anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Apache License 2.0

terraform modules #2402

Open noqcks opened 11 months ago

noqcks commented 11 months ago

What would you like to be added:

terraform modules and providers included in the SBOM components list

Why is this needed:

Would be nice to have terraform modules included in an SBOM, since they're technically 3rd party software that is used to build an application.

Additional context:

Checkov has done a little work on this in the past https://bridgecrew.io/blog/hacktoberfest-iac-software-bill-of-materials-checkov-cyclonedx/

ghouscht commented 1 week ago

Hey, I saw a discussion on reddit (https://www.reddit.com/r/Terraform/comments/1g9go7p/what_do_you_use_to_generate_sbom_for_terraform/) and I'd like to look into this topic. I already have a working PoC for providers 🙂

However, tracking module dependencies might be a bit trickier as they don't seem to be tracked by the terraform lock file. See https://developer.hashicorp.com/terraform/language/files/dependency-lock#dependency-lock-file

At present, the dependency lock file tracks only provider dependencies. Terraform does not remember version selections for remote modules, and so Terraform will always select the newest available module version that meets the specified version constraints. You can use an exact version constraint to ensure that Terraform will always select the same module version.
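As an added example (not code from syft or from either commenter), here is a small Go parser for the two sources an SBOM generator would have to read: `.terraform.lock.hcl`, which records each provider's selected version and hashes, and `module` blocks in `.tf` files, which, as the quoted docs say, carry only a version constraint, so the selected module version is known without running `terraform init` only when that constraint is exact. The lock file and configuration below are constructed samples with placeholder hashes and arbitrary registry addresses; the parser handles only the flat subset of HCL that `terraform init` writes and that plain module blocks use, and is not a general HCL parser.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Block is one top-level HCL block such as `provider "x" { ... }` or `module "x" { ... }`.
type Block struct {
	Label string
	Attrs map[string]string   // scalar attributes: version, constraints, source
	Lists map[string][]string // list attributes: hashes
}

// ParseBlocks is a small line-oriented parser for the HCL subset that `terraform init` writes to
// .terraform.lock.hcl and that flat module blocks use; it is not a general HCL parser.
func ParseBlocks(contents, kind string) ([]Block, error) {
	var blocks []Block
	var cur *Block // block being filled, nil at top level
	listKey := ""  // attribute name while inside `key = [ ... ]`
	sc := bufio.NewScanner(strings.NewReader(contents))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "" || strings.HasPrefix(line, "#"):
		case cur == nil: // top level: open `kind "label" {`, ignore blocks of other kinds
			if f := strings.Fields(line); len(f) == 3 && f[0] == kind && f[2] == "{" {
				cur = &Block{Label: strings.Trim(f[1], `"`), Attrs: map[string]string{}, Lists: map[string][]string{}}
			}
		case listKey != "" && strings.HasPrefix(line, "]"):
			listKey = ""
		case listKey != "": // one quoted list element per line, trailing comma allowed
			cur.Lists[listKey] = append(cur.Lists[listKey], strings.Trim(strings.TrimSuffix(line, ","), `"`))
		case line == "}":
			blocks, cur = append(blocks, *cur), nil
		default: // `key = "value"` or `key = [`; anything else is outside the handled subset
			key, val, ok := strings.Cut(line, "=")
			if !ok {
				return nil, fmt.Errorf("unexpected line in %s %q: %q", kind, cur.Label, line)
			}
			if key, val = strings.TrimSpace(key), strings.TrimSpace(val); val == "[" {
				listKey = key
			} else {
				cur.Attrs[key] = strings.Trim(val, `"`)
			}
		}
	}
	if cur != nil {
		return nil, fmt.Errorf("unterminated %s block %q", kind, cur.Label)
	}
	return blocks, sc.Err()
}

// ExactModuleVersion returns the version a module's constraint pins, or "" for a range. The lock
// file does not record module selections, so only an exact constraint ("4.1.0" or "= 4.1.0")
// tells an SBOM generator which module version terraform init will select.
func ExactModuleVersion(constraint string) string {
	c := strings.TrimSpace(strings.TrimPrefix(strings.TrimSpace(constraint), "="))
	if c == "" || strings.ContainsAny(c, "<>~!=,") {
		return ""
	}
	return c
}

// Constructed sample inputs for this example; the hash values are placeholders, not real digests.
const sampleLock = `# This file is maintained automatically by "terraform init".
provider "registry.terraform.io/hashicorp/aws" {
  version     = "5.31.0"
  constraints = "~> 5.0"
  hashes = [
    "h1:PLACEHOLDER=",
    "zh:PLACEHOLDER",
  ]
}
`

const sampleConfig = `module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> 5.0"
}
module "bucket" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "4.1.0"
}
`

func main() {
	provs, _ := ParseBlocks(sampleLock, "provider")
	for _, p := range provs {
		fmt.Printf("provider %s version=%s constraints=%q hashes=%d\n", p.Label, p.Attrs["version"], p.Attrs["constraints"], len(p.Lists["hashes"]))
	}
	mods, _ := ParseBlocks(sampleConfig, "module")
	for _, m := range mods {
		fmt.Printf("module %s source=%s version=%q (constraint %q)\n", m.Label, m.Attrs["source"], ExactModuleVersion(m.Attrs["version"]), m.Attrs["version"])
	}
}
```

Run with `go run .`: the provider comes out with a resolved version and two hashes, while of the two modules only `bucket` gets a version, because `vpc`'s `~> 5.0` leaves the selection to `terraform init`. An SBOM built from the configuration alone can therefore list module sources and constraints, but a resolved module version either needs an exact constraint or has to be read from the initialised `.terraform/modules` directory after `terraform init`.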