How to create custom checks detecting destroy operations in plan #9355

Afsalmc · 2025-08-19T13:49:50Z

Afsalmc
Aug 19, 2025

Question

Basically, I am trying to deny all changes with destroy operations using trvy custom checks. This is my code, and so far I only get an acknowledgement that the rego file is taken by trivy.

WARN [rego] Module has no input selectors - it will be loaded for all inputs file_path="root/deny_deletion.rego" module="root/deny_deletion.rego"

# METADATA
# title: Deny Deletion of Resources
# description: Prevents deletion of any resources in a Terraform plan
# custom:
#   id: TF-NO-DELETE-001
#   severity: CRITICAL
package user.terraform.no_delete

# Deny rule: Flag any resource with a delete action
deny[msg] {
  resource := input.resource_changes[_]  # Iterate over resource changes
  resource.change.actions[_] == "create"  # Check for delete action
  msg := sprintf("Deletion of resource '%s' (type: %s) is not allowed", [resource.address, resource.type])
}

The command I have used is:

~/trivy config --exit-code 0 --format json -o "gl-codeclimate-$plan_file_name.json" --config-check ~/deny_deletion.rego --namespaces user.terraform.no_delete "$plan_file_name"

Target

Git Repository

Scanner

Misconfiguration

Output Format

JSON

Mode

Standalone

Operating System

Linux

Version

v0.65.0

Answered by nikpivkin

Aug 27, 2025

Hi @Afsalmc !

To scan Terraform Plan as JSON, you must enable the JSON scanner.

❯ trivy conf plan.json --misconfig-scanners json --namespaces user --config-check deny_deletion.rego -q --table-mode detailed

plan.json (json)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

 (CRITICAL): Deletion of resource 'aws_s3_bucket.example' (type: aws_s3_bucket) is not allowed
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Prevents deletion of any resources in a Terraform plan
──────────────────────────────────────────────────────────────────────────…

View full answer

nikpivkin · 2025-08-27T11:18:51Z

nikpivkin
Aug 27, 2025
Maintainer

Hi @Afsalmc !

To scan Terraform Plan as JSON, you must enable the JSON scanner.

❯ trivy conf plan.json --misconfig-scanners json --namespaces user --config-check deny_deletion.rego -q --table-mode detailed

plan.json (json)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

 (CRITICAL): Deletion of resource 'aws_s3_bucket.example' (type: aws_s3_bucket) is not allowed
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Prevents deletion of any resources in a Terraform plan
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Also, for the namespaces flag, you should pass the package prefix user instead of the full package name. See https://trivy.dev/latest/docs/scanner/misconfiguration/config/config/#passing-namespaces

BTW, you check that the resource is being created, not deleted: resource.change.actions[_] == “create”.

1 reply

nikpivkin Sep 17, 2025
Maintainer

@Afsalmc Did that solve your problem?

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

How to create custom checks detecting destroy operations in plan #9355

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

How to create custom checks detecting destroy operations in plan #9355

Uh oh!

Afsalmc Aug 19, 2025

Question

Target

Scanner

Output Format

Mode

Operating System

Version

Replies: 1 comment · 1 reply

Uh oh!

nikpivkin Aug 27, 2025 Maintainer

Uh oh!

nikpivkin Sep 17, 2025 Maintainer

Afsalmc
Aug 19, 2025

Replies: 1 comment 1 reply

nikpivkin
Aug 27, 2025
Maintainer

nikpivkin Sep 17, 2025
Maintainer