aquasecurity/tfsec-pr-commenter-action

Comment not relevant error when scanning specific folders

Opened this issue · 8 comments

Hi,

I have a PR open here: ministryofjustice/opg-lpa#541
which has an action with multiple tfsec scans on different specific folders. The action is based on the example in the readme, but with a matrix for the terraform_path.

On a violation I am seeing errors similar to the following.

Comment not written [Resource aws_s3_bucket.mailbox has no associated aws_s3_bucket_public_access_block.], not part of the current PR

The commit to remove the ignore is also in this PR branch. Can you advise why this might be happening?
Please see example here in a run:

https://github.com/ministryofjustice/opg-lpa/pull/541/checks?check_run_id=3056251557#step:4:13

Any advice will be greatly appreciated.

Hey @williamfalconeruk - this is an odd one. The error is informational; it's telling you that you don't have logging on the bucket, yes, but it is dropping it on the floor because this PR isn't to blame for it.

The odd bit is that it is even raising an AWS002 when the ignore is in place.

Let me take a proper look and come back to you.

I was completely misreading this - the ignores are being removed not added 🤦

The pr-commenter is not as sophisticated as you maybe hope; it can't recognise that the resource block is now failing and should be stopped - it can only tell you issues with lines that are specifically changed in the PR.

One option you have, with this being a public repo, is to use the tfsec-sarif-action which will report all issues across the branch of the PR and put them in the security scan block https://github.com/ministryofjustice/opg-lpa/security. As they do different tasks, I think both together would work around this.

In the meantime, I'll look at whether we can make it more intelligent under #14
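To show what "only lines changed in the PR" means in practice, here is an added example (not the action's own code): it parses a constructed unified diff for the line numbers that exist on the new side, then filters constructed tfsec-style findings against them, so the finding on the unchanged mailbox resource is dropped with the message seen in the report while a finding on an added line is kept. The finding shape, file path and bucket names are assumptions.

```python
import re

# Constructed sample: the PR deletes a tfsec:ignore comment above an existing bucket
# and adds a second bucket. Only the "+" line has a line number in the new file.
SAMPLE_DIFF = """\
--- a/terraform/s3.tf
+++ b/terraform/s3.tf
@@ -1,4 +1,4 @@
-#tfsec:ignore:AWS002
 resource "aws_s3_bucket" "mailbox" {
   bucket = "mailbox"
 }
+resource "aws_s3_bucket" "logs" { bucket = "logs" }
"""
# Constructed findings, shaped roughly like tfsec JSON output (assumption, not its exact schema).
def finding(name, start, end):
    return {"location": {"filename": "terraform/s3.tf", "start_line": start, "end_line": end},
            "description": f"Resource aws_s3_bucket.{name} has no associated aws_s3_bucket_public_access_block."}
SAMPLE_RESULTS = [finding("mailbox", 1, 3), finding("logs", 4, 4)]
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,(\d+))? @@")

def changed_lines(unified_diff):
    """Map each file to the new-side line numbers the diff adds or modifies (removed lines have none)."""
    changed, path, new_line, remaining = {}, None, 0, 0
    for raw in unified_diff.splitlines():
        if raw.startswith("@@"):
            m = HUNK_RE.match(raw)
            new_line, remaining = int(m.group(1)), int(m.group(2) or 1)  # count defaults to 1
        elif remaining == 0:  # between hunks: only the "+++ b/<path>" header matters
            if raw.startswith("+++ "):
                changed.setdefault(path := raw[4:].removeprefix("b/"), set())
        elif raw.startswith("+"):
            changed[path].add(new_line)
            new_line, remaining = new_line + 1, remaining - 1
        elif raw.startswith(("-", "\\")):
            pass  # removed line or "\ No newline at end of file": nothing on the new side to comment on
        else:
            new_line, remaining = new_line + 1, remaining - 1  # unchanged context line
    return changed

def comments_for_pr(results, unified_diff):
    """Keep findings that overlap a changed line; report the rest as dropped, like the action does."""
    changed = changed_lines(unified_diff)
    written, dropped = [], []
    for r in results:
        loc = r["location"]
        touched = changed.get(loc["filename"], set())
        if any(n in touched for n in range(loc["start_line"], loc["end_line"] + 1)):
            written.append(r)
        else:
            dropped.append(f"Comment not written [{r['description']}], not part of the current PR")
    return written, dropped
```

Deleting the ignore comment produces only a "-" line, so the mailbox resource's own lines are unchanged context and the finding has nothing in the diff to attach to.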

I too have run into this issue. I don't get the issue with this tfsec action though, so I'm continuing to use it (in private repos) until this gets sorted.

I am having this issue as well. I've followed what @heathsnow mentioned, but I'd really like to be able to use the comment functionality that this action offers.

Update on the above - I switched to https://github.com/reviewdog/action-tfsec and commenting works great.

Hi,
I'm still running into these issues with violation errors & no comments, even on the same PR. Any updates would be great, as I'm hoping to use aquasecurity official repos.
Thanks in advance.

RafPe commented

Is there any update on this issue?