False positive for AZU-0012 if deny set on azurerm_storage_account_network_rules instead of azurerm_storage_account

[ricohomewood]

IDs

AVD-AZU-0012

Description

We set a default_action = "Deny" on a azurerm_storage_account_network_rules resource for the storage account not on the actual azurerm_storage_account resource. However, trivy seems to ignore this fact and falsely assume we have not set it at all as it scans the azurerm_storage_account but not understanding this is set on the azurerm_storage_account_network_rules.

Reproduction Steps

1. Create a azurerm_storage_account with the following properties set:

resource "azurerm_storage_account" "function_storage" {

  name                            = "asdasdasdasdasd"
  resource_group_name             = "some-rg"
  location                        = "westeurope"
  account_kind                    = "StorageV2"
  account_tier                    = "Standard"
  account_replication_type        = "ZRS"
  allow_nested_items_to_be_public = false
  shared_access_key_enabled       = false
  default_to_oauth_authentication = true
  https_traffic_only_enabled      = true
  min_tls_version                 = "TLS1_2"
  public_network_access_enabled   = true
}

2. Configure network rules via azurerm_storage_account_network_rules, for example:

resource "azurerm_storage_account_network_rules" "function_storage" {

  storage_account_id = azurerm_storage_account.function_storage.id

  default_action = "Deny"
  bypass                     = ["AzureServices"]
}

3. Run a trivy scan using latest checks bundle and AZU-0012 gets flagged on the azurerm_storage_account resource, which it shouldn't becuse it should detects its set via the azurerm_storage_account_network_rules resource for that storage account:
   trivy config . --checks-bundle-repository mirror.gcr.io/aquasec/trivy-checks:2.1.1
   ...

