Regression: False positives on aws_s3_bucket with dynamic resources (Trivy v0.65.0)

[bokyung-kang]

Description

After upgrading Trivy from v0.64.x to v0.65.0, false positive misconfiguration warnings appear for S3 buckets created dynamically using for_each, even though proper aws_s3_bucket_public_access_block and aws_s3_bucket_server_side_encryption_configuration resources are defined.

In v0.64.x, Trivy suppressed these warnings correctly. In v0.65.0, multiple HIGH-level issues are reported:

• AVD-AWS-0086
• AVD-AWS-0087
• AVD-AWS-0088
• AVD-AWS-0091
• AVD-AWS-0093

This appears to be a regression in how Trivy evaluates dynamic Terraform resources and correlates separate S3-related resources.

Desired Behavior

Trivy should recognize aws_s3_bucket_public_access_block and aws_s3_bucket_server_side_encryption_configuration applied to dynamic buckets, and suppress the relevant HIGH-level AVD warnings.

Actual Behavior

Trivy reports multiple HIGH issues for dynamically created S3 buckets, despite the public access block and encryption being properly configured.

Reproduction Steps

Terraform example code:


s3.tf:20-24
20 ┌ resource "aws_s3_bucket" "this" {
21 │   for_each      = local.bucket_map
22 │   bucket        = each.value.name
23 │   force_destroy = false
24 └ }

resource "aws_s3_bucket_public_access_block" "this" { 
  for_each = local.bucket_map
  bucket   = each.value.name

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  for_each = local.bucket_map
  bucket   = each.value.name

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# Note: local.bucket_map contents omitted for brevity

Run:
1. Run Trivy against a single file:
   trivy config -s CRITICAL,HIGH s3.tf
   → No warnings reported.

2. Run Trivy against the whole directory:
   trivy config  . -s CRITICAL,HIGH
   → Warnings are reported on the same `aws_s3_bucket` resources.

### Target

Filesystem

### Scanner

Misconfiguration

### Output Format

None

### Mode

Standalone

### Debug Output

```bash
trivy config . --severity CRITICAL,HIGH --debug
DEBUG   [terraform executor] No matching Terraform block found  cause_range="s3.tf:20-24"

Operating System

WSL2 (Ubuntu)

Version

Version: 0.65.0

Checklist

• Run trivy clean --all
• Read the troubleshooting

[simar7]

hi @bokyung-kang - could you try v0.66.0? It should be able to handle this.

trivy config ~/repos/trivy-issues/9415/main.tf
2025-09-02T19:06:44-06:00       INFO    [misconfig] Misconfiguration scanning is enabled
2025-09-02T19:06:50-06:00       INFO    [misconfig] Need to update the checks bundle
2025-09-02T19:06:50-06:00       INFO    [misconfig] Downloading the checks bundle...
165.20 KiB / 165.20 KiB [----------------------------------------------------------------------------------------------------------------------------------------] 100.00% 2.90 MiB p/s 300ms
2025-09-02T19:06:51-06:00       INFO    [terraform scanner] Scanning root module        file_path="."
2025-09-02T19:06:52-06:00       INFO    Detected config files   num=1

Report Summary

┌────────┬───────────┬───────────────────┐
│ Target │   Type    │ Misconfigurations │
├────────┼───────────┼───────────────────┤
│ .      │ terraform │         0         │
└────────┴───────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
- 

[bokyung-kang]

Hi, @simar7 thanks for your suggestion.

After investigation, we realized the false positives were caused by null values in our map entries. By adjusting the for_each logic to skip these nulls, the issue is resolved. It appears this is not related to the Trivy version.

We’ve updated our code accordingly and will close this discussion. Thanks again for your guidance!