feat: Added terraform_checkov (run per folder), deprecated checkov hook (antonbabenko#290)

bmbferreira · web-flow · commit e3a98345bb3b · 2022-04-15T19:26:33.000+02:00
diff --git a/.pre-commit-hooks.yaml b/.pre-commit-hooks.yaml
@@ -93,7 +93,7 @@
   language: script
 
 - id: checkov
-  name: Checkov
+  name: checkov (deprecated, use "terraform_checkov")
   description: Runs checkov on Terraform templates.
   entry: checkov -d .
   language: python
@@ -103,6 +103,16 @@
   exclude: \.terraform\/.*$
   require_serial: true
 
+- id: terraform_checkov
+  name: Checkov
+  description: Runs checkov on Terraform templates.
+  entry: hooks/terraform_checkov.sh
+  language: script
+  always_run: false
+  files: \.tf$
+  exclude: \.terraform\/.*$
+  require_serial: true
+
 - id: terrascan
   name: terrascan
   description: Runs terrascan on Terraform templates.
diff --git a/README.md b/README.md
@@ -36,7 +36,7 @@ If you are using `pre-commit-terraform` already or want to support its developme
   * [4. Run](#4-run)
 * [Available Hooks](#available-hooks)
 * [Hooks usage notes and examples](#hooks-usage-notes-and-examples)
-  * [checkov](#checkov)
+  * [checkov (deprecated) and terraform_checkov](#checkov-deprecated-and-terraform_checkov)
   * [infracost_breakdown](#infracost_breakdown)
   * [terraform_docs](#terraform_docs)
   * [terraform_docs_replace (deprecated)](#terraform_docs_replace-deprecated)
@@ -220,11 +220,11 @@ There are several [pre-commit](https://pre-commit.com/) hooks to keep Terraform
 <!-- markdownlint-disable no-inline-html -->
 | Hook name                                              | Description                                                                                                                                                                                                                                  | Dependencies<br><sup>[Install instructions here](#1-install-dependencies)</sup>      |
 | ------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------ |
-| `checkov`                                              | [checkov](https://github.com/bridgecrewio/checkov) static analysis of terraform templates to spot potential security issues. [Hook notes](#checkov)                                                                                          | `checkov`<br>Ubuntu deps: `python3`, `python3-pip`                                   |
+| `checkov` and `terraform_checkov`                      | [checkov](https://github.com/bridgecrewio/checkov) static analysis of terraform templates to spot potential security issues. [Hook notes](#checkov-deprecated-and-terraform_checkov)                                                                    | `checkov`<br>Ubuntu deps: `python3`, `python3-pip`                                   |
 | `infracost_breakdown`                                  | Check how much your infra costs with [infracost](https://github.com/infracost/infracost). [Hook notes](#infracost_breakdown)                                                                                                                 | `infracost`, `jq`, [Infracost API key](https://www.infracost.io/docs/#2-get-api-key) |
+| `terraform_docs`                                       | Inserts input and output documentation into `README.md`. Recommended. [Hook notes](#terraform_docs)                                                                                                                                          | `terraform-docs`                                                                     |
 | `terraform_docs_replace`                               | Runs `terraform-docs` and pipes the output directly to README.md. **DEPRECATED**, see [#248](https://github.com/antonbabenko/pre-commit-terraform/issues/248). [Hook notes](#terraform_docs_replace-deprecated)                              | `python3`, `terraform-docs`                                                          |
 | `terraform_docs_without_`<br>`aggregate_type_defaults` | Inserts input and output documentation into `README.md` without aggregate type defaults. Hook notes same as for [terraform_docs](#terraform_docs)                                                                                            | `terraform-docs`                                                                     |
-| `terraform_docs`                                       | Inserts input and output documentation into `README.md`. Recommended. [Hook notes](#terraform_docs)                                                                                                                                          | `terraform-docs`                                                                     |
 | `terraform_fmt`                                        | Reformat all Terraform configuration files to a canonical format. [Hook notes](#terraform_fmt)                                                                                                                                               | -                                                                                    |
 | `terraform_providers_lock`                             | Updates provider signatures in [dependency lock files](https://www.terraform.io/docs/cli/commands/providers/lock.html). [Hook notes](#terraform_providers_lock)                                                                              | -                                                                                    |
 | `terraform_tflint`                                     | Validates all Terraform configuration files with [TFLint](https://github.com/terraform-linters/tflint). [Available TFLint rules](https://github.com/terraform-linters/tflint/tree/master/docs/rules#rules). [Hook notes](#terraform_tflint). | `tflint`                                                                             |
@@ -240,9 +240,24 @@ Check the [source file](https://github.com/antonbabenko/pre-commit-terraform/blo
 
