feat(misconf): Support symlinks in misconfiguration scanning

[simar7]

This is part of a bigger discussion as to if Trivy should support on a global scanner level or not as seen here: #4184

Discussed in #7419

^{Originally posted by h-l-b August 29, 2024}

Question

We are migrating from tfsec to trivy and trivy is not scanning most of the nested terraform modules in one of our projects - the number of config files detected is fewer than expected and expected misconfigurations are not flagged. The reason for this seems to be that they are called in a loop based on a variable defined in a symlinked file (simplified version of our project structure below)

main.tf in root module

module "networks" {
  source   = "../../modules/0_network"
  for_each = var.virtual_environments

  virtual_environment                   = each.key
}

virtual_environments is defined in the variables file, which is actually a symlink from the root module directory
variables.tf -> ../../shared/variables.tf

The actual value for virtual_environments for an environment is in a tfvars file which is passed in as an argument to the trivy config command.

If I replace the symlink to variables.tf with an actual variables.tf file with exactly the same content, then the number of config files detected is greater and ../../modules/0_network is actually scanned, so it looks like it is the symlink that is causing the issue. We use the symlink to a shared file because we have multiple layers in the project which use the same variables, so this way we only have to update them in one place. tfsec works fine with this.

I've found #4184 which says that symlinks are not supported, but it's from last year and was wondering if it is still the case, and if there are any plans to add support?

Target

Filesystem

Scanner

Misconfiguration

Output Format

None

Mode

None

Operating System

macOS Sonoma

Version

% trivy --version
Version: 0.51.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-06-07 12:13:50.7744497 +0000 UTC
  NextUpdate: 2024-06-07 18:13:50.774449409 +0000 UTC
  DownloadedAt: 2024-06-07 13:31:05.815831 +0000 UTC
Check Bundle:
  Digest: sha256:ef2d9ad4fce0f933b20a662004d7e55bf200987c180e7f2cd531af631f408bb3
  DownloadedAt: 2024-08-28 14:16:07.350996 +0000 UTC

[Pesticles]

This one issue makes Trivy pretty much useless to us. We modularise pretty much everything and use symlinks to "attach" our modules folder into our stacks. This worked fine with TFSec, but with Trivy it means basically none of our resources are scanned.

[cswilliams]

Yeah, same issue here. We use symlinks quite a bit when we want to share a small piece of TF code across multiple projects (we also use modules for this, but sometimes that just feels a bit too heavy). As trivy has gotten smarter about resolving variables in recent versions, the lack of symlink support has caused us more and more false positives (since it appears to be unable to resolve variables that are defined in symlinked files.