diff --git a/scripts/ingest_sbom.py b/scripts/ingest_sbom.py
index 59ce949..c024ac8 100644
--- a/scripts/ingest_sbom.py
+++ b/scripts/ingest_sbom.py
@@ -180,12 +180,47 @@ def _parse_cargo_lock(path: Path) -> list[dict]:
     ]
 
 
+def _parse_terraform_lock_hcl(path: Path) -> list[dict]:
+    """Parse .terraform.lock.hcl — extract Terraform provider name + version."""
+    entries = []
+    current_name: str | None = None
+    current_version: str | None = None
+
+    for line in path.read_text().splitlines():
+        stripped = line.strip()
+        # e.g.: provider "registry.terraform.io/hetznercloud/hcloud" {
+        m = re.match(r'^provider\s+"([^"]+)"\s*\{', stripped)
+        if m:
+            # Use full provider address as package_name, short name as display
+            full = m.group(1)
+            current_name = full  # e.g. "registry.terraform.io/hetznercloud/hcloud"
+            current_version = None
+        elif current_name is not None:
+            vm = re.match(r'version\s*=\s*"([^"]+)"', stripped)
+            if vm:
+                current_version = vm.group(1)
+            elif stripped == "}":
+                entries.append({
+                    "package_name": current_name,
+                    "package_version": current_version,
+                    "ecosystem": "other",   # "terraform" not yet in ENUM; tracked as other
+                    "license_spdx": None,
+                    "is_direct": True,
+                    "is_dev": False,
+                })
+                current_name = None
+                current_version = None
+
+    return entries
+
+
 _LOCKFILE_PARSERS = {
     "uv.lock": _parse_uv_lock,
     "requirements.txt": _parse_requirements_txt,
     "package-lock.json": _parse_package_lock_json,
     "yarn.lock": _parse_yarn_lock,
     "Cargo.lock": _parse_cargo_lock,
+    ".terraform.lock.hcl": _parse_terraform_lock_hcl,
 }
 
 # Directories that never contain project-level lockfiles