Checkov fails to download external modules when ref is a Git commit hash #7267
Description
Describe the issue
Checkov fails to download Terraform modules when the source uses a Git commit hash (ref=<hash>) instead of a branch or tag.
Examples
For module with such a source:
module "my_route53_dnssec" {
source = "git::https://github.com/rynkowsg/tf-modules.git//module/route53-dnssec?ref=f6a8868"
...
}Running Checkov with:
checkov --download-external-modules .checkov-external-modules --directory .Results in the following error:
2025-08-06 13:19:38,194 [MainThread ] [WARNI] failed to get git::https://github.com/rynkowsg/tf-modules?ref=f6a8868 in git loader because of Cmd('git') failed due to: exit code(128)
cmdline: git clone -v --depth=1 -b f6a8868 -- https://github.com/rynkowsg/tf-modules <my-repo-full-path>/.external_modules/github.com/rynkowsg/tf-modules/f6a8868
stderr: 'Cloning into '<my-repo-full-path>/.external_modules/github.com/rynkowsg/tf-modules/f6a8868'...
POST git-upload-pack (356 bytes)
fatal: Remote branch f6a8868 not found in upstream origin
The error suggests Checkov is treating the ref as a branch name, but it's actually a commit hash.
Expected behavior
Checkov should detect that the ref is a commit hash and clone the repository accordingly, rather than treating it as a branch. This likely means that a shallow clone (--depth=1) cannot be used, and a full clone of the default branch followed by a checkout of the specific commit is necessary.
Version (please complete the following information):
- Checkov Version 3.2.457