feat(cli): add --tf-exclude-downloaded-modules flag (#4810)

* feat(cli): add --tf-exclude-downloaded-modules flag

* fix typo

* generate docs
Nikita Pivkin
2023-07-16 11:56:03 +03:00
committed by GitHub
parent fd0fd104f8
commit 3c7d988d71
13 changed files with 184 additions and 151 deletions


@@ -94,6 +94,7 @@ trivy aws [flags]
--skip-policy-update skip fetching rego policy updates
--skip-service strings Skip selected AWS Service(s) specified with this flag. Can specify multiple services using --skip-service A --skip-service B etc.
-t, --template string output template
--tf-exclude-downloaded-modules remove results for downloaded modules in .terraform folder
--tf-vars strings specify paths to override the Terraform tfvars files
--trace enable more verbose trace output for custom queries
--update-cache Update the cache for the applicable cloud provider instead of using cached results.


@@ -43,6 +43,7 @@ trivy config [flags] DIR
--skip-files strings specify the file paths to skip traversal
--skip-policy-update skip fetching rego policy updates
-t, --template string output template
--tf-exclude-downloaded-modules remove results for downloaded modules in .terraform folder
--tf-vars strings specify paths to override the Terraform tfvars files
--trace enable more verbose trace output for custom queries
--username strings username. Comma-separated usernames allowed.


@@ -76,6 +76,7 @@ trivy filesystem [flags] PATH
--skip-policy-update skip fetching rego policy updates
--slow scan over time with lower CPU and memory utilization
-t, --template string output template
--tf-exclude-downloaded-modules remove results for downloaded modules in .terraform folder
--tf-vars strings specify paths to override the Terraform tfvars files
--token string for authentication in client/server mode
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")


@@ -97,6 +97,7 @@ trivy image [flags] IMAGE_NAME
--skip-policy-update skip fetching rego policy updates
--slow scan over time with lower CPU and memory utilization
-t, --template string output template
--tf-exclude-downloaded-modules remove results for downloaded modules in .terraform folder
--tf-vars strings specify paths to override the Terraform tfvars files
--token string for authentication in client/server mode
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")


@@ -86,6 +86,7 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg:
--skip-policy-update skip fetching rego policy updates
--slow scan over time with lower CPU and memory utilization
-t, --template string output template
--tf-exclude-downloaded-modules remove results for downloaded modules in .terraform folder
--tf-vars strings specify paths to override the Terraform tfvars files
--tolerations strings specify node-collector job tolerations (example: key1=value1:NoExecute,key2=value2:NoSchedule)
--trace enable more verbose trace output for custom queries


@@ -73,6 +73,7 @@ trivy repository [flags] REPO_URL
--slow scan over time with lower CPU and memory utilization
--tag string pass the tag name to be scanned
-t, --template string output template
--tf-exclude-downloaded-modules remove results for downloaded modules in .terraform folder
--tf-vars strings specify paths to override the Terraform tfvars files
--token string for authentication in client/server mode
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")


@@ -77,6 +77,7 @@ trivy rootfs [flags] ROOTDIR
--skip-policy-update skip fetching rego policy updates
--slow scan over time with lower CPU and memory utilization
-t, --template string output template
--tf-exclude-downloaded-modules remove results for downloaded modules in .terraform folder
--tf-vars strings specify paths to override the Terraform tfvars files
--token string for authentication in client/server mode
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")


@@ -68,6 +68,7 @@ trivy vm [flags] VM_IMAGE
--skip-java-db-update skip updating Java index database
--slow scan over time with lower CPU and memory utilization
-t, --template string output template
--tf-exclude-downloaded-modules remove results for downloaded modules in .terraform folder
--tf-vars strings specify paths to override the Terraform tfvars files
--token string for authentication in client/server mode
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")


@@ -292,6 +292,11 @@ misconfiguration:
vars:
- dev-terraform.tfvars
- common-terraform.tfvars
# Same as '--tf-exclude-downloaded-modules'
# Default is false
terraform:
exclude-downloaded-modules: false
```
## Kubernetes Options


@@ -356,6 +356,12 @@ You can pass `tf-vars` files to Trivy to override default values found in the Te
trivy conf --tf-vars dev.terraform.tfvars ./infrastructure/tf
```
### Exclude downloaded Terraform modules
You can remove results for downloaded modules in `.terraform` folder.
```bash
trivy conf --tf-exclude-downloaded-modules ./configs
```
### Helm value overrides
There are a number of options for overriding values in Helm charts. When override values are passed to the Helm scanner, the values will be used during the Manifest rendering process and will become part of the scanned artifact.


@@ -587,6 +587,7 @@ func initScannerConfig(opts flag.Options, cacheClient cache.Cache) (ScannerConfi
TerraformTFVars: opts.TerraformTFVars,
K8sVersion: opts.K8sVersion,
DisableEmbeddedPolicies: disableEmbedded,
TfExcludeDownloaded: opts.TfExcludeDownloaded,
}
}
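Review bot: The new field is spelled `TfExcludeDownloaded` while its sibling two lines up is `TerraformTFVars` and the flag-group field that feeds it is `TerraformExcludeDownloaded`, so one option now carries two prefixes across `ScannerConfig` here, `MisconfOptions` in the flag section below, and `ScannerOption` in the last section. Settling on one spelling before the field is referenced elsewhere avoids a rename later; `TerraformExcludeDownloaded` matches the existing `Terraform*` fields, giving `TerraformExcludeDownloaded: opts.TerraformExcludeDownloaded,` here. initScannerConfig begins outside the hunk, so this assignment is the only part of it under review.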


@@ -49,6 +49,12 @@ var (
Value: []string{},
Usage: "specify paths to override the Terraform tfvars files",
}
TerraformExcludeDownloaded = Flag{
Name: "tf-exclude-downloaded-modules",
ConfigName: "misconfiguration.terraform.exclude-downloaded-modules",
Value: false,
Usage: "remove results for downloaded modules in .terraform folder",
}
)
// MisconfFlagGroup composes common printer flag structs used for commands providing misconfinguration scanning.
@@ -62,6 +68,7 @@ type MisconfFlagGroup struct {
HelmFileValues *Flag
HelmStringValues *Flag
TerraformTFVars *Flag
TerraformExcludeDownloaded *Flag
}
type MisconfOptions struct {
@@ -74,6 +81,7 @@ type MisconfOptions struct {
HelmFileValues []string
HelmStringValues []string
TerraformTFVars []string
TfExcludeDownloaded bool
}
func NewMisconfFlagGroup() *MisconfFlagGroup {
@@ -85,6 +93,7 @@ func NewMisconfFlagGroup() *MisconfFlagGroup {
HelmStringValues: &HelmSetStringFlag,
HelmValueFiles: &HelmValuesFileFlag,
TerraformTFVars: &TfVarsFlag,
TerraformExcludeDownloaded: &TerraformExcludeDownloaded,
}
}
@@ -101,6 +110,7 @@ func (f *MisconfFlagGroup) Flags() []*Flag {
f.HelmFileValues,
f.HelmStringValues,
f.TerraformTFVars,
f.TerraformExcludeDownloaded,
}
}
@@ -113,5 +123,6 @@ func (f *MisconfFlagGroup) ToOptions() (MisconfOptions, error) {
HelmFileValues: getStringSlice(f.HelmFileValues),
HelmStringValues: getStringSlice(f.HelmStringValues),
TerraformTFVars: getStringSlice(f.TerraformTFVars),
TfExcludeDownloaded: getBool(f.TerraformExcludeDownloaded),
}, nil
}
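Review bot: The package-level flag variable `TerraformExcludeDownloaded` does not follow the `*Flag` suffix its siblings use in `NewMisconfFlagGroup` (`HelmSetStringFlag`, `HelmValuesFileFlag`, `TfVarsFlag`), and it has exactly the same name as the `MisconfFlagGroup` field that points to it, so `TerraformExcludeDownloaded: &TerraformExcludeDownloaded,` reads like a self-reference. Renaming the variable keeps the group consistent: `TerraformExcludeDownloadedFlag = Flag{` and `TerraformExcludeDownloaded: &TerraformExcludeDownloadedFlag,`. The flag also has no doc comment saying what is dropped; since modules fetched into `.terraform` are still part of the configuration Terraform applies, a line such as `// TerraformExcludeDownloadedFlag drops findings for modules fetched into .terraform; off by default so those modules are still reported.` makes the trade-off explicit to whoever enables it. If the tf-vars flag's ConfigName already sits under `misconfiguration.terraform` (not visible in this hunk), the config example added in this commit should merge both keys into a single `terraform:` mapping rather than opening a second one.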


@@ -55,6 +55,7 @@ type ScannerOption struct {
HelmFileValues []string
HelmStringValues []string
TerraformTFVars []string
TfExcludeDownloaded bool
K8sVersion string
}
@@ -262,6 +263,7 @@ func addTFOpts(opts []options.ScannerOption, scannerOption ScannerOption) []opti
}
opts = append(opts, tfscanner.ScannerWithAllDirectories(true))
opts = append(opts, tfscanner.ScannerWithSkipDownloaded(scannerOption.TfExcludeDownloaded))
return opts
}
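Review bot: `tfscanner.ScannerWithSkipDownloaded(scannerOption.TfExcludeDownloaded)` is appended on every call and the new `TfExcludeDownloaded` field in `ScannerOption` carries no comment, so a reader of this struct cannot tell whether the option skips `.terraform` modules during scanning (as the `SkipDownloaded` name suggests) or removes their findings afterwards (as the flag usage "remove results" says), which matters to anyone relying on the scan to cover module code. Please pin the intended semantics on the field, e.g. `// TfExcludeDownloaded omits findings for modules fetched into .terraform (passed to tfscanner.ScannerWithSkipDownloaded); false by default.`, adjusted to whichever behaviour the scanner actually implements. addTFOpts starts outside the hunk; the earlier option appends are not visible here.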