AVD-AZU-0012 finding when scanning any terraform code #9619

Malcolm-GetAHead · 2025-10-08T13:09:46Z

Malcolm-GetAHead
Oct 8, 2025

IDs

AVD-AZU-0012

Description

When running a config scan against any terraform code and receive false-positive AVD-AZU-0012 finding:

$ rm -rf ~/.cache/trivy/
$ ls -la
total 4
drwxr-xr-x 3 code code  96 Oct  8 12:59 .
drwxr-xr-x 8 code code 256 Oct  8 12:58 ..
-rw-r--r-- 1 code code  34 Oct  8 12:59 output.tf
$ cat *
output "test" {
  value = "test"
}
 
$ trivy config .
2025-10-08T13:07:01Z    INFO    [misconfig] Misconfiguration scanning is enabled
2025-10-08T13:07:01Z    INFO    [misconfig] Need to update the checks bundle
2025-10-08T13:07:01Z    INFO    [misconfig] Downloading the checks bundle...
215.56 KiB / 215.56 KiB [----------------------------------------------------------------------------------------------------------------------] 100.00% ? p/s 100ms
2025-10-08T13:07:02Z    INFO    [terraform scanner] Scanning root module        file_path="."
2025-10-08T13:07:02Z    INFO    Detected config files   num=2

Report Summary

┌────────┬───────────┬───────────────────┐
│ Target │   Type    │ Misconfigurations │
├────────┼───────────┼───────────────────┤
│        │ terraform │         1         │
├────────┼───────────┼───────────────────┤
│ .      │ terraform │         0         │
└────────┴───────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


 (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

AVD-AZU-0012 (CRITICAL): No network rules defined and default action allows access.
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
The default_action for network rules should come into effect when no other rules are matched.
The default action should be set to Deny.


See https://avd.aquasec.com/misconfig/avd-azu-0012
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


### Reproduction Steps

```bash
1. Create an empty directory and create a file with any terraform code
2. Run a trivy config scan

Target

AWS

Scanner

Misconfiguration

Target OS

N/A

Debug Output

$ trivy config . --debug
2025-10-08T13:08:36Z    DEBUG   No plugins loaded
2025-10-08T13:08:36Z    DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-10-08T13:08:36Z    DEBUG   Cache dir       dir="/home/code/.cache/trivy"
2025-10-08T13:08:36Z    DEBUG   Cache dir       dir="/home/code/.cache/trivy"
2025-10-08T13:08:36Z    DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-10-08T13:08:36Z    INFO    [misconfig] Misconfiguration scanning is enabled
2025-10-08T13:08:36Z    DEBUG   [notification] Running version check
2025-10-08T13:08:36Z    DEBUG   [misconfig] Checks successfully loaded from disk
2025-10-08T13:08:37Z    DEBUG   [notification] Version check completed  latest_version="0.67.0"
2025-10-08T13:08:37Z    DEBUG   [rego] Overriding filesystem for checks
2025-10-08T13:08:37Z    DEBUG   [rego] Embedded libraries are loaded    count=17
2025-10-08T13:08:37Z    DEBUG   [rego] Embedded checks are loaded       count=519
2025-10-08T13:08:37Z    DEBUG   [rego] Checks from disk are loaded      count=559
2025-10-08T13:08:37Z    DEBUG   [rego] Overriding filesystem for data
2025-10-08T13:08:37Z    DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-10-08T13:08:37Z    DEBUG   Initializing scan cache...      type="memory"
2025-10-08T13:08:37Z    DEBUG   [fs] Analyzing...       root="."
2025-10-08T13:08:37Z    DEBUG   Created process-specific temp directory path="/tmp/trivy-7240"
2025-10-08T13:08:37Z    DEBUG   [misconfig] Scanning files for misconfigurations...     scanner="Terraform"
2025-10-08T13:08:37Z    DEBUG   [terraform scanner] Scanning directory  file_path="."
