-
Notifications
You must be signed in to change notification settings - Fork 65
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Commenter returning "Ignoring - change not part of the current PR" for all comments #90
Comments
I noticed this recently as well. The worst part about it is that anyone could be having this issue and they will just assume everything is fine because the tfsec check passes and we trust it. |
Looked into this a little more today and was able to pull out the error that is triggering the ignore statement: tfsec-pr-commenter-action/vendor/github.com/owenrumney/go-github-pr-commenter/commenter/errors.go Lines 50 to 51 in 7a44c5d
Here is the results.json file and the errors: {
"results": [
{
"rule_id": "AVD-AWS-0099",
"long_id": "aws-ec2-add-description-to-security-group",
"rule_description": "Missing description for security group.",
"rule_provider": "aws",
"rule_service": "ec2",
"impact": "Descriptions provide context for the firewall rule reasons",
"resolution": "Add descriptions for all security groups",
"links": [
"https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/add-description-to-security-group/",
"https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group",
"https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule"
],
"description": "Security group explicitly uses the default description.",
"severity": "LOW",
"warning": false,
"status": 0,
"resource": "aws_security_group.terratest-sg",
"location": {
"filename": "/github/workspace/terratest-poc/main.tf",
"start_line": 9,
"end_line": 18
}
},
{
"rule_id": "AVD-AWS-0124",
"long_id": "aws-ec2-add-description-to-security-group-rule",
"rule_description": "Missing description for security group rule.",
"rule_provider": "aws",
"rule_service": "ec2",
"impact": "Descriptions provide context for the firewall rule reasons",
"resolution": "Add descriptions for all security groups rules",
"links": [
"https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/add-description-to-security-group-rule/",
"https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group",
"https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule"
],
"description": "Security group rule does not have a description.",
"severity": "LOW",
"warning": false,
"status": 0,
"resource": "aws_security_group.terratest-sg",
"location": {
"filename": "/github/workspace/terratest-poc/main.tf",
"start_line": 12,
"end_line": 17
}
},
{
"rule_id": "AVD-AWS-0131",
"long_id": "aws-ec2-enable-at-rest-encryption",
"rule_description": "Instance with unencrypted block device.",
"rule_provider": "aws",
"rule_service": "ec2",
"impact": "The block device could be compromised and read from",
"resolution": "Turn on encryption for all block devices",
"links": [
"https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/enable-at-rest-encryption/",
"https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#ebs-ephemeral-and-root-block-devices"
],
"description": "Root block device is not encrypted.",
"severity": "HIGH",
"warning": false,
"status": 0,
"resource": "aws_instance.terratest-ec2-instance",
"location": {
"filename": "/github/workspace/terratest-poc/main.tf",
"start_line": 1,
"end_line": 7
}
},
{
"rule_id": "AVD-AWS-0028",
"long_id": "aws-ec2-enforce-http-token-imds",
"rule_description": "aws_instance should activate session tokens for Instance Metadata Service.",
"rule_provider": "aws",
"rule_service": "ec2",
"impact": "Instance metadata service can be interacted with freely",
"resolution": "Enable HTTP token requirement for IMDS",
"links": [
"https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/enforce-http-token-imds/",
"https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#metadata-options"
],
"description": "Instance does not require IMDS access to require a token",
"severity": "HIGH",
"warning": false,
"status": 0,
"resource": "aws_instance.terratest-ec2-instance",
"location": {
"filename": "/github/workspace/terratest-poc/main.tf",
"start_line": 1,
"end_line": 7
}
}
]
} starting the github commenter |
I'm seeing the same error, and to my horror realised recently it's been happening silently for a while and I've just been assuming all is good with the sec scan! |
+1 |
any updates on this? |
just add working_directory empty:
This works for me! |
I was also facing the same issue. Thanks @mario-fernandez-mm , it seems that adding an empty working_directory does works. |
The suggested fix of adding a blank |
@sysophost It seems to be working with |
@mandeeps13k I'm still getting the behaviour described by the OP.
With this action definition name: Run tfsec and comment on PR
on:
- pull_request
jobs:
tfsec:
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
steps:
- uses: actions/checkout@v3
with:
ref: ${{ github.event.pull_request.head.ref }}
- name: tfsec
uses: aquasecurity/tfsec-pr-commenter-action@main
with:
github_token: ${{ github.token }}
working_directory: ''
tfsec_args: --concise-output --config-file=.tfsec.yml --custom-check-dir=.tfsec --force-all-dirs
|
I am seeing the same issue, If you fix this that would be awesome. |
What version of the tfsec-commenter-action are you guys using? Try forcing the use of the A similar error was described here. |
Thanks for the suggestion @saerosV, I had tried pinning to an older version but was getting the same behaviour.
In this case my tf is in a totally separate dir to the module, but as the resource is referencing the template in |
I did not test with that version but checked out the repo and debugged it myself, the problem is with the library you are using for commenting on the pr, as I wrote in the comment if you have multiple changed parts in the file library only checks for first hunk and ignores the other changes because of that return |
Having the same this issue here. Certainly was working on these files in my PR.
My actions file:
|
I am also having this issue on v1.3.1. My workflow:
I downgraded to v1.2.0 and still got this error. |
+1 |
I am also experiencing this issue, even when using the |
+1 |
+1 |
+1 |
1 similar comment
+1 |
similar issue here
|
Thank you so much. Its save me week |
* There is a bug in tfsec, where it finds vulnerabilities, but just outputs 'Ignoring - change not part of the current PR' - Even though it is. This is causing the check to pass, when it should fail. * Adding `working_directory: ''` is a suggested fix * aquasecurity/tfsec-pr-commenter-action#90 (comment)
* There is a bug in tfsec, where it finds vulnerabilities, but just outputs 'Ignoring - change not part of the current PR' - Even though it is. This is causing the check to pass, when it should fail. * Adding `working_directory: ''` fixes the issue * aquasecurity/tfsec-pr-commenter-action#90 (comment)
* There is a bug in tfsec, where it finds vulnerabilities, but just outputs 'Ignoring - change not part of the current PR' - Even though it is. This is causing the check to pass, when it should fail. * Adding `working_directory: ''` is a suggested fix * aquasecurity/tfsec-pr-commenter-action#90 (comment)
Also hitting this issue. A fix has been suggested on the commenter action that is used but has not yet been merged owenrumney/go-github-pr-commenter#14 |
The repository |
I have a workflow (below) that correctly parses my .tf files in a PR, but never actually comments on it. Already looked into permissions issues - no problem here. I have also cycle through various arguments to see if they would yield the result I wanted, but again I've had no luck.
I just get this output at the end of my run
I can see where this error is coming from, but I am not able to see what the exact issue with the results.json file is.
Action command output
Based on this, it looks like there is an issue with my PR and the results.json file syncing up
The text was updated successfully, but these errors were encountered: