From 2127949b54e84d9993ec9f2d6fcd711c7f9f3308 Mon Sep 17 00:00:00 2001
From: Narek Kazarian
Date: Thu, 20 Aug 2020 17:14:22 -0700
Subject: [PATCH 1/5] fix: have terraform_tfsec.sh only run in relevant modified directories
---
 terraform_tfsec.sh | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
 mode change 100755 => 100644 terraform_tfsec.sh
diff --git a/terraform_tfsec.sh b/terraform_tfsec.sh
old mode 100755
new mode 100644
index 78aaf0945..d226ad0c2
--- a/terraform_tfsec.sh
+++ b/terraform_tfsec.sh
@@ -28,8 +28,21 @@ main() {
 }
 tfsec_() {
- # Ignore $files because tfsec will recurse directories anyway.
- tfsec $args .
+ # consume modified files passed from pre-commit so that
+ # tfsec runs against only those relevant directories
+ for file_with_path in $files; do
+ file_with_path="${file_with_path// /__REPLACED__SPACE__}"
+ paths[index]=$(dirname "$file_with_path")
+
+ let "index+=1"
+ done
+
+ for path_uniq in $(echo "${paths[*]}" | tr ' ' '\n' | sort -u); do
+ path_uniq="${path_uniq//__REPLACED__SPACE__/ }"
+ pushd "$path_uniq" > /dev/null
+ tfsec $args
+ popd > /dev/null
+ done
 }
 getopt() {
From 79450397789616b7486be7969cf2d6a8b3521861 Mon Sep 17 00:00:00 2001
From: Narek Kazarian
Date: Fri, 21 Aug 2020 07:56:31 -0700
Subject: [PATCH 2/5] docs: Update README.md to reflect changes to terraform_tfsec.sh
---
 README.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 78f995158..8dc58adb9 100644
--- a/README.md
+++ b/README.md
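Review bot: The loop header `for file_with_path in $files; do` word-splits the unquoted value before the `__REPLACED__SPACE__` substitution runs, so a path such as `a b/main.tf` is already the two words `a` and `b/main.tf` when the substitution sees it, and tfsec is run in their dirnames `.` and `b` instead of the real directory; the tfsec_ body added in PATCH 4/5 repeats the same construction. Related, `dirname` of a root-level file yields `.`, and tfsec recurses the whole tree from there (as the removed comment says), so one changed root-level file silently reverts to a full-repository scan, which the README wording in PATCH 2/5 does not mention. The file header also records `old mode 100755` / `new mode 100644`, which drops the execute bit; if the hook is declared as `language: script`, pre-commit executes this file directly and will fail to start it, so this looks accidental and should be reverted. The undeclared `index` and `paths` with `let "index+=1"` would read better as `local -a paths=()` and `paths+=("$(dirname -- "$file_with_path")")`, which also removes the counter.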
@@ -121,7 +121,10 @@ if they are present in `README.md`.
 ## Notes about terraform_tfsec hooks
-1. `terraform_tfsec` will recurse all directories/modules.
+1. `terraform_tfsec` will consume modified files that pre-commit
+ passes to it, so you can perform whitelisting of directories
+ or files to run against via [files](https://pre-commit.com/#config-files)
+ pre-commit flag
 1. To ignore specific warnings, follow the convention from the [documentation](https://github.com/liamg/tfsec#ignoring-warnings).
 1. Example:
From ccb001211255a2363da93798be98f3578a0905fd Mon Sep 17 00:00:00 2001
From: Narek Kazarian
Date: Fri, 21 Aug 2020 10:10:17 -0700
Subject: [PATCH 3/5] docs: example of sample hook configuration for changes proposed to terraform_tfsec
---
 README.md | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/README.md b/README.md
index 8dc58adb9..3133bf7b4 100644
--- a/README.md
+++ b/README.md
@@ -125,6 +125,18 @@ if they are present in `README.md`.
 passes to it, so you can perform whitelisting of directories
 or files to run against via [files](https://pre-commit.com/#config-files)
 pre-commit flag
+
+ 1. Example:
+ ```yaml
+ hooks:
+ - id: terraform_tfsec
+ files: ^prd-infra/
+ ```
+
+ The above will tell pre-commit to pass down files from the `prd-infra/` folder
+ only such that the underlying `tfsec` tool can run against changed files in this
+ directory, ignoring any other folders at the root level
+
 1. To ignore specific warnings, follow the convention from the [documentation](https://github.com/liamg/tfsec#ignoring-warnings).
 1. Example:
From 9fc4e24dff50aa1b7d8c5a1a4a0934c74c82ae6c Mon Sep 17 00:00:00 2001
From: