github/pre-commit-opentofu
1
0
Fork 1
mirror of https://github.com/tofuutils/pre-commit-opentofu.git synced 2025-10-15 17:38:54 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

feat: Added terraform_checkov (run per folder), deprecated checkov hook (#290)

Browse source
This commit is contained in:
Bruno Ferreira 2022-04-15 18:26:33 +01:00 committed by GitHub
commit e3a98345bb
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 93 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

12
.pre-commit-hooks.yaml
View file

@ -93,7 +93,7 @@
language: script language: script
- id: checkov - id: checkov
name: Checkov name: checkov (deprecated, use "terraform_checkov")
description: Runs checkov on Terraform templates. description: Runs checkov on Terraform templates.
entry: checkov -d . entry: checkov -d .
language: python language: python
@ -103,6 +103,16 @@
exclude: \.terraform\/.*$ exclude: \.terraform\/.*$
require_serial: true require_serial: true
- id: terraform_checkov
name: Checkov
description: Runs checkov on Terraform templates.
entry: hooks/terraform_checkov.sh
language: script
always_run: false
files: \.tf$
exclude: \.terraform\/.*$
require_serial: true
- id: terrascan - id: terrascan
name: terrascan name: terrascan
description: Runs terrascan on Terraform templates. description: Runs terrascan on Terraform templates.

