fix(misconf): handle tofu files in module detection (#9486)

Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
2026-01-31 13:53:14 +08:00 · 2025-09-29 20:41:59 +06:00
parent e4af279b29
commit bfd2f6ba69
2 changed files with 25 additions and 2 deletions
--- a/pkg/iac/scanners/terraform/scanner.go
+++ b/pkg/iac/scanners/terraform/scanner.go
@@ -225,9 +225,13 @@ func (s *Scanner) isRootModule(target fs.FS, dir string) bool {
 		s.logger.Error("Failed to read dir", log.FilePath(dir), log.Err(err))
 		return false
 	}
+	suffixes := []string{".tf", ".tf.json", ".tofu", ".tofu.json"}
+
 	for _, file := range files {
-		if strings.HasSuffix(file.Name(), ".tf") || strings.HasSuffix(file.Name(), ".tf.json") {
-			return true
+		for _, suf := range suffixes {
+			if strings.HasSuffix(file.Name(), suf) {
+				return true
+			}
 		}
 	}
 	return false
--- a/pkg/iac/scanners/terraform/scanner_test.go
+++ b/pkg/iac/scanners/terraform/scanner_test.go
@@ -1257,3 +1257,22 @@ deny contains res if {

 	assert.Len(t, failed, 1)
 }
+
+func Test_ScanTofuFiles(t *testing.T) {
+	fsys := testutil.CreateFS(t, map[string]string{
+		"code/main.tofu":   `resource "aws_s3_bucket" "this" {}`,
+		"rules/check.rego": emptyBucketCheck,
+	})
+
+	scanner := New(
+		rego.WithPolicyNamespaces("user"),
+		rego.WithPolicyDirs("rules"),
+		rego.WithPolicyFilesystem(fsys),
+	)
+
+	results, err := scanner.ScanFS(t.Context(), fsys, "code")
+	require.NoError(t, err)
+
+	assert.Len(t, results, 1)
+	assert.Len(t, results.GetFailed(), 1)
+}