description          = "GitHub repo managed by Terraform"
  visibility           = "private"
  vulnerability_alerts = true # deprecated, but recognised by Trivy
}
Using the recommended standalone resource — GIT-0003 is raised:
resource "github_repository" "example" {
  name        = "my-repo"
  description = "GitHub repo managed by Terraform"
  visibility  = "private"
}

# Recommended approach per provider docs, but NOT detected by Trivy
resource "github_repository_vulnerability_alerts" "example" {
  repository = github_repository.example.name
  enabled    = true
}
Expected Behavior
GIT-0003 should not be reported when a github_repository_vulnerability_alerts resource exists for the repository with enabled = true.
Implementation Details
The fix should be applied in pkg/iac/adapters/terraform/github/repositories/adapt.go.
The adapter needs to parse the github_repository_vulnerability_alerts resource and populate the VulnerabilityAlerts field of github.Repository, while preserving backward compatibility with the deprecated vulnerability_alerts field on github_repository.
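The adapter logic described above, as an added, self-contained example that is not Trivy's code: it models parsed Terraform blocks with a minimal `Block` struct (an assumption; Trivy's adapter uses its own block type and the real path under pkg/iac/adapters/terraform), honours the deprecated vulnerability_alerts attribute, then lets a github_repository_vulnerability_alerts block for the same repository set the flag. The `repository` attribute is accepted either as a reference of the form github_repository.<label>.name or as a literal repository name. The rule that a standalone block, when present, overrides the deprecated attribute is a design choice of this example, not something the issue specifies.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Block is a minimal stand-in for a parsed Terraform resource block.
// Assumption of this example: Trivy's adapter works on its own block type.
type Block struct {
	Type  string            // resource type, e.g. "github_repository"
	Label string            // resource label, e.g. "example"
	Attrs map[string]string // attribute name -> value as written in HCL
}

// Repository carries the two fields the GIT-0003 check needs.
type Repository struct {
	Name                string
	VulnerabilityAlerts bool
}

// resolveRepository maps the `repository` attribute of a
// github_repository_vulnerability_alerts block to the label of the
// github_repository block it targets. Both a reference
// (github_repository.<label>.name) and a literal name are accepted.
func resolveRepository(ref string, reposByLabel map[string]*Repository) (string, bool) {
	if strings.HasPrefix(ref, "github_repository.") {
		parts := strings.Split(ref, ".")
		if len(parts) == 3 && parts[2] == "name" {
			if _, ok := reposByLabel[parts[1]]; ok {
				return parts[1], true
			}
		}
		return "", false // malformed or dangling reference
	}
	for label, repo := range reposByLabel {
		if repo.Name == ref {
			return label, true
		}
	}
	return "", false
}

// Adapt builds Repository values from the blocks. Pass one: read every
// github_repository block, taking the deprecated vulnerability_alerts
// attribute into account. Pass two: every github_repository_vulnerability_alerts
// block that resolves to a known repository sets the flag from its `enabled`
// attribute (overriding the deprecated attribute, by this example's choice).
func Adapt(blocks []Block) []Repository {
	reposByLabel := map[string]*Repository{}
	var labels []string
	for _, b := range blocks {
		if b.Type != "github_repository" {
			continue
		}
		reposByLabel[b.Label] = &Repository{
			Name:                b.Attrs["name"],
			VulnerabilityAlerts: b.Attrs["vulnerability_alerts"] == "true",
		}
		labels = append(labels, b.Label)
	}
	for _, b := range blocks {
		if b.Type != "github_repository_vulnerability_alerts" {
			continue
		}
		label, ok := resolveRepository(b.Attrs["repository"], reposByLabel)
		if !ok {
			continue // no matching repository in this configuration
		}
		reposByLabel[label].VulnerabilityAlerts = b.Attrs["enabled"] == "true"
	}
	sort.Strings(labels) // deterministic output order
	out := make([]Repository, 0, len(labels))
	for _, l := range labels {
		out = append(out, *reposByLabel[l])
	}
	return out
}

// Findings returns the names of repositories that would still raise GIT-0003.
func Findings(repos []Repository) []string {
	var names []string
	for _, r := range repos {
		if !r.VulnerabilityAlerts {
			names = append(names, r.Name)
		}
	}
	return names
}

func main() {
	// Constructed sample: the two configurations from the issue plus a repo
	// with neither mechanism, which is the only one that should be flagged.
	blocks := []Block{
		{Type: "github_repository", Label: "legacy", Attrs: map[string]string{"name": "legacy-repo", "vulnerability_alerts": "true"}},
		{Type: "github_repository", Label: "modern", Attrs: map[string]string{"name": "modern-repo"}},
		{Type: "github_repository_vulnerability_alerts", Label: "modern", Attrs: map[string]string{"repository": "github_repository.modern.name", "enabled": "true"}},
		{Type: "github_repository", Label: "bare", Attrs: map[string]string{"name": "bare-repo"}},
	}
	fmt.Println("GIT-0003 would fire for:", Findings(Adapt(blocks)))
}
```

The second pass is the part the current adapter lacks: without it, `modern-repo` above is reported even though its alerts are enabled. A real fix also has to resolve the `repository` reference against the evaluated value of `github_repository.example.name`, not the literal attribute text, which is why the example accepts both forms.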
Additional Context