Apply revie suggestions

.pre-commit-config.yaml

@@ -42,14 +42,14 @@ repos:
   hooks:
     - id: hadolint
       args: [
-        '--ignore', 'DL3027', # Do not use apt
         '--ignore', 'DL3007', # Using latest
+        '--ignore', 'DL3013', # Pin versions in pip
+        '--ignore', 'DL3027', # Do not use apt
+        '--ignore', 'DL3059', # Docker `RUN`s shouldn't be consolidated here
         '--ignore', 'DL4006', # Not related to alpine
         '--ignore', 'SC1091', # Useless check
         '--ignore', 'SC2015', # Useless check
         '--ignore', 'SC3037', # Not related to alpine
-        '--ignore', 'DL3013', # Pin versions in pip
-        '--ignore', 'DL3059', # Docker `RUN`s shouldn't be consolidated here
       ]
 
 # JSON5 Linter

tools/install/checkov.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 set -eo pipefail
-# shellcheck disable=SC1091 # Created by Dockerfile above script call
+# shellcheck disable=SC1091 # Created in Dockerfile before execution of this script
 source /.env
 
 if [[ $CHECKOV_VERSION != false ]]; then

tools/install/hcledit.sh

@@ -1,15 +1,15 @@
 #!/usr/bin/env bash
 set -eo pipefail
-# shellcheck disable=SC1091 # Created by Dockerfile above script call
+# shellcheck disable=SC1091 # Created in Dockerfile before execution of this script
 source /.env
 
 if [[ $HCLEDIT_VERSION != false ]]; then
-  HCLEDIT_RELEASES="https://api.github.com/repos/minamijoyo/hcledit/releases"
+  readonly RELEASES="https://api.github.com/repos/minamijoyo/hcledit/releases"
 
   if [[ $HCLEDIT_VERSION == latest ]]; then
-    curl -L "$(curl -s ${HCLEDIT_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz")" > hcledit.tgz
+    curl -L "$(curl -s ${RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz")" > hcledit.tgz
   else
-    curl -L "$(curl -s ${HCLEDIT_RELEASES} | grep -o -E -m 1 "https://.+?${HCLEDIT_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz")" > hcledit.tgz
+    curl -L "$(curl -s ${RELEASES} | grep -o -E -m 1 "https://.+?${HCLEDIT_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz")" > hcledit.tgz
   fi
 
   tar -xzf hcledit.tgz hcledit

tools/install/infracost.sh

@@ -1,15 +1,15 @@
 #!/usr/bin/env bash
 set -eo pipefail
-# shellcheck disable=SC1091 # Created by Dockerfile above script call
+# shellcheck disable=SC1091 # Created in Dockerfile before execution of this script
 source /.env
 
 if [[ $INFRACOST_VERSION != false ]]; then
-  INFRACOST_RELEASES="https://api.github.com/repos/infracost/infracost/releases"
+  readonly RELEASES="https://api.github.com/repos/infracost/infracost/releases"
 
   if [[ $INFRACOST_VERSION == latest ]]; then
-    curl -L "$(curl -s ${INFRACOST_RELEASES}/latest | grep -o -E -m 1 "https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz")" > infracost.tgz
+    curl -L "$(curl -s ${RELEASES}/latest | grep -o -E -m 1 "https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz")" > infracost.tgz
   else
-    curl -L "$(curl -s ${INFRACOST_RELEASES} | grep -o -E "https://.+?v${INFRACOST_VERSION}/infracost-${TARGETOS}-${TARGETARCH}.tar.gz")" > infracost.tgz
+    curl -L "$(curl -s ${RELEASES} | grep -o -E "https://.+?v${INFRACOST_VERSION}/infracost-${TARGETOS}-${TARGETARCH}.tar.gz")" > infracost.tgz
   fi
 
   tar -xzf infracost.tgz

tools/install/terraform-docs.sh

@@ -1,15 +1,15 @@
 #!/usr/bin/env bash
 set -eo pipefail
-# shellcheck disable=SC1091 # Created by Dockerfile above script call
+# shellcheck disable=SC1091 # Created in Dockerfile before execution of this script
 source /.env
 
 if [[ $TERRAFORM_DOCS_VERSION != false ]]; then
-  TERRAFORM_DOCS_RELEASES="https://api.github.com/repos/terraform-docs/terraform-docs/releases"
+  readonly RELEASES="https://api.github.com/repos/terraform-docs/terraform-docs/releases"
 
   if [[ $TERRAFORM_DOCS_VERSION == latest ]]; then
-    curl -L "$(curl -s ${TERRAFORM_DOCS_RELEASES}/latest | grep -o -E -m 1 "https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz")" > terraform-docs.tgz
+    curl -L "$(curl -s ${RELEASES}/latest | grep -o -E -m 1 "https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz")" > terraform-docs.tgz
   else
-    curl -L "$(curl -s ${TERRAFORM_DOCS_RELEASES} | grep -o -E "https://.+?v${TERRAFORM_DOCS_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz")" > terraform-docs.tgz
+    curl -L "$(curl -s ${RELEASES} | grep -o -E "https://.+?v${TERRAFORM_DOCS_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz")" > terraform-docs.tgz
   fi
 
