bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

False positive on CKV_TF_2 using shallow clone #6308

Closed mouellet closed 4 months ago

mouellet commented 4 months ago

Describe the issue

Introduced in #6213, CKV_TF_2 generates a false positive when using shallow clone.

Examples

module "bogus" {
  source = "git::https://example.com/bogus.git?depth=1&ref=v1.2.0"
}

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
    FAILED for resource: bogus
    File: /bogus.tf:28-59

Version (please complete the following information):
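One way to recover the pinned ref from a module source without being thrown off by neighbouring query parameters such as `depth=1`, added here as an illustration for this report; it is not checkov's own implementation of CKV_TF_2. The `VERSION_TAG_RE` pattern and the sample module blocks are constructed for the example (the source strings are the ones quoted in this thread).

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed pattern: a tag counts as a version if it is dot-separated digits,
# optionally prefixed with "v" (v1.2.0, 1.2, 2024.01.15).
VERSION_TAG_RE = re.compile(r"^v?\d+(?:\.\d+)*$")


def git_ref(source: str) -> Optional[str]:
    """Return the ``ref`` query parameter of a ``git::`` module source, or None.

    The whole query string is parsed, so ``ref`` is found wherever it sits
    relative to other parameters (``?depth=1&ref=v1.2.0`` and
    ``?ref=v1.2.0&depth=1`` give the same answer).
    """
    if not source.startswith("git::"):
        return None
    query = urlsplit(source[len("git::"):]).query
    refs = parse_qs(query).get("ref")
    return refs[0] if refs else None


def module_source_pinned(module: dict) -> bool:
    """Decide whether a module block pins a version.

    ``module`` is a dict of the block's attributes, for example
    {"source": "git::https://...?ref=v1.0.0"} or
    {"source": "cloudposse/label/null", "version": "0.25.0"}.
    Git sources must carry a version-looking ``ref``; registry sources pin
    through the separate ``version`` attribute instead.
    """
    source = module.get("source", "")
    if source.startswith("git::"):
        ref = git_ref(source)
        return ref is not None and VERSION_TAG_RE.match(ref) is not None
    return "version" in module


# Constructed sample blocks, built from the two reports in this thread.
SHALLOW_CLONE = {"source": "git::https://example.com/bogus.git?depth=1&ref=v1.2.0"}
REGISTRY = {"source": "cloudposse/label/null", "version": "0.25.0"}
UNPINNED_GIT = {"source": "git::https://example.com/bogus.git?ref=main"}
NO_REF = {"source": "git::https://example.com/bogus.git"}


if __name__ == "__main__":
    for name, block in [("shallow clone", SHALLOW_CLONE), ("registry", REGISTRY),
                        ("branch ref", UNPINNED_GIT), ("no ref", NO_REF)]:
        print(f"{name:13s} pinned={module_source_pinned(block)}")
```

The shallow-clone source from the report passes because `parse_qs` reads every parameter rather than expecting `ref` to follow `?` directly; a branch name or a missing `ref` still fails, which is the behaviour the check is meant to enforce.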

mikeurbanski1 commented 4 months ago

Hey @mouellet - sorry about that. Thanks for raising it. We'll merge a fix shortly.

mikeurbanski1 commented 4 months ago

Apologies for the delay - I am having an issue with an unrelated integration test that I want to make sure gets fixed.

rubfcsilva commented 4 months ago

Hello, does this fix also apply when you have the version after the source? I think my case is a false positive for this as well.

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
    FAILED for resource: module.key.module.keyring_label.label
    File: /common/label/main.tf:12-27
    Calling File: /gcp/components/kms/key/main.tf:5-12

        12 | module "label" {
        13 |   source  = "cloudposse/label/null"
        14 |   version = "0.25.0"

mikeurbanski1 commented 4 months ago

> Hello, does this fix also apply when you have the version after the source? I think my case is a false positive for this as well.
>
> Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
>     FAILED for resource: module.key.module.keyring_label.label
>     File: /common/label/main.tf:12-27
>     Calling File: /gcp/components/kms/key/main.tf:5-12
>
>         12 | module "label" {
>         13 |   source  = "cloudposse/label/null"
>         14 |   version = "0.25.0"

Hmm... Does CKV_TF_1 also fail?

rubfcsilva commented 4 months ago

> Hmm... Does CKV_TF_1 also fail?

We are skipping that rule, as of now.