fix: Check all directories with changes and pass all args in terrascan hook (#305)

2025-10-15 17:38:54 +02:00 · 2021-12-22 19:44:53 +01:00 · 2021-12-22 19:44:53 +01:00 · 66401d93f4
commit 66401d93f4
parent 04ecd10343
3 changed files with 49 additions and 8 deletions
--- a/README.md
+++ b/README.md
@ -43,6 +43,7 @@ If you are using `pre-commit-terraform` already or want to support its developme
  * [terraform_tflint](#terraform_tflint)
  * [terraform_tfsec](#terraform_tfsec)
  * [terraform_validate](#terraform_validate)
+  * [terrascan](#terrascan)
 * [Authors](#authors)
 * [License](#license)

@ -223,7 +224,7 @@ There are several [pre-commit](https://pre-commit.com/) hooks to keep Terraform
 | `terraform_validate`                                   | Validates all Terraform configuration files. [Hook notes](#terraform_validate)                                                                                                                                                               | -                                                                                    |
 | `terragrunt_fmt`                                       | Reformat all [Terragrunt](https://github.com/gruntwork-io/terragrunt) configuration files (`*.hcl`) to a canonical format.                                                                                                                   | `terragrunt`                                                                         |
 | `terragrunt_validate`                                  | Validates all [Terragrunt](https://github.com/gruntwork-io/terragrunt) configuration files (`*.hcl`)                                                                                                                                         | `terragrunt`                                                                         |
-| `terrascan`                                            | [terrascan](https://github.com/accurics/terrascan) Detect compliance and security violations.                                                                                                                                                | `terrascan`                                                                          |
+| `terrascan`                                            | [terrascan](https://github.com/accurics/terrascan) Detect compliance and security violations. [Hook notes](#terrascan)                                                                                                                                               | `terrascan`                                                                          |
 <!-- markdownlint-enable no-inline-html -->

 Check the [source file](https://github.com/antonbabenko/pre-commit-terraform/blob/master/.pre-commit-hooks.yaml) to know arguments used for each hook.
@ -550,6 +551,22 @@ Example:

    **Warning:** If you use Terraform workspaces, DO NOT use this workaround ([details](https://github.com/antonbabenko/pre-commit-terraform/issues/203#issuecomment-918791847)). Wait to [`force-init`](https://github.com/antonbabenko/pre-commit-terraform/issues/224) option implementation.

+### terrascan
+
+1. `terrascan` supports custom arguments so you can pass supported flags like `--non-recursive` and `--policy-type` to disable recursive inspection and set the policy type respectively:
+
+    ```yaml
+    - id: terrascan
+      args:
+        - --args=--non-recursive # avoids scan errors on subdirectories without Terraform config files
+        - --args=--policy-type=azure
+    ```
+
+    See the `terrascan run -h` command line help for available options.
+
+2. Use the `--args=--verbose` parameter to see the rule ID in the scaning output. Usuful to skip validations.
+3. Use `--skip-rules="ruleID1,ruleID2"` parameter to skip one or more rules globally while scanning (e.g.: `--args=--skip-rules="ruleID1,ruleID2"`).
+4. Use the syntax `#ts:skip=RuleID optional_comment` inside a resource to skip the rule for that resource.

 ## Authors