25
README.md
View file

@ -36,7 +36,7 @@ If you are using `pre-commit-terraform` already or want to support its developme
* [4. Run](#4-run) * [4. Run](#4-run)
* [Available Hooks](#available-hooks) * [Available Hooks](#available-hooks)
* [Hooks usage notes and examples](#hooks-usage-notes-and-examples) * [Hooks usage notes and examples](#hooks-usage-notes-and-examples)
* [checkov](#checkov) * [checkov (deprecated) and terraform_checkov](#checkov-deprecated-and-terraform_checkov)
* [infracost_breakdown](#infracost_breakdown) * [infracost_breakdown](#infracost_breakdown)
* [terraform_docs](#terraform_docs) * [terraform_docs](#terraform_docs)
* [terraform_docs_replace (deprecated)](#terraform_docs_replace-deprecated) * [terraform_docs_replace (deprecated)](#terraform_docs_replace-deprecated)
@ -220,11 +220,11 @@ There are several [pre-commit](https://pre-commit.com/) hooks to keep Terraform
<!-- markdownlint-disable no-inline-html --> <!-- markdownlint-disable no-inline-html -->
| Hook name | Description | Dependencies<br><sup>[Install instructions here](#1-install-dependencies)</sup> | | Hook name | Description | Dependencies<br><sup>[Install instructions here](#1-install-dependencies)</sup> |
| ------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------ | | ------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------ |
| `checkov` | [checkov](https://github.com/bridgecrewio/checkov) static analysis of terraform templates to spot potential security issues. [Hook notes](#checkov) | `checkov`<br>Ubuntu deps: `python3`, `python3-pip` | | `checkov` and `terraform_checkov` | [checkov](https://github.com/bridgecrewio/checkov) static analysis of terraform templates to spot potential security issues. [Hook notes](#checkov-deprecated-and-terraform_checkov) | `checkov`<br>Ubuntu deps: `python3`, `python3-pip` |
| `infracost_breakdown` | Check how much your infra costs with [infracost](https://github.com/infracost/infracost). [Hook notes](#infracost_breakdown) | `infracost`, `jq`, [Infracost API key](https://www.infracost.io/docs/#2-get-api-key) | | `infracost_breakdown` | Check how much your infra costs with [infracost](https://github.com/infracost/infracost). [Hook notes](#infracost_breakdown) | `infracost`, `jq`, [Infracost API key](https://www.infracost.io/docs/#2-get-api-key) |
| `terraform_docs` | Inserts input and output documentation into `README.md`. Recommended. [Hook notes](#terraform_docs) | `terraform-docs` |
| `terraform_docs_replace` | Runs `terraform-docs` and pipes the output directly to README.md. **DEPRECATED**, see [#248](https://github.com/antonbabenko/pre-commit-terraform/issues/248). [Hook notes](#terraform_docs_replace-deprecated) | `python3`, `terraform-docs` | | `terraform_docs_replace` | Runs `terraform-docs` and pipes the output directly to README.md. **DEPRECATED**, see [#248](https://github.com/antonbabenko/pre-commit-terraform/issues/248). [Hook notes](#terraform_docs_replace-deprecated) | `python3`, `terraform-docs` |
| `terraform_docs_without_`<br>`aggregate_type_defaults` | Inserts input and output documentation into `README.md` without aggregate type defaults. Hook notes same as for [terraform_docs](#terraform_docs) | `terraform-docs` | | `terraform_docs_without_`<br>`aggregate_type_defaults` | Inserts input and output documentation into `README.md` without aggregate type defaults. Hook notes same as for [terraform_docs](#terraform_docs) | `terraform-docs` |
| `terraform_docs` | Inserts input and output documentation into `README.md`. Recommended. [Hook notes](#terraform_docs) | `terraform-docs` |
| `terraform_fmt` | Reformat all Terraform configuration files to a canonical format. [Hook notes](#terraform_fmt) | - | | `terraform_fmt` | Reformat all Terraform configuration files to a canonical format. [Hook notes](#terraform_fmt) | - |
| `terraform_providers_lock` | Updates provider signatures in [dependency lock files](https://www.terraform.io/docs/cli/commands/providers/lock.html). [Hook notes](#terraform_providers_lock) | - | | `terraform_providers_lock` | Updates provider signatures in [dependency lock files](https://www.terraform.io/docs/cli/commands/providers/lock.html). [Hook notes](#terraform_providers_lock) | - |
| `terraform_tflint` | Validates all Terraform configuration files with [TFLint](https://github.com/terraform-linters/tflint). [Available TFLint rules](https://github.com/terraform-linters/tflint/tree/master/docs/rules#rules). [Hook notes](#terraform_tflint). | `tflint` | | `terraform_tflint` | Validates all Terraform configuration files with [TFLint](https://github.com/terraform-linters/tflint). [Available TFLint rules](https://github.com/terraform-linters/tflint/tree/master/docs/rules#rules). [Hook notes](#terraform_tflint). | `tflint` |
@ -240,9 +240,24 @@ Check the [source file](https://github.com/antonbabenko/pre-commit-terraform/blo
## Hooks usage notes and examples ## Hooks usage notes and examples
### checkov ### checkov (deprecated) and terraform_checkov
For [checkov](https://github.com/bridgecrewio/checkov) you need to specify each argument separately: > `checkov` hook is deprecated, please use `terraform_checkov`.
Note that `terraform_checkov` runs recursively during `-d .` usage. That means, for example, if you change `.tf` file in repo root, all existing `.tf` files in repo will be checked.
1. You can specify custom arguments. E.g.:
```yaml
- id: terraform_checkov
args:
- --args=--quiet
- --args=--skip-check CKV2_AWS_8
```
Check all available arguments [here](https://www.checkov.io/2.Basics/CLI%20Command%20Reference.html).
For deprecated hook you need to specify each argument separately:
```yaml ```yaml
- id: checkov - id: checkov

62
hooks/terraform_checkov.sh Executable file
View file

@ -0,0 +1,62 @@
#!/usr/bin/env bash
set -eo pipefail
# globals variables
# hook ID, see `- id` for details in .pre-commit-hooks.yaml file
# shellcheck disable=SC2034 # Unused var.
readonly HOOK_ID='terraform_checkov'
# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines
readonly SCRIPT_DIR="$(dirname "$(realpath "${BASH_SOURCE[0]}")")"
# shellcheck source=_common.sh
. "$SCRIPT_DIR/_common.sh"
function main {
common::initialize "$SCRIPT_DIR"
common::parse_cmdline "$@"
# shellcheck disable=SC2153 # False positive
common::per_dir_hook "${ARGS[*]}" "$HOOK_ID" "${FILES[@]}"
}
#######################################################################
# Unique part of `common::per_dir_hook`. The function is executed in loop
# on each provided dir path. Run wrapped tool with specified arguments
# Arguments:
# args (string with array) arguments that configure wrapped tool behavior
# dir_path (string) PATH to dir relative to git repo root.
# Can be used in error logging
# Outputs:
# If failed - print out hook checks status
#######################################################################
function per_dir_hook_unique_part {
# common logic located in common::per_dir_hook
local -r args="$1"
# shellcheck disable=SC2034 # Unused var.
local -r dir_path="$2"
# shellcheck disable=SC2068 # hook fails when quoting is used ("$arg[@]")
checkov -d . ${args[@]}
# return exit code to common::per_dir_hook
local exit_code=$?
return $exit_code
}
#######################################################################
# Unique part of `common::per_dir_hook`. The function is executed one time
# in the root git repo
# Arguments:
# args (string with array) arguments that configure wrapped tool behavior
#######################################################################
function run_hook_on_whole_repo {
local -r args="$1"
# pass the arguments to hook
# shellcheck disable=SC2068 # hook fails when quoting is used ("$arg[@]")
checkov -d "$(pwd)" ${args[@]}
# return exit code to common::per_dir_hook
local exit_code=$?
return $exit_code
}
[[ ${BASH_SOURCE[0]} != "$0" ]] || main "$@"