Trivy panics when ignoring specific resource in a module #9601

felipeng · 2025-10-06T20:07:42Z

felipeng
Oct 6, 2025

Description

Trivy panics when trying to ignore a specific resource from a module when using for_each

Desired Behavior

Ignore the specific resource from a module

Actual Behavior

Error: panic: value is unknown

Reproduction Steps

locals {
  aws-s3 = {
    bucket1 = {
      attach_policy = true
      policy        = data.aws_iam_policy_document.policy1["dev"].json
    }
    bucket2 = {
      attach_policy = true
      policy        = data.aws_iam_policy_document.policy2.json
    }
  }
}

data "aws_iam_policy_document" "policy1" {
  for_each = toset(["dev", "uat"])

  statement {
    sid    = ""
    effect = "Allow"
    actions = ["s3:GetObject"]
    resources = ["arn:aws:s3:::bucket1/*"]
  }
}

data "aws_iam_policy_document" "policy2" {
  statement {
    sid    = ""
    effect = "Allow"
    actions = ["s3:GetObject"]
    resources = ["arn:aws:s3:::bucket2/*"]
  }
}

#trivy:ignore:AVD-AWS-0090[bucket=mybucket-bucket1]
module "aws-s3" {
  source   = "terraform-aws-modules/s3-bucket/aws"
  version  = "~> 4.11.0"
  for_each = local.aws-s3

  bucket = "mybucket-${each.key}"
}

I found that making only one of the following changes, then trivy won't panic:

if not specify the bucket name in ignore (#trivy:ignore:AVD-AWS-0090), then works
or, removing the "mybucket-" from (bucket = "${each.key}"), then works
or, removing bucket2 (commenting/deleting) in locals.aws-s3, then works
or, using for_each on the bucket2 policy, (policy = data.aws_iam_policy_document.policy1["uat"].json), then works



