feature: have option for terraform_tfsec.sh to only run in relevant modified directories #135
Conversation
@nkazarian-spokeo I hadn't considered using $files as a means to specify which sub-directories to run in (even if it will then run recursively), so this looks okay to me.
Thank you for your reply @jon-proietti-nutrien. I took
Okay, I have updated this PR with the
Here is an example of me modifying a single file and
The only oddity I noticed (and this might be a bug with
Whereas when the first argument is a valid directory, the behavior is correct and expected:
The workaround is easy enough, just Either way I believe this change is an enhancement because it won't fall back to always running recursively. In the proposed change, if more than one (unique) directory is modified, it will be a separate call to
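The per-directory approach described in this thread, as an added illustration that is not the repository's own terraform_tfsec.sh: the file list pre-commit passes is reduced to its unique parent directories, tfsec is invoked once per directory (never with a file argument, given the oddity noted above), and it falls back to a recursive root scan when no files are given. It goes one step beyond the PR by pruning directories already covered by an ancestor scan; the `unique_dirs`, `prune_nested` and `scan_changed_dirs` names are this example's own.

```shell
#!/usr/bin/env bash
# Added illustration, not the repository's own terraform_tfsec.sh: turn the
# file list pre-commit hands to a hook into one tfsec run per changed
# directory, instead of one recursive run from the repository root.
set -eu

# Print each distinct parent directory of the given files once, in
# first-seen order. A file in the repository root maps to ".".
unique_dirs() {
  local f
  for f in "$@"; do
    dirname -- "$f"
  done | awk '!seen[$0]++'
}

# Read directories from stdin and drop any whose ancestor is also listed:
# tfsec scans a directory recursively, so the ancestor run already covers it.
# (Pruning is this example's addition; the PR scans every unique directory.)
prune_nested() {
  awk '
    { dirs[NR] = $0 }
    END {
      for (i = 1; i <= NR; i++) {
        nested = 0
        for (j = 1; j <= NR; j++)
          if (i != j && (dirs[j] == "." || index(dirs[i], dirs[j] "/") == 1))
            nested = 1
        if (!nested) print dirs[i]
      }
    }'
}

# Run tfsec once per directory derived from the modified files. With no files
# at all (the "files:" key left out) fall back to a recursive scan of the
# root, as the PR description notes. Returns non-zero if any scan failed.
scan_changed_dirs() {
  local dir rc=0
  if [ "$#" -eq 0 ]; then
    set -- .
  fi
  while IFS= read -r dir; do
    # Pass the directory, never the file: the thread notes tfsec misbehaves
    # when its first argument is a file rather than a directory.
    tfsec "$dir" || rc=$?
  done <<EOF
$(unique_dirs "$@" | prune_nested)
EOF
  return "$rc"
}
```

Wire it to a hook as `scan_changed_dirs "$@"`; pre-commit expands the matched files into the positional arguments.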
1. `terraform_tfsec` will consume modified files that pre-commit | ||
passes to it, so you can perform whitelisting of directories | ||
or files to run against via [files](https://pre-commit.com/#config-files) | ||
pre-commit flag |
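Review bot: the README lines above say `files` gives "whitelisting of directories or files", but as this thread notes tfsec still scans the directory of each matched file recursively, so a pattern that matches a single file scans that file's whole directory; the README should state that the unit of scanning is the directory, not the file. Also, `files` is a per-hook key in the pre-commit config (the linked `#config-files` section), not a command-line flag, so "pre-commit flag" on the last line should read "pre-commit hook option".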
Can you add a quick example of how this will look in the config file, similar to the other examples in the readme, and then callout how the example will change which directories will be scanned by tfsec?
```yaml
hooks:
  - id: terraform_tfsec
    files: 'prd-infra/'
```

Will instruct tfsec to recursively scan the ./prd-infra folder, but will ignore any other folders at the root level.
Done! Please review when you get a moment.
I do wish that tfsec could adhere a bit more closely to how pre-commit works, which is to say that it would be nice if we could pass in to it a list of files we'd like to have scanned. It is also an open source project if you're feeling ambitious today :D Thanks again for the PR. I'll leave it here for @antonbabenko |
Yes, this! They managed to implement a blacklist with |
LGTM
@antonbabenko can we get your blessings on this? Our internal team wants to move forward with using Thanks a bunch.
@antonbabenko can you look at this again? I have resolved conflicts resulting from recent PR that involved changes to this file and back-ported my changes on top of it.
@nkazarian-spokeo Thanks for this PR and final rebase! v1.36.0 has been just released.
Awesome!!! Appreciate it @antonbabenko. Thanks for looking.
This will allow fine-grain control in `.pre-commit-config.yml` for those who implement the hook to specify `tfsec` to run in only certain directories like so:

Maybe someone can point me to the rationale behind the comment stating that "`$files` should be ignored since `tfsec` will run recursively anyway" since I was able to get a working example with these changes. Perhaps there was a time when `tfsec` only ran in a recursive fashion no matter what?

@jon-proietti-nutrien would like your input on this, as I noticed that you are the only contributor to this file on this repository.

Thanks.

EDIT: actually I believe this is more of an enhancement, as leaving out the `files:` key will have `tfsec` run recursively, but now we have the option to filter it down since there's no `--include` type flag that you can pass to `tfsec` itself (they just offer `--exclude-dir`). I changed the title to appropriately reflect my intent.