Host key verification issue with private terraform modules

[lward-lucid]

Hi

Can this action be extended (or would you accept a PR) that allowed the known_host file to be set when running this action? Or have the action pre-loaded with at least githubs host keys - https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints

Currently the default openssh (and via this git) has the StrictHostKeyChecking enabled (rightly so), however due to this the terrascan action cannot checkout a terraform module hosted in a private git repository (not sure if this would also apply to public git repo as well)

We use private modules that are accessed via git like so

module "module_foo" {
  name    = "foo-bar"
  source  = "git::[email protected]:some-org-name/terraform-modules//some-module-name?ref=v15.0.2"
}

The terrascan action allows us to set the scm_token param to checkout these module (private repos) but it fails on host key verification

terrascan scan  -d . -i terraform -t aws -c .github/linters/terrascan.toml --repo-url https://github.com/some-org-name/terraform.git --repo-ref refs/pull/1234/merge
2022-10-06T18:10:27.685Z	error	downloader/getter.go:105	failed to download "git::ssh://[email protected]/some-otg-name/terraform-modules?ref=v18.0.0". error: 'error downloading 'ssh://[email protected]/some-org-name/terraform-modules?ref=v18.0.0': /usr/bin/git exited with 128: Cloning into '/tmp/asdasd'...
Host key verification failed.
fatal: Could not read from remote repository.

Thanks

[lward-lucid]

Just realised after posting this the scm_token is only going to be used on https git checkouts and would not be used in the code example above that is using git:: protocol. So even if host key support is added we would end up having an issue with passing ssh creds to the action in order to git checkout the modules.