bug(terraform): Trivy panics when an ignore marker value is unknown #9834

@nikpivkin

Description

Trivy panics when a value used as an ignore marker is either null or unknown.
Before performing any operations on such a value, we should validate that it is both non-null and known. If the value cannot be resolved at evaluation time, the rule should safely skip it instead of causing a panic.

Steps to reproduce

  1. Use the following Terraform configuration:

     #trivy:ignore:*[bucket=mybucket-bucket1]
     resource "aws_s3_bucket" "test" {
       bucket = "mybucket-${each.key}"
     }
  2. Run Trivy against this file.

Because the value used as the ignore marker (mybucket-${each.key}) is unknown during evaluation, Trivy attempts to process it and panics instead of handling it gracefully.
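The guard the issue asks for, as an added example that is not Trivy's own code: a minimal ignore-marker matcher that checks an attribute is both known and non-null before comparing it with the marker's parameter. The `attrValue` struct is a constructed stand-in for the evaluated HCL value (Trivy itself works on cty values), and `parseIgnoreMarker` handles only the `RULE[key=value]` shape shown in the reproduction, so both are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// attrValue is a constructed stand-in for an evaluated Terraform attribute.
// It is not Trivy's type; it only models the two states the issue is about.
type attrValue struct {
	Known bool   // false when evaluation could not resolve it, e.g. "mybucket-${each.key}"
	Null  bool   // true when the attribute evaluates to null
	Str   string // string value, meaningful only when Known && !Null
}

// ignoreMarker is the parsed form of "#trivy:ignore:RULE[key=value]".
type ignoreMarker struct {
	RuleID string
	Key    string
	Value  string
}

// parseIgnoreMarker parses the simplified marker syntax used in the issue.
func parseIgnoreMarker(comment string) (ignoreMarker, error) {
	const prefix = "#trivy:ignore:"
	if !strings.HasPrefix(comment, prefix) {
		return ignoreMarker{}, errors.New("not an ignore marker")
	}
	rest := strings.TrimPrefix(comment, prefix)
	open := strings.Index(rest, "[")
	if open < 0 {
		return ignoreMarker{RuleID: rest}, nil // unparameterised marker
	}
	if !strings.HasSuffix(rest, "]") {
		return ignoreMarker{}, fmt.Errorf("unterminated parameter in %q", comment)
	}
	kv := strings.SplitN(rest[open+1:len(rest)-1], "=", 2)
	if len(kv) != 2 || kv[0] == "" {
		return ignoreMarker{}, fmt.Errorf("malformed parameter in %q", comment)
	}
	return ignoreMarker{RuleID: rest[:open], Key: kv[0], Value: kv[1]}, nil
}

// matchResult distinguishes a real mismatch from a value that could not be checked.
type matchResult int

const (
	Matched    matchResult = iota // marker applies to this resource
	NotMatched                    // attribute is known and differs from the marker value
	Skipped                       // attribute is missing, null or unknown: marker is ignored
)

// markerApplies evaluates the marker against a resource's attributes. The
// known/null check comes before any use of Str, so an unresolved value such as
// "mybucket-${each.key}" is skipped rather than dereferenced.
func markerApplies(m ignoreMarker, attrs map[string]attrValue) matchResult {
	if m.Key == "" {
		return Matched
	}
	v, ok := attrs[m.Key]
	if !ok || !v.Known || v.Null {
		return Skipped
	}
	if v.Str == m.Value {
		return Matched
	}
	return NotMatched
}

func main() {
	m, err := parseIgnoreMarker("#trivy:ignore:*[bucket=mybucket-bucket1]")
	if err != nil {
		panic(err)
	}
	// Constructed inputs: the unresolved bucket name from the issue, and a resolved one.
	unresolved := map[string]attrValue{"bucket": {Known: false}}
	resolved := map[string]attrValue{"bucket": {Known: true, Str: "mybucket-bucket1"}}
	fmt.Println("unknown value:", markerApplies(m, unresolved) == Skipped)
	fmt.Println("known value:  ", markerApplies(m, resolved) == Matched)
}
```

The important design point is that `Skipped` is a distinct outcome: the rule neither suppresses the finding nor fails, which is the behaviour the issue describes as the safe fallback when a marker value cannot be resolved at evaluation time.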

Discussed in #9601

Labels

kind/bug (Categorizes issue or PR as related to a bug)
scan/misconfiguration (Issues relating to misconfiguration scanning)