### Target

Filesystem

### Scanner

Misconfiguration

### Output Format

None

### Mode

Standalone

### Debug Output

```bash
trivy config . --debug
2025-10-06T12:56:41-07:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-10-06T12:56:41-07:00       DEBUG   Cache dir       dir="/Users/felipe.gonzalez/Library/Caches/trivy"
2025-10-06T12:56:41-07:00       DEBUG   Cache dir       dir="/Users/felipe.gonzalez/Library/Caches/trivy"
2025-10-06T12:56:41-07:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-10-06T12:56:41-07:00       INFO    [misconfig] Misconfiguration scanning is enabled
2025-10-06T12:56:41-07:00       DEBUG   [notification] Running version check
2025-10-06T12:56:41-07:00       DEBUG   [misconfig] Checks successfully loaded from disk
2025-10-06T12:56:41-07:00       DEBUG   [notification] Version check completed  latest_version="0.67.0"
2025-10-06T12:56:41-07:00       DEBUG   [rego] Overriding filesystem for checks
2025-10-06T12:56:41-07:00       DEBUG   [rego] Embedded libraries are loaded    count=17
2025-10-06T12:56:41-07:00       DEBUG   [rego] Embedded checks are loaded       count=519
2025-10-06T12:56:41-07:00       DEBUG   [rego] Checks from disk are loaded      count=536
2025-10-06T12:56:41-07:00       DEBUG   [rego] Overriding filesystem for data
2025-10-06T12:56:42-07:00       DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-10-06T12:56:42-07:00       DEBUG   Initializing scan cache...      type="memory"
2025-10-06T12:56:42-07:00       DEBUG   [fs] Analyzing...       root="."
2025-10-06T12:56:42-07:00       DEBUG   Created process-specific temp directory path="/var/folders/rh/cz877djs1mbcvbn998mvgbzr0000gn/T/trivy-25241"
2025-10-06T12:56:42-07:00       DEBUG   [misconfig] Scanning files for misconfigurations...     scanner="Terraform"
2025-10-06T12:56:42-07:00       DEBUG   [terraform scanner] Scanning directory  file_path="."
2025-10-06T12:56:42-07:00       DEBUG   [terraform parser] Setting project/module root  module="root" file_path="."
2025-10-06T12:56:42-07:00       DEBUG   [terraform parser] Parsing FS   module="root" file_path="."
2025-10-06T12:56:42-07:00       DEBUG   [terraform parser] Parsing      module="root" file_path="aws-s3-locals.tf"
2025-10-06T12:56:42-07:00       DEBUG   [terraform parser] Added file   module="root" file_path="aws-s3-locals.tf"
2025-10-06T12:56:42-07:00       DEBUG   [terraform parser] Parsing      module="root" file_path="aws-s3-policy-frontend-cdn.tf"
2025-10-06T12:56:42-07:00       DEBUG   [terraform parser] Added file   module="root" file_path="aws-s3-policy-frontend-cdn.tf"
2025-10-06T12:56:42-07:00       DEBUG   [terraform parser] Parsing      module="root" file_path="aws-s3.tf"
2025-10-06T12:56:42-07:00       DEBUG   [terraform parser] Added file   module="root" file_path="aws-s3.tf"
2025-10-06T12:56:42-07:00       INFO    [terraform scanner] Scanning root module        file_path="."
2025-10-06T12:56:42-07:00       DEBUG   [terraform parser] Setting project/module root  module="root" file_path="."
2025-10-06T12:56:42-07:00       DEBUG   [terraform parser] Parsing FS   module="root" file_path="."
2025-10-06T12:56:42-07:00       DEBUG   [terraform parser] Parsing      module="root" file_path="aws-s3-locals.tf"
2025-10-06T12:56:42-07:00       DEBUG   [terraform parser] Added file   module="root" file_path="aws-s3-locals.tf"
2025-10-06T12:56:42-07:00       DEBUG   [terraform parser] Parsing      module="root" file_path="aws-s3-policy-frontend-cdn.tf"
2025-10-06T12:56:42-07:00       DEBUG   [terraform parser] Added file   module="root" file_path="aws-s3-policy-frontend-cdn.tf"
2025-10-06T12:56:42-07:00       DEBUG   [terraform parser] Parsing      module="root" file_path="aws-s3.tf"
2025-10-06T12:56:42-07:00       DEBUG   [terraform parser] Added file   module="root" file_path="aws-s3.tf"
2025-10-06T12:56:42-07:00       DEBUG   [terraform parser] Loading module       module="root" module="root"
2025-10-06T12:56:42-07:00       DEBUG   [terraform parser] Read block(s) and ignore(s)  module="root" blocks=4 ignores=1
2025-10-06T12:56:42-07:00       DEBUG   [terraform parser] Added input variables from tfvars    module="root" count=0
2025-10-06T12:56:42-07:00       DEBUG   [terraform parser] Working directory for module evaluation      module="root" file_path="/Users/felipe.gonzalez/Downloads/test"
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Starting module evaluation...     module="root" path="."
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Starting iteration        module="root" iteration=0
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Starting iteration        module="root" iteration=1
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Starting iteration        module="root" iteration=2
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Context unchanged module="root" iteration=2
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Expanded block into clones via 'for_each' attribute.      module="root" block="data.aws_iam_policy_document.policy1" clones=2