   tar -xzf terraform-docs.tgz terraform-docs

tools/install/terragrunt.sh

@@ -1,15 +1,15 @@
 #!/usr/bin/env bash
 set -eo pipefail
-# shellcheck disable=SC1091 # Created by Dockerfile above script call
+# shellcheck disable=SC1091 # Created in Dockerfile before execution of this script
 source /.env
 
 if [[ $TERRAGRUNT_VERSION != false ]]; then
-  TERRAGRUNT_RELEASES="https://api.github.com/repos/gruntwork-io/terragrunt/releases"
+  readonly RELEASES="https://api.github.com/repos/gruntwork-io/terragrunt/releases"
 
   if [[ $TERRAGRUNT_VERSION == latest ]]; then
-    curl -L "$(curl -s ${TERRAGRUNT_RELEASES}/latest | grep -o -E -m 1 "https://.+?/terragrunt_${TARGETOS}_${TARGETARCH}")" > terragrunt
+    curl -L "$(curl -s ${RELEASES}/latest | grep -o -E -m 1 "https://.+?/terragrunt_${TARGETOS}_${TARGETARCH}")" > terragrunt
   else
-    curl -L "$(curl -s ${TERRAGRUNT_RELEASES} | grep -o -E -m 1 "https://.+?v${TERRAGRUNT_VERSION}/terragrunt_${TARGETOS}_${TARGETARCH}")" > terragrunt
+    curl -L "$(curl -s ${RELEASES} | grep -o -E -m 1 "https://.+?v${TERRAGRUNT_VERSION}/terragrunt_${TARGETOS}_${TARGETARCH}")" > terragrunt
   fi
 
   chmod +x terragrunt

tools/install/terrascan.sh

@@ -1,26 +1,26 @@
 #!/usr/bin/env bash
 set -eo pipefail
-# shellcheck disable=SC1091 # Created by Dockerfile above script call
+# shellcheck disable=SC1091 # Created in Dockerfile before execution of this script
 source /.env
 
 if [[ $TERRASCAN_VERSION != false ]]; then
   if [[ $TARGETARCH != amd64 ]]; then
-    ARCH="$TARGETARCH"
+    readonly ARCH="$TARGETARCH"
   else
-    ARCH="x86_64"
+    readonly ARCH="x86_64"
   fi
   # Convert the first letter to Uppercase
   OS="$(
     echo "${TARGETOS}" | cut -c1 | tr '[:lower:]' '[:upper:]' | xargs echo -n
     echo "${TARGETOS}" | cut -c2-
   )"
 
-  TERRASCAN_RELEASES="https://api.github.com/repos/tenable/terrascan/releases"
+  readonly RELEASES="https://api.github.com/repos/tenable/terrascan/releases"
 
   if [[ $TERRASCAN_VERSION == latest ]]; then
-    curl -L "$(curl -s ${TERRASCAN_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${OS}_${ARCH}.tar.gz")" > terrascan.tar.gz
+    curl -L "$(curl -s ${RELEASES}/latest | grep -o -E -m 1 "https://.+?_${OS}_${ARCH}.tar.gz")" > terrascan.tar.gz
   else
-    curl -L "$(curl -s ${TERRASCAN_RELEASES} | grep -o -E "https://.+?${TERRASCAN_VERSION}_${OS}_${ARCH}.tar.gz")" > terrascan.tar.gz
+    curl -L "$(curl -s ${RELEASES} | grep -o -E "https://.+?${TERRASCAN_VERSION}_${OS}_${ARCH}.tar.gz")" > terrascan.tar.gz
   fi
 
   tar -xzf terrascan.tar.gz terrascan

tools/install/tflint.sh

@@ -1,15 +1,15 @@
 #!/usr/bin/env bash
 set -eo pipefail
-# shellcheck disable=SC1091 # Created by Dockerfile above script call
+# shellcheck disable=SC1091 # Created in Dockerfile before execution of this script
 source /.env
 
 if [[ $TFLINT_VERSION != false ]]; then
-  TFLINT_RELEASES="https://api.github.com/repos/terraform-linters/tflint/releases"
+  readonly RELEASES="https://api.github.com/repos/terraform-linters/tflint/releases"
 
   if [[ $TFLINT_VERSION == latest ]]; then
-    curl -L "$(curl -s ${TFLINT_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.zip")" > tflint.zip
+    curl -L "$(curl -s ${RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.zip")" > tflint.zip
   else
-    curl -L "$(curl -s ${TFLINT_RELEASES} | grep -o -E "https://.+?/v${TFLINT_VERSION}/tflint_${TARGETOS}_${TARGETARCH}.zip")" > tflint.zip
+    curl -L "$(curl -s ${RELEASES} | grep -o -E "https://.+?/v${TFLINT_VERSION}/tflint_${TARGETOS}_${TARGETARCH}.zip")" > tflint.zip
   fi
 
