We want to ensure our Terraform scans are coming back secure; without pointing to a SHA, we get violations.
Using a git commit SHA in your private module registry with Terraform ensures the security and integrity of our modules.
By providing a SHA checksum, we can ensure that the module downloaded from the registry matches the original version intended by the author. This prevents tampering or corruption during download.
The concern is if the module author simply deletes a module version in the Registry and re-publishes it after moving the version to a malicious one.
This is what we are required to do to ensure the commit ID SHA:
https://developer.hashicorp.com/terraform/language/modules/sources#selecting-a-revision
Discovery
Feature Requests
Over 1 year ago
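The kind of check a scanner applies to the request above, as an added example that is not part of the original post or of any product's code: it reads `module` blocks and reports whether each git source is pinned to a full 40-character commit SHA through the `ref` argument described at the linked Terraform page. The function names, the `example.com` URLs, the registry address and the SHA value are constructed for illustration, and the regex parsing assumes simple, non-nested module blocks.

```python
import re

# Simplified HCL matching (assumption): one flat block per module, closed by "}" on its own line.
MODULE_RE = re.compile(r'module\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
SOURCE_RE = re.compile(r'^\s*source\s*=\s*"([^"]+)"', re.M)
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')

# Constructed sample configuration; none of these repositories or commits are real.
SAMPLE_TF = '''
module "vpc_tag" {
  source = "git::https://example.com/infra/vpc.git?ref=v1.2.0"
}

module "vpc_sha" {
  source = "git::https://example.com/infra/vpc.git//modules/core?ref=0123456789abcdef0123456789abcdef01234567"
}

module "vpc_head" {
  source = "git::https://example.com/infra/vpc.git"
}

module "vpc_registry" {
  source  = "app.terraform.io/example-org/vpc/aws"
  version = "1.2.0"
}
'''

def classify_source(source):
    """Return 'pinned', 'mutable-ref', 'no-ref' or 'not-git' for a module source string."""
    if not source.startswith(("git::", "github.com/")):
        return "not-git"      # registry address or other source type: no ref argument
    query = source.partition("?")[2]
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    ref = params.get("ref")
    if ref is None:
        return "no-ref"       # follows the repository's default branch
    # Tags and branches can be moved or re-created; a full commit SHA cannot.
    return "pinned" if FULL_SHA_RE.match(ref.lower()) else "mutable-ref"

def audit(tf_text):
    """Map each module name to the classification of its source."""
    findings = {}
    for name, body in MODULE_RE.findall(tf_text):
        match = SOURCE_RE.search(body)
        if match:
            findings[name] = classify_source(match.group(1))
    return findings

if __name__ == "__main__":
    for module_name, status in audit(SAMPLE_TF).items():
        print(f"{module_name}: {status}")
```

Only `vpc_sha` passes; the tag, the missing `ref` and the registry `version` constraint all resolve to whatever the publisher currently serves under that name.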