Bug(panic): value is null

[rogi-sh]

Description

If a map is empty or null trivy config fails with value is null (go-cty/cty.Value.AsString)

Desired Behavior

Should skip null values

Actual Behavior

panic: value is null
goroutine 1 [running]:
github.com/zclconf/go-cty/cty.Value.AsString({{{0x6654470?, 0xc000289099?}}, {0x0?, 0x0?}})
/home/runner/go/pkg/mod/github.com/zclconf/[email protected]/cty/value_ops.go:1413 +0x10b
github.com/aquasecurity/trivy/pkg/iac/adapters/terraform/aws/provider.adaptDefaultTags.(*Attribute).AsMapValue.func1.1({{{0x6654470?, 0xc000289099?}}, {0x4839700?, 0xc0026ec6e0?}}, {{{0x6654470?, 0xc000289099?}}, {0x0?, 0x0?}})
/home/runner/work/trivy/trivy/pkg/iac/terrafo

Reproduction Steps

1. User provider AWS
2. add default tags with empty map
3. run trivy config
4.

Target

None

Scanner

None

Output Format

None

Mode

None

Debug Output

025-09-24T17:45:54Z	DEBUG	Cleaning up temp directory	path="/tmp/trivy-148"
panic: value is null
goroutine 1 [running]:
github.com/zclconf/go-cty/cty.Value.AsString({{{0x6654470?, 0xc000289099?}}, {0x0?, 0x0?}})
	/home/runner/go/pkg/mod/github.com/zclconf/[email protected]/cty/value_ops.go:1413 +0x10b
github.com/aquasecurity/trivy/pkg/iac/adapters/terraform/aws/provider.adaptDefaultTags.(*Attribute).AsMapValue.func1.1({{{0x6654470?, 0xc000289099?}}, {0x4839700?, 0xc0026ec6e0?}}, {{{0x6654470?, 0xc000289099?}}, {0x0?, 0x0?}})
	/home/runner/work/trivy/trivy/pkg/iac/terraform/attribute.go:680 +0x16a
github.com/zclconf/go-cty/cty.Value.ForEachElement({{{0x66543c8?, 0xc00525e0b0?}}, {0x4c153c0?, 0xc0051ec750?}}, 0xc00100bb20)
	/home/runner/go/pkg/mod/github.com/zclconf/[email protected]/cty/value_ops.go:1247 +0x97
github.com/aquasecurity/trivy/pkg/iac/adapters/terraform/aws/provider.adaptDefaultTags.(*Attribute).AsMapValue.func1({{{0x66543c8?, 0xc00525e0b0?}}, {0x4c153c0?, 0xc0051ec750?}})
	/home/runner/work/trivy/trivy/pkg/iac/terraform/attribute.go:677 +0xf9
github.com/aquasecurity/trivy/pkg/iac/terraform.safeOp[...](0xc0053b5260?, 0xc0026ec690?)
	/home/runner/work/trivy/trivy/pkg/iac/terraform/attribute.go:831 +0x14c
github.com/aquasecurity/trivy/pkg/iac/terraform.(*Attribute).AsMapValue(...)
	/home/runner/work/trivy/trivy/pkg/iac/terraform/attribute.go:671
github.com/aquasecurity/trivy/pkg/iac/adapters/terraform/aws/provider.adaptDefaultTags(_)
	/home/runner/work/trivy/trivy/pkg/iac/adapters/terraform/aws/provider/adapt.go:147 +0x105
github.com/aquasecurity/trivy/pkg/iac/adapters/terraform/aws/provider.adaptProvider(_)
	/home/runner/work/trivy/trivy/pkg/iac/adapters/terraform/aws/provider/adapt.go:41 +0x245
github.com/aquasecurity/trivy/pkg/iac/adapters/terraform/aws/provider.adaptProviders({0xc001d9ee70, 0x5, 0x0?})
	/home/runner/work/trivy/trivy/pkg/iac/adapters/terraform/aws/provider/adapt.go:24 +0x34c
github.com/aquasecurity/trivy/pkg/iac/adapters/terraform/aws/provider.Adapt(...)
	/home/runner/work/trivy/trivy/pkg/iac/adapters/terraform/aws/provider/adapt.go:17
github.com/aquasecurity/trivy/pkg/iac/adapters/terraform/aws.Adapt({_, _, _})
	/home/runner/work/trivy/trivy/pkg/iac/adapters/terraform/aws/adapt.go:44 +0x65
github.com/aquasecurity/trivy/pkg/iac/adapters/terraform.Adapt({0xc001d9ee70, 0x5, 0x6})
	/home/runner/work/trivy/trivy/pkg/iac/adapters/terraform/adapt.go:20 +0x45
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/executor.(*Executor).Execute(0xc0025fc200, {0x6651f08, 0xc00534b050}, {0xc001d9ee70, 0x5, 0x6}, {0x65d0b48, 0x1})
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/executor/executor.go:44 +0xae
