feat: Added
terraform_checkov
(run per folder), deprecated `checkov…
…` hook (antonbabenko#290)
1 parent
b35dc17
commit e3a9834
Showing
3 changed files
with
93 additions
and
6 deletions.
@@ -0,0 +1,62 @@ | ||
#!/usr/bin/env bash | ||
set -eo pipefail | ||
|
||
# globals variables | ||
# hook ID, see `- id` for details in .pre-commit-hooks.yaml file | ||
# shellcheck disable=SC2034 # Unused var. | ||
readonly HOOK_ID='terraform_checkov' | ||
# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines | ||
readonly SCRIPT_DIR="$(dirname "$(realpath "${BASH_SOURCE[0]}")")" | ||
# shellcheck source=_common.sh | ||
. "$SCRIPT_DIR/_common.sh" | ||
|
||
function main { | ||
common::initialize "$SCRIPT_DIR" | ||
common::parse_cmdline "$@" | ||
# shellcheck disable=SC2153 # False positive | ||
common::per_dir_hook "${ARGS[*]}" "$HOOK_ID" "${FILES[@]}" | ||
} | ||
|
||
####################################################################### | ||
# Unique part of `common::per_dir_hook`. The function is executed in loop | ||
# on each provided dir path. Run wrapped tool with specified arguments | ||
# Arguments: | ||
# args (string with array) arguments that configure wrapped tool behavior | ||
# dir_path (string) PATH to dir relative to git repo root. | ||
# Can be used in error logging | ||
# Outputs: | ||
# If failed - print out hook checks status | ||
####################################################################### | ||
function per_dir_hook_unique_part { | ||
# common logic located in common::per_dir_hook | ||
local -r args="$1" | ||
# shellcheck disable=SC2034 # Unused var. | ||
local -r dir_path="$2" | ||
|
||
# shellcheck disable=SC2068 # hook fails when quoting is used ("$arg[@]") | ||
checkov -d . ${args[@]} | ||
|
||
# return exit code to common::per_dir_hook | ||
local exit_code=$? | ||
return $exit_code | ||
} | ||
|
||
####################################################################### | ||
# Unique part of `common::per_dir_hook`. The function is executed one time | ||
# in the root git repo | ||
# Arguments: | ||
# args (string with array) arguments that configure wrapped tool behavior | ||
####################################################################### | ||
function run_hook_on_whole_repo { | ||
local -r args="$1" | ||
|
||
# pass the arguments to hook | ||
# shellcheck disable=SC2068 # hook fails when quoting is used ("$arg[@]") | ||
checkov -d "$(pwd)" ${args[@]} | ||
|
||
# return exit code to common::per_dir_hook | ||
local exit_code=$? | ||
return $exit_code | ||
} | ||
|
||
[[ ${BASH_SOURCE[0]} != "$0" ]] || main "$@" |
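Review bot: The unquoted `${args[@]}` on the checkov line in per_dir_hook_unique_part (and again in run_hook_on_whole_repo) expands a scalar `args`, so besides the intended word-splitting it is also subject to pathname expansion: a configured argument such as a `--skip-path` or `--check` value containing `*` or `?` is replaced by matching file names in the directory being scanned whenever such files exist, silently changing what checkov is told to check. Splitting into an array with `read` keeps the whitespace splitting without globbing, `local -a argv=()`, `read -r -a argv <<< "$args"`, `checkov -d . "${argv[@]}"`, and the SC2068 disable comment can then be dropped. Arguments that themselves contain whitespace still cannot survive the `"${ARGS[*]}"` join in main; a comment on that line such as `# NOTE: args are joined with spaces and re-split per dir, so a single arg must not contain whitespace` would save the next reader a debugging session. The `local exit_code=$?` capture is only reached under `set -eo pipefail` if common::per_dir_hook (defined in _common.sh, outside this diff) invokes these functions in a context where `-e` is suppressed, which is worth confirming.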