Erroneous rule id in SARIF output for a filesystem/fs misconfiguration scan

[stemann]

Description

When running a trivy misconfiguration scan for a filesystem with some terraform/aws/eks code, and outputting to SARIF, the SARIF report includes rule id aws-vpc-no-public-egress-sgr instead of the expected rule id AVD-AWS-0104: https://avd.aquasec.com/misconfig/aws-vpc-no-public-egress-sgr alias https://avd.aquasec.com/misconfig/aws/ec2/avd-aws-0104

As a consequence, the SARIF report cannot be matched with the corresponding trivyignore.yaml-file.

Desired Behavior

Expected rule ids (AVD-AWS-0104):

$ jq '.runs[0].tool.driver.rules.[] | { id: .id }' report.sarif.json 

{
  "id": "AVD-AWS-0040"
}
{
  "id": "AVD-AWS-0041"
}
{
  "id": "AVD-AWS-0104"
}

Actual Behavior

Actual rule ids (aws-vpc-no-public-egress-sgr):

$ jq '.runs[0].tool.driver.rules.[] | { id: .id }' report.sarif.json 

{
  "id": "AVD-AWS-0040"
}
{
  "id": "AVD-AWS-0041"
}
{
  "id": "aws-vpc-no-public-egress-sgr"
}

report.sarif.json

Reproduction Steps

1. trivy config:

cat <<EOT > .trivy/fs.yaml
scan:
  scanners:
    - misconfig
    - secret

  skip-dirs:
    - .devcontainer
    - "**/.terraform"

severity:
  - HIGH
  - CRITICAL
EOT

2. trivy run:

trivy --config .trivy/fs.yaml --format sarif --output report.sarif.json fs .

Target

Filesystem

Scanner

Misconfiguration

Output Format

SARIF

Mode

Standalone

Debug Output

$ trivy --debug --config .trivy/fs.yaml --format sarif --output report.sarif.json fs .
2025-12-04T13:31:55Z    DEBUG   No plugins loaded
2025-12-04T13:31:55Z    INFO    Loaded  file_path=".trivy/fs.yaml"
2025-12-04T13:31:55Z    DEBUG   Cache dir       dir="/home/vscode/.cache/trivy"
2025-12-04T13:31:55Z    DEBUG   Cache dir       dir="/home/vscode/.cache/trivy"
2025-12-04T13:31:55Z    DEBUG   Parsed severities       severities=[HIGH CRITICAL]
2025-12-04T13:31:55Z    DEBUG   Ignore statuses statuses=[]
2025-12-04T13:31:55Z    DEBUG   [pkg] Package types     types=[os library]
2025-12-04T13:31:55Z    DEBUG   [pkg] Package relationships     relationships=[unknown root workspace direct indirect]
2025-12-04T13:31:55Z    INFO    [misconfig] Misconfiguration scanning is enabled
2025-12-04T13:31:55Z    DEBUG   [misconfig] Failed to open the check metadata   err="open /home/vscode/.cache/trivy/policy/metadata.json: no such file or directory"
...

trivy_debug.err.log

Operating System

Debian GNU/Linux 13 (trixie)

Version

$ trivy --version
Version: 0.68.1
Check Bundle:
  Digest: sha256:0491169789b867ae5a7353381220c1d4d97b3a0d6d9dfd84a25d06f0ba68aa93
  DownloadedAt: 2025-12-04 13:31:56.442207217 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

[nikpivkin]

Hi @stemann !

We are currently implementing changes to the system for managing check IDs, which will be included in the next release and will resolve this existing issue. Issue to track: #9064