Trivy Secret Scanner Not Scanning Terraform Modules Recursively in CI Pipeline

[vct23]

Description

The Trivy security scanner in our GitHub Actions workflow is currently scanning the root directory "." for secrets and misconfigurations. However, for secrets it only appears to scan the top level and does not scan recursively.

Our command in the Github workflow is:

- name: Terraform Security checks
        if: github.event_name == 'pull_request'
        run: trivy version; trivy fs --scanners misconfig --scanners secret --format table --exit-code 1 --severity UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL .

No further configuration file or rules are added.

Desired Behavior

To scan starting from . but only scanning modules that are being used by the current stack

Actual Behavior

Not scanning modules being used by the current stack

Reproduction Steps

1.
2.
3.
...

Target

Filesystem

Scanner

Secret

Output Format

Table

Mode

Standalone

Debug Output

Run trivy version; trivy -d fs --scanners misconfig --scanners secret --format table --exit-code 1 --severity UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL .
Version: 0.67.0
2025-11-20T11:41:26Z	DEBUG	No plugins loaded
2025-11-20T11:41:26Z	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2025-11-20T11:41:26Z	DEBUG	Cache dir	dir="/home/runner/.cache/trivy"
2025-11-20T11:41:26Z	DEBUG	Cache dir	dir="/home/runner/.cache/trivy"
2025-11-20T11:41:26Z	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-11-20T11:41:26Z	DEBUG	Ignore statuses	statuses=[]
2025-11-20T11:41:26Z	DEBUG	[notification] Running version check
2025-11-20T11:41:26Z	DEBUG	[pkg] Package types	types=[os library]
2025-11-20T11:41:26Z	DEBUG	[pkg] Package relationships	relationships=[unknown root workspace direct indirect]
2025-11-20T11:41:26Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-11-20T11:41:26Z	DEBUG	[misconfig] Failed to open the check metadata	err="open /home/runner/.cache/trivy/policy/metadata.json: no such file or directory"
2025-11-20T11:41:26Z	INFO	[misconfig] Need to update the checks bundle
2025-11-20T11:41:26Z	INFO	[misconfig] Downloading the checks bundle...
2025-11-20T11:41:26Z	DEBUG	[misconfig] Loading check bundle	repository="mirror.gcr.io/aquasec/trivy-checks:1"
2025-11-20T11:41:26Z	DEBUG	[notification] Version check completed	latest_version="0.67.2"
2025-11-20T11:41:26Z	DEBUG	Created process-specific temp directory	path="/tmp/trivy-200"
165.46 KiB / 165.46 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-11-20T11:41:26Z	DEBUG	[misconfig] Digest of the built-in checks	digest="sha256:0491169789b867ae5a7353381220c1d4d97b3a0d6d9dfd84a25d06f0ba68aa93"
2025-11-20T11:41:26Z	DEBUG	[misconfig] Checks successfully loaded from disk
2025-11-20T11:41:26Z	DEBUG	[rego] Overriding filesystem for checks
2025-11-20T11:41:26Z	DEBUG	[rego] Embedded libraries are loaded	count=17
2025-11-20T11:41:26Z	DEBUG	[rego] Embedded checks are loaded	count=519
2025-11-20T11:41:26Z	DEBUG	[rego] Checks from disk are loaded	count=536
2025-11-20T11:41:26Z	DEBUG	[rego] Overriding filesystem for data
2025-11-20T11:41:26Z	INFO	[secret] Secret scanning is enabled
2025-11-20T11:41:26Z	INFO	[secret] If your scanning is slow, please try '--scanners misconfig' to disable secret scanning
2025-11-20T11:41:26Z	INFO	[secret] Please see https://trivy.dev/v0.67/docs/scanner/secret#recommendation for faster secret detection
2025-11-20T11:41:26Z	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-11-20T11:41:26Z	DEBUG	Initializing scan cache...	type="memory"
2025-11-20T11:41:26Z	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2025-11-20T11:41:26Z	DEBUG	[fs] Analyzing...	root="."
2025-11-20T11:41:26Z	DEBUG	[secret] Using streaming scanner	file_path="data.tf"
2025-11-20T11:41:26Z	DEBUG	[secret] scanStream called	file_path="data.tf" buffer_size=65536 overlap_size=4096
2025-11-20T11:41:26Z	DEBUG	[secret] scanChunk called	file_path="data.tf" content_len=694 num_rules=87
...

Operating System

Github runner with enough permissions

Version

0.67

Checklist

• Run trivy clean --all
• Read the troubleshooting

[DmitriyLewen]

hello @vct23
Thanks for your report!

Can you share an example of how we can reproduce your case?

Regards, Dmitriy

[vct23]

Yes, if you create the following directory

.
└── modules
    └── sample-module
        ├── test-module
        │   └── wallet2.key
        └── wallet.key

and run:

trivy version; trivy fs --scanners misconfig --scanners secret --format table --exit-code 1 --severity UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL .

It can be seen that the wallet2.key does not seem to be scanned.

[DmitriyLewen]

Hello @vct23

Trivy skips secrets with test in path by default - https://trivy.dev/docs/latest/guide/scanner/secret/#secret-scanning:~:text=If%20your%20secret%20is%20not%20detected%20properly%2C%20please%20make%20sure%20that%20your%20file%20including%20the%20secret%20is%20not%20in%20the%20allowed%20paths.%20You%20can%20disable%20allow%20rules%20via%20disable%2Dallow%2Drules.

➜ tree .
.
├── modules
│   └── sample-module
│       ├── test-module
│       │   └── wallet2.key
│       └── wallet.key
└── trivy-secret-config.yaml

4 directories, 3 files

➜  cat trivy-secret-config.yaml 
disable-allow-rules:
  - tests   

➜ trivy -q fs --scanners secret .

Report Summary

┌──────────────────────────────────┬──────┬─────────┐
│              Target              │ Type │ Secrets │
├──────────────────────────────────┼──────┼─────────┤
│ modules/sample-module/wallet.key │ text │    1    │
└──────────────────────────────────┴──────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


modules/sample-module/wallet.key (secrets)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

CRITICAL: AWS (aws-secret-access-key)
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
AWS Secret Access Key
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 modules/sample-module/wallet.key:1 (offset: 18 bytes)
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1 [ 'AWS_secret_KEY'="****************************************"
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


➜ trivy -q fs --scanners secret --secret-config trivy-secret-config.yaml . 

Report Summary

┌───────────────────────────────────────────────┬──────┬─────────┐
│                    Target                     │ Type │ Secrets │
├───────────────────────────────────────────────┼──────┼─────────┤
│ modules/sample-module/test-module/wallet2.key │ text │    1    │
├───────────────────────────────────────────────┼──────┼─────────┤
│ modules/sample-module/wallet.key              │ text │    1    │
└───────────────────────────────────────────────┴──────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


modules/sample-module/test-module/wallet2.key (secrets)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

CRITICAL: AWS (aws-secret-access-key)
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
AWS Secret Access Key
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 modules/sample-module/test-module/wallet2.key:1 (offset: 18 bytes)
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1 [ 'AWS_secret_KEY'="****************************************"
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────



modules/sample-module/wallet.key (secrets)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

CRITICAL: AWS (aws-secret-access-key)
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
AWS Secret Access Key
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 modules/sample-module/wallet.key:1 (offset: 18 bytes)
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1 [ 'AWS_secret_KEY'="****************************************"
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

[vct23]

yes, you're right. I have changed the folder name and it detects it. However, this is still happening in our Github pipeline and we do not have any test folder there. I will try to make a reproducible example and post it here.

Thank you here