Trivy Filter Functionality Scanning CloudFormation Template.

[Cumming5412]

Description

When scanning Terraform, I can add an inline comment e.g.
#trivy:ignore:AVD-GCP-0051 trivy:ignore:AVD-GCP-0053

to ignore a specific block of HCL.

Trying to do the same thing in CloudFormation it seems the inline comment is ignored/not supported.

I have a bucket created via CloudFormation that uses AES256:
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256

The scanner reports the below:

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132

Desired Behavior

When I add
#trivy:ignore:AVD-AWS-0132

I expect the warning to be ignored.

e.g.
#trivy:ignore:AVD-AWS-0132
S3Bucket:
Type: AWS::S3::Bucket
DeletionPolicy: Retain
Properties:

Actual Behavior

The warning is repeated. I have tried adding the inline comment directly above and alongside the AES256 entry but there is no difference.

Reproduction Steps

1. Create an S3 bucket with AES256 via CloudFormation, e.g.:
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  S3Bucket:
    Type: AWS::S3::Bucket
    Properties: 
      AccessControl: BucketOwnerFullControl
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketName: some-bucket
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
2. Run trivy config --debug --severity HIGH,CRITICAL --exit-code 0 template.yaml
3. Observe filtered issue still being reported.
...

Target

AWS

Scanner

Misconfiguration

Output Format

Table

Mode

Standalone

Debug Output

trivy config --debug --severity HIGH,CRITICAL --exit-code 0 cfn.yaml
========================== Starting Command Output ===========================
/usr/bin/bash --noprofile --norc /home/vsts/work/_temp/db534a3e-94de-4063-9a98-e83fe4d8e267.sh
2024-02-27T10:31:05.067Z	DEBUG	Severities: ["HIGH" "CRITICAL"]
2024-02-27T10:31:05.068Z	DEBUG	cache dir:  /home/vsts/.cache/trivy
2024-02-27T10:31:05.068Z	INFO	Misconfiguration scanning is enabled
2024-02-27T10:31:05.068Z	DEBUG	Policies successfully loaded from disk
2024-02-27T10:31:05.068Z	DEBUG	Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
2024-02-27T10:31:05.075Z	DEBUG	The nuget packages directory couldn't be found. License search disabled
2024-02-27T10:31:05.092Z	DEBUG	Walk the file tree rooted at 'cfn.yaml' in series
2024-02-27T10:31:05.092Z	DEBUG	Scanning Helm files for misconfigurations...
2024-02-27T10:31:05.097Z	DEBUG	Scanning CloudFormation files for misconfigurations...
2024-02-27T10:31:05.103Z	DEBUG	[misconf] 31:05.103171841 cloudformation.scanner.rego      Overriding filesystem for policies!
2024-02-27T10:31:05.169Z	DEBUG	[misconf] 31:05.169723030 cloudformation.scanner.rego      Loaded 190 policies from disk.
2024-02-27T10:31:05.170Z	DEBUG	[misconf] 31:05.170301128 cloudformation.scanner.rego      Overriding filesystem for data!
2024-02-27T10:31:05.833Z	DEBUG	[misconf] 31:05.833971131 cloudformation.scanner           Found 18 results for AVD-AWS-0057
2024-02-27T10:31:05.834Z	DEBUG	[misconf] 31:05.834051531 cloudformation.scanner           Found 1 results for AVD-AWS-0086
2024-02-27T10:31:05.834Z	DEBUG	[misconf] 31:05.834061731 cloudformation.scanner           Found 1 results for AVD-AWS-0087
2024-02-27T10:31:05.834Z	DEBUG	[misconf] 31:05.834070331 cloudformation.scanner           Found 1 results for AVD-AWS-0088
2024-02-27T10:31:05.834Z	DEBUG	[misconf] 31:05.834077431 cloudformation.scanner           Found 1 results for AVD-AWS-0090
2024-02-27T10:31:05.834Z	DEBUG	[misconf] 31:05.834085831 cloudformation.scanner           Found 1 results for AVD-AWS-0132
2024-02-27T10:31:05.834Z	DEBUG	[misconf] 31:05.834091831 cloudformation.scanner           Found 1 results for AVD-AWS-0091
2024-02-27T10:31:05.834Z	DEBUG	[misconf] 31:05.834098431 cloudformation.scanner           Found 1 results for AVD-AWS-0092
2024-02-27T10:31:05.834Z	DEBUG	[misconf] 31:05.834104631 cloudformation.scanner           Found 1 results for AVD-AWS-0093
2024-02-27T10:31:05.834Z	DEBUG	[misconf] 31:05.834110731 cloudformation.scanner           Found 1 results for AVD-AWS-0094
2024-02-27T10:31:05.834Z	DEBUG	[misconf] 31:05.834122431 cloudformation.scanner           Found 2 results for AVD-AWS-0095
2024-02-27T10:31:05.834Z	DEBUG	[misconf] 31:05.834130231 cloudformation.scanner           Found 2 results for AVD-AWS-0136
2024-02-27T10:31:05.835Z	DEBUG	[misconf] 31:05.835764125 cloudformation.scanner.rego      Scanning 1 inputs...
2024-02-27T10:31:05.896Z	DEBUG	OS is not detected.
2024-02-27T10:31:05.897Z	INFO	Detected config files: 1
2024-02-27T10:31:05.897Z	DEBUG	Scanned config file: cfn.yaml

cfn.yaml (cloudformation)
===================================================
Tests: 18 (SUCCESSES: 14, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 cfn.yaml:184-226
────────────────────────────────────────
 184 ┌   TFStateS3Bucket:
 185 │     Type: AWS::S3::Bucket
 186 │     DeletionPolicy: Retain
 187 │     Properties: 
 188 │       AccessControl: BucketOwnerFullControl #BucketOwnerFullControl | Private | PublicRead | PublicReadWrite | AuthenticatedRead | LogDeliveryWrite | BucketOwnerRead | 
 189 │       PublicAccessBlockConfiguration:
 190 │         BlockPublicAcls: true
 191 │         BlockPublicPolicy: true
 192 └         IgnorePublicAcls: true
 ...   
────────────────────────────────────────

Operating System

Ubuntu

Version

Version: 0.49.1

Checklist

• Run trivy image --reset
• Read the troubleshooting

[nikpivkin]

Hi @Cumming5412 !

Ignoring by inline comments is not supported for CloudFormation templates, so it's not a bug.

[Cumming5412]

Thank you for the confirmation.

[nikpivkin]

@simar7 Should we update the documentation and specify that ignore by inline comments is only supported for terraform?

[Cumming5412]

Yes please, but it would be a great feature so I can have parity between terraform and cloudformation. Is there anyway to do an ignore in a cloudformation template ?

[simar7]

@nikpivkin yes we should update the docs.

As for the feature parity, I'll convert this into an issue @Cumming5412 to track the improvement but we don't have any ETA on when we will support it.

[simar7]

Tracking here #6237