Skip to content

Commit

Permalink
fix: Check all directories with changes and pass all args in terrasca…
Browse files Browse the repository at this point in the history
…n hook (#305)
  • Loading branch information
carlosbustillordguez authored Dec 22, 2021
1 parent 04ecd10 commit 66401d9
Show file tree
Hide file tree
Showing 3 changed files with 49 additions and 8 deletions.
2 changes: 2 additions & 0 deletions .pre-commit-hooks.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -108,4 +108,6 @@
description: Runs terrascan on Terraform templates.
language: script
entry: terrascan.sh
files: \.tf$
exclude: \.terraform\/.*$
require_serial: true
19 changes: 18 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,7 @@ If you are using `pre-commit-terraform` already or want to support its developme
* [terraform_tflint](#terraform_tflint)
* [terraform_tfsec](#terraform_tfsec)
* [terraform_validate](#terraform_validate)
* [terrascan](#terrascan)
* [Authors](#authors)
* [License](#license)

Expand Down Expand Up @@ -223,7 +224,7 @@ There are several [pre-commit](https://pre-commit.com/) hooks to keep Terraform
| `terraform_validate` | Validates all Terraform configuration files. [Hook notes](#terraform_validate) | - |
| `terragrunt_fmt` | Reformat all [Terragrunt](https://github.com/gruntwork-io/terragrunt) configuration files (`*.hcl`) to a canonical format. | `terragrunt` |
| `terragrunt_validate` | Validates all [Terragrunt](https://github.com/gruntwork-io/terragrunt) configuration files (`*.hcl`) | `terragrunt` |
| `terrascan` | [terrascan](https://github.com/accurics/terrascan) Detect compliance and security violations. | `terrascan` |
| `terrascan` | [terrascan](https://github.com/accurics/terrascan) Detect compliance and security violations. [Hook notes](#terrascan) | `terrascan` |
<!-- markdownlint-enable no-inline-html -->

Check the [source file](https://github.com/antonbabenko/pre-commit-terraform/blob/master/.pre-commit-hooks.yaml) to know arguments used for each hook.
Expand Down Expand Up @@ -550,6 +551,22 @@ Example:

**Warning:** If you use Terraform workspaces, DO NOT use this workaround ([details](https://github.com/antonbabenko/pre-commit-terraform/issues/203#issuecomment-918791847)). Wait to [`force-init`](https://github.com/antonbabenko/pre-commit-terraform/issues/224) option implementation.

### terrascan

1. `terrascan` supports custom arguments so you can pass supported flags like `--non-recursive` and `--policy-type` to disable recursive inspection and set the policy type respectively:

```yaml
- id: terrascan
args:
- --args=--non-recursive # avoids scan errors on subdirectories without Terraform config files
- --args=--policy-type=azure
```

See the `terrascan run -h` command line help for available options.

2. Use the `--args=--verbose` parameter to see the rule ID in the scaning output. Usuful to skip validations.
3. Use `--skip-rules="ruleID1,ruleID2"` parameter to skip one or more rules globally while scanning (e.g.: `--args=--skip-rules="ruleID1,ruleID2"`).
4. Use the syntax `#ts:skip=RuleID optional_comment` inside a resource to skip the rule for that resource.

## Authors

Expand Down
36 changes: 29 additions & 7 deletions terrascan.sh
Original file line number Diff line number Diff line change
Expand Up @@ -4,27 +4,49 @@ set -eo pipefail
main() {
initialize_
parse_cmdline_ "$@"

# propagate $FILES to custom function
terrascan_ "$ARGS" "$FILES"
terrascan_ "${ARGS[*]}" "${FILES[@]}"
}

terrascan_() {
local -r args="${1}"
shift 1
local -a -r files=("$@")

# consume modified files passed from pre-commit so that
# terrascan runs against only those relevant directories
for file_with_path in $FILES; do
for file_with_path in "${files[@]}"; do
file_with_path="${file_with_path// /__REPLACED__SPACE__}"
paths[index]=$(dirname "$file_with_path")

let "index+=1"
index=$((index + 1))
done

# allow terrascan to continue if exit_code is greater than 0
# preserve errexit status
shopt -qo errexit && ERREXIT_IS_SET=true
set +e
terrascan_final_exit_code=0

# for each path run terrascan
for path_uniq in $(echo "${paths[*]}" | tr ' ' '\n' | sort -u); do
path_uniq="${path_uniq//__REPLACED__SPACE__/ }"
pushd "$path_uniq" > /dev/null
terrascan scan -i terraform $ARGS

# pass the arguments to terrascan
# shellcheck disable=SC2086 # terrascan fails when quoting is used ("$arg" vs $arg)
terrascan scan -i terraform $args

local exit_code=$?
if [ $exit_code != 0 ]; then
terrascan_final_exit_code=$exit_code
fi

popd > /dev/null
done

# restore errexit if it was set before the "for" loop
[[ $ERREXIT_IS_SET ]] && set -e
# return the terrascan final exit_code
exit $terrascan_final_exit_code
}

initialize_() {
Expand Down

0 comments on commit 66401d9

Please sign in to comment.