Does trivy support symlinks for misconfiguration scanning?

[h-l-b]

Question

We are migrating from tfsec to trivy and trivy is not scanning most of the nested terraform modules in one of our projects - the number of config files detected is fewer than expected and expected misconfigurations are not flagged. The reason for this seems to be that they are called in a loop based on a variable defined in a symlinked file (simplified version of our project structure below)

main.tf in root module

module "networks" {
  source   = "../../modules/0_network"
  for_each = var.virtual_environments

  virtual_environment                   = each.key
}

virtual_environments is defined in the variables file, which is actually a symlink from the root module directory
variables.tf -> ../../shared/variables.tf

The actual value for virtual_environments for an environment is in a tfvars file which is passed in as an argument to the trivy config command.

If I replace the symlink to variables.tf with an actual variables.tf file with exactly the same content, then the number of config files detected is greater and ../../modules/0_network is actually scanned, so it looks like it is the symlink that is causing the issue. We use the symlink to a shared file because we have multiple layers in the project which use the same variables, so this way we only have to update them in one place. tfsec works fine with this.

I've found #4184 which says that symlinks are not supported, but it's from last year and was wondering if it is still the case, and if there are any plans to add support?

Target

Filesystem

Scanner

Misconfiguration

Output Format

None

Mode

None

Operating System

macOS Sonoma

Version

% trivy --version
Version: 0.51.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-06-07 12:13:50.7744497 +0000 UTC
  NextUpdate: 2024-06-07 18:13:50.774449409 +0000 UTC
  DownloadedAt: 2024-06-07 13:31:05.815831 +0000 UTC
Check Bundle:
  Digest: sha256:ef2d9ad4fce0f933b20a662004d7e55bf200987c180e7f2cd531af631f408bb3
  DownloadedAt: 2024-08-28 14:16:07.350996 +0000 UTC

[nikpivkin]

Hi @h-l-b !

Trivy does not currently support symlinks .

[h-l-b]

Are there any plans to support them in future? As from the tfsec documentation they want to encourage people to migrate to trivy, but this is something that tfsec supports that trivy doesn't.

[simar7]

At the moment I've created #7456 to track but it needs some thinking. I appreciate the feedback.