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform.(*Scanner).ScanFS(0xc003f44750, {0x6651f08, 0xc00534b050}, {0x65eff20, 0xc0033eeab0}, {0x65d0b48, 0x1})
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/scanner.go:139 +0xa8a
github.com/aquasecurity/trivy/pkg/misconf.(*Scanner).Scan(0xc0047a8b00, {0x6651fb0, 0xc0003d9810}, {0x65eff20, 0xc002dff6f8})
	/home/runner/work/trivy/trivy/pkg/misconf/scanner.go:149 +0x297
github.com/aquasecurity/trivy/pkg/fanal/analyzer/config.(*Analyzer).PostAnalyze(0xc0045df5e0, {0x6651fb0?, 0xc0003d9810?}, {{0x65eff20, 0xc002dff6f8}, {0x0, 0x0, 0x0}, {0x0, 0x0}})
	/home/runner/work/trivy/trivy/pkg/fanal/analyzer/config/config.go:44 +0x45
github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.PostAnalyze({0xc00477cd20, {0xc0045df2e0, 0x2, 0x2}, {0xc004c8ce00, 0x8, 0x8}, 0xc0047952f0, {0x0, 0x0}}, ...)
	/home/runner/work/trivy/trivy/pkg/fanal/analyzer/analyzer.go:519 +0x399
github.com/aquasecurity/trivy/pkg/fanal/artifact/local.Artifact.Inspect({{0x7ffe23cfea4a, 0x1}, 0xc00477d540, {0x7fecd90ffaf8, 0xc0034cf6e0}, {0x65efe40, 0x9864720}, {0xc00477cd20, {0xc0045df2e0, 0x2, ...}, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/fanal/artifact/local/fs.go:237 +0x809
github.com/aquasecurity/trivy/pkg/scan.Service.ScanArtifact({{_, _}, {_, _}}, {_, _}, {{0x0, 0x0, 0x0}, {0x0, ...}, ...})
	/home/runner/work/trivy/trivy/pkg/scan/service.go:164 +0xe7
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scan(_, {_, _}, {{{0x5455fc9, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:683 +0x377
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact(_, {_, _}, {{{0x5455fc9, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:289 +0xc9
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanFS(_, {_, _}, {{{0x5455fc9, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, ...}, ...})
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:234 +0xc7
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).ScanFilesystem(_, {_, _}, {{{0x5455fc9, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, ...}, ...})
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:214 +0x211
github.com/aquasecurity/trivy/pkg/commands/artifact.run({_, _}, {{{0x5455fc9, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, {0xc000076270, ...}, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:450 +0x710
github.com/aquasecurity/trivy/pkg/commands/artifact.Run({_, _}, {{{0x5455fc9, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, {0xc000076270, ...}, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:412 +0x399
github.com/aquasecurity/trivy/pkg/commands.NewConfigCommand.func2(0xc000fc9808, {0xc0011475c0, 0x1, 0xc})
	/home/runner/work/trivy/trivy/pkg/commands/app.go:740 +0x2d3
github.com/spf13/cobra.(*Command).execute(0xc000fc9808, {0xc001147500, 0xc, 0xc})
	/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1015 +0xaaa
github.com/spf13/cobra.(*Command).ExecuteC(0xc000be9508)
	/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1148 +0x46f
github.com/spf13/cobra.(*Command).Execute(...)
	/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1071
github.com/spf13/cobra.(*Command).ExecuteContext(0x6651ed0?, {0x66522c0?, 0xc000f20840?})
	/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1064 +0x47
main.run()
	/home/runner/work/trivy/trivy/cmd/trivy/main.go:51 +0x19f
main.main()
	/home/runner/work/trivy/trivy/cmd/trivy/main.go:19 +0x1f

Operating System

aquasec/trivy:0.66.0 in Gitlab Pipeline

Version

Version: 0.66.0

Checklist

• Run trivy clean --all
• Read the troubleshooting

[simar7]

Can you share a small reproducible example for this issue?

