Closed Constantin07 closed 1 month ago
https://github.com/bridgecrewio/checkov/issues/6307
bug or feature?
As mentioned in the comments of #6307 I see this clearly as a missing feature. Terraform itself encourages people to use the version field to specify how to pin the module. Then this check should also consider this field and not only a ref= reference in the source field.
Just to mention this up front. This shouldn't be a discussion if CKV_TF_1 or CKV_TF_2 is more secure or not. Right now we have disabled both as they follow the recommended way of Terraform to define a version field and we don't plan to move to the ref= part in the source field.
Also we use https://github.com/renovatebot/renovate/ to keep up-to-date with our dependencies like upstream terraform modules and I'm not sure if renovate would be able to work with the ref= part of the source field.
Also I personally find the dedicated version field more human readable than having to scan the source string to find some kind of version/tag/commit-hash reference.
I don't disagree, merely pointing out that this seems to be by design rather than a bug.
It was a miss on our side. We'll fix it.
Describe the issue: Despite Terraform registry modules using a pinned version (tag), the CKV_TF_2 check fails.
Examples
Version (please complete the following information):
3.2.98
Additional context Using Terraform Registry modules https://developer.hashicorp.com/terraform/registry/modules/use#using-modules.
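The pinning logic this thread asks for, written out as an added example (not checkov's own code): a registry module counts as pinned through an exact version attribute, a git module through a version tag in the ref= query parameter, and anything else is reported as unpinned. The module blocks are constructed samples, not the reporter's configuration.

```python
import re

# Constructed sample configuration: two pinned modules, two unpinned ones.
SAMPLE_TF = """
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "5.1.2"
}

module "git_pinned" {
  source = "git::https://example.com/org/repo.git?ref=v1.4.0"
}

module "git_unpinned" {
  source = "git::https://example.com/org/repo.git"
}

module "registry_constraint" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "~> 4.0"
}
"""

BLOCK_RE = re.compile(r'module\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)\n\}', re.S)
ATTR_RE = re.compile(r'^\s*(?P<key>source|version)\s*=\s*"(?P<val>[^"]*)"', re.M)
REF_RE = re.compile(r"[?&]ref=([^&]*)")
# An exact version tag: optional leading "v", then dotted digits ("5.1.2", "v1.4.0").
# Range constraints such as "~> 4.0" or ">= 1.0" deliberately do not match.
TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")

def parse_modules(hcl):
    """Return {module name: {"source": ..., "version": ...}} for each module block."""
    return {m["name"]: {a["key"]: a["val"] for a in ATTR_RE.finditer(m["body"])}
            for m in BLOCK_RE.finditer(hcl)}

def is_git_source(source):
    # Heuristic for git-backed sources; registry addresses never carry these markers.
    return source.startswith(("git::", "github.com/", "git@")) or source.endswith(".git")

def pinned_to_tag(attrs):
    source = attrs.get("source", "")
    if is_git_source(source):
        # Git sources: the ref= query parameter must name an exact version tag.
        found = REF_RE.search(source)
        return bool(found and TAG_RE.match(found.group(1)))
    # Registry sources: the version attribute is the pinning mechanism.
    return bool(TAG_RE.match(attrs.get("version", "")))

def check_all(hcl):
    """Map each module name to True (pinned) or False (unpinned)."""
    return {name: pinned_to_tag(attrs) for name, attrs in parse_modules(hcl).items()}
```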