2025-10-08T13:08:37Z    DEBUG   [terraform parser] Setting project/module root  module="root" file_path="."
2025-10-08T13:08:37Z    DEBUG   [terraform parser] Parsing FS   module="root" file_path="."
2025-10-08T13:08:37Z    DEBUG   [terraform parser] Parsing      module="root" file_path="output.tf"
2025-10-08T13:08:37Z    DEBUG   [terraform parser] Added file   module="root" file_path="output.tf"
2025-10-08T13:08:37Z    INFO    [terraform scanner] Scanning root module        file_path="."
2025-10-08T13:08:37Z    DEBUG   [terraform parser] Setting project/module root  module="root" file_path="."
2025-10-08T13:08:37Z    DEBUG   [terraform parser] Parsing FS   module="root" file_path="."
2025-10-08T13:08:37Z    DEBUG   [terraform parser] Parsing      module="root" file_path="output.tf"
2025-10-08T13:08:37Z    DEBUG   [terraform parser] Added file   module="root" file_path="output.tf"
2025-10-08T13:08:37Z    DEBUG   [terraform parser] Loading module       module="root" module="root"
2025-10-08T13:08:37Z    DEBUG   [terraform parser] Read block(s) and ignore(s)  module="root" blocks=1 ignores=0
2025-10-08T13:08:37Z    DEBUG   [terraform parser] Added input variables from tfvars    module="root" count=0
2025-10-08T13:08:37Z    DEBUG   [terraform parser] Working directory for module evaluation      module="root" file_path="/workspaces/terraform-stacks/deployments/web/dns/temp"
2025-10-08T13:08:37Z    DEBUG   [terraform evaluator] Starting module evaluation...     module="root" path="."
2025-10-08T13:08:37Z    DEBUG   [terraform evaluator] Starting iteration        module="root" iteration=0
2025-10-08T13:08:37Z    DEBUG   [terraform evaluator] Starting iteration        module="root" iteration=1
2025-10-08T13:08:37Z    DEBUG   [terraform evaluator] Context unchanged module="root" iteration=1
2025-10-08T13:08:37Z    DEBUG   [terraform evaluator] Starting post-submodules evaluation...    module="root"
2025-10-08T13:08:37Z    DEBUG   [terraform evaluator] Starting iteration        module="root" iteration=0
2025-10-08T13:08:37Z    DEBUG   [terraform evaluator] Starting iteration        module="root" iteration=1
2025-10-08T13:08:37Z    DEBUG   [terraform evaluator] Context unchanged module="root" iteration=1
2025-10-08T13:08:37Z    DEBUG   [terraform evaluator] Module evaluation complete.       module="root"
2025-10-08T13:08:37Z    DEBUG   [terraform parser] Finished parsing module      module="root"
2025-10-08T13:08:37Z    DEBUG   [terraform executor] Adapting modules...
2025-10-08T13:08:37Z    DEBUG   [terraform executor] Adapted module(s) into state data. count=1
2025-10-08T13:08:37Z    DEBUG   [terraform executor] Scan state data
2025-10-08T13:08:37Z    DEBUG   [rego] Scanning inputs  count=1
2025-10-08T13:08:37Z    DEBUG   [terraform executor] Finished applying checks
2025-10-08T13:08:37Z    DEBUG   [terraform executor] Applying ignores...
2025-10-08T13:08:37Z    DEBUG   [terraform executor] No matching Terraform block found  cause_range=""
2025-10-08T13:08:37Z    DEBUG   OS is not detected.
2025-10-08T13:08:37Z    INFO    Detected config files   num=2
2025-10-08T13:08:37Z    DEBUG   Scanned config file     file_path=""
2025-10-08T13:08:37Z    DEBUG   Scanned config file     file_path="."
