
Add terraform module dependency scanning

The GitLab standard dependency scanning jobs do not support terraform module version scanning.

It is desirable to do this from a SMP perspective so that we can ensure that deployments are following current best practice at least as far as using the latest versions of our own modules. It also allows us to make informed decisions about deprecating use of some modules.

We can upload a CI job artifact containing custom SBOM results.

Terraform provides the list of modules and their versions accessible via, e.g., logan --quiet --workspace=development cat /terraform_data/modules/modules.json | tail -n 1.

Add a common pipeline CI job which

  • Only triggers if there is both a .logan.yaml file in the repo and a .terraform.lock.hcl file.
  • May be disabled via a TERRAFORM_MODULE_DEPENDENCY_SCANNING_DISABLED variable.
  • Runs terraform in a manner analogous to the current terraform jobs to extract modules.json.
  • Converts modules.json to a CycloneDX report suitable for use as a dependency scanning artifact.
  • Uploads the CycloneDX report as a dependency scanning artifact.
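The conversion step above, as an added example that is not part of this issue or the project's pipeline code: it reads the modules.json that Terraform writes (piped in from the logan command quoted earlier), skips the root module and unversioned local modules, de-duplicates nested module keys that point at the same source and version, and emits a CycloneDX 1.4 JSON document. The sample input is constructed, and the gitlab:dependency_scanning metadata property names are an assumption to verify against the docs of the GitLab version in use.

```python
import json
import sys
import uuid
from datetime import datetime, timezone

# Constructed sample of .terraform/modules/modules.json as Terraform writes it: the root
# module (Key "") and local path modules carry no Version; nested keys repeat a source.
SAMPLE_MODULES_JSON = json.dumps({"Modules": [
    {"Key": "", "Source": "", "Dir": "."},
    {"Key": "network", "Source": "registry.example.com/org/network/aws",
     "Version": "2.3.1", "Dir": ".terraform/modules/network"},
    {"Key": "network.subnet", "Source": "registry.example.com/org/network/aws",
     "Version": "2.3.1", "Dir": ".terraform/modules/network"},
    {"Key": "local_helper", "Source": "./modules/helper", "Dir": "./modules/helper"},
]})

def versioned_modules(modules_json: str) -> list:
    """Unique (source, version) pairs; root and unversioned local modules are skipped."""
    seen, result = set(), []
    for m in json.loads(modules_json).get("Modules", []):
        source, version = m.get("Source", ""), m.get("Version")
        if not source or not version or (source, version) in seen:
            continue
        seen.add((source, version))
        result.append({"source": source, "version": version})
    return result

def to_cyclonedx(modules_json: str, input_file: str = ".terraform.lock.hcl") -> dict:
    """Build a CycloneDX 1.4 JSON BOM with one library component per versioned module."""
    components = [{"type": "library", "bom-ref": f"{m['source']}@{m['version']}",
                   "name": m["source"], "version": m["version"]}
                  for m in versioned_modules(modules_json)]
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}", "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            # Assumed: property names GitLab documents for custom CycloneDX reports;
            # verify against the docs for the GitLab version in use.
            "properties": [
                {"name": "gitlab:dependency_scanning:input_file:path", "value": input_file},
                {"name": "gitlab:dependency_scanning:package_manager:name", "value": "terraform"},
            ],
        },
        "components": components,
    }

if __name__ == "__main__":  # pipe the modules.json line from the terraform command into stdin
    print(json.dumps(to_cyclonedx(sys.stdin.read()), indent=2))
```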