
Conversation


@nikpivkin nikpivkin commented Oct 15, 2025

Description

This PR introduces a stable fingerprint mechanism for findings (misconfigurations) to ensure reliable suppression across scans.

Fingerprint

Each fingerprint consists of:

  • Hash – computed SHA256 hash of the FindingID.
  • FindingID – a stable identifier constructed from the file path, rule ID, and logical cause path.

Example:

"Fingerprint": {
  "Hash": "sha256:c3ca436d9e2078883c2f66252f46eb1ecb64a0b239a631f24da7537b238f83dd",
  "FindingID": "main.tf@[email protected]_security_group.example.egress[0/1].cidr_blocks"
}

FindingID

The FindingID is constructed as:

[filePath]@[CheckID]@[CausePath]
  • filePath – path to the file (CloudFormation, Terraform, Dockerfile, etc.)

  • CheckID – check identifier

  • CausePath – logical path from the top-level resource/block down to the attribute or sub-block that triggered the finding

This ensures each finding is uniquely identified within a file and rule.

Stability and Behavior

  • Stable across structural changes:
    Moving, adding, or removing child blocks or attributes does not change the fingerprint. This ensures that suppression remains valid even if the structure is modified or new blocks/attributes are added.

  • Disambiguation of repeated blocks:
    For blocks of the same type (e.g., multiple egress blocks in Terraform), each block is assigned a stable index based on its order of appearance and the total count of blocks of that type.
    This allows distinguishing between repeated blocks while keeping fingerprints consistent when unrelated parts of the configuration change.
    Example:

     resource "aws_security_group" "example" {
       egress {
         from_port   = 80
         to_port     = 80
         protocol    = "tcp"
         cidr_blocks = ["0.0.0.0/0"]
       }
     
       egress {
         from_port   = 443
         to_port     = 443
         protocol    = "tcp"
         cidr_blocks = ["0.0.0.0/0"]
       }
     }

    In this case, there are two egress blocks. Each one gets a unique FindingID derived from:

    • the resource path (aws_security_group.example)
    • the block type (egress)
    • its index (e.g., 0 and 1)
    • and the total count of such blocks (2 in this case).

    If one of the blocks is removed or a new one is added, the total count changes, which means the FindingID for the remaining blocks will also change.

  • Limitation:
    If blocks of the same type are swapped, the fingerprint remains the same. This may be a limitation in rare cases where positional uniqueness is important.

Related issues

  • Close #XXX

Related PRs:

TODO:

  • dockerfile
  • arm
  • helm
  • k8s
  • tf
  • cf
  • check that tf blocks are always stored in the order they appear in the file for determinism

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).
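As an added illustration (not code from this PR or from Trivy itself), the following Go program builds the `[filePath]@[CheckID]@[CausePath]` identifier described above and derives the `sha256:`-prefixed hash from it; the check ID is a placeholder, and the way the sibling index and count are packed into the bracket suffix (`[index/count]`) is an assumption, since the page's own sample shows `[0/1]` without defining the encoding.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Fingerprint mirrors the two fields shown in the PR description.
type Fingerprint struct {
	Hash      string
	FindingID string
}

// CauseSegment is one step on the logical path from the top-level block down
// to the attribute that triggered the finding. Blocks repeated under the same
// parent carry their order of appearance and the total number of siblings.
type CauseSegment struct {
	Name  string
	Index int // 0-based position among same-typed siblings
	Count int // total siblings of that type; <=1 means no disambiguation
}

// String renders a segment; assumed encoding is name[index/count].
func (s CauseSegment) String() string {
	if s.Count > 1 {
		return fmt.Sprintf("%s[%d/%d]", s.Name, s.Index, s.Count)
	}
	return s.Name
}

// CausePath joins the segments with '.', e.g. aws_security_group.example.egress[1/2].cidr_blocks
func CausePath(segs []CauseSegment) string {
	parts := make([]string, len(segs))
	for i, s := range segs {
		parts[i] = s.String()
	}
	return strings.Join(parts, ".")
}

// FindingID builds [filePath]@[CheckID]@[CausePath].
func FindingID(filePath, checkID string, segs []CauseSegment) string {
	return filePath + "@" + checkID + "@" + CausePath(segs)
}

// NewFingerprint hashes the FindingID with SHA-256 and prefixes the algorithm name.
func NewFingerprint(filePath, checkID string, segs []CauseSegment) Fingerprint {
	id := FindingID(filePath, checkID, segs)
	sum := sha256.Sum256([]byte(id))
	return Fingerprint{Hash: "sha256:" + hex.EncodeToString(sum[:]), FindingID: id}
}

func main() {
	// Constructed sample: the two egress blocks from the PR description.
	for i := 0; i < 2; i++ {
		fp := NewFingerprint("main.tf", "CHECK-ID-PLACEHOLDER", []CauseSegment{
			{Name: "aws_security_group.example"},
			{Name: "egress", Index: i, Count: 2},
			{Name: "cidr_blocks"},
		})
		fmt.Println(fp.FindingID, fp.Hash)
	}
}
```

Because the count is part of the path, a suppression keyed on the hash survives edits to unrelated attributes but is invalidated when an egress block is added or removed, exactly the trade-off the description spells out.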

@github-actions github-actions bot added the apidiff Indicates Go API changes relevant to library consumers (CLI compatibility may be unaffected) label Oct 15, 2025

github-actions bot commented Oct 15, 2025

📊 API Changes Detected

Semver impact: major

github.com/aquasecurity/trivy/pkg/commands/cloud
  Incompatible changes:
  - CheckTrivyCloudStatus: removed
  - EditConfig: removed
  - GroupCloud: removed
  - Login: removed
  - Logout: removed
  - ShowConfig: removed

github.com/aquasecurity/trivy/pkg/commands
  Incompatible changes:
  - NewCloudCommand: removed
  - NewLoginCommand: removed
  - NewLogoutCommand: removed

github.com/aquasecurity/trivy/pkg/log
  Incompatible changes:
  - PrefixCloud: removed

github.com/aquasecurity/trivy/pkg/scan/local
  Compatible changes:
  - FingerprintAlgorithm: added
  - FingerprintVersion: added

github.com/aquasecurity/trivy/pkg/cloud/hooks
  Incompatible changes:
  - CloudPlatformResultsHook: removed
  - NewResultsHook: removed

github.com/aquasecurity/trivy/pkg/sbom/core
  Incompatible changes:
  - PropertyArch: removed
  - PropertyContentSet: removed
  - PropertyNVR: removed

github.com/aquasecurity/trivy/pkg/flag
  Incompatible changes:
  - CloudApiUrlFlag: removed
  - CloudFlagGroup: removed
  - CloudLoginCredentials: removed
  - CloudOptions: removed
  - CloudTokenFlag: removed
  - CloudTrivyServerUrlFlag: removed
  - NewCloudFlagGroup: removed
  - Options.ApiUrl: removed
  - Options.CloudOptions: removed
  - Options.LoginCredentials: removed
  - Options.TrivyServerUrl: removed

github.com/aquasecurity/trivy/pkg/cloud
  Incompatible changes:
  - Clear: removed
  - Config: removed
  - DefaultApiUrl: removed
  - DefaultTrivyServerUrl: removed
  - Load: removed
  - OpenConfigForEditing: removed
  - ServiceName: removed
  - ShowConfig: removed
  - TokenKey: removed

github.com/aquasecurity/trivy/pkg/iac/types
  Compatible changes:
  - Range.Match: added

github.com/aquasecurity/trivy/pkg/fanal/types
  Compatible changes:
  - MisconfResult.FindingID: added

github.com/aquasecurity/trivy/pkg/iac/scanners/cloudformation/parser
  Compatible changes:
  - (*Resource).Properties: added

github.com/aquasecurity/trivy/pkg/types
  Incompatible changes:
  - Report.ReportID: removed
  Compatible changes:
  - DetectedMisconfiguration.Fingerprint: added
  - Fingerprint: added

github.com/aquasecurity/trivy/pkg/iac/scan
  Compatible changes:
  - (*Result).WithCausePath: added
  - FlatResult.CausePath: added

@aqua-bot aqua-bot requested a review from a team October 15, 2025 13:25
@nikpivkin nikpivkin changed the title feat(misconf): add fingerpint support for findings feat(misconf): add fingerprint support for findings Oct 17, 2025
@nikpivkin nikpivkin force-pushed the feat/misconf-fingerprints branch from 3ee9f8b to 18a727d October 20, 2025 15:38