2025-10-08T13:08:37Z    DEBUG   Specified ignore file does not exist    file=".trivyignore"
2025-10-08T13:08:37Z    DEBUG   [vex] VEX filtering is disabled

Report Summary

┌────────┬───────────┬───────────────────┐
│ Target │   Type    │ Misconfigurations │
├────────┼───────────┼───────────────────┤
│        │ terraform │         1         │
├────────┼───────────┼───────────────────┤
│ .      │ terraform │         0         │
└────────┴───────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


 (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

AVD-AZU-0012 (CRITICAL): No network rules defined and default action allows access.
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
The default_action for network rules should come into effect when no other rules are matched.
The default action should be set to Deny.


See https://avd.aquasec.com/misconfig/avd-azu-0012
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


2025-10-08T13:08:37Z    DEBUG   Cleaning up temp directory      path="/tmp/trivy-7240"

Version

$ trivy --version
Version: 0.67.0

Checklist

Read the documentation regarding wrong detection
Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

Skaronator · 2025-10-08T13:17:39Z

Skaronator
Oct 8, 2025

Just debugged the same problem. Was about the write the same issue.

Problem is the new 1.12.0 ruleset.

When you use the old ruleset it works again:
trivy config . --checks-bundle-repository mirror.gcr.io/aquasec/trivy-checks:1.11
Make sure to delete the cache (rm -rf $HOME/.cache/trivy)

0 replies

Malcolm-GetAHead · 2025-10-08T15:26:25Z

Malcolm-GetAHead
Oct 8, 2025
Author

It looks like this is resolved now:

$ rm -rf ~/.cache/trivy/
$ trivy config . --debug
2025-10-08T15:25:21Z    DEBUG   No plugins loaded
2025-10-08T15:25:21Z    DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-10-08T15:25:21Z    DEBUG   Cache dir       dir="/home/code/.cache/trivy"
2025-10-08T15:25:21Z    DEBUG   Cache dir       dir="/home/code/.cache/trivy"
2025-10-08T15:25:21Z    DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-10-08T15:25:21Z    INFO    [misconfig] Misconfiguration scanning is enabled
2025-10-08T15:25:21Z    DEBUG   [misconfig] Failed to open the check metadata   err="open /home/code/.cache/trivy/policy/metadata.json: no such file or directory"
2025-10-08T15:25:21Z    INFO    [misconfig] Need to update the checks bundle
2025-10-08T15:25:21Z    INFO    [misconfig] Downloading the checks bundle...
2025-10-08T15:25:21Z    DEBUG   [misconfig] Loading check bundle        repository="mirror.gcr.io/aquasec/trivy-checks:1"
2025-10-08T15:25:21Z    DEBUG   [notification] Running version check
2025-10-08T15:25:21Z    DEBUG   [notification] Version check completed  latest_version="0.67.0"
2025-10-08T15:25:22Z    DEBUG   Created process-specific temp directory path="/tmp/trivy-15359"
215.56 KiB / 215.56 KiB [----------------------------------------------------------------------------------------------------------------------] 100.00% ? p/s 100ms
2025-10-08T15:25:22Z    DEBUG   [misconfig] Digest of the built-in checks       digest="sha256:a6dab0ee0b117e3996773177db88cb35788da55385186e1fc6aace3c3a64d9dd"
2025-10-08T15:25:22Z    DEBUG   [misconfig] Checks successfully loaded from disk
2025-10-08T15:25:22Z    DEBUG   [rego] Overriding filesystem for checks
2025-10-08T15:25:22Z    DEBUG   [rego] Embedded libraries are loaded    count=17
2025-10-08T15:25:22Z    DEBUG   [rego] Embedded checks are loaded       count=519
2025-10-08T15:25:22Z    DEBUG   [rego] Checks from disk are loaded      count=559
2025-10-08T15:25:22Z    DEBUG   [rego] Overriding filesystem for data
2025-10-08T15:25:22Z    DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-10-08T15:25:22Z    DEBUG   Initializing scan cache...      type="memory"
2025-10-08T15:25:22Z    DEBUG   [fs] Analyzing...       root="."
