tfsec: Check results are duplicated multiple times for modules
Describe the bug
Identical check findings are repeated multiple times. For example, this CRITICAL warning appears 37 times (I think, findings #32783 to #32819). Seems to affect all check types, not just this one.
#32783 CRITICAL Security group rule allows ingress from public internet.
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
sno**************ing.tf Line 489
───────┬──────────────────────────────────────────────────────────────────────────────────────────────────────────────────
484 │ ingress {
485 │ from_port = 443
486 │ to_port = 443
487 │ protocol = "tcp"
488 │
489 │ cidr_blocks = ["0.0.0.0/0"] # Accessible via VPC or a peered VPC.
490 │ }
───────┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────────
ID aws-vpc-no-public-ingress-sgr
Impact Your port exposed to the internet
Resolution Set a more restrictive cidr range
More Information
- https://aquasecurity.github.io/tfsec/latest/checks/aws/vpc/no-public-ingress-sgr/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
..........repeated many times.......
#32819 CRITICAL Security group rule allows ingress from public internet.
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
sno**************ing.tf Line 489
───────┬──────────────────────────────────────────────────────────────────────────────────────────────────────────────────
484 │ ingress {
485 │ from_port = 443
486 │ to_port = 443
487 │ protocol = "tcp"
488 │
489 │ cidr_blocks = ["0.0.0.0/0"] # Accessible via VPC or a peered VPC.
490 │ }
───────┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────────
ID aws-vpc-no-public-ingress-sgr
Impact Your port exposed to the internet
Resolution Set a more restrictive cidr range
More Information
- https://aquasecurity.github.io/tfsec/latest/checks/aws/vpc/no-public-ingress-sgr/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
To Reproduce
Steps to reproduce the behavior:
- I’m currently working on a simple shareable repro case.
Expected behavior
Each check is only reported once (or possibly once for each expanded for_each occurrence).
Screenshots N/A
Desktop (please complete the following information):
- OS: MacOS Monterey 12.1
- Go: go1.17.6 darwin/arm64
- Terraform: 1.1.4
Additional context Add any other context about the problem here.
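A post-processing workaround for the duplication described in this issue, added here as an example and not part of the issue or of tfsec itself: it reads `tfsec --format json` output (the field names `rule_id`, `severity`, `description`, `resource` and `location.filename/start_line/end_line` are assumed), collapses findings that share rule and location, and reports how many times each was repeated. The sample report is constructed inline from the finding shown above.

```python
"""Collapse duplicated tfsec findings. Assumed `tfsec --format json` shape:
{"results": [{"rule_id", "severity", "description", "resource",
              "location": {"filename", "start_line", "end_line"}}]}"""
import json

# Constructed sample: the finding from this issue repeated three times, plus one
# distinct finding with a placeholder rule id (not a real tfsec check).
_PUBLIC_INGRESS = {
    "rule_id": "aws-vpc-no-public-ingress-sgr", "severity": "CRITICAL",
    "description": "Security group rule allows ingress from public internet.",
    "resource": "module.example.aws_security_group.web",  # constructed
    "location": {"filename": "main.tf", "start_line": 484, "end_line": 490},
}
_OTHER = {
    "rule_id": "constructed-example-rule", "severity": "HIGH",
    "description": "Constructed second finding.", "resource": "module.example.aws_instance.web",
    "location": {"filename": "main.tf", "start_line": 12, "end_line": 20},
}
SAMPLE_TFSEC_JSON = json.dumps({"results": [_PUBLIC_INGRESS] * 3 + [_OTHER]})

def finding_key(finding, per_resource=False):
    """Identity of a finding: rule + file + line span. Include the resource
    address to keep one entry per expanded for_each/count instance."""
    loc = finding["location"]
    key = (finding["rule_id"], loc["filename"], loc["start_line"], loc["end_line"])
    return key + (finding.get("resource"),) if per_resource else key

def dedupe_findings(report_json, per_resource=False):
    """Return [(finding, occurrences)] in first-seen order, duplicates collapsed."""
    seen = {}  # plain dict keeps insertion order on Python 3.7+
    for finding in json.loads(report_json)["results"]:
        entry = seen.setdefault(finding_key(finding, per_resource), [finding, 0])
        entry[1] += 1
    return [(f, n) for f, n in seen.values()]

def summarise(report_json):
    """Distinct locations per rule, so a finding repeated 37 times counts once."""
    counts = {}
    for finding, _ in dedupe_findings(report_json):
        counts[finding["rule_id"]] = counts.get(finding["rule_id"], 0) + 1
    return counts

if __name__ == "__main__":
    for finding, n in dedupe_findings(SAMPLE_TFSEC_JSON):
        loc = finding["location"]
        print(f"{finding['severity']:8} {finding['rule_id']} {loc['filename']}:{loc['start_line']} (x{n})")
```

Pipe a real report in with `tfsec --format json . | python3 dedupe.py` after replacing the sample with `sys.stdin.read()`; the occurrence counts make it easy to see which findings the module expansion is multiplying.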
About this issue
- State: closed
- Created 2 years ago
- Reactions: 1
- Comments: 15 (13 by maintainers)
I can confirm my issue has been fixed in RC7. Thanks!
@andrassy Thanks for digging into that. Yeah, I see that this output is far from ideal with respect to modules, especially when they become nested. I really like your idea of grouping results together, I’ll take a look into this 👍