Trivy doesn't scan all modules in Terraform #9543

heindrickdumdum0217 · 2025-09-29T09:34:02Z

heindrickdumdum0217
Sep 29, 2025

Description

trivy config --tf-vars ${STAGE}.tfvars --severity CRITICAL --debug ./

I'm using the above command to scan infra project.
But it doesn't scan all modules in the infra project.

2025-09-29T17:01:20+08:00	DEBUG	[terraform parser] Parsing FS	module="root" module="rds" file_path="modules/rds"
2025-09-29T17:01:20+08:00	DEBUG	[terraform parser] Parsing	module="root" module="rds" file_path="modules/rds/iam.tf"
2025-09-29T17:01:20+08:00	DEBUG	[terraform parser] Added file	module="root" module="rds" file_path="modules/rds/iam.tf"
2025-09-29T17:01:20+08:00	DEBUG	[terraform parser] Parsing	module="root" module="rds" file_path="modules/rds/local.tf"
2025-09-29T17:01:20+08:00	DEBUG	[terraform parser] Added file	module="root" module="rds" file_path="modules/rds/local.tf"
2025-09-29T17:01:20+08:00	DEBUG	[terraform parser] Parsing	module="root" module="rds" file_path="modules/rds/main.tf"
2025-09-29T17:01:20+08:00	DEBUG	[terraform parser] Added file	module="root" module="rds" file_path="modules/rds/main.tf"
2025-09-29T17:01:20+08:00	DEBUG	[terraform parser] Parsing	module="root" module="rds" file_path="modules/rds/outputs.tf"
2025-09-29T17:01:20+08:00	DEBUG	[terraform parser] Added file	module="root" module="rds" file_path="modules/rds/outputs.tf"
2025-09-29T17:01:20+08:00	DEBUG	[terraform parser] Parsing	module="root" module="rds" file_path="modules/rds/subnet_group.tf"
2025-09-29T17:01:20+08:00	DEBUG	[terraform parser] Added file	module="root" module="rds" file_path="modules/rds/subnet_group.tf"
2025-09-29T17:01:20+08:00	DEBUG	[terraform parser] Parsing	module="root" module="rds" file_path="modules/rds/variables.tf"
2025-09-29T17:01:20+08:00	DEBUG	[terraform parser] Added file	module="root" module="rds" file_path="modules/rds/variables.tf"
2025-09-29T17:01:20+08:00	DEBUG	[terraform evaluator] Using module from Terraform cache .terraform/modules	module="root" source="./modules/rds"
2025-09-29T17:01:20+08:00	DEBUG	[terraform evaluator] Loaded module	module="root" name="rds" file_path="modules/rds"

As you can see in the above log, it added rds module, but it's not evaluated by trivy

Here is report summary.

