We are using SonarQube 9.2.4 and the latest version of sonar-scanner-cli to scan terraform projects (aws provider).
We want to scan modules which are referenced in the project as well as the parent project which references them, however we have noticed that only the parent project is scanned and not the modules because the parent is referencing a git source for these modules.
How do we ensure that the project and referenced modules are thoroughly downloaded and scanned by the cli? Is it possible to configure this as a single sonarqube project or would we need to scan all modules separately?
Analysis doesn't do any "downloading". It assumes you've already checked out everything relevant and that it's being started from the root directory of your project.
Is that the case? Have you checked out the parent & the submodules before you kick off analysis?
Terraform handles everything. I only have to checkout the main project and run terraform init / plan / apply and whatever is in the modules will be downloaded accordingly as part of the init.
I suppose I could look at getting the .tf code for modules downloaded from the "terraform init" step and looking in the .terraform/modules directory that is generated, but this generates a lot of additional code which needs to be ignored from analysis.
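The approach sketched in the post above (let `terraform init` fetch the git-sourced modules, then point the scanner at `.terraform/modules` while excluding the parts of a published module that are not deployed infrastructure) can be turned into a small helper. The script below is an added example, not code from this thread or from SonarSource. It assumes that `terraform init` writes a manifest at `.terraform/modules/modules.json` whose `Modules` entries carry `Key`, `Source` and `Dir` fields (verify against your own init output), and it uses only the standard scanner properties `sonar.projectKey`, `sonar.sources` and `sonar.exclusions`. The manifest content and the list of "indexed" file paths are constructed sample data; the project key and the noise directory names are placeholders.

```python
"""Derive a sonar-project.properties from terraform's module manifest and
check, after analysis, that every downloaded module actually contributed files.

Assumptions (not established by the thread): the manifest layout of
.terraform/modules/modules.json, and the scanner property names sonar.sources
and sonar.exclusions. Whether a given scanner version indexes dot-directories
under "." on its own is not assumed here; unscanned_modules() is the check for that.
"""
import json
from pathlib import PurePosixPath

# Constructed sample manifest: a root module, one module fetched from git (with a
# nested module inside it) and one module that lives in the checkout itself.
SAMPLE_MANIFEST = json.dumps({
    "Modules": [
        {"Key": "", "Source": "", "Dir": "."},
        {"Key": "vpc",
         "Source": "git::https://example.invalid/org/terraform-aws-vpc.git?ref=v1.2.0",
         "Dir": ".terraform/modules/vpc"},
        {"Key": "vpc.subnets", "Source": "./modules/subnets",
         "Dir": ".terraform/modules/vpc/modules/subnets"},
        {"Key": "local_tags", "Source": "./modules/tags", "Dir": "modules/tags"},
    ]
})

# Directories commonly shipped inside published modules that are not part of
# what you deploy; placeholder list, adjust for your modules.
NOISE_DIRS = ("examples", "test", "tests", ".git")

FETCHED_PREFIX = ".terraform/modules/"


def downloaded_module_dirs(manifest_text: str) -> list[str]:
    """Top-level directories that terraform init fetched from remote sources.

    Local-path modules already sit in the checkout and are scanned with the
    parent; nested modules inside a fetched module collapse onto its top dir.
    """
    data = json.loads(manifest_text)
    dirs = set()
    for mod in data.get("Modules", []):
        directory = mod.get("Dir", "")
        if mod.get("Key") == "" or not directory.startswith(FETCHED_PREFIX):
            continue  # root module, or a module that is part of the checkout
        top = PurePosixPath(directory).parts[:3]  # .terraform/modules/<name>
        dirs.add("/".join(top))
    return sorted(dirs)


def build_properties(project_key: str, manifest_text: str) -> str:
    """Render a sonar-project.properties body covering root and fetched modules.

    sonar.sources stays "." so nothing is indexed twice; the exclusions keep the
    module code itself and drop only example/test/VCS directories under it, plus
    the provider binaries terraform init places next to the modules.
    """
    dirs = downloaded_module_dirs(manifest_text)
    exclusions = [".terraform/providers/**"]
    exclusions += [f"{d}/{noise}/**" for d in dirs for noise in NOISE_DIRS]
    lines = [
        f"sonar.projectKey={project_key}",
        "sonar.sources=.",
        "sonar.exclusions=" + ",".join(exclusions),
    ]
    return "\n".join(lines) + "\n"


def unscanned_modules(module_dirs: list[str], indexed_paths: list[str]) -> list[str]:
    """Fetched module directories for which the scan indexed no file at all.

    indexed_paths is whatever list of analysed file paths you can obtain for the
    run; an empty result means every downloaded module reached the analysis.
    """
    return [
        d for d in module_dirs
        if not any(p == d or p.startswith(d + "/") for p in indexed_paths)
    ]


if __name__ == "__main__":
    print(build_properties("my-terraform-project", SAMPLE_MANIFEST))
    # Constructed list of indexed files in which the git module is missing.
    seen = ["main.tf", "variables.tf", "modules/tags/main.tf"]
    print("not scanned:", unscanned_modules(downloaded_module_dirs(SAMPLE_MANIFEST), seen))
```

The second function is the part worth keeping in CI: run it after analysis against the list of files the scanner reports, and fail the job when a module that `terraform init` downloaded contributed nothing, since that is exactly the case described in this thread where only the parent project ends up scanned.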
"This" refers to the problem in this thread: e.g. scanning terraform projects. Examples would be useful, especially examples with modules. We've consulted the link you provided previously; it doesn't help.
As I said earlier, analysis doesn't do any downloading. The assumption is that analysis is being triggered from the project root directory and that all relevant code is available in the current directory or in child directories.