Trivy aws scanner run with --exit-code option also returns non-zero exit code when no tests fail

[jkvbe]

Description

When performing a trivy aws scan with --exit-code 1 option, the command also returns a non-zero exit code if environment related errors occur: e.g., ERROR [rego] Error occurred while parsing. Trying to fallback to embedded check

Desired Behavior

I only want a non-zero exit code if a test/check fails. Or I want to be able to make the difference between a failed test and another error when I run trivy aws in a pipeline.

Actual Behavior

Returns non-zero exit code when no test/checks are failing. Therefore I can't use it in a pipeline.

Reproduction Steps

1. Deploy a service in AWS
2. Run trivy aws against it and make sure no tests are failing (e.g., by limiting the SEVERITIES or adding an ignore file). I see rego parsing errors displayed as described above.
3. Run it again with --exit-code 1.   Exits with FATAL error
...

Target

AWS

Scanner

Misconfiguration

Output Format

JSON

Mode

Standalone

Debug Output

trivy aws --debug --severity CRITICAL,HIGH --region eu-central-1 --format json --output test_trivy.json --ignorefile [DIRECTORY_PATH]/.trivyignore_deployed_prod --exit-code 1
2025-06-25T15:38:04+02:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-06-25T15:38:04+02:00       DEBUG   Cache dir       dir="[DIRECTORY_PATH]"
2025-06-25T15:38:04+02:00       DEBUG   Cache dir       dir="[DIRECTORY_PATH]"
2025-06-25T15:38:04+02:00       DEBUG   Parsed severities       severities=[CRITICAL HIGH]
2025-06-25T15:38:04+02:00       DEBUG   Timeout is set to less than 1 hour - upgrading to 1 hour for this command.
2025-06-25T15:38:04+02:00       DEBUG   [aws] Looking for AWS credentials provider...
2025-06-25T15:38:04+02:00       DEBUG   [aws] Looking up AWS caller identity...
2025-06-25T15:38:04+02:00       DEBUG   [aws] Verified AWS credentials for account!     account="[ACCOUNT_ID]"
2025-06-25T15:38:04+02:00       DEBUG   [aws] No service(s) specified, scanning all services...
2025-06-25T15:38:04+02:00       DEBUG   [aws] Scanning services services=[accessanalyzer api-gateway athena cloudfront cloudtrail codebuild documentdb dynamodb ec2 ecr ecs efs eks elasticache elasticsearch elb emr iam kinesis kms lambda mq msk neptune rds redshift s3 sns sqs ssm workspaces cloudwatch]
2025-06-25T15:38:04+02:00       DEBUG   Policies successfully loaded from disk
2025-06-25T15:38:05+02:00       DEBUG   [rego] Overriding filesystem for checks
2025-06-25T15:38:05+02:00       DEBUG   [rego] Embedded libraries are loaded    count=15
2025-06-25T15:38:05+02:00       DEBUG   [rego] Embedded checks are loaded       count=509
2025-06-25T15:38:05+02:00       DEBUG   [rego] Checks from disk are loaded      count=536
2025-06-25T15:38:05+02:00       DEBUG   [rego] Overriding filesystem for data
2025-06-25T15:38:05+02:00       ERROR   [rego] Error occurred while parsing. Trying to fallback to embedded check       file_path="[DIRECTORY_PATH]/specify_ami_owners.rego" err="[ERROR_DETAILS]"
2025-06-25T15:38:05+02:00       ERROR   [rego] Failed to find embedded check, skipping  file_path="[DIRECTORY_PATH]/specify_ami_owners.rego"
2025-06-25T15:38:05+02:00       ERROR   [rego] Error occurred while parsing     file_path="[DIRECTORY_PATH]/specify_ami_owners.rego" err="[ERROR_DETAILS]"
2025-06-25T15:38:06+02:00       DEBUG   [rego] Scanning inputs  count=1
2025-06-25T15:38:08+02:00       DEBUG   [aws] Writing report to output...
2025-06-25T15:38:08+02:00       DEBUG   Found an ignore file    file_path="[DIRECTORY_PATH]/.trivyignore_deployed_prod"
2025-06-25T15:38:08+02:00       DEBUG   Ignored id="[IGNORED_ID]" target="[RESOURCE_ARN]"
2025-06-25T15:38:08+02:00       FATAL   Fatal error
  - exit status 1

Operating System

Ubuntu

Version

Version: 0.63.0
Check Bundle:
  Digest: sha256:f172f9b652441a2e47843032f22551be5647ce0e77a3f8970498f935d3768cf7
  DownloadedAt: 2025-06-25 11:37:29.048185235 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

[simar7]

2025-06-25T15:38:05+02:00 ERROR [rego] Error occurred while parsing. Trying to fallback to embedded check file_path="[DIRECTORY_PATH]/specify_ami_owners.rego" err="[ERROR_DETAILS]"

Can you share what the error details are? It seems you've redacted it in the log output.

[jkvbe]

ERROR [rego] Error occurred while parsing. Trying to fallback to embedded check file_path="<home>/.cache/trivy/policy/content/policies/cloud/policies/aws/ec2/specify_ami_owners.rego" err="<home>/.cache/trivy/policy/content/policies/cloud/policies/aws/ec2/specify_ami_owners.rego:30: rego_type_error: undefined ref: input.aws.ec2.requestedamis[local622]\n\tinput.aws.ec2.requestedamis[local622]\n\t ^\n\t have: "requestedamis"\n\t want (one of): ["instances" "launchconfigurations" "launchtemplates" "networkacls" "securitygroups" "subnets" "volumes" "vpcs"]"
2025-06-25T12:55:32Z ERROR [rego] Failed to find embedded check, skipping file_path="<home>/.cache/trivy/policy/content/policies/cloud/policies/aws/ec2/specify_ami_owners.rego"
2025-06-25T12:55:32Z ERROR [rego] Error occurred while parsing file_path="<home>/.cache/trivy/policy/content/policies/cloud/policies/aws/ec2/specify_ami_owners.rego" err="<home>/.cache/trivy/policy/content/policies/cloud/policies/aws/ec2/specify_ami_owners.rego:30: rego_type_error: undefined ref: input.aws.ec2.requestedamis[local622]\n\tinput.aws.ec2.requestedamis[local622]\n\t ^\n\t have: "requestedamis"\n\t want (one of): ["instances" "launchconfigurations" "launchtemplates" "networkacls" "securitygroups" "subnets" "volumes" "vpcs"]"