Following official Google documentation does cause false positives in trivy config scan. #9716
ervin-pactum
started this conversation in
False Detection
Replies: 1 comment
Maybe an easier-to-read example:
trivy-demo % cat os_config.tf; trivy fs --scanners=misconfig os_config.tf
resource "google_compute_project_metadata" "default" {
  metadata = {
    enable-oslogin = "TRUE"
  }
}
2025-10-27T12:53:09+02:00 INFO [misconfig] Misconfiguration scanning is enabled
2025-10-27T12:53:09+02:00 INFO [terraform scanner] Scanning root module file_path="."
2025-10-27T12:53:09+02:00 INFO Number of language-specific files num=0
2025-10-27T12:53:09+02:00 INFO Detected config files num=2
Report Summary
┌──────────────┬───────────┬───────────────────┐
│ Target │ Type │ Misconfigurations │
├──────────────┼───────────┼───────────────────┤
│ . │ terraform │ 0 │
├──────────────┼───────────┼───────────────────┤
│ os_config.tf │ terraform │ 1 │
└──────────────┴───────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
os_config.tf (terraform)
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
AVD-GCP-0042 (MEDIUM): OS Login is disabled at project level.
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
OS Login automatically revokes the relevant SSH keys when an IAM user has their access revoked.
See https://avd.aquasec.com/misconfig/avd-gcp-0042
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
os_config.tf:1-5
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 ┌ resource "google_compute_project_metadata" "default" {
2 │ metadata = {
3 │ enable-oslogin = "TRUE"
4 │ }
5 └ }
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
IDs
AVD-GCP-0030, AVD-GCP-0042
Description
[AVD-GCP-0030] google: Disable project-wide SSH keys for all instances
and
[AVD-GCP-0042] google: OS Login should be enabled at project level
are detected in snippets that are copied over from Google's official documentation, because trivy expects inline boolean values (true or false): iacTypes.BoolExplicit(val.True(), for os-login and ssh-keys.
Official Google documentation:
https://cloud.google.com/compute/docs/connect/restrict-ssh-keys#gcloud_3
https://cloud.google.com/compute/docs/samples/compute-project-for-oslogin-example
Reproduction Steps
Target
Filesystem
Scanner
Misconfiguration
Target OS
No response
Debug Output
(not applicable, we can see code in repository causing failure)
Version
Checklist
- Run with -f json that shows data sources and confirmed that the security advisory in data sources was correct
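The mismatch the report describes, as an added illustration that is not code from trivy, trivy-checks or the Google documentation: a type-strict evaluator that honours only an unquoted HCL boolean (the behaviour reported above) is placed beside a string-based evaluator that treats the value the way the GCE metadata server does, where every metadata value is a string and "TRUE" is the documented spelling. The resource-type/key/check-ID mapping, the case-insensitive comparison, the `metadata_resource` helper and the sample inputs are this example's own assumptions and constructions; the extractor is a small regex over constructed samples, not an HCL parser.

```python
"""Added example for the discussion above (not code from trivy, trivy-checks
or the Google docs): contrast a type-strict reading of a GCE metadata flag,
which honours only an unquoted HCL boolean, with a string reading that
matches the metadata server, where every value is a string and "TRUE" is
the documented spelling."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Resource type and metadata key each check reads.  This mapping is the
# example's own reading of trivy-checks, not something the page states.
CHECKS = [
    ("google_compute_project_metadata", "enable-oslogin", "AVD-GCP-0042"),
    ("google_compute_instance", "block-project-ssh-keys", "AVD-GCP-0030"),
]

# Deliberately small extractor for constructed samples, not an HCL parser:
# a resource ends at the first closing brace in column 0, and only
# `key = "string"` / `key = true|false` lines are collected.
_RESOURCE = re.compile(
    r'^resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)^\}',
    re.S | re.M,
)
_ENTRY = re.compile(
    r'^\s*(?P<key>[\w-]+)\s*=\s*(?:"(?P<str>[^"]*)"|(?P<bare>true|false))\s*$',
    re.M,
)


@dataclass(frozen=True)
class Setting:
    raw: str            # value text as written, quotes removed
    literal_bool: bool  # True when written as an unquoted true/false


def parse_metadata(hcl: str) -> dict[tuple[str, str], dict[str, Setting]]:
    """Map (resource type, name) to the key/value lines inside that block."""
    resources: dict[tuple[str, str], dict[str, Setting]] = {}
    for r in _RESOURCE.finditer(hcl):
        entries: dict[str, Setting] = {}
        for e in _ENTRY.finditer(r.group("body")):
            bare = e.group("bare")
            entries[e.group("key")] = (
                Setting(bare, True) if bare is not None else Setting(e.group("str"), False)
            )
        resources[(r.group("type"), r.group("name"))] = entries
    return resources


def strict_on(s: Setting | None) -> bool:
    """Type-strict reading: only the HCL literal `true` counts as enabled."""
    return s is not None and s.literal_bool and s.raw == "true"


def metadata_on(s: Setting | None) -> bool:
    """String reading: the provider sends an HCL bool as "true" and the docs
    write "TRUE".  Case-insensitive matching is this example's assumption
    about how the metadata server compares the value."""
    return s is not None and s.raw.strip().lower() == "true"


def findings(hcl: str, on) -> list[str]:
    """Check IDs that fail under evaluator `on` for every resource in `hcl`."""
    failed = []
    for (rtype, _), entries in parse_metadata(hcl).items():
        for ctype, key, check_id in CHECKS:
            if rtype == ctype and not on(entries.get(key)):
                failed.append(check_id)
    return failed


def metadata_resource(rtype: str, key: str, value: str) -> str:
    """Constructed HCL: one resource carrying a single metadata entry (other
    required arguments are omitted because only metadata is inspected)."""
    return (f'resource "{rtype}" "example" {{\n'
            f'  metadata = {{\n    {key} = {value}\n  }}\n}}\n')


# Constructed inputs: the docs-style quoted "TRUE", the same flag as an HCL
# boolean, an explicit opt-out, and the instance-level key in docs style.
SAMPLES = {
    "docs project":  metadata_resource("google_compute_project_metadata", "enable-oslogin", '"TRUE"'),
    "bool project":  metadata_resource("google_compute_project_metadata", "enable-oslogin", "true"),
    "off project":   metadata_resource("google_compute_project_metadata", "enable-oslogin", '"FALSE"'),
    "docs instance": metadata_resource("google_compute_instance", "block-project-ssh-keys", '"TRUE"'),
}

if __name__ == "__main__":
    for label, hcl in SAMPLES.items():
        print(f"{label:14} strict={findings(hcl, strict_on)} metadata={findings(hcl, metadata_on)}")
```

Run as-is, the strict evaluator reports AVD-GCP-0042 for the docs-style project sample and AVD-GCP-0030 for the docs-style instance sample while passing the HCL-boolean form, which is exactly the false positive the report describes; the string evaluator passes both docs-style samples and still flags the explicit "FALSE" opt-out, so a check that normalises the string value loses no real finding.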