Trivy run twice when using `terraform trivy`

[esciara]

Describe the bug

When running terraform_trivy, trivy is run twice: a first time without taking into account .trivyignore, another time taking it into account

How can we reproduce it?

# .pre-commit-config.yaml

default_install_hook_types: [commit-msg, pre-commit, pre-push]
default_stages:
  - "pre-commit"
repos:
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: "v1.99.4"
    hooks:
      - id: terraform_trivy

# .trivyignore
AVD-GCP-0066

# examples/main.tf

resource "google_storage_bucket" "default" {
  name     = "cloudrun-service"
  location = "europe-west1"

  uniform_bucket_level_access = true
}

$ pre-commit run -a
Terraform validate with trivy............................................Failed
- hook id: terraform_trivy
- exit code: 1

2025-07-03T00:18:43+02:00       INFO    [misconfig] Misconfiguration scanning is enabled
2025-07-03T00:18:43+02:00       INFO    [misconfig] Misconfiguration scanning is enabled
2025-07-03T00:18:44+02:00       INFO    [terraform scanner] Scanning root module        file_path="."
2025-07-03T00:18:44+02:00       INFO    Detected config files   num=2

Report Summary

┌─────────┬───────────┬───────────────────┐
│ Target  │   Type    │ Misconfigurations │
├─────────┼───────────┼───────────────────┤
│ .       │ terraform │         0         │
├─────────┼───────────┼───────────────────┤
│ main.tf │ terraform │         1         │
└─────────┴───────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

AVD-GCP-0066 (LOW): Storage bucket encryption does not use a customer-managed key.
════════════════════════════════════════
Using unmanaged keys makes rotation and general management difficult.


See https://avd.aquasec.com/misconfig/avd-gcp-0066
────────────────────────────────────────
 main.tf:17-22
────────────────────────────────────────
  17 ┌ resource "google_storage_bucket" "default" {
  18 │   name     = "cloudrun-service"
  19 │   location = "europe-west1"
  20 │ 
  21 │   uniform_bucket_level_access = true
  22 └ }
────────────────────────────────────────



📣 Notices:
  - Version 0.64.0 of Trivy is now available, current version is 0.63.0

To suppress version checks, run Trivy scans with the --skip-version-check flag

2025-07-03T00:18:44+02:00       INFO    [terraform scanner] Scanning root module        file_path="examples"
2025-07-03T00:18:44+02:00       INFO    Detected config files   num=3

Report Summary

┌───────────────────┬────────────┬───────────────────┐
│      Target       │    Type    │ Misconfigurations │
├───────────────────┼────────────┼───────────────────┤
│ catalog-info.yaml │ kubernetes │         0         │
├───────────────────┼────────────┼───────────────────┤
│ examples          │ terraform  │         0         │
├───────────────────┼────────────┼───────────────────┤
│ examples/main.tf  │ terraform  │         0         │
└───────────────────┴────────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


📣 Notices:
  - Version 0.64.0 of Trivy is now available, current version is 0.63.0

To suppress version checks, run Trivy scans with the --skip-version-check flag

Environment information

• OS: MacOS

• uname -a and/or systeminfo | Select-String "^OS" output:

$ uname -a
Darwin XXXXXXXXX 24.5.0 Darwin Kernel Version 24.5.0: Tue Apr 22 19:54:49 PDT 2025; root:xnu-11417.121.6~2/RELEASE_ARM64_T6000 arm64 arm Darwin

• Tools availability and versions:

GNU bash, version 5.2.37(1)-release (aarch64-apple-darwin24.5.0)
pre-commit 4.2.0
bash: line 3: tofu: command not found
Terraform v1.12.2
Python 3.13.4
Python 3.13.4
checkov 3.2.443
infracost SKIPPED
terraform-docs version v0.20.0 darwin/arm64
terragrunt SKIPPED
terrascan SKIPPED
TFLint version 0.58.0
+ ruleset.google (0.34.0)
+ ruleset.opa (0.8.0)
+ ruleset.terraform (0.12.0-bundled)
tfsec v1.28.6
trivy Version: 0.63.0
Check Bundle:
  Digest: sha256:a471e90b7c7335e914ec9075b74cf8f65e4c91e6cecfa7e39c587382808d2684
  DownloadedAt: 2025-07-02 20:15:41.987305 +0000 UTC
tfupdate 0.9.1
hcledit SKIPPED