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Locating non-initialized module   module="root" source="terraform-aws-modules/s3-bucket/aws"
2025-10-06T12:56:42-07:00       DEBUG   [module resolver] Resolving module      module="root" name="module.aws-s3" source="terraform-aws-modules/s3-bucket/aws"
2025-10-06T12:56:42-07:00       DEBUG   [module resolver] Trying to resolve module via cache    module="root" key="cabae4b38b640d27c91d6f951d895a8a"
2025-10-06T12:56:42-07:00       DEBUG   [module resolver] Module resolved from cache    module="root" key="cabae4b38b640d27c91d6f951d895a8a"
2025-10-06T12:56:42-07:00       DEBUG   [module resolver] Module resolved       module="root" file_path="."
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Module resolved   module="root" block="module.aws-s3" source="terraform-aws-modules/s3-bucket/aws" prefix="terraform-aws-modules/s3-bucket/aws" file_path="."
2025-10-06T12:56:42-07:00       DEBUG   [terraform parser] Parsing FS   module="root" module="aws-s3" file_path="."
2025-10-06T12:56:42-07:00       DEBUG   [terraform parser] Parsing      module="root" module="aws-s3" file_path="main.tf"
2025-10-06T12:56:42-07:00       DEBUG   [terraform parser] Added file   module="root" module="aws-s3" file_path="main.tf"
2025-10-06T12:56:42-07:00       DEBUG   [terraform parser] Parsing      module="root" module="aws-s3" file_path="outputs.tf"
2025-10-06T12:56:42-07:00       DEBUG   [terraform parser] Added file   module="root" module="aws-s3" file_path="outputs.tf"
2025-10-06T12:56:42-07:00       DEBUG   [terraform parser] Parsing      module="root" module="aws-s3" file_path="variables.tf"
2025-10-06T12:56:42-07:00       DEBUG   [terraform parser] Added file   module="root" module="aws-s3" file_path="variables.tf"
2025-10-06T12:56:42-07:00       DEBUG   [terraform parser] Parsing      module="root" module="aws-s3" file_path="versions.tf"
2025-10-06T12:56:42-07:00       DEBUG   [terraform parser] Added file   module="root" module="aws-s3" file_path="versions.tf"
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Loaded module     module="root" name="aws-s3" file_path="."
2025-10-06T12:56:42-07:00       DEBUG   [terraform parser] Loading module       module="root" module="aws-s3" module="aws-s3"
2025-10-06T12:56:42-07:00       DEBUG   [terraform parser] Read block(s) and ignore(s)  module="root" module="aws-s3" blocks=116 ignores=0
2025-10-06T12:56:42-07:00       DEBUG   [terraform parser] Added input variables from module definition module="root" module="aws-s3" count=4
2025-10-06T12:56:42-07:00       DEBUG   [terraform parser] Working directory for module evaluation      module="root" module="aws-s3" file_path="/Users/felipe.gonzalez/Downloads/test"
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Starting submodules evaluation... module="root"
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Evaluating submodule      module="root" name="aws-s3"
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Starting module evaluation...     module="root" module="aws-s3" path="."
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Starting iteration        module="root" module="aws-s3" iteration=0
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Starting iteration        module="root" module="aws-s3" iteration=1
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Starting iteration        module="root" module="aws-s3" iteration=2
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Starting iteration        module="root" module="aws-s3" iteration=3
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Starting iteration        module="root" module="aws-s3" iteration=4
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Context unchanged module="root" module="aws-s3" iteration=4
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.aws_s3_bucket.this" clones=1
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.aws_s3_bucket_accelerate_configuration.this" clones=0
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.aws_s3_bucket_acl.this" clones=0
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.aws_s3_bucket_cors_configuration.this" clones=0
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.aws_s3_bucket_lifecycle_configuration.this" clones=0
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.aws_s3_bucket_logging.this" clones=0
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.aws_s3_bucket_object_lock_configuration.this" clones=0
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.aws_s3_bucket_ownership_controls.this" clones=0
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.aws_s3_bucket_policy.this" clones=0
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.aws_s3_bucket_public_access_block.this" clones=1
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.aws_s3_bucket_replication_configuration.this" clones=0
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.aws_s3_bucket_request_payment_configuration.this" clones=0
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.aws_s3_bucket_server_side_encryption_configuration.this" clones=0
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.aws_s3_bucket_versioning.this" clones=0
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.aws_s3_bucket_website_configuration.this" clones=0
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.aws_s3_directory_bucket.this" clones=0
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.data.aws_canonical_user_id.this" clones=0
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.data.aws_iam_policy_document.access_log_delivery" clones=0
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.data.aws_iam_policy_document.cloudtrail_log_delivery" clones=0
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.data.aws_iam_policy_document.combined" clones=0
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.data.aws_iam_policy_document.deny_incorrect_encryption_headers" clones=0
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.data.aws_iam_policy_document.deny_incorrect_kms_key_sse" clones=0
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.data.aws_iam_policy_document.deny_insecure_transport" clones=0
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.data.aws_iam_policy_document.deny_ssec_encrypted_object_uploads" clones=0
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.data.aws_iam_policy_document.deny_unencrypted_object_uploads" clones=0
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.data.aws_iam_policy_document.elb_log_delivery" clones=0
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.data.aws_iam_policy_document.inventory_and_analytics_destination_policy" clones=0
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.data.aws_iam_policy_document.lb_log_delivery" clones=0
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.data.aws_iam_policy_document.require_latest_tls" clones=0
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.data.aws_iam_policy_document.waf_log_delivery" clones=0
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Expanded block into clones via 'for_each' attribute.      module="root" module="aws-s3" block="module.aws-s3.aws_s3_bucket_analytics_configuration.this" clones=0
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Expanded block into clones via 'for_each' attribute.      module="root" module="aws-s3" block="module.aws-s3.aws_s3_bucket_intelligent_tiering_configuration.this" clones=0
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Expanded block into clones via 'for_each' attribute.      module="root" module="aws-s3" block="module.aws-s3.aws_s3_bucket_inventory.this" clones=0
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Expanded block into clones via 'for_each' attribute.      module="root" module="aws-s3" block="module.aws-s3.aws_s3_bucket_metric.this" clones=0
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Starting post-submodules evaluation...    module="root" module="aws-s3"
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Starting iteration        module="root" module="aws-s3" iteration=0
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Starting iteration        module="root" module="aws-s3" iteration=1
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Context unchanged module="root" module="aws-s3" iteration=1
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Module evaluation complete.       module="root" module="aws-s3"
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Added module output       module="root" module="aws-s3" block="s3_bucket_arn" value="cty.StringVal(\"arn:aws:s3:::\")"
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Added module output       module="root" module="aws-s3" block="s3_bucket_bucket_domain_name" value="cty.StringVal(\"\")"
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Added module output       module="root" module="aws-s3" block="s3_bucket_bucket_regional_domain_name" value="cty.StringVal(\"\")"
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Added module output       module="root" module="aws-s3" block="s3_bucket_hosted_zone_id" value="cty.StringVal(\"\")"
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Added module output       module="root" module="aws-s3" block="s3_bucket_id" value="cty.DynamicVal"
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Added module output       module="root" module="aws-s3" block="s3_bucket_lifecycle_configuration_rules" value="cty.StringVal(\"\")"
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Added module output       module="root" module="aws-s3" block="s3_bucket_policy" value="cty.StringVal(\"\")"
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Added module output       module="root" module="aws-s3" block="s3_bucket_region" value="cty.StringVal(\"\")"
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Added module output       module="root" module="aws-s3" block="s3_bucket_website_domain" value="cty.StringVal(\"\")"
