When using --download-external-modules, checkov fails git cone terraform modules from non-main branch

[BartoszRojek]

Checkov fails when parsing TF source syntax (//) that results wrong clone address.

TF code:

module "windows_vm" {
  source                     = "git::ssh://git@ssh.dev.azure.com/v3/Company/Company-Terraform-Module-Library/cat-tf-modules//AzureRM4/modules/virtual-machine-windows?ref=1014016-chekov-branch-bug"
  instance_name              = "vm-001"
...

Modules repo structure:

cat-tf-modules\AzureRM4\modules\

Error:

Using config file: .checkov.yaml ...
2026-05-20 12:40:27,407 [MainThread  ] [WARNI]
  failed to get git::ssh://git@ssh.dev.azure.com/v3/Company/Company-Terraform-Module-Library/cat-tf-modules?ref=1014016-chekov-branch-bug in git loader because of
 Cmd('git') failed due to: exit code(128)
  cmdline:
 git clone -v --no-checkout -- ssh://*****@ssh.dev.azure.com/v3/Company/Company-Terraform-Module-Library/cat-tf-modules-chekov-branch-bug /agent/_work/1/s/terraform/.external_modules/git@ssh.dev.azure.com/v3/Company/Company-Terraform-Module-Library/cat-tf-modules/1014016-chekov-branch-bug

  stderr: 'Cloning into '/agent/_work/1/s/terraform/.external_modules/git@ssh.dev.azure.com/v3/Company/Company-Terraform-Module-Library/cat-tf-modules/1014016-chekov-branch-bug'...

remote: TF401019: The Git repository with name or identifier cat-tf-modules-chekov-branch-bug does not exist or you do not have permissions for the operation you are attempting.

client_loop: send disconnect: Broken pipe

fatal: Could not read from remote repository. Please make sure you have the correct access rights and the repository exists.

[BartoszRojek]

Last working version without the bug is: 3.2.527

[Gbolahan-Aziz]

@BartoszRojek The PR above adds (?:&|$) to the COMMIT_ID_PATTERN, so it only matches a ref value that is purely hexadecimal with nothing following it. Branch/tag names that start with hex characters now fall through to TAG_PATTERN and are cloned correctly.