From b49ca0c9ce126e074d725e3dcbd80ac3f0bc7694 Mon Sep 17 00:00:00 2001
From: nikpivkin
Date: Tue, 16 Sep 2025 19:57:38 +0600
Subject: [PATCH] fix(misconf): handle tofu files in module detection

Signed-off-by: nikpivkin
---
 pkg/iac/scanners/terraform/scanner.go      |  8 ++++++--
 pkg/iac/scanners/terraform/scanner_test.go | 19 +++++++++++++++++++
 2 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/pkg/iac/scanners/terraform/scanner.go b/pkg/iac/scanners/terraform/scanner.go
index d3fdea112079..53bcd9ab61cb 100644
--- a/pkg/iac/scanners/terraform/scanner.go
+++ b/pkg/iac/scanners/terraform/scanner.go
@@ -225,9 +225,13 @@ func (s *Scanner) isRootModule(target fs.FS, dir string) bool {
 		s.logger.Error("Failed to read dir", log.FilePath(dir), log.Err(err))
 		return false
 	}
+	suffixes := []string{".tf", ".tf.json", ".tofu", ".tofu.json"}
+
 	for _, file := range files {
-		if strings.HasSuffix(file.Name(), ".tf") || strings.HasSuffix(file.Name(), ".tf.json") {
-			return true
+		for _, suf := range suffixes {
+			if strings.HasSuffix(file.Name(), suf) {
+				return true
+			}
 		}
 	}
 	return false
diff --git a/pkg/iac/scanners/terraform/scanner_test.go b/pkg/iac/scanners/terraform/scanner_test.go
index 002232fd9a73..d4a5e153bc13 100644
--- a/pkg/iac/scanners/terraform/scanner_test.go
+++ b/pkg/iac/scanners/terraform/scanner_test.go
@@ -1257,3 +1257,22 @@ deny contains res if {
 	assert.Len(t, failed, 1)
 }
+
+func Test_ScanTofuFiles(t *testing.T) {
+	fsys := testutil.CreateFS(t, map[string]string{
+		"code/main.tofu":   `resource "aws_s3_bucket" "this" {}`,
+		"rules/check.rego": emptyBucketCheck,
+	})
+
+	scanner := New(
+		rego.WithPolicyNamespaces("user"),
+		rego.WithPolicyDirs("rules"),
+		rego.WithPolicyFilesystem(fsys),
+	)
+
+	results, err := scanner.ScanFS(t.Context(), fsys, "code")
+	require.NoError(t, err)
+
+	assert.Len(t, results, 1)
+	assert.Len(t, results.GetFailed(), 1)
+}
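Review bot: The `suffixes` slice is rebuilt on every call to isRootModule and the new nested loop re-scans it for each directory entry; it reads more clearly as a package-level `var moduleFileSuffixes = []string{".tf", ".tf.json", ".tofu", ".tofu.json"}` with the inner loop collapsed to `if slices.ContainsFunc(moduleFileSuffixes, func(suf string) bool { return strings.HasSuffix(file.Name(), suf) }) { return true }`. If the parser keeps its own list of recognized Terraform/OpenTofu extensions (not visible in this hunk), sharing one definition would keep root-module detection and file parsing from drifting apart, since a directory could otherwise be selected as a root module while some of its files are never parsed. The check also does not distinguish files from directories, so a subdirectory whose name ends in one of these suffixes counts as a module marker; that is pre-existing, but a `!file.IsDir()` guard would tighten it. The body of isRootModule begins before this hunk.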
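Review bot: Test_ScanTofuFiles exercises only the `.tofu` suffix, so the `.tofu.json` case added to isRootModule in the same commit has no coverage; a second fixture such as `"code/extra.tofu.json": ...` (with the expected result counts adjusted), or a table-driven variant that loops over the four suffixes, would pin both. `t.Context()` exists only from Go 1.24 onward, so this presumably matches the module's go directive — worth confirming if older toolchains run in CI.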