Scanning terraform modules in sonarqube

We are using SonarQube 9.2.4 and the latest version of sonar-scanner-cli to scan terraform projects (aws provider).

We want to scan modules which are referenced in the project as well as the parent project which references them, however we have noticed that only the parent project is scanned and not the modules because the parent is referencing a git source for these modules.

How do we ensure that the project and referenced modules are thoroughly downloaded and scanned by the cli? Is it possible to configure this as a single sonarqube project or would we need to scan all modules separately?


Analysis doesn’t do any ‘downloading’. It assumes you’ve already checked out everything relevant and that it’s being started from the root directory of your project.

Is that the case? Have you checked out the parent & the submodules before you kick off analysis?


Terraform handles everything. I only have to checkout the main project and run terraform init / plan / apply and whatever is in the modules will be downloaded accordingly as part of the init.

I suppose I could look at getting the .tf code for modules downloaded from the ‘terraform init’ step and looking in the .terraform/modules directory that is generated, but this generates a lot of additional code which needs to be ignored from analysis.

Is this documented anywhere?


Sorry, but I’m not sure what “this” means. :joy:

Analysis is documented here.


‘This’ refers to the problem in this thread: e.g. scanning terraform projects. Examples would be useful, especially examples with modules. We’ve consulted the link you have provided previously, it doesn’t help.

See also:

1 Like


As I said earlier, analysis doesn’t do any downloading. The assumption is that analysis is being triggered from the project root directory and that all relevant code is available in the current directory or in child directories.