• .pre-commit-config.yaml:

(see above)

[MaxymVlasov]

1. Regarding failure - p.4 in https://github.com/antonbabenko/pre-commit-terraform#terraform_trivy

    - id: terraform_trivy
      args:
        - --args=--ignorefile=__GIT_WORKING_DIR__/.trivyignore

2. I can't reproduce 2 trivy runs during 1 hook execution which you're reported, so please provide minimum reproducible repository, or/and post full result of PCT_LOG=trace pre-commit run -a here.

[esciara]

I found why. Add the following file at the root of the project :

# variables.tf

variable "foo" {
  type        = string
}

result of PCT_LOG=trace pre-commit run -a in https://gist.github.com/esciara/9f11702e3bce3c893a9838791671a3a5 .

If still not reproducing I will create a full repo.

[esciara]

Beware, the main.tf file is in a directory (examples/).

[MaxymVlasov]

Aha, I see https://github.com/pre-commit-terraform/GH-908-repoduce

So it's execute per_dir_hook_unique_part function, even when it's run on whole repo. Interesting

I still can't reproduce it with .trivyignore, but w/o it I get both, as trivy runs recursively, and for some reason it executes per_dir_hook_unique_part not run_hook_on_whole_repo

Something offset with

pre-commit-terraform/hooks/_common.sh

Lines 154 to 189 in 6c84595

	#######################################################################
	# This is a workaround to improve performance when all files are passed
	# See: https://github.com/antonbabenko/pre-commit-terraform/issues/309
	# Arguments:
	# hook_id (string) hook ID, see `- id` for details in .pre-commit-hooks.yaml file
	# files (array) filenames to check
	# Outputs:
	# Return 0 if `-a|--all` arg was passed to `pre-commit`
	#######################################################################
	function common::is_hook_run_on_whole_repo {
	local -r hook_id="$1"
	shift
	local -a -r files=("$@")
	# get directory containing `.pre-commit-hooks.yaml` file
	local -r root_config_dir="$(dirname "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)")"
	# get included and excluded files from .pre-commit-hooks.yaml file
	local -r hook_config_block=$(sed -n "/^- id: $hook_id$/,/^$/p" "$root_config_dir/.pre-commit-hooks.yaml")
	local -r included_files=$(awk '$1 == "files:" {print $2; exit}' <<< "$hook_config_block")
	local -r excluded_files=$(awk '$1 == "exclude:" {print $2; exit}' <<< "$hook_config_block")
	# sorted string with the files passed to the hook by pre-commit
	local -r files_to_check=$(printf '%s\n' "${files[@]}" | sort | tr '\n' ' ')
	# git ls-files sorted string
	local all_files_that_can_be_checked
	if [ -z "$excluded_files" ]; then
	all_files_that_can_be_checked=$(git ls-files | sort | grep -e "$included_files" | tr '\n' ' ')
	else
	all_files_that_can_be_checked=$(git ls-files | sort | grep -e "$included_files" | grep -v -e "$excluded_files" | tr '\n' ' ')
	fi
	if [ "$files_to_check" == "$all_files_that_can_be_checked" ]; then
	return 0
	else
	return 1
	fi
	}

or (which is mostly impossible) with:

pre-commit-terraform/.pre-commit-hooks.yaml

Line 126 in 6c84595

files: \.(tf|tofu|tfvars)$

Need to check.

[MaxymVlasov]

Try next, it should fix it:

repos:
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: bafa6635606e8f6f5bd81fe99a391a2b12245768
    hooks:
      - id: terraform_trivy