2025-10-08T15:25:22Z    DEBUG   OS is not detected.
2025-10-08T15:25:22Z    INFO    Detected config files   num=0
2025-10-08T15:25:22Z    DEBUG   Specified ignore file does not exist    file=".trivyignore"
2025-10-08T15:25:22Z    DEBUG   [vex] VEX filtering is disabled
2025-10-08T15:25:22Z    WARN    [report] Supported files for scanner(s) not found.      scanners=[misconfig]

Report Summary

┌────────┬──────┬───────────────────┐
│ Target │ Type │ Misconfigurations │
├────────┼──────┼───────────────────┤
│   -    │  -   │         -         │
└────────┴──────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

2025-10-08T15:25:22Z    DEBUG   Cleaning up temp directory      path="/tmp/trivy-15359"

3 replies

Skaronator Oct 8, 2025

Still not working for me:

➜  trivy git:(main) ✗ rm -rf /home/niklas/.cache/trivy
➜  trivy git:(main) ✗ trivy config . --debug
2025-10-08T17:38:15+02:00       DEBUG   No plugins loaded
2025-10-08T17:38:15+02:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-10-08T17:38:15+02:00       DEBUG   Cache dir       dir="/home/niklas/.cache/trivy"
2025-10-08T17:38:15+02:00       DEBUG   Cache dir       dir="/home/niklas/.cache/trivy"
2025-10-08T17:38:15+02:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-10-08T17:38:15+02:00       INFO    [misconfig] Misconfiguration scanning is enabled
2025-10-08T17:38:15+02:00       DEBUG   [misconfig] Failed to open the check metadata   err="open /home/niklas/.cache/trivy/policy/metadata.json: no such file or directory"
2025-10-08T17:38:15+02:00       INFO    [misconfig] Need to update the checks bundle
2025-10-08T17:38:15+02:00       INFO    [misconfig] Downloading the checks bundle...
2025-10-08T17:38:15+02:00       DEBUG   [misconfig] Loading check bundle        repository="mirror.gcr.io/aquasec/trivy-checks:1"
2025-10-08T17:38:15+02:00       DEBUG   [notification] Running version check
2025-10-08T17:38:15+02:00       DEBUG   [notification] Version check completed  latest_version="0.67.0"
2025-10-08T17:38:15+02:00       DEBUG   Created process-specific temp directory path="/tmp/trivy-217846"
215.56 KiB / 215.56 KiB [---------------------------------------------------------------------------------------------------------------------------] 100.00% ? p/s 100ms
2025-10-08T17:38:15+02:00       DEBUG   [misconfig] Digest of the built-in checks       digest="sha256:a6dab0ee0b117e3996773177db88cb35788da55385186e1fc6aace3c3a64d9dd"
2025-10-08T17:38:15+02:00       DEBUG   [misconfig] Checks successfully loaded from disk
2025-10-08T17:38:16+02:00       DEBUG   [rego] Overriding filesystem for checks
2025-10-08T17:38:16+02:00       DEBUG   [rego] Embedded libraries are loaded    count=17
2025-10-08T17:38:16+02:00       DEBUG   [rego] Embedded checks are loaded       count=519
2025-10-08T17:38:16+02:00       DEBUG   [rego] Checks from disk are loaded      count=559
2025-10-08T17:38:16+02:00       DEBUG   [rego] Overriding filesystem for data
2025-10-08T17:38:16+02:00       DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-10-08T17:38:16+02:00       DEBUG   Initializing scan cache...      type="memory"
2025-10-08T17:38:16+02:00       DEBUG   [fs] Analyzing...       root="."
2025-10-08T17:38:16+02:00       DEBUG   [misconfig] Scanning files for misconfigurations...     scanner="Terraform"
2025-10-08T17:38:16+02:00       DEBUG   [terraform scanner] Scanning directory  file_path="."
