This question is more related to TF best practices and insight into how others are doing module audits. In our IaC we are using local modules and also modules from providers on the TF module registry.
How are you managing, in your IaC repos and code, allowing only whitelisted modules (that have already passed a vulnerability audit) to be used in your deployments?
Probably want to have multiple layers - one thing is that a lot of the scanning tools (things like tfsec (now deprecated), Trivy, etc.) will scan the module code itself.
At a certain size / scale, and in a paranoid enough environment, you may need to vendor in all the modules and manually vet updates, though I’d tend to just pin the version, and then review the changelog of updates (I typically use Renovate to help keep pinned versions up to date and somewhat automate the toil of manually bumping versions).
Also, if a module is sufficiently simple, it may be easier to either pull the code into a simplified local version (assuming license permits), or define the resources resource-like.
Also, I believe there are some tools that can let you allowlist modules by GitHub org, module name, or registry, but I haven’t used any.
I believe you could use Rego policies to do this - there are some examples of doing something similar for provider allowlist / denylist if you google around.
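A sketch of the Rego route mentioned above, added here as an example and not taken from the thread: a conftest policy evaluated against `terraform show -json` plan output that denies any module call whose source is not on a vetted allowlist and requires registry modules to pin an exact version. The package name, file path, and the allowlist entries are assumptions for illustration.

```rego
# policy/modules.rego (file path is an assumption)
package terraform.modules

import rego.v1

# Constructed allowlist: module sources that have already passed the audit.
allowed_sources := {
	"terraform-aws-modules/vpc/aws",
	"git::https://github.com/example-org/terraform-modules.git//network",
}

# Local modules in this repo are reviewed with the repo itself, so allow them by prefix.
allowed(src) if startswith(src, "./")
allowed(src) if startswith(src, "../")
allowed(src) if src in allowed_sources

# Collect every module call in the plan's configuration block, nested ones included.
# walk() yields each [path, value] pair; a module call object sits under
# .../module_calls/<name> and carries a "source" attribute.
module_calls contains [name, call] if {
	walk(input.configuration, [path, call])
	is_object(call)
	count(path) >= 2
	path[count(path) - 2] == "module_calls"
	name := path[count(path) - 1]
	call.source
}

# Deny any module whose source has not been vetted.
deny contains msg if {
	module_calls[[name, call]]
	not allowed(call.source)
	msg := sprintf("module %q uses source %q, which is not on the vetted allowlist", [name, call.source])
}

# Registry modules (not local, not git) must be pinned to an exact version, not a range,
# so that a vetted version cannot silently drift on the next init.
deny contains msg if {
	module_calls[[name, call]]
	allowed(call.source)
	not startswith(call.source, ".")
	not contains(call.source, "::")
	constraint := object.get(call, "version_constraint", "none")
	not regex.match(`^[0-9]+\.[0-9]+\.[0-9]+$`, constraint)
	msg := sprintf("registry module %q must pin an exact version (got %q)", [name, constraint])
}
```

Run it in CI with `terraform plan -out tfplan && terraform show -json tfplan > plan.json && conftest test plan.json -p policy --namespace terraform.modules`, so a plan referencing an unvetted or unpinned module fails before apply.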