Update version and comment for SHA-pinned Terraform modules #10926
Labels: L: github:actions (GitHub Actions), L: terraform (Terraform packages), T: feature-request (Requests for new features)
Feature description
Similarly to GitHub Actions versions that are recommended to point to a full commit SHA instead of a Git tag or branch name, Terraform modules are susceptible to a similar kind of supply chain attack, and an identical solution is recommended by security tools (e.g., Checkov).
Currently, Dependabot seems to skip SHA-pinned versions in Terraform module references, only considering semantic versions.
I would essentially like to request porting #5951 for Terraform module dependencies, including both the update of the commit hash itself as well as the human-readable version comment.
Thank you very much for considering this!
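The pinning styles the request distinguishes (tag or branch ref, full commit SHA with a version comment, registry source with a version constraint) can be checked mechanically. The script below is an added example, not code from the issue or from Dependabot: it walks a constructed Terraform file with a simple line-based parser (not a full HCL parser, so it assumes one `source` attribute per line and a `}` on its own line closing each block), classifies every git module source, and reports sources that are not pinned to a commit SHA as well as SHA pins that lack the human-readable version comment an updater would need to keep in sync.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample Terraform file (not taken from the issue): four module
# blocks covering the pinning styles the request distinguishes.
SAMPLE_TF = '''\
module "vpc" {
  source = "git::https://github.com/example-org/terraform-modules.git//vpc?ref=v1.4.0"
}

module "eks" {
  # Full commit SHA plus a human-readable version comment, the convention
  # the request asks Dependabot to keep up to date.
  source = "git::https://github.com/example-org/terraform-modules.git//eks?ref=0123456789abcdef0123456789abcdef01234567" # v2.1.0
}

module "iam" {
  source = "github.com/example-org/terraform-modules//iam"
}

module "registry_vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "5.1.2"
}
'''

MODULE_HEADER_RE = re.compile(r'^\s*module\s+"(?P<name>[^"]+)"\s*\{')
# source = "..." followed by an optional trailing "# comment"
SOURCE_LINE_RE = re.compile(
    r'^\s*source\s*=\s*"(?P<src>[^"]*)"(?:\s*#\s*(?P<comment>.*?))?\s*$'
)
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


@dataclass
class ModuleRef:
    name: str
    source: str
    ref: Optional[str]
    comment: Optional[str]
    kind: str  # "sha", "mutable", "unpinned-git", or "registry"


def is_git_source(src: str) -> bool:
    # Terraform treats "git::"-prefixed URLs and bare github.com paths as git sources.
    return src.startswith("git::") or src.startswith("github.com/")


def classify(src: str) -> Tuple[Optional[str], str]:
    """Return (ref, kind) for one module source string."""
    if not is_git_source(src):
        return None, "registry"           # versioned via the 'version' constraint
    ref = None
    if "?" in src:
        for part in src.split("?", 1)[1].split("&"):
            key, _, value = part.partition("=")
            if key == "ref":
                ref = value
    if ref is None:
        return None, "unpinned-git"       # follows the remote default branch
    if FULL_SHA_RE.match(ref):
        return ref, "sha"                 # immutable commit pin
    return ref, "mutable"                 # tag or branch name; can be moved


def parse_modules(text: str) -> List[ModuleRef]:
    """Collect one ModuleRef per module block, using a line-based scan."""
    refs: List[ModuleRef] = []
    name: Optional[str] = None
    for line in text.splitlines():
        header = MODULE_HEADER_RE.match(line)
        if header:
            name = header.group("name")
            continue
        if name is None:
            continue
        if line.strip() == "}":
            name = None
            continue
        m = SOURCE_LINE_RE.match(line)
        if m:
            ref, kind = classify(m.group("src"))
            refs.append(ModuleRef(name, m.group("src"), ref, m.group("comment"), kind))
    return refs


def findings(text: str) -> List[str]:
    """Report git sources not pinned to a SHA, and SHA pins without a version comment."""
    out = []
    for r in parse_modules(text):
        if r.kind in ("mutable", "unpinned-git"):
            out.append(f"{r.name}: git source not pinned to a commit SHA (ref={r.ref})")
        elif r.kind == "sha" and not r.comment:
            out.append(f"{r.name}: SHA-pinned but missing a version comment")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_TF):
        print(line)
```

Run against the sample, the script flags `vpc` (tag ref) and `iam` (no ref, so it tracks the default branch); `eks` passes because it carries both a full SHA and a version comment, and `registry_vpc` is left to the registry version constraint. The version comment is what lets an updater map a SHA back to a release, which is why its absence is reported as well.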