tfsec: Check results are duplicated multiple times for modules

Describe the bug
Identical check findings are repeated multiple times. For example, this CRITICAL warning appears 37 times (I think, findings #32783 to #32819). Seems to affect all check types, not just this one.

 #32783 CRITICAL Security group rule allows ingress from public internet.
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 sno**************ing.tf Line 489
───────┬──────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  484  │   ingress {
  485  │     from_port = 443
  486  │     to_port   = 443
  487  │     protocol  = "tcp"
  488  │ 
  489  │     cidr_blocks = ["0.0.0.0/0"] # Accessible via VPC or a peered VPC.
  490  │   }
───────┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────────
          ID aws-vpc-no-public-ingress-sgr
      Impact Your port exposed to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/vpc/no-public-ingress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

..........repeated many times.......


#32819 CRITICAL Security group rule allows ingress from public internet.
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 sno**************ing.tf Line 489
───────┬──────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  484  │   ingress {
  485  │     from_port = 443
  486  │     to_port   = 443
  487  │     protocol  = "tcp"
  488  │ 
  489  │     cidr_blocks = ["0.0.0.0/0"] # Accessible via VPC or a peered VPC.
  490  │   }
───────┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────────
          ID aws-vpc-no-public-ingress-sgr
      Impact Your port exposed to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/vpc/no-public-ingress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

To Reproduce
Steps to reproduce the behavior:

  1. I’m currently working on a simple shareable repro case.

Expected behavior
Each check is only reported once (or possibly once for each expanded for_each occurrence).

Screenshots
N/A

Desktop (please complete the following information):

  • OS: MacOS Monterey 12.1
  • Go: go1.17.6 darwin/arm64
  • Terraform: 1.1.4

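A defender-side workaround for CI while the duplication is open, added here and not part of the issue or of tfsec itself: collapse identical findings from `tfsec --format json` output keyed by rule ID and source location, keeping a count of how many times each one was repeated so the 37-fold repeat above becomes one line with `x37`. The JSON field names (`rule_id`, `severity`, `location.filename/start_line/end_line`) and the sample input are assumptions constructed to match the report; check them against your tfsec version.

```python
import json
from collections import OrderedDict

# Constructed sample in the assumed shape of `tfsec --format json` output.
# The first two entries are the same rule at the same location (the duplication
# described in the issue); the third is the same rule on a different block.
SAMPLE_JSON = json.dumps({"results": [
    {"rule_id": "aws-vpc-no-public-ingress-sgr", "severity": "CRITICAL",
     "description": "Security group rule allows ingress from public internet.",
     "location": {"filename": "sno_ing.tf", "start_line": 484, "end_line": 490}},
    {"rule_id": "aws-vpc-no-public-ingress-sgr", "severity": "CRITICAL",
     "description": "Security group rule allows ingress from public internet.",
     "location": {"filename": "sno_ing.tf", "start_line": 484, "end_line": 490}},
    {"rule_id": "aws-vpc-no-public-ingress-sgr", "severity": "CRITICAL",
     "description": "Security group rule allows ingress from public internet.",
     "location": {"filename": "sno_ing.tf", "start_line": 512, "end_line": 518}},
]})


def dedupe_findings(raw_json):
    """Merge findings that share rule ID and location; each surviving finding
    gets an 'occurrences' field. Order of first appearance is preserved."""
    # tfsec emits "results": null when there are no findings, hence `or []`.
    results = json.loads(raw_json).get("results") or []
    merged = OrderedDict()
    for r in results:
        loc = r.get("location") or {}
        key = (r.get("rule_id"), loc.get("filename"),
               loc.get("start_line"), loc.get("end_line"))
        if key in merged:
            merged[key]["occurrences"] += 1
        else:
            merged[key] = dict(r, occurrences=1)
    return list(merged.values())


def summarize(findings):
    """One line per unique finding, suitable for a CI log or PR comment."""
    lines = []
    for f in findings:
        loc = f["location"]
        lines.append("%s %s %s:%d-%d (x%d)" % (
            f["severity"], f["rule_id"], loc["filename"],
            loc["start_line"], loc["end_line"], f["occurrences"]))
    return lines


if __name__ == "__main__":
    for line in summarize(dedupe_findings(SAMPLE_JSON)):
        print(line)
```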

About this issue

  • State: closed
  • Created 2 years ago
  • Reactions: 1
  • Comments: 15 (13 by maintainers)

Most upvoted comments

I can confirm my issue has been fixed in RC7. Thanks!

@andrassy Thanks for digging into that. Yeah, I see that this output is far from ideal with respect to modules, especially when they become nested. I really like your idea of grouping results together, I’ll take a look into this 👍