Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Make checkov more flexible #329

Closed
wants to merge 1 commit into from
Closed

feat: Make checkov more flexible #329

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions .pre-commit-hooks.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -95,9 +95,9 @@
- id: checkov
name: Checkov
description: Runs checkov on Terraform templates.
entry: hooks/checkov -d .
language: python
pass_filenames: false
entry: hooks/checkov.sh
language: script
pass_filenames: true
always_run: false
files: \.tf$
exclude: \.terraform\/.*$
Expand Down
4 changes: 3 additions & 1 deletion README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -238,11 +238,13 @@ For [checkov](https://github.com/bridgecrewio/checkov) you need to specify each
```yaml
- id: checkov
args: [
"-d", ".",
"-d", "./mod1",
"--skip-check", "CKV2_AWS_8",
]
```

By default, `checkov` will scan the entire repository's terraform files. You can use the `--scan-change-directories` or `--scan-change-files` arguments, to restrict the scan to changed directories or terraform files (if both of these are provided, the directory command will take precedence). Any other arguments provided will be passed through to checkov.

### infracost_breakdown

`infracost_breakdown` executes `infracost breakdown` command and compare the estimated costs with those specified in the hook-config. `infracost breakdown` normally runs `terraform init`, `terraform plan`, and calls Infracost Cloud Pricing API (remote version or [self-hosted version](https://www.infracost.io/docs/cloud_pricing_api/self_hosted)).
Expand Down
123 changes: 123 additions & 0 deletions hooks/checkov.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,123 @@
#!/usr/bin/env bash
set -eo pipefail

#######################################################################
# Wrapper function for hook. Determines run mode based on bool set by
# argparse, and triggers that run mode.
# Globals:
# None
# Arguments:
# None
# Returns:
# 0 if successful, non-zero on error
#######################################################################
function main {
parse_arguments "$@"
# shellcheck disable=SC2153 # False positive
if [[ ${CHANGE_DIRECTORY_SCAN} == true ]]; then
# directories containing changed .tf files only
directory_runner
elif [[ ${CHANGE_FILE_SCAN} == true ]]; then
# changed .tf files only
file_runner
else
# whole repository
checkov "${ARGS[@]}" -d .
fi
}

#######################################################################
# Parses arguments provided to the hook to filter out changed files and
# args for the hook, set run mode (if present) and remove run mode toggles
# from the args as they're not valid for checkov. Enables backwards
# compatibility for those using checkov with no args, or without --args
# Globals:
# None
# Arguments:
# None
# Returns:
# 0 if successful, non-zero on error
# Creates global arrays ARGS, FILES, may create a run mode global
#######################################################################
function parse_arguments {
declare -a -g ARGS=()
declare -a -g FILES=()

argv=("$@")
pattern='^.*\.tf$'
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The any_chars_from_beginning part of pattern makes no much sense and can be dropped

Suggested change
pattern='^.*\.tf$'
pattern='\.tf$'


for item in "${argv[@]}"; do
if [[ $item =~ $pattern ]]; then
FILES+=("$item")
else
case $item in
--scan-change-directories)
CHANGE_DIRECTORY_SCAN=true
;;
--scan-change-files)
CHANGE_FILE_SCAN=true
;;
# -f filtered out to avoid duplicating
-f | --file)
:
;;
*)
ARGS+=("$item")
;;
esac
fi
done
}

#######################################################################
# Identifies directories containing files that have changed in them, builds
# a command string from them, and then runs checkov against those dirs
# with args provided to hook.
# Globals:
# FILES
# ARGS
# Arguments:
# None
# Returns:
# 0 if successful, non-zero on error
#######################################################################
function directory_runner {
declare -a directories=()
declare -a directory_command=()

for file_with_path in "${FILES[@]}"; do
directory=$(dirname "$file_with_path")
directories+=("$directory")
done

for dir in $(echo "${directories[*]}" | tr ' ' '\n' | sort -u); do
directory_command+=("-d")
directory_command+=("$dir")
done

checkov "${ARGS[@]}" "${directory_command[@]}"
}

#######################################################################
# Builds a command string from the files provided, and runs checkov against
# those files with args provided to hook. This is the fastest run mode.
# Globals:
# FILES
# ARGS
# Arguments:
# None
# Returns:
# 0 if successful, non-zero on error
#######################################################################
function file_runner {
declare -a file_command=()

for file in "${FILES[@]}"; do
file_command+=("-f")
file_command+=("$file")
done

checkov "${ARGS[@]}" "${file_command[@]}"
}

[ "${BASH_SOURCE[0]}" != "$0" ] || main "$@"