 ## Hooks usage notes and examples
 
-### checkov
+### checkov (deprecated) and terraform_checkov
+
+> `checkov` hook is deprecated, please use `terraform_checkov`.
+
+Note that `terraform_checkov` runs recursively during `-d .` usage. That means, for example, if you change `.tf` file in repo root, all existing `.tf` files in repo will be checked.
+
+1. You can specify custom arguments. E.g.:
+
+    ```yaml
+    - id: terraform_checkov
+      args:
+        - --args=--quiet
+        - --args=--skip-check CKV2_AWS_8
+    ```
+
+    Check all available arguments [here](https://www.checkov.io/2.Basics/CLI%20Command%20Reference.html).
 
-For [checkov](https://github.com/bridgecrewio/checkov) you need to specify each argument separately:
+For deprecated hook you need to specify each argument separately:
 
 ```yaml
 - id: checkov
diff --git a/hooks/terraform_checkov.sh b/hooks/terraform_checkov.sh
@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+set -eo pipefail
+
+# globals variables
+# hook ID, see `- id` for details in .pre-commit-hooks.yaml file
+# shellcheck disable=SC2034 # Unused var.
+readonly HOOK_ID='terraform_checkov'
+# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines
+readonly SCRIPT_DIR="$(dirname "$(realpath "${BASH_SOURCE[0]}")")"
+# shellcheck source=_common.sh
+. "$SCRIPT_DIR/_common.sh"
+
+function main {
+  common::initialize "$SCRIPT_DIR"
+  common::parse_cmdline "$@"
+  # shellcheck disable=SC2153 # False positive
+  common::per_dir_hook "${ARGS[*]}" "$HOOK_ID" "${FILES[@]}"
+}
+
+#######################################################################
+# Unique part of `common::per_dir_hook`. The function is executed in loop
+# on each provided dir path. Run wrapped tool with specified arguments
+# Arguments:
+#   args (string with array) arguments that configure wrapped tool behavior
+#   dir_path (string) PATH to dir relative to git repo root.
+#     Can be used in error logging
+# Outputs:
+#   If failed - print out hook checks status
+#######################################################################
+function per_dir_hook_unique_part {
+  # common logic located in common::per_dir_hook
+  local -r args="$1"
+  # shellcheck disable=SC2034 # Unused var.
+  local -r dir_path="$2"
+
+  # shellcheck disable=SC2068 # hook fails when quoting is used ("$arg[@]")
+  checkov -d . ${args[@]}
+
+  # return exit code to common::per_dir_hook
+  local exit_code=$?
+  return $exit_code
+}
+
+#######################################################################
+# Unique part of `common::per_dir_hook`. The function is executed one time
+# in the root git repo
+# Arguments:
+#   args (string with array) arguments that configure wrapped tool behavior
+#######################################################################
+function run_hook_on_whole_repo {
+  local -r args="$1"
+
+  # pass the arguments to hook
+  # shellcheck disable=SC2068 # hook fails when quoting is used ("$arg[@]")
+  checkov -d "$(pwd)" ${args[@]}
+
+  # return exit code to common::per_dir_hook
+  local exit_code=$?
+  return $exit_code
+}
+
+[[ ${BASH_SOURCE[0]} != "$0" ]] || main "$@"