2025-10-08T17:38:16+02:00       DEBUG   [terraform parser] Setting project/module root  module="root" file_path="."
2025-10-08T17:38:16+02:00       DEBUG   [terraform parser] Parsing FS   module="root" file_path="."
2025-10-08T17:38:16+02:00       DEBUG   [terraform parser] Parsing      module="root" file_path="main.tf"
2025-10-08T17:38:16+02:00       DEBUG   [terraform parser] Added file   module="root" file_path="main.tf"
2025-10-08T17:38:16+02:00       INFO    [terraform scanner] Scanning root module        file_path="."
2025-10-08T17:38:16+02:00       DEBUG   [terraform parser] Setting project/module root  module="root" file_path="."
2025-10-08T17:38:16+02:00       DEBUG   [terraform parser] Parsing FS   module="root" file_path="."
2025-10-08T17:38:16+02:00       DEBUG   [terraform parser] Parsing      module="root" file_path="main.tf"
2025-10-08T17:38:16+02:00       DEBUG   [terraform parser] Added file   module="root" file_path="main.tf"
2025-10-08T17:38:16+02:00       DEBUG   [terraform parser] Loading module       module="root" module="root"
2025-10-08T17:38:16+02:00       DEBUG   [terraform parser] Read block(s) and ignore(s)  module="root" blocks=1 ignores=0
2025-10-08T17:38:16+02:00       DEBUG   [terraform parser] Added input variables from tfvars    module="root" count=0
2025-10-08T17:38:16+02:00       WARN    [terraform parser] Variable values were not found in the environment or variable files. Evaluating may not work correctly.      module="root" variables="test"
2025-10-08T17:38:16+02:00       DEBUG   [terraform parser] Working directory for module evaluation      module="root" file_path="/home/niklas/Workspace/DevOps/debug-files/trivy"
2025-10-08T17:38:16+02:00       DEBUG   [terraform evaluator] Starting module evaluation...     module="root" path="."
2025-10-08T17:38:16+02:00       DEBUG   [terraform evaluator] Starting iteration        module="root" iteration=0
2025-10-08T17:38:16+02:00       DEBUG   [terraform evaluator] Starting iteration        module="root" iteration=1
2025-10-08T17:38:16+02:00       DEBUG   [terraform evaluator] Context unchanged module="root" iteration=1
2025-10-08T17:38:16+02:00       DEBUG   [terraform evaluator] Starting post-submodules evaluation...    module="root"
2025-10-08T17:38:16+02:00       DEBUG   [terraform evaluator] Starting iteration        module="root" iteration=0
2025-10-08T17:38:16+02:00       DEBUG   [terraform evaluator] Starting iteration        module="root" iteration=1
2025-10-08T17:38:16+02:00       DEBUG   [terraform evaluator] Context unchanged module="root" iteration=1
2025-10-08T17:38:16+02:00       DEBUG   [terraform evaluator] Module evaluation complete.       module="root"
2025-10-08T17:38:16+02:00       DEBUG   [terraform parser] Finished parsing module      module="root"
2025-10-08T17:38:16+02:00       DEBUG   [terraform executor] Adapting modules...
2025-10-08T17:38:16+02:00       DEBUG   [terraform executor] Adapted module(s) into state data. count=1
2025-10-08T17:38:16+02:00       DEBUG   [terraform executor] Scan state data
2025-10-08T17:38:16+02:00       DEBUG   [rego] Scanning inputs  count=1
2025-10-08T17:38:16+02:00       DEBUG   [terraform executor] Finished applying checks
2025-10-08T17:38:16+02:00       DEBUG   [terraform executor] Applying ignores...
2025-10-08T17:38:16+02:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range=""
2025-10-08T17:38:16+02:00       DEBUG   OS is not detected.
