[False positive] AVD-AWS-0010 in aws_cloudfront_distribution #8510

Closed
umbertix opened this issue Mar 7, 2025 · 1 comment
umbertix commented Mar 7, 2025

We are getting a false positive for an aws_cloudfront_distribution.

The code that is generating the error is:

resource "aws_cloudfront_distribution" "s3_distribution" {
  origin {
    domain_name              = aws_s3_bucket_website_configuration.www.website_endpoint
    origin_id                = aws_s3_bucket.www.bucket
    origin_access_control_id = aws_cloudfront_origin_access_control.www_.id
  }

  enabled             = true
  is_ipv6_enabled     = true
  default_root_object = "index.html"
  web_acl_id          = var.waf_id

  aliases = [var.domain_name]


  logging_config {
    include_cookies = false
    bucket          = aws_s3_bucket.www_logs.bucket
    prefix          = "cloudfront/"
  }

  custom_error_response {
    error_caching_min_ttl = 0
    error_code            = 404
    response_code         = 200
    response_page_path    = "/404.html"
  }

  custom_error_response {
    error_caching_min_ttl = 0
    error_code            = 401
    response_code         = 200
    response_page_path    = "/401.html"
  }

  default_cache_behavior {
    allowed_methods  = ["GET", "HEAD", "OPTIONS", "POST"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = aws_s3_bucket.www.bucket

    forwarded_values {
      query_string = false

      cookies {
        forward = "none"
      }
    }

    viewer_protocol_policy = "redirect-to-https"
    min_ttl                = 0
    default_ttl            = 3600
    max_ttl                = 86400
    compress               = true
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    acm_certificate_arn      = var.acm_certificate_arn
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2021"
  }
}

I have validated that the origin of the error is the file and line that is here represented.
Thanks for this great tool nevertheless.

github-actions bot commented Mar 7, 2025

github-actions bot closed this as not planned (won't fix, can't repro, duplicate, stale) on Mar 7, 2025