[nikpivkin]

Hi @rogi-sh !

I cannot reproduce this issue on the latest version:

❯ cat main.tf
provider "aws" {
    default_tags {
      tags = {}
    }
}%                                                                                                                                  
❯ trivy conf main.tf
2025-09-25T15:18:50+06:00       INFO    [misconfig] Misconfiguration scanning is enabled
2025-09-25T15:18:51+06:00       INFO    [terraform scanner] Scanning root module        file_path="."
2025-09-25T15:18:51+06:00       INFO    Detected config files   num=1

Report Summary

┌────────┬───────────┬───────────────────┐
│ Target │   Type    │ Misconfigurations │
├────────┼───────────┼───────────────────┤
│ .      │ terraform │         0         │
└────────┴───────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

[nikpivkin]

Is default.json a variables file?

Can you show how the variable name and the output default_tags are declared in the configuration? Thanks.

[rogi-sh]

Yes default.json is just a place where variables are set

{
  "tags": {
    "company:owner": "company",
    "company:managedby": "terraform@comp-iac"
  },
}

[rogi-sh]

Provider is like this

provider "aws" {
  region              = module.config.region
  allowed_account_ids = [module.config.allowed_account_id, module.config.iam_origin_account_id]
  dynamic "assume_role" {
    for_each = module.config.aws_provider_enabled ? [1] : []
    content {
      role_arn = "arn:aws:iam::${module.config.aws_provider_shared_id}:role/${module.config.aws_provider_role}"
    }
  }
  default_tags {
    tags = module.config.default_tags
  }
}

[rogi-sh]

Mapping is then over output:

output "default_tags" {
  value       = local.defaults.tags
  description = "Default tags"
}

  tags = merge(
      local.def.tags,
      {
        "product"      = local.input.product,
        "environment"  = local.input.stage,
        "organization" = "company",
      }
    )

[nikpivkin]

How is local.input defined? Do module variables have types? To reproduce the problem, we need a little more configuration data.

[petrobubka]

Additional Reproduction Case

Hi @nikpivkin
I'm experiencing the same panic with a similar but slightly different scenario involving data.git_repository data source.

Configuration Structure

Provider configuration:

provider "aws" {
  region = "us-west-2"
  default_tags {
    tags = module.default_tags.tags
  }
}

Module: terraform/modules/default_tags/main.tf

locals {
  default_tags = {
    Project     = var.project
    Environment = var.environment
    Owner       = var.owner
  }
  vcs_tags = {
    "VCS:Source" = data.git_repository.this.url
    "VCS:Branch" = data.git_repository.this.branch
    "VCS:Path"   = data.git_repository.this.relative_path
    "VCS:Clean"  = data.git_repository.this.clean
    "VCS:Commit" = data.git_repository.this.commit_sha
  }
  tags = merge(local.default_tags, local.vcs_tags)
}

data "git_repository" "this" {
}

output "tags" {
  value       = local.tags
  description = "Default tags map including Project and Git related info."
}

Root Cause

When Trivy performs static analysis, the data.git_repository data source returns null values for all attributes (url, branch, commit_sha, etc.) because the data source cannot be evaluated without actually running Terraform.

These null values get merged into the tags map and passed to the AWS provider's default_tags, which triggers the panic in adaptDefaultTags.

Stack Trace

panic: value is null

goroutine 1 [running]:
github.com/zclconf/go-cty/cty.Value.AsString({{{0x6611310?, 0xc000277089?}}, {0x0?, 0x0?}})
	/home/runner/go/pkg/mod/github.com/zclconf/[email protected]/cty/value_ops.go:1413 +0x10b
github.com/aquasecurity/trivy/pkg/iac/adapters/terraform/aws/provider.adaptDefaultTags.(*Attribute).AsMapValue.func1.1
...

Environment

• Trivy version: 0.65.0 (based on [email protected])
• Running in: GitHub Actions
• Terraform configuration: AWS provider with module-based default_tags

Workaround

Currently using skip-dirs to bypass the problematic module:

- uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
  with:
    scan-type: 'config'
    skip-dirs: 'terraform/modules/default_tags'

Expected Behavior

adaptDefaultTags should gracefully handle null values in tag maps, either by:

1. Skipping null values during tag processing
2. Warning about null values instead of panicking
3. Treating unevaluated data sources as unknowns rather than nulls