2025-10-08T17:38:16+02:00       INFO    Detected config files   num=2
2025-10-08T17:38:16+02:00       DEBUG   Scanned config file     file_path=""
2025-10-08T17:38:16+02:00       DEBUG   Scanned config file     file_path="."
2025-10-08T17:38:16+02:00       DEBUG   Specified ignore file does not exist    file=".trivyignore"
2025-10-08T17:38:16+02:00       DEBUG   [vex] VEX filtering is disabled

Report Summary

┌────────┬───────────┬───────────────────┐
│ Target │   Type    │ Misconfigurations │
├────────┼───────────┼───────────────────┤
│        │ terraform │         1         │
├────────┼───────────┼───────────────────┤
│ .      │ terraform │         0         │
└────────┴───────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


 (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

AVD-AZU-0012 (CRITICAL): No network rules defined and default action allows access.
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
The default_action for network rules should come into effect when no other rules are matched.
The default action should be set to Deny.


See https://avd.aquasec.com/misconfig/avd-azu-0012
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


2025-10-08T17:38:16+02:00       DEBUG   Cleaning up temp directory      path="/tmp/trivy-217846"

There is also no new ruleset published: https://github.com/aquasecurity/trivy-checks/pkgs/container/trivy-checks/versions

ludwig-mueller Oct 8, 2025

Same issue here. I created a new directory with only an empty variables.tf file. My cache directory is different but deleting it also didn't help.

❯ rm -rf /Users/ludwig/Library/Caches/trivy
❯ trivy conf . --debug                     
2025-10-08T18:12:41+02:00       DEBUG   No plugins loaded
2025-10-08T18:12:41+02:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-10-08T18:12:41+02:00       DEBUG   Cache dir       dir="/Users/ludwig/Library/Caches/trivy"
2025-10-08T18:12:41+02:00       DEBUG   Cache dir       dir="/Users/ludwig/Library/Caches/trivy"
2025-10-08T18:12:41+02:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-10-08T18:12:41+02:00       INFO    [misconfig] Misconfiguration scanning is enabled
2025-10-08T18:12:41+02:00       DEBUG   [notification] Running version check
2025-10-08T18:12:41+02:00       DEBUG   [misconfig] Failed to open the check metadata   err="open /Users/ludwig/Library/Caches/trivy/policy/metadata.json: no such file or directory"
2025-10-08T18:12:41+02:00       INFO    [misconfig] Need to update the checks bundle
2025-10-08T18:12:41+02:00       INFO    [misconfig] Downloading the checks bundle...
2025-10-08T18:12:41+02:00       DEBUG   [misconfig] Loading check bundle        repository="mirror.gcr.io/aquasec/trivy-checks:1"
2025-10-08T18:12:41+02:00       DEBUG   [notification] Version check completed  latest_version="0.67.0"
2025-10-08T18:12:42+02:00       DEBUG   Created process-specific temp directory path="/var/folders/tr/sx6kz3lj3zq_3rgyxgd9jjnc0000gn/T/trivy-43947"
215.56 KiB / 215.56 KiB [-------------------------------------------------------------------------------------------------------------------------------------] 100.00% ? p/s 200ms
2025-10-08T18:12:42+02:00       DEBUG   [misconfig] Digest of the built-in checks       digest="sha256:a6dab0ee0b117e3996773177db88cb35788da55385186e1fc6aace3c3a64d9dd"
2025-10-08T18:12:42+02:00       DEBUG   [misconfig] Checks successfully loaded from disk
2025-10-08T18:12:42+02:00       DEBUG   [rego] Overriding filesystem for checks
2025-10-08T18:12:42+02:00       DEBUG   [rego] Embedded libraries are loaded    count=17
2025-10-08T18:12:42+02:00       DEBUG   [rego] Embedded checks are loaded       count=519
2025-10-08T18:12:42+02:00       DEBUG   [rego] Checks from disk are loaded      count=559
2025-10-08T18:12:42+02:00       DEBUG   [rego] Overriding filesystem for data
2025-10-08T18:12:42+02:00       DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-10-08T18:12:42+02:00       DEBUG   Initializing scan cache...      type="memory"
2025-10-08T18:12:42+02:00       DEBUG   [fs] Analyzing...       root="."