┌─────────────────────────────────────────────────────────────────────────────┬────────────┬───────────────────┐
│                                   Target                                    │    Type    │ Misconfigurations │
├─────────────────────────────────────────────────────────────────────────────┼────────────┼───────────────────┤
│ .                                                                           │ terraform  │         0         │
├─────────────────────────────────────────────────────────────────────────────┼────────────┼───────────────────┤
│ .terraform/modules/cluster.eks/examples/eks-auto-mode/deployment.yaml       │ kubernetes │         0         │
├─────────────────────────────────────────────────────────────────────────────┼────────────┼───────────────────┤
│ .terraform/modules/cluster.eks/examples/karpenter/inflate.yaml              │ kubernetes │         0         │
├─────────────────────────────────────────────────────────────────────────────┼────────────┼───────────────────┤
│ .terraform/modules/cluster.eks/examples/karpenter/karpenter.yaml            │ kubernetes │         0         │
├─────────────────────────────────────────────────────────────────────────────┼────────────┼───────────────────┤
│ modules/xxxx/iam.tf                                                       │ terraform  │         0         │
├─────────────────────────────────────────────────────────────────────────────┼────────────┼───────────────────┤
│ modules/ci_cd/codebuild.tf                                                  │ terraform  │         0         │
├─────────────────────────────────────────────────────────────────────────────┼────────────┼───────────────────┤
│ modules/ci_cd/s3.tf                                                         │ terraform  │         0         │
├─────────────────────────────────────────────────────────────────────────────┼────────────┼───────────────────┤
│ modules/cluster/eks-cluster.tf                                              │ terraform  │         0         │
├─────────────────────────────────────────────────────────────────────────────┼────────────┼───────────────────┤
│ modules/cluster/iam.tf                                                      │ terraform  │         0         │
├─────────────────────────────────────────────────────────────────────────────┼────────────┼───────────────────┤
│ modules/cluster/s3.tf                                                       │ terraform  │         0         │
├─────────────────────────────────────────────────────────────────────────────┼────────────┼───────────────────┤
│ modules/codebuild_slack_notifier/slack-notifier.tf                          │ terraform  │         0         │
├─────────────────────────────────────────────────────────────────────────────┼────────────┼───────────────────┤
│ terraform-aws-modules/eks/aws/.terraform/modules/cluster.eks/main.tf        │ terraform  │         0         │
├─────────────────────────────────────────────────────────────────────────────┼────────────┼───────────────────┤
│ terraform-aws-modules/eks/aws/.terraform/modules/cluster.eks/node_groups.tf │ terraform  │         0         │
├─────────────────────────────────────────────────────────────────────────────┼────────────┼───────────────────┤
│ terraform-aws-modules/vpc/aws/.terraform/modules/cluster.vpc/main.tf        │ terraform  │         0         │
└─────────────────────────────────────────────────────────────────────────────┴────────────┴───────────────────┘

Desired Behavior

rds module must be evaluated and mentioned in report summary.
If I set egress rule to 0.0.0.0/0, trivy doesn't detect as it doesn't evaluate rds module.
But if I scan with tfsec, it detects security problem.

Result #1 CRITICAL Security group rule allows egress to multiple public internet addresses. 
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  modules/rds/main.tf:37
   via main.tf:94-111 (module.rds)
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   21    resource "aws_security_group" "main" {
   ..  
   37  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   41    }
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group

Actual Behavior

It doesn't evalulate rds module, doesn't detect problem in egress

Reproduction Steps

I can't share my infra project here.

Here are commands which I use.