Target

Filesystem

Scanner

Misconfiguration

Target OS

No response

Debug Output

2026-02-02T11:13:47Z    DEBUG   No plugins loaded
2026-02-02T11:13:47Z    DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2026-02-02T11:13:47Z    DEBUG   Cache dir       dir="C:\\Users\\richardh\\AppData\\Local\\trivy"
2026-02-02T11:13:47Z    DEBUG   Cache dir       dir="C:\\Users\\richardh\\AppData\\Local\\trivy"
2026-02-02T11:13:47Z    DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2026-02-02T11:13:47Z    INFO    [misconfig] Misconfiguration scanning is enabled
2026-02-02T11:13:47Z    DEBUG   [notification] Running version check
2026-02-02T11:13:47Z    INFO    [checks-client] Using existing checks from cache        path="C:\\Users\\richardh\\AppData\\Local\\trivy\\policy\\content"
2026-02-02T11:13:47Z    DEBUG   [misconfig] Checks successfully loaded from disk
2026-02-02T11:13:47Z    DEBUG   [notification] Version check completed  latest_version="0.69.0"
2026-02-02T11:13:47Z    DEBUG   [rego] Overriding filesystem for checks
2026-02-02T11:13:47Z    DEBUG   [rego] Embedded libraries are loaded    count=17
2026-02-02T11:13:47Z    DEBUG   [rego] Embedded checks are loaded       count=563
2026-02-02T11:13:47Z    DEBUG   [rego] Checks from disk are loaded      count=580
2026-02-02T11:13:47Z    DEBUG   [rego] Overriding filesystem for data
2026-02-02T11:13:47Z    DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot ansible]
2026-02-02T11:13:47Z    DEBUG   Initializing scan cache...      type="memory"
2026-02-02T11:13:47Z    DEBUG   [fs] Analyzing...       root="."
2026-02-02T11:13:47Z    DEBUG   Created process-specific temp directory path="C:\\Users\\richardh\\AppData\\Local\\Temp\\trivy-17740"
2026-02-02T11:13:47Z    DEBUG   [misconfig] Scanning files for misconfigurations...     scanner="Ansible"
2026-02-02T11:13:47Z    DEBUG   [misconfig] Scanning files for misconfigurations...     scanner="Terraform"
2026-02-02T11:13:47Z    DEBUG   [terraform scanner] Scanning directory  file_path="."
2026-02-02T11:13:47Z    DEBUG   [terraform parser] Setting project/module root  module="root" file_path="."
2026-02-02T11:13:47Z    DEBUG   [terraform parser] Parsing FS   module="root" file_path="."
2026-02-02T11:13:47Z    DEBUG   [terraform parser] Parsing      module="root" file_path="main.tf"
2026-02-02T11:13:47Z    DEBUG   [terraform parser] Added file   module="root" file_path="main.tf"
2026-02-02T11:13:47Z    INFO    [terraform scanner] Scanning root module        file_path="."
2026-02-02T11:13:47Z    DEBUG   [terraform parser] Setting project/module root  module="root" file_path="."
2026-02-02T11:13:47Z    DEBUG   [terraform parser] Parsing FS   module="root" file_path="."
2026-02-02T11:13:47Z    DEBUG   [terraform parser] Parsing      module="root" file_path="main.tf"
2026-02-02T11:13:47Z    DEBUG   [terraform parser] Added file   module="root" file_path="main.tf"
2026-02-02T11:13:47Z    DEBUG   [terraform parser] Loading module       module="root" module="root"
2026-02-02T11:13:47Z    DEBUG   [terraform parser] Read block(s) and ignore(s)  module="root" blocks=4 ignores=0
2026-02-02T11:13:47Z    DEBUG   [terraform parser] Added input variables from tfvars    module="root" count=0
2026-02-02T11:13:47Z    DEBUG   [terraform parser] Working directory for module evaluation      module="root" file_path="C:\\training\\Terraform\\test"
2026-02-02T11:13:47Z    DEBUG   [terraform evaluator] Starting module evaluation...     module="root" path="."
2026-02-02T11:13:47Z    DEBUG   [terraform evaluator] Starting iteration        module="root" iteration=0
2026-02-02T11:13:47Z    DEBUG   [terraform evaluator] Starting iteration        module="root" iteration=1
2026-02-02T11:13:47Z    DEBUG   [terraform evaluator] Starting iteration        module="root" iteration=2
2026-02-02T11:13:47Z    DEBUG   [terraform evaluator] Context unchanged module="root" iteration=2
2026-02-02T11:13:47Z    DEBUG   [terraform evaluator] Starting post-submodules evaluation...    module="root"
2026-02-02T11:13:47Z    DEBUG   [terraform evaluator] Starting iteration        module="root" iteration=0
2026-02-02T11:13:47Z    DEBUG   [terraform evaluator] Starting iteration        module="root" iteration=1
2026-02-02T11:13:47Z    DEBUG   [terraform evaluator] Context unchanged module="root" iteration=1
2026-02-02T11:13:47Z    DEBUG   [terraform evaluator] Module evaluation complete.       module="root"
2026-02-02T11:13:47Z    DEBUG   [terraform parser] Finished parsing module      module="root"
2026-02-02T11:13:47Z    DEBUG   [terraform executor] Adapting modules...
2026-02-02T11:13:47Z    DEBUG   [terraform executor] Adapted module(s) into state data. count=1
2026-02-02T11:13:47Z    DEBUG   [terraform executor] Scan state data
2026-02-02T11:13:47Z    DEBUG   [rego] Scanning inputs  count=1
2026-02-02T11:13:47Z    DEBUG   [terraform executor] Finished applying checks
2026-02-02T11:13:47Z    DEBUG   [terraform executor] Applying ignores...
2026-02-02T11:13:47Z    DEBUG   [terraform executor] No matching block attribute found  cause_range="main.tf:25"
2026-02-02T11:13:47Z    DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:18-32"
2026-02-02T11:13:47Z    DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:18-32"
2026-02-02T11:13:47Z    DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:18-32"
2026-02-02T11:13:47Z    DEBUG   OS is not detected.
2026-02-02T11:13:47Z    INFO    Detected config files   num=2
2026-02-02T11:13:47Z    DEBUG   Scanned config file     file_path="."
2026-02-02T11:13:47Z    DEBUG   Scanned config file     file_path="main.tf"
2026-02-02T11:13:47Z    DEBUG   Specified ignore file does not exist    file=".trivyignore"
2026-02-02T11:13:47Z    DEBUG   [vex] VEX filtering is disabled

Version

Version: 0.69.0

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[nikpivkin]

Hi @ricohomewood !

Thanks for the report. Track #10160