The module should not produce any Trivy security issues.
Terraform-Version
1.9
Relevant log output
Running trivy with options: trivy fs --format table --exit-code 1 --ignore-unfixed --vuln-type os,library --scanners config,secret --severity CRITICAL,HIGH --skip-dirs examples/ --skip-dirs tests/ .
Global options:
2024-12-17T09:02:00Z WARN '--scanners config' is deprecated. Use '--scanners misconfig' instead. See https://github.com/aquasecurity/trivy/discussions/5586 for the detail.
2024-12-17T09:02:00Z INFO Misconfiguration scanning is enabled
2024-12-17T09:02:00Z INFO Need to update the built-in policies
2024-12-17T09:02:00Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-12-17T09:02:01Z INFO Secret scanning is enabled
2024-12-17T09:02:01Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-17T09:02:01Z INFO Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-12-17T09:02:04Z INFO Detected config files num=3
git::https:/github.com/cloudeteer/terraform-azurerm-vm?ref=19edd4856dcca0c5128ea5c5116d94d00ec13813/r-vm.tf (terraform)
=======================================================================================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)
HIGH: Linux virtual machine allows password authentication.
════════════════════════════════════════
Access to virtual machines should be authenticated using SSH keys. Removing the option of password authentication enforces more secure methods while removing the risks inherent with passwords.
See https://avd.aquasec.com/misconfig/avd-azu-0039
────────────────────────────────────────
git::https:/github.com/cloudeteer/terraform-azurerm-vm?ref=19edd4856dcca0c5128ea5c5116d94d00ec13813/r-vm.tf:23
via git::https:/github.com/cloudeteer/terraform-azurerm-vm?ref=19edd4856dcca0c5128ea5c5116d94d00ec13813/r-vm.tf:8-108 (azurerm_linux_virtual_machine.this[0])
via main.tf:52-89 (module.azurerm_virtual_machine)
────────────────────────────────────────
8 resource "azurerm_linux_virtual_machine" "this" {
.
23 [ disable_password_authentication = !strcontains(var.authentication_type, "Password")
...
108 }
────────────────────────────────────────
Relevant Error Messages
HIGH: Linux virtual machine allows password authentication.
════════════════════════════════════════
Access to virtual machines should be authenticated using SSH keys. Removing the option of password authentication enforces more secure methods while removing the risks inherent with passwords.
rswrz changed the title from "[Bug]:" to "[Bug]: Trivy Security Issues in cloudeteer/terraform-azurerm-mssql-vm Module During Mobile CI Code Analysis" on Dec 17, 2024
rswrz changed the title from "[Bug]: Trivy Security Issues in cloudeteer/terraform-azurerm-mssql-vm Module During Mobile CI Code Analysis" to "[Bug]: Trivy security issue during module-ci code analysis" on Dec 17, 2024
Actually, # trivy:ignore:avd-azu-0039 is already added to the code, for the whole resource azurerm_linux_virtual_machine – here. But this is not considered during the Trivy scan on the mssql-vm module – which makes sense in terms of security.
Bug Description
Using this virtual machine module in the https://github.com/cloudeteer/terraform-azurerm-mssql-vm module triggers an error in the code-analysis Mobile CI job (details below).