
Trivy Terraform validation logs confusing module download errors when using cached modules #659

@skasti

Problem

When running Trivy for Terraform validation, the following confusing errors appear in the logs:

2026-06-04T06:40:45Z	ERROR	[module resolver] Failed to find a token for the registry	module="root" hostname="spacelift.io" err="no token was found for the registry at spacelift.io"
2026-06-04T06:40:46Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	module="root" loc="main.tf:69-76" err="unexpected status code for versions endpoint: 404"
2026-06-04T06:40:46Z	ERROR	[module resolver] Failed to find a token for the registry	module="root" hostname="spacelift.io" err="no token was found for the registry at spacelift.io"
2026-06-04T06:40:46Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	module="root" loc="monitoring.tf:183-190" err="unexpected status code for versions endpoint: 404"

Trivy is trying to download Terraform modules during validation, even in contexts where no Spacelift token is available. However, in practice Trivy falls back to using cached modules (which works as designed).

Proposal

  • Investigate if Trivy/Terraform is intended to rely primarily on cached modules in this workflow.
  • Check if there is a configuration that prevents Trivy from attempting to download modules in these contexts, and instead only use the cache.
  • Suppress or clarify the error output if this behavior is expected and benign, to reduce confusion for users.

Context

  • The actual workflow appears to succeed since the cache is used, but the logs may mislead users into thinking validation is broken.
  • If there’s a recommended way to configure Trivy (or underlying Terraform) to avoid noisy errors in this scenario, it would improve the developer experience.

Example run log

2026-06-04T07:13:19.8611419Z Current runner version: '2.334.0'
...
2026-06-04T07:13:44.2453458Z 234.65 KiB / 234.65 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2026-06-04T07:13:44Z	INFO	[terraform scanner] Scanning root module	file_path="."
2026-06-04T07:13:44.2657834Z 2026-06-04T07:13:44Z	WARN	[terraform parser] Variable values were not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="credentials, environment, location, project_id, region, zone"
2026-06-04T07:13:44.3741453Z 2026-06-04T07:13:44Z	ERROR	[module resolver] Failed to find a token for the registry	module="root" hostname="spacelift.io" err="no token was found for the registry at spacelift.io"
2026-06-04T07:13:44.4711192Z 2026-06-04T07:13:44Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	module="root" loc="main.tf:69-76" err="unexpected status code for versions endpoint: 404"
2026-06-04T07:13:44.4712733Z 2026-06-04T07:13:44Z	ERROR	[module resolver] Failed to find a token for the registry	module="root" hostname="spacelift.io" err="no token was found for the registry at spacelift.io"
2026-06-04T07:13:44.5291596Z 2026-06-04T07:13:44Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	module="root" loc="monitoring.tf:183-190" err="unexpected status code for versions endpoint: 404"
2026-06-04T07:13:45.1618915Z 2026-06-04T07:13:45Z	INFO	[terraform executor] Ignore finding	rule="google-storage-enable-bucket-versioning" range="buckets.tf:4-31"
2026-06-04T07:13:45.1620753Z 2026-06-04T07:13:45Z	INFO	[terraform executor] Ignore finding	rule="google-storage-enable-bucket-versioning" range="buckets.tf:42-64"
2026-06-04T07:13:45.1634036Z 2026-06-04T07:13:45Z	INFO	Detected config files	num=2
2026-06-04T07:13:45.1634957Z 
2026-06-04T07:13:45.1635652Z 📣 �[34mNotices:�[0m
2026-06-04T07:13:45.1636494Z   - Version 0.71.0 of Trivy is now available, current version is 0.69.3
2026-06-04T07:13:45.1637198Z 
2026-06-04T07:13:45.1637786Z To suppress version checks, run Trivy scans with the --skip-version-check flag
2026-06-04T07:13:45.1638555Z 
2026-06-04T07:13:45.2703330Z Temporary disabling native trivy until https://github.com/aquasecurity/trivy-action/ is fixed
2026-06-04T07:13:45.4919366Z 2026-06-04T07:13:45Z	INFO	[misconfig] Misconfiguration scanning is enabled
2026-06-04T07:13:45.4921567Z 2026-06-04T07:13:45Z	INFO	[checks-client] Using existing checks from cache	path="/root/.cache/trivy/policy/content"
2026-06-04T07:13:46.9163272Z 2026-06-04T07:13:46Z	INFO	[terraform scanner] Scanning root module	file_path="."
2026-06-04T07:13:46.9171693Z 2026-06-04T07:13:46Z	WARN	[terraform parser] Variable values were not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="project_id, secret_accessors, secrets"
2026-06-04T07:13:46.9248077Z 2026-06-04T07:13:46Z	INFO	Detected config files	num=1
2026-06-04T07:13:46.9257877Z 
2026-06-04T07:13:46.9258367Z 📣 �[34mNotices:�[0m
2026-06-04T07:13:46.9259253Z   - Version 0.71.0 of Trivy is now available, current version is 0.69.3
2026-06-04T07:13:46.9260880Z 
2026-06-04T07:13:46.9261351Z To suppress version checks, run Trivy scans with the --skip-version-check flag
2026-06-04T07:13:46.9261928Z 
2026-06-04T07:14:03.4941648Z Using docker only until https://github.com/aquasecurity/trivy-action/ is fixedRunninng initTerraform infrastructure/terraform/secret-access
2026-06-04T07:14:03.4943273Z terraform binary not found. Falling back to running the docker version
2026-06-04T07:14:05.5412174Z terraform binary not found. Falling back to running the docker version
2026-06-04T07:14:05.5425251Z terraform binary not found. Falling back to running the docker version
2026-06-04T07:14:05.5535159Z terraform binary not found. Falling back to running the docker version
2026-06-04T07:14:06.1657426Z tflint binary not found. Falling back to running the docker version
2026-06-04T07:14:06.1993049Z Unable to find image 'ghcr.io/terraform-linters
...
2026-06-04T07:14:13.8846646Z Cleaning up orphan processes
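
An added example, not part of the original issue and not Trivy's own code: a small log triage helper that groups the paired `[module resolver]` / `[terraform evaluator]` errors quoted above by module call site, and keeps every other ERROR line separate so it is not lost in the noise. It assumes the line layout shown in the issue (timestamp, level, `[component] message`, `key="value"` fields); the function names and the sample input are constructed for illustration.

```python
import re

LINE_RE = re.compile(r'(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)\s+([A-Z]+)\s+\[([^\]]+)\]\s+(.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Parse one Trivy log line; a CI runner timestamp in front of it is skipped."""
    m = LINE_RE.search(line)
    if not m:
        return None
    _, level, component, rest = m.groups()
    kv = KV_RE.search(rest)
    return {"level": level, "component": component, "fields": dict(KV_RE.findall(rest)),
            "message": (rest[:kv.start()] if kv else rest).strip()}

def summarize(log_text):
    """Return (module load failures keyed by call site, all other ERROR records)."""
    failures, others, pending = {}, [], None
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["level"] != "ERROR":
            continue
        f = rec["fields"]
        if rec["component"] == "terraform evaluator" and "loc" in f:
            entry = failures.setdefault(f["loc"], {"err": f.get("err"), "registry": None, "count": 0})
            entry["count"] += 1
            if pending and pending["fields"].get("module") == f.get("module"):
                entry["registry"], pending = pending["fields"]["hostname"], None
            continue
        if pending:  # resolver error not directly followed by a load failure: keep it visible
            others.append(pending)
            pending = None
        if rec["component"] == "module resolver" and "hostname" in f:
            pending = rec  # registry context for the next evaluator error
        else:
            others.append(rec)
    return failures, others + ([pending] if pending else [])

# Constructed sample in the format quoted in the issue; the last line is a made-up unrelated error.
SAMPLE = "\n".join([
    '2026-06-04T07:13:44.3741453Z 2026-06-04T07:13:44Z\tERROR\t[module resolver] Failed to find a token for the registry\tmodule="root" hostname="spacelift.io" err="no token was found for the registry at spacelift.io"',
    '2026-06-04T07:13:44.4711192Z 2026-06-04T07:13:44Z\tERROR\t[terraform evaluator] Failed to load module. Maybe try \'terraform init\'?\tmodule="root" loc="main.tf:69-76" err="unexpected status code for versions endpoint: 404"',
    '2026-06-04T07:13:44Z\tERROR\t[module resolver] Failed to find a token for the registry\tmodule="root" hostname="spacelift.io" err="no token was found for the registry at spacelift.io"',
    '2026-06-04T07:13:44Z\tERROR\t[terraform evaluator] Failed to load module. Maybe try \'terraform init\'?\tmodule="root" loc="monitoring.tf:183-190" err="unexpected status code for versions endpoint: 404"',
    '2026-06-04T07:13:45Z\tERROR\t[hypothetical component] Constructed unrelated error\tfile="example.tf"',
])

if __name__ == "__main__":
    failures, others = summarize(SAMPLE)
    print(failures, others)
```

The grouped call sites are the `module` blocks whose remote resolution failed, so they are the ones to check against the local module cache before treating the errors as noise.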