2025-10-08T18:12:42+02:00       DEBUG   [misconfig] Scanning files for misconfigurations...     scanner="Terraform"
2025-10-08T18:12:42+02:00       DEBUG   [terraform scanner] Scanning directory  file_path="."
2025-10-08T18:12:42+02:00       DEBUG   [terraform parser] Setting project/module root  module="root" file_path="."
2025-10-08T18:12:42+02:00       DEBUG   [terraform parser] Parsing FS   module="root" file_path="."
2025-10-08T18:12:42+02:00       DEBUG   [terraform parser] Parsing      module="root" file_path="variables.tf"
2025-10-08T18:12:42+02:00       DEBUG   [terraform parser] Added file   module="root" file_path="variables.tf"
2025-10-08T18:12:42+02:00       INFO    [terraform scanner] Scanning root module        file_path="."
2025-10-08T18:12:42+02:00       DEBUG   [terraform parser] Setting project/module root  module="root" file_path="."
2025-10-08T18:12:42+02:00       DEBUG   [terraform parser] Parsing FS   module="root" file_path="."
2025-10-08T18:12:42+02:00       DEBUG   [terraform parser] Parsing      module="root" file_path="variables.tf"
2025-10-08T18:12:42+02:00       DEBUG   [terraform parser] Added file   module="root" file_path="variables.tf"
2025-10-08T18:12:42+02:00       DEBUG   [terraform parser] Loading module       module="root" module="root"
2025-10-08T18:12:42+02:00       DEBUG   [terraform parser] Read block(s) and ignore(s)  module="root" blocks=0 ignores=0
2025-10-08T18:12:42+02:00       DEBUG   [terraform parser] Added input variables from tfvars    module="root" count=0
2025-10-08T18:12:42+02:00       DEBUG   [terraform parser] Working directory for module evaluation      module="root" file_path="/Users/ludwig/Desktop/trivy-demo"
2025-10-08T18:12:42+02:00       DEBUG   [terraform evaluator] Starting module evaluation...     module="root" path="."
2025-10-08T18:12:42+02:00       DEBUG   [terraform evaluator] Starting iteration        module="root" iteration=0
2025-10-08T18:12:42+02:00       DEBUG   [terraform evaluator] Starting iteration        module="root" iteration=1
2025-10-08T18:12:42+02:00       DEBUG   [terraform evaluator] Context unchanged module="root" iteration=1
2025-10-08T18:12:42+02:00       DEBUG   [terraform evaluator] Starting post-submodules evaluation...    module="root"
2025-10-08T18:12:42+02:00       DEBUG   [terraform evaluator] Starting iteration        module="root" iteration=0
2025-10-08T18:12:42+02:00       DEBUG   [terraform evaluator] Starting iteration        module="root" iteration=1
2025-10-08T18:12:42+02:00       DEBUG   [terraform evaluator] Context unchanged module="root" iteration=1
2025-10-08T18:12:42+02:00       DEBUG   [terraform evaluator] Module evaluation complete.       module="root"
2025-10-08T18:12:42+02:00       DEBUG   [terraform parser] Finished parsing module      module="root"
2025-10-08T18:12:42+02:00       DEBUG   [terraform executor] Adapting modules...
2025-10-08T18:12:42+02:00       DEBUG   [terraform executor] Adapted module(s) into state data. count=1
2025-10-08T18:12:42+02:00       DEBUG   [terraform executor] Scan state data
2025-10-08T18:12:42+02:00       DEBUG   [rego] Scanning inputs  count=1
2025-10-08T18:12:42+02:00       DEBUG   [terraform executor] Finished applying checks
2025-10-08T18:12:42+02:00       DEBUG   [terraform executor] Applying ignores...
