Bug after last release on aws/ec2/specify_ami_owners.rego:32: #9628

matdtr · 2025-10-09T07:26:50Z

matdtr
Oct 9, 2025

Description

Hi,

since yesterday on our pipelines the trivy (running v0.56.2) misconfiguration checks on terraform are failing due to:

fs scan error: scan error: scan failed: failed analysis: post analysis error: post analysis error: helm scan error: scan config error: failed to init rego scanner: 11 errors occurred:
home/jenkins/.cache/trivy/policy/content/policies/cloud/policies/aws/ec2/specify_ami_owners.rego:32: rego_type_error: undefined ref: input.aws.ec2.requestedamis[__local622__]
	input.aws.ec2.requestedamis[__local622__]
	              ^
	              have: "requestedamis"
	              want (one of): ["instances" "launchconfigurations" "launchtemplates" "networkacls" "securitygroups" "subnets" "volumes" "vpcs"]
home/jenkins/.cache/trivy/policy/content/policies/cloud/policies/google/compute/enable_subnetwork_private_google_access.rego:36: rego_type_error: undefined ref: subnetwork.privateipgoogleaccess.value
	subnetwork.privateipgoogleaccess.value
	           ^
	           have: "privateipgoogleaccess"
	           want (one of): ["__defsec_metadata" "enableflowlogs" "name" "purpose"]
home/jenkins/.cache/trivy/policy/content/policies/cloud/policies/google/compute/enable_subnetwork_private_google_access.rego:37: rego_type_error: undefined ref: subnetwork.privateipgoogleaccess.explicit
	subnetwork.privateipgoogleaccess.explicit
	           ^
	           have: "privateipgoogleaccess"
	           want (one of): ["__defsec_metadata" "enableflowlogs" "name" "purpose"]
home/jenkins/.cache/trivy/policy/content/policies/cloud/policies/google/compute/enable_subnetwork_private_google_access.rego:40: rego_type_error: undefined ref: subnetwork.privateipgoogleaccess
	subnetwork.privateipgoogleaccess
	           ^
	           have: "privateipgoogleaccess"
	           want (one of): ["__defsec_metadata" "enableflowlogs" "name" "purpose"]
home/jenkins/.cache/trivy/policy/content/policies/cloud/policies/google/compute/enable_subnetwork_private_google_access.rego:46: rego_type_error: undefined ref: subnetwork.privateipgoogleaccess.value
	subnetwork.privateipgoogleaccess.value
	           ^
	           have: "privateipgoogleaccess"
	           want (one of): ["__defsec_metadata" "enableflowlogs" "name" "purpose"]
home/jenkins/.cache/trivy/policy/content/policies/cloud/policies/google/compute/enable_subnetwork_private_google_access.rego:47: rego_type_error: undefined ref: subnetwork.privateipgoogleaccess.explicit
	subnetwork.privateipgoogleaccess.explicit
	           ^
	           have: "privateipgoogleaccess"
	           want (one of): ["__defsec_metadata" "enableflowlogs" "name" "purpose"]
home/jenkins/.cache/trivy/policy/content/policies/cloud/policies/google/compute/enable_subnetwork_private_google_access.rego:50: rego_type_error: undefined ref: subnetwork.privateipgoogleaccess
	subnetwork.privateipgoogleaccess
	           ^
	           have: "privateipgoogleaccess"
	           want (one of): ["__defsec_metadata" "enableflowlogs" "name" "purpose"]
home/jenkins/.cache/trivy/policy/content/policies/cloud/policies/google/iam/configure_audit_logging.rego:50: rego_type_error: undefined ref: project.auditconfigs[_]
	project.auditconfigs[_]
	        ^
	        have: "auditconfigs"
	        want (one of): ["__defsec_metadata" "autocreatenetwork" "bindings" "members"]
home/jenkins/.cache/trivy/policy/content/policies/cloud/policies/google/iam/configure_audit_logging.rego:63: rego_type_error: undefined ref: project.auditconfigs[_]
	project.auditconfigs[_]
	        ^
	        have: "auditconfigs"
	        want (one of): ["__defsec_metadata" "autocreatenetwork" "bindings" "members"]
home/jenkins/.cache/trivy/policy/content/policies/cloud/policies/google/storage/enable_bucket_logging.rego:37: rego_type_error: undefined ref: bucket.logging.logbucket.value
	bucket.logging.logbucket.value
	       ^
	       have: "logging"
	       want (one of): ["__defsec_metadata" "bindings" "enableuniformbucketlevelaccess" "encryption" "location" "members" "name"]
rego_compile_error: error limit reached