   unzip tflint.zip

tools/install/tfsec.sh

@@ -1,15 +1,15 @@
 #!/usr/bin/env bash
 set -eo pipefail
-# shellcheck disable=SC1091 # Created by Dockerfile above script call
+# shellcheck disable=SC1091 # Created in Dockerfile before execution of this script
 source /.env
 
 if [[ $TFSEC_VERSION != false ]]; then
-  TFSEC_RELEASES="https://api.github.com/repos/aquasecurity/tfsec/releases"
+  readonly RELEASES="https://api.github.com/repos/aquasecurity/tfsec/releases"
 
   if [[ $TFSEC_VERSION == latest ]]; then
-    curl -L "$(curl -s ${TFSEC_RELEASES}/latest | grep -o -E -m 1 "https://.+?/tfsec-${TARGETOS}-${TARGETARCH}")" > tfsec
+    curl -L "$(curl -s ${RELEASES}/latest | grep -o -E -m 1 "https://.+?/tfsec-${TARGETOS}-${TARGETARCH}")" > tfsec
   else
-    curl -L "$(curl -s ${TFSEC_RELEASES} | grep -o -E -m 1 "https://.+?v${TFSEC_VERSION}/tfsec-${TARGETOS}-${TARGETARCH}")" > tfsec
+    curl -L "$(curl -s ${RELEASES} | grep -o -E -m 1 "https://.+?v${TFSEC_VERSION}/tfsec-${TARGETOS}-${TARGETARCH}")" > tfsec
   fi
 
   chmod +x tfsec

tools/install/tfupdate.sh

@@ -1,16 +1,16 @@
 #!/usr/bin/env bash
 set -eo pipefail
-# shellcheck disable=SC1091 # Created by Dockerfile above script call
+# shellcheck disable=SC1091 # Created in Dockerfile before execution of this script
 source /.env
 
 # TFUpdate
 if [[ $TFUPDATE_VERSION != false ]]; then
-  TFUPDATE_RELEASES="https://api.github.com/repos/minamijoyo/tfupdate/releases"
+  readonly RELEASES="https://api.github.com/repos/minamijoyo/tfupdate/releases"
 
   if [[ $TFUPDATE_VERSION == latest ]]; then
-    curl -L "$(curl -s ${TFUPDATE_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz")" > tfupdate.tgz
+    curl -L "$(curl -s ${RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz")" > tfupdate.tgz
   else
-    curl -L "$(curl -s ${TFUPDATE_RELEASES} | grep -o -E -m 1 "https://.+?${TFUPDATE_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz")" > tfupdate.tgz
+    curl -L "$(curl -s ${RELEASES} | grep -o -E -m 1 "https://.+?${TFUPDATE_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz")" > tfupdate.tgz
   fi
 
   tar -xzf tfupdate.tgz tfupdate

tools/install/trivy.sh

@@ -1,22 +1,22 @@
 #!/usr/bin/env bash
 set -eo pipefail
-# shellcheck disable=SC1091 # Created by Dockerfile above script call
+# shellcheck disable=SC1091 # Created in Dockerfile before execution of this script
 source /.env
 
 if [[ $TRIVY_VERSION != false ]]; then
 
   if [[ $TARGETARCH != amd64 ]]; then
-    ARCH="$TARGETARCH"
+    readonly ARCH="$TARGETARCH"
   else
-    ARCH="64bit"
+    readonly ARCH="64bit"
   fi
 
-  TRIVY_RELEASES="https://api.github.com/repos/aquasecurity/trivy/releases"
+  readonly RELEASES="https://api.github.com/repos/aquasecurity/trivy/releases"
 
   if [[ $TRIVY_VERSION == latest ]]; then
-    curl -L "$(curl -s ${TRIVY_RELEASES}/latest | grep -o -E -i -m 1 "https://.+?/trivy_.+?_${TARGETOS}-${ARCH}.tar.gz")" > trivy.tar.gz
+    curl -L "$(curl -s ${RELEASES}/latest | grep -o -E -i -m 1 "https://.+?/trivy_.+?_${TARGETOS}-${ARCH}.tar.gz")" > trivy.tar.gz
   else
-    curl -L "$(curl -s ${TRIVY_RELEASES} | grep -o -E -i -m 1 "https://.+?/v${TRIVY_VERSION}/trivy_.+?_${TARGETOS}-${ARCH}.tar.gz")" > trivy.tar.gz
+    curl -L "$(curl -s ${RELEASES} | grep -o -E -i -m 1 "https://.+?/v${TRIVY_VERSION}/trivy_.+?_${TARGETOS}-${ARCH}.tar.gz")" > trivy.tar.gz
   fi
 
   tar -xzf trivy.tar.gz trivy