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Added module output       module="root" module="aws-s3" block="s3_bucket_website_endpoint" value="cty.StringVal(\"\")"
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Added module output       module="root" module="aws-s3" block="s3_directory_bucket_arn" value="cty.DynamicVal"
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Added module output       module="root" module="aws-s3" block="s3_directory_bucket_name" value="cty.DynamicVal"
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Starting iteration        module="root" iteration=0
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Starting iteration        module="root" iteration=1
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Starting iteration        module="root" iteration=2
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Context unchanged module="root" iteration=2
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Submodule inputs unchanged        module="root" name="aws-s3"
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] All submodules are evaluated      module="root" loop=1
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Starting post-submodule evaluation...     module="root"
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Starting iteration        module="root" iteration=0
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Starting iteration        module="root" iteration=1
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Context unchanged module="root" iteration=1
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Finished processing submodule(s). module="root" count=1
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Starting post-submodules evaluation...    module="root"
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Starting iteration        module="root" iteration=0
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Starting iteration        module="root" iteration=1
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Context unchanged module="root" iteration=1
2025-10-06T12:56:42-07:00       DEBUG   [terraform evaluator] Module evaluation complete.       module="root"
2025-10-06T12:56:42-07:00       DEBUG   [terraform parser] Finished parsing module      module="root"
2025-10-06T12:56:42-07:00       DEBUG   [terraform executor] Adapting modules...
2025-10-06T12:56:42-07:00       DEBUG   [terraform executor] Adapted module(s) into state data. count=2
2025-10-06T12:56:42-07:00       DEBUG   [terraform executor] Scan state data
2025-10-06T12:56:42-07:00       DEBUG   [rego] Scanning inputs  count=1
2025-10-06T12:56:42-07:00       DEBUG   [terraform executor] Finished applying checks
2025-10-06T12:56:42-07:00       DEBUG   [terraform executor] Applying ignores...
2025-10-06T12:56:42-07:00       DEBUG   Cleaning up temp directory      path="/var/folders/rh/cz877djs1mbcvbn998mvgbzr0000gn/T/trivy-25241"
panic: value is unknown

goroutine 1 [running]:
github.com/zclconf/go-cty/cty.Value.AsString({{{0x10801c100?, 0x106c1de88?}}, {0x1073c3b40?, 0x14002189200?}})
        github.com/zclconf/[email protected]/cty/value_ops.go:1438 +0xfc
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/executor.ignoreByParams(0x14005d25350, {0x14002691290, 0x2, 0x1015568e0?}, 0x14001091738)
        github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/executor/executor.go:209 +0x2c8
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/executor.(*Executor).Execute.attributeIgnorer.func3({{{0x14005678430, 0x10}, 0x23, 0x29, {0x0, 0x0}, 0x0, {0x0, 0x0}, {0x140040f2140, ...}}, ...}, ...)
        github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/executor/executor.go:247 +0x48
github.com/aquasecurity/trivy/pkg/iac/ignore.Rule.ignore({{{0x14005d1c330, 0x10}, 0x22, 0x22, {0x0, 0x0}, 0x0, {0x0, 0x0}, {0x0, ...}}, ...}, ...)
        github.com/aquasecurity/trivy/pkg/iac/ignore/rule.go:69 +0x390
github.com/aquasecurity/trivy/pkg/iac/scan.(*Results).Ignore.Rules.Ignore.func1(...)
        github.com/aquasecurity/trivy/pkg/iac/ignore/rule.go:22
slices.IndexFunc[...](...)
        slices/slices.go:109
slices.ContainsFunc[...](...)
        slices/slices.go:124
github.com/aquasecurity/trivy/pkg/iac/ignore.Rules.Ignore(...)
        github.com/aquasecurity/trivy/pkg/iac/ignore/rule.go:21
github.com/aquasecurity/trivy/pkg/iac/scan.(*Results).Ignore(0x14001092540, {0x14003a2f5e0, 0x1, 0x6?}, 0x14001092b08)
        github.com/aquasecurity/trivy/pkg/iac/scan/result.go:279 +0x428
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/executor.(*Executor).Execute(0x140048e6ec0, {0x108019ab8, 0x14005cfe510}, {0x14002691290, 0x2, 0x2}, {0x106c1d9b0, 0x1})
        github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/executor/executor.go:84 +0x8e8
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform.(*Scanner).ScanFS(0x14005aa6240, {0x108019ab8, 0x14005cfe510}, {0x107f97c40, 0x140045721b0}, {0x106c1d9b0, 0x1})
        github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/scanner.go:139 +0x82c
github.com/aquasecurity/trivy/pkg/misconf.(*Scanner).Scan(0x14005cfd000, {0x108019b60, 0x14000dfa4d0}, {0x107f97c40, 0x14004572108})
        github.com/aquasecurity/trivy/pkg/misconf/scanner.go:149 +0x208
github.com/aquasecurity/trivy/pkg/fanal/analyzer/config.(*Analyzer).PostAnalyze(0x14005c8f620, {0x108019b60?, 0x14000dfa4d0?}, {{0x107f97c40, 0x14004572108}, {0x0, 0x0, 0x0}, {0x0, 0x0}})
        github.com/aquasecurity/trivy/pkg/fanal/analyzer/config/config.go:44 +0x44
github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.PostAnalyze({0x14005cf2a50, {0x14005c8f520, 0x2, 0x2}, {0x1400243f680, 0x8, 0x8}, 0x14005cf7140, {0x0, 0x0}}, ...)
        github.com/aquasecurity/trivy/pkg/fanal/analyzer/analyzer.go:519 +0x318
github.com/aquasecurity/trivy/pkg/fanal/artifact/local.Artifact.Inspect({{0x16f2373b5, 0x1}, 0x14005cf31f0, {0x13840d760, 0x140010e0480}, {0x107f97b80, 0x10bb74d28}, {0x14005cf2a50, {0x14005c8f520, 0x2, ...}, ...}, ...}, ...)
        github.com/aquasecurity/trivy/pkg/fanal/artifact/local/fs.go:228 +0x5d4
github.com/aquasecurity/trivy/pkg/scan.Service.ScanArtifact({{_, _}, {_, _}}, {_, _}, {{0x0, 0x0, 0x0}, {0x0, ...}, ...})
        github.com/aquasecurity/trivy/pkg/scan/service.go:46 +0xa0
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scan(_, {_, _}, {{{0x1058d987a, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, ...}, ...}, ...)
        github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:691 +0x2f0
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact(_, {_, _}, {{{0x1058d987a, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, ...}, ...}, ...)
        github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:289 +0x9c
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanFS(_, {_, _}, {{{0x1058d987a, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, ...}, ...})
        github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:234 +0xac
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).ScanFilesystem(_, {_, _}, {{{0x1058d987a, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, ...}, ...})
        github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:214 +0x1bc
github.com/aquasecurity/trivy/pkg/commands/artifact.run({_, _}, {{{0x1058d987a, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, {0x140000bd110, ...}, ...}, ...}, ...)
        github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:437 +0x66c
github.com/aquasecurity/trivy/pkg/commands/artifact.Run({_, _}, {{{0x1058d987a, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, {0x140000bd110, ...}, ...}, ...}, ...)
        github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:396 +0x1d8
github.com/aquasecurity/trivy/pkg/commands.NewConfigCommand.func2(0x1400107a608, {0x14000362340, 0x1, 0x2})
        github.com/aquasecurity/trivy/pkg/commands/app.go:740 +0x29c
github.com/spf13/cobra.(*Command).execute(0x1400107a608, {0x140003622e0, 0x2, 0x2})
        github.com/spf13/[email protected]/command.go:1015 +0x7d4
github.com/spf13/cobra.(*Command).ExecuteC(0x140001bac08)
        github.com/spf13/[email protected]/command.go:1148 +0x350
github.com/spf13/cobra.(*Command).Execute(...)
        github.com/spf13/[email protected]/command.go:1071
github.com/spf13/cobra.(*Command).ExecuteContext(...)
        github.com/spf13/[email protected]/command.go:1064
github.com/aquasecurity/trivy/pkg/commands.Run({0x108019ea8, 0x14000c50cc0})
        github.com/aquasecurity/trivy/pkg/commands/run.go:23 +0x5c
main.run()
        github.com/aquasecurity/trivy/cmd/trivy/main.go:50 +0x14c
main.main()
        github.com/aquasecurity/trivy/cmd/trivy/main.go:19 +0x20

Operating System

macOS Tahoe

Version

trivy --version
Version: 0.67.0
Check Bundle:
  Digest: sha256:a471e90b7c7335e914ec9075b74cf8f65e4c91e6cecfa7e39c587382808d2684
  DownloadedAt: 2025-10-06 19:30:24.633299 +0000 UTC

Checklist

Run trivy clean --all
Read the troubleshooting

simar7 · 2025-10-07T04:49:40Z

simar7
Oct 7, 2025
Maintainer

@nikpivkin I can reproduce it on the latest main as well - could you take a look into it?

2 replies

felipeng Nov 17, 2025
Author

any update on this topic?

simar7 Nov 17, 2025
Maintainer

ping @nikpivkin

nikpivkin · 2025-11-20T13:53:35Z

nikpivkin
Nov 20, 2025
Maintainer

Track #9834

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Trivy panics when ignoring specific resource in a module #9601

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments 2 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Trivy panics when ignoring specific resource in a module #9601

Uh oh!

felipeng Oct 6, 2025

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Operating System

Version

Checklist

Replies: 2 comments · 2 replies

Uh oh!

simar7 Oct 7, 2025 Maintainer

Uh oh!

felipeng Nov 17, 2025 Author

Uh oh!

simar7 Nov 17, 2025 Maintainer

Uh oh!

nikpivkin Nov 20, 2025 Maintainer

felipeng
Oct 6, 2025

Replies: 2 comments 2 replies

simar7
Oct 7, 2025
Maintainer

felipeng Nov 17, 2025
Author

simar7 Nov 17, 2025
Maintainer

nikpivkin
Nov 20, 2025
Maintainer