]```

### Desired Behavior

Work without issue

### Actual Behavior

Failing with

fs scan error: scan error: scan failed: failed analysis: post analysis error: post analysis error: helm scan error: scan config error: failed to init rego scanner: 11 errors occurred:
home/jenkins/.cache/trivy/policy/content/policies/cloud/policies/aws/ec2/specify_ami_owners.rego:32: rego_type_error: undefined ref: input.aws.ec2.requestedamis[local622]
input.aws.ec2.requestedamis[local622]
^
have: "requestedamis"
want (one of): ["instances" "launchconfigurations" "launchtemplates" "networkacls" "securitygroups" "subnets" "volumes" "vpcs"]
home/jenkins/.cache/trivy/policy/content/policies/cloud/policies/google/compute/enable_subnetwork_private_google_access.rego:36: rego_type_error: undefined ref: subnetwork.privateipgoogleaccess.value
subnetwork.privateipgoogleaccess.value
^
have: "privateipgoogleaccess"
want (one of): ["__defsec_metadata" "enableflowlogs" "name" "purpose"]
home/jenkins/.cache/trivy/policy/content/policies/cloud/policies/google/compute/enable_subnetwork_private_google_access.rego:37: rego_type_error: undefined ref: subnetwork.privateipgoogleaccess.explicit
subnetwork.privateipgoogleaccess.explicit
^
have: "privateipgoogleaccess"
want (one of): ["__defsec_metadata" "enableflowlogs" "name" "purpose"]
home/jenkins/.cache/trivy/policy/content/policies/cloud/policies/google/compute/enable_subnetwork_private_google_access.rego:40: rego_type_error: undefined ref: subnetwork.privateipgoogleaccess
subnetwork.privateipgoogleaccess
^
have: "privateipgoogleaccess"
want (one of): ["__defsec_metadata" "enableflowlogs" "name" "purpose"]
home/jenkins/.cache/trivy/policy/content/policies/cloud/policies/google/compute/enable_subnetwork_private_google_access.rego:46: rego_type_error: undefined ref: subnetwork.privateipgoogleaccess.value
subnetwork.privateipgoogleaccess.value
^
have: "privateipgoogleaccess"
want (one of): ["__defsec_metadata" "enableflowlogs" "name" "purpose"]
home/jenkins/.cache/trivy/policy/content/policies/cloud/policies/google/compute/enable_subnetwork_private_google_access.rego:47: rego_type_error: undefined ref: subnetwork.privateipgoogleaccess.explicit
subnetwork.privateipgoogleaccess.explicit
^
have: "privateipgoogleaccess"
want (one of): ["__defsec_metadata" "enableflowlogs" "name" "purpose"]
home/jenkins/.cache/trivy/policy/content/policies/cloud/policies/google/compute/enable_subnetwork_private_google_access.rego:50: rego_type_error: undefined ref: subnetwork.privateipgoogleaccess
subnetwork.privateipgoogleaccess
^
have: "privateipgoogleaccess"
want (one of): ["__defsec_metadata" "enableflowlogs" "name" "purpose"]
home/jenkins/.cache/trivy/policy/content/policies/cloud/policies/google/iam/configure_audit_logging.rego:50: rego_type_error: undefined ref: project.auditconfigs[]
project.auditconfigs[]
^
have: "auditconfigs"
want (one of): ["__defsec_metadata" "autocreatenetwork" "bindings" "members"]
home/jenkins/.cache/trivy/policy/content/policies/cloud/policies/google/iam/configure_audit_logging.rego:63: rego_type_error: undefined ref: project.auditconfigs[]
project.auditconfigs[]
^
have: "auditconfigs"
want (one of): ["__defsec_metadata" "autocreatenetwork" "bindings" "members"]
home/jenkins/.cache/trivy/policy/content/policies/cloud/policies/google/storage/enable_bucket_logging.rego:37: rego_type_error: undefined ref: bucket.logging.logbucket.value
bucket.logging.logbucket.value
^
have: "logging"
want (one of): ["__defsec_metadata" "bindings" "enableuniformbucketlevelaccess" "encryption" "location" "members" "name"]
rego_compile_error: error limit reached

]```

Reproduction Steps

1. Execute a scan 
2.
3.
...

Target

Filesystem

Scanner

Misconfiguration

Output Format

JSON

Mode

Standalone

Debug Output

N/A

Operating System

docker

Version

0.56.2

Checklist

Run trivy clean --all
Read the troubleshooting

nikpivkin · 2025-10-09T07:33:34Z

nikpivkin
Oct 9, 2025
Maintainer

Hi @matdtr !

Here I have provided an answer that will help you. #9628

3 replies

matdtr Oct 9, 2025
Author

Hi,
Thanks for the fast answer, but the link point to this issue

nikpivkin Oct 9, 2025
Maintainer

That's it #9624 (comment)

nikpivkin Oct 9, 2025
Maintainer

Are there any reasons why you are still using a version of Trivy that is over a year old?

nikpivkin · 2025-10-09T15:29:18Z

nikpivkin
Oct 9, 2025
Maintainer

Duplicate of #9624

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Bug after last release on aws/ec2/specify_ami_owners.rego:32: #9628

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments 3 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Bug after last release on aws/ec2/specify_ami_owners.rego:32: #9628

Uh oh!

matdtr Oct 9, 2025

Description

Reproduction Steps

Target

Scanner

Output Format

Mode

Debug Output

Operating System

Version

Checklist

Replies: 2 comments · 3 replies

Uh oh!

nikpivkin Oct 9, 2025 Maintainer

Uh oh!

matdtr Oct 9, 2025 Author

Uh oh!

nikpivkin Oct 9, 2025 Maintainer

Uh oh!

nikpivkin Oct 9, 2025 Maintainer

Uh oh!

nikpivkin Oct 9, 2025 Maintainer

matdtr
Oct 9, 2025

Replies: 2 comments 3 replies

nikpivkin
Oct 9, 2025
Maintainer

matdtr Oct 9, 2025
Author

nikpivkin Oct 9, 2025
Maintainer

nikpivkin Oct 9, 2025
Maintainer

nikpivkin
Oct 9, 2025
Maintainer