Empty artifactLocation in SARIF file for AVD-AZU-0013 misconfiguration check (GitHub's upload-sarif job errors) #7905
Replies: 3 comments 7 replies
-
Hello @PhilipAtCisco This is related with empty ➜ trivy -q fs --scanners misconfig . -f json | grep Target
"Target": "",
"Target": ".",
"Target": "t.tf",
➜ trivy -q fs --scanners misconfig ./t.tf -f json | grep Target
"Target": "",
"Target": ".",
"Target": "t.tf", @nikpivkin can you take a look? |
Beta Was this translation helpful? Give feedback.
-
@nikpivkin @DmitriyLewen Thanks so much for looking into the report and determining it will be fixed soon, really appreciate it! I found the issue by scanning https://github.com/bridgecrewio/terragoat/blob/master/terraform/azure/key_vault.tf by the way, and didn't see any other checks triggered by terragoat impacted by the bug. |
Beta Was this translation helpful? Give feedback.
-
Hey Folks, I've experience the same error with rules:
|
Beta Was this translation helpful? Give feedback.
-
Description
The AVD-AZU-0013 misconfiguration check when it fires results in an empty artifactLocation uri when Trivy is configured to output SARIF.
GitHub's upload-sarif@v3 action outputs this fatal error when it finds an empty artifact location, and no vulnerability findings are surfaced from the file.
Here's a snippit of the SARIF output (see steps to reproduce below)
Desired Behavior
Populate the file location for the artifactLocation in the SARIF
Actual Behavior
The SARIF doesn't contain the artifactLocation
Reproduction Steps
...
Operating System
macOS Sonoma 14.7
Version
Checklist
trivy clean --all
Beta Was this translation helpful? Give feedback.
All reactions