2025-10-08T18:12:42+02:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range=""
2025-10-08T18:12:42+02:00       DEBUG   OS is not detected.
2025-10-08T18:12:42+02:00       INFO    Detected config files   num=2
2025-10-08T18:12:42+02:00       DEBUG   Scanned config file     file_path=""
2025-10-08T18:12:42+02:00       DEBUG   Scanned config file     file_path="."
2025-10-08T18:12:42+02:00       DEBUG   Specified ignore file does not exist    file=".trivyignore"
2025-10-08T18:12:42+02:00       DEBUG   [vex] VEX filtering is disabled

Report Summary

┌────────┬───────────┬───────────────────┐
│ Target │   Type    │ Misconfigurations │
├────────┼───────────┼───────────────────┤
│        │ terraform │         1         │
├────────┼───────────┼───────────────────┤
│ .      │ terraform │         0         │
└────────┴───────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


 (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

AVD-AZU-0012 (CRITICAL): No network rules defined and default action allows access.
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
The default_action for network rules should come into effect when no other rules are matched.
The default action should be set to Deny.


See https://avd.aquasec.com/misconfig/avd-azu-0012
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


2025-10-08T18:12:42+02:00       DEBUG   Cleaning up temp directory      path="/var/folders/tr/sx6kz3lj3zq_3rgyxgd9jjnc0000gn/T/trivy-43947"

Malcolm-GetAHead Oct 8, 2025
Author

You're all correct - I rebuilt my dev container and it failing again so it must have been something cached elsewhere in the container I was running.

nikpivkin · 2025-10-08T16:44:05Z

nikpivkin
Oct 8, 2025
Maintainer

Hi @Malcolm-GetAHead !

Thanks for the report, this bug has been introduced in one of the commits. It will be fixed soon. Related PR aquasecurity/trivy-checks#494

1 reply

Skaronator Oct 8, 2025

Awesome! Thanks for the quick fix. Let's hope for quick merge and release 🤞

simar7 · 2025-10-08T20:33:49Z

simar7
Oct 8, 2025
Maintainer

We've released v1.12.1 which should address this issue. It will be available shortly.

https://github.com/aquasecurity/trivy-checks/releases/tag/v1.12.1

0 replies

nikpivkin · 2025-10-09T15:31:20Z

nikpivkin
Oct 9, 2025
Maintainer

Fixed via aquasecurity/trivy-checks#494

0 replies

AVD-AZU-0012 finding when scanning any terraform code #9619

Uh oh!

Malcolm-GetAHead Oct 8, 2025

IDs

Description

Target

Scanner

Target OS

Debug Output

Version

Checklist

Replies: 5 comments · 4 replies

Uh oh!

Uh oh!

Skaronator Oct 8, 2025

Uh oh!

Malcolm-GetAHead Oct 8, 2025 Author

Uh oh!

Skaronator Oct 8, 2025

Uh oh!

ludwig-mueller Oct 8, 2025

Uh oh!

Malcolm-GetAHead Oct 8, 2025 Author

Uh oh!

nikpivkin Oct 8, 2025 Maintainer

Uh oh!

Skaronator Oct 8, 2025

Uh oh!

simar7 Oct 8, 2025 Maintainer

Uh oh!

nikpivkin Oct 9, 2025 Maintainer

Malcolm-GetAHead
Oct 8, 2025

Replies: 5 comments 4 replies

Skaronator
Oct 8, 2025

Malcolm-GetAHead
Oct 8, 2025
Author

Malcolm-GetAHead Oct 8, 2025
Author

nikpivkin
Oct 8, 2025
Maintainer

simar7
Oct 8, 2025
Maintainer

nikpivkin
Oct 9, 2025
Maintainer