trivy config --tf-vars dev.tfvars --severity CRITICAL --debug ./



### Target

None

### Scanner

Misconfiguration

### Output Format

None

### Mode

Standalone

### Debug Output

```bash
2025-09-29T17:01:20+08:00	DEBUG	[terraform parser] Parsing FS	module="root" file_path="modules/rds"
2025-09-29T17:01:20+08:00	DEBUG	[terraform parser] Parsing	module="root" file_path="modules/rds/iam.tf"
2025-09-29T17:01:20+08:00	DEBUG	[terraform parser] Added file	module="root" file_path="modules/rds/iam.tf"
2025-09-29T17:01:20+08:00	DEBUG	[terraform parser] Parsing	module="root" file_path="modules/rds/local.tf"
2025-09-29T17:01:20+08:00	DEBUG	[terraform parser] Added file	module="root" file_path="modules/rds/local.tf"
2025-09-29T17:01:20+08:00	DEBUG	[terraform parser] Parsing	module="root" file_path="modules/rds/main.tf"
2025-09-29T17:01:20+08:00	DEBUG	[terraform parser] Added file	module="root" file_path="modules/rds/main.tf"
2025-09-29T17:01:20+08:00	DEBUG	[terraform parser] Parsing	module="root" file_path="modules/rds/outputs.tf"
2025-09-29T17:01:20+08:00	DEBUG	[terraform parser] Added file	module="root" file_path="modules/rds/outputs.tf"
2025-09-29T17:01:20+08:00	DEBUG	[terraform parser] Parsing	module="root" file_path="modules/rds/subnet_group.tf"
2025-09-29T17:01:20+08:00	DEBUG	[terraform parser] Added file	module="root" file_path="modules/rds/subnet_group.tf"
2025-09-29T17:01:20+08:00	DEBUG	[terraform parser] Parsing	module="root" file_path="modules/rds/variables.tf"
2025-09-29T17:01:20+08:00	DEBUG	[terraform parser] Added file	module="root" file_path="modules/rds/variables.tf"

...

2025-09-29T17:01:20+08:00	DEBUG	[terraform parser] Parsing FS	module="root" module="rds" file_path="modules/rds"
2025-09-29T17:01:20+08:00	DEBUG	[terraform parser] Parsing	module="root" module="rds" file_path="modules/rds/iam.tf"
2025-09-29T17:01:20+08:00	DEBUG	[terraform parser] Added file	module="root" module="rds" file_path="modules/rds/iam.tf"
2025-09-29T17:01:20+08:00	DEBUG	[terraform parser] Parsing	module="root" module="rds" file_path="modules/rds/local.tf"
2025-09-29T17:01:20+08:00	DEBUG	[terraform parser] Added file	module="root" module="rds" file_path="modules/rds/local.tf"
2025-09-29T17:01:20+08:00	DEBUG	[terraform parser] Parsing	module="root" module="rds" file_path="modules/rds/main.tf"
2025-09-29T17:01:20+08:00	DEBUG	[terraform parser] Added file	module="root" module="rds" file_path="modules/rds/main.tf"
2025-09-29T17:01:20+08:00	DEBUG	[terraform parser] Parsing	module="root" module="rds" file_path="modules/rds/outputs.tf"
2025-09-29T17:01:20+08:00	DEBUG	[terraform parser] Added file	module="root" module="rds" file_path="modules/rds/outputs.tf"
2025-09-29T17:01:20+08:00	DEBUG	[terraform parser] Parsing	module="root" module="rds" file_path="modules/rds/subnet_group.tf"
2025-09-29T17:01:20+08:00	DEBUG	[terraform parser] Added file	module="root" module="rds" file_path="modules/rds/subnet_group.tf"
2025-09-29T17:01:20+08:00	DEBUG	[terraform parser] Parsing	module="root" module="rds" file_path="modules/rds/variables.tf"
2025-09-29T17:01:20+08:00	DEBUG	[terraform parser] Added file	module="root" module="rds" file_path="modules/rds/variables.tf"
2025-09-29T17:01:20+08:00	DEBUG	[terraform evaluator] Using module from Terraform cache .terraform/modules	module="root" source="./modules/rds"
2025-09-29T17:01:20+08:00	DEBUG	[terraform evaluator] Loaded module	module="root" name="rds" file_path="modules/rds"

...

Report Summary

┌─────────────────────────────────────────────────────────────────────────────┬────────────┬───────────────────┐
│                                   Target                                    │    Type    │ Misconfigurations │
├─────────────────────────────────────────────────────────────────────────────┼────────────┼───────────────────┤
│ .                                                                           │ terraform  │         0         │
├─────────────────────────────────────────────────────────────────────────────┼────────────┼───────────────────┤
│ .terraform/modules/cluster.eks/examples/eks-auto-mode/deployment.yaml       │ kubernetes │         0         │
├─────────────────────────────────────────────────────────────────────────────┼────────────┼───────────────────┤
│ .terraform/modules/cluster.eks/examples/karpenter/inflate.yaml              │ kubernetes │         0         │
├─────────────────────────────────────────────────────────────────────────────┼────────────┼───────────────────┤
│ .terraform/modules/cluster.eks/examples/karpenter/karpenter.yaml            │ kubernetes │         0         │
├─────────────────────────────────────────────────────────────────────────────┼────────────┼───────────────────┤
│ modules/xxxx/iam.tf                                                       │ terraform  │         0         │
├─────────────────────────────────────────────────────────────────────────────┼────────────┼───────────────────┤
│ modules/ci_cd/codebuild.tf                                                  │ terraform  │         0         │
├─────────────────────────────────────────────────────────────────────────────┼────────────┼───────────────────┤
│ modules/ci_cd/s3.tf                                                         │ terraform  │         0         │
├─────────────────────────────────────────────────────────────────────────────┼────────────┼───────────────────┤
│ modules/cluster/eks-cluster.tf                                              │ terraform  │         0         │
├─────────────────────────────────────────────────────────────────────────────┼────────────┼───────────────────┤
│ modules/cluster/iam.tf                                                      │ terraform  │         0         │
├─────────────────────────────────────────────────────────────────────────────┼────────────┼───────────────────┤
│ modules/cluster/s3.tf                                                       │ terraform  │         0         │
├─────────────────────────────────────────────────────────────────────────────┼────────────┼───────────────────┤
│ modules/codebuild_slack_notifier/slack-notifier.tf                          │ terraform  │         0         │
├─────────────────────────────────────────────────────────────────────────────┼────────────┼───────────────────┤
│ terraform-aws-modules/eks/aws/.terraform/modules/cluster.eks/main.tf        │ terraform  │         0         │
├─────────────────────────────────────────────────────────────────────────────┼────────────┼───────────────────┤
│ terraform-aws-modules/eks/aws/.terraform/modules/cluster.eks/node_groups.tf │ terraform  │         0         │
├─────────────────────────────────────────────────────────────────────────────┼────────────┼───────────────────┤
│ terraform-aws-modules/vpc/aws/.terraform/modules/cluster.vpc/main.tf        │ terraform  │         0         │
└─────────────────────────────────────────────────────────────────────────────┴────────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

2025-09-29T17:01:21+08:00	DEBUG	Cleaning up temp directory	path="/tmp/trivy-23762"



### Operating System

Ubuntu 24.04

### Version

```bash
Version: 0.66.0
Check Bundle:
  Digest: sha256:a471e90b7c7335e914ec9075b74cf8f65e4c91e6cecfa7e39c587382808d2684
  DownloadedAt: 2025-09-29 09:17:57.132010225 +0000 UTC

Checklist

Run trivy clean --all
Read the troubleshooting

simar7 · 2025-09-30T01:53:30Z

simar7
Sep 30, 2025
Maintainer

I can't share my infra project here.

Can you share a minimal example which will trigger this?

Furthermore, which check in Trivy do you expect to see get flagged today that isn't?

0 replies

heindrickdumdum0217 · 2025-09-30T06:17:20Z

heindrickdumdum0217
Sep 30, 2025
Author

@simar7
It's egress with 0.0.0.0/0 in security group.
tfsec detects problem, but trivy doesn't.

Result #1 CRITICAL Security group rule allows egress to multiple public internet addresses. 
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  modules/rds/main.tf:37
   via main.tf:94-111 (module.rds)
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   21    resource "aws_security_group" "main" {
   ..  
   37  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   41    }
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group

1 reply

heindrickdumdum0217 Sep 30, 2025
Author

I have another security group with egress 0.0.0.0/0 and triby detected it, so I had to add a comment to ignore.
It means trivy doesn't scan rds module in my infra project.
Also rds module is not mentioned in trivy final report.

Here is a comment which I added in my cluster module to ignore egress check from trivy.

# trivy:ignore:AVD-AWS-0041

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Trivy doesn't scan all modules in Terraform #9543

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 2 comments 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Trivy doesn't scan all modules in Terraform #9543

Uh oh!

Uh oh!

heindrickdumdum0217 Sep 29, 2025

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Checklist

Replies: 2 comments · 1 reply

Uh oh!

simar7 Sep 30, 2025 Maintainer

Uh oh!

heindrickdumdum0217 Sep 30, 2025 Author

Uh oh!

heindrickdumdum0217 Sep 30, 2025 Author

heindrickdumdum0217
Sep 29, 2025

Replies: 2 comments 1 reply

simar7
Sep 30, 2025
Maintainer

heindrickdumdum0217
Sep 30, 2025
Author

heindrickdumdum0217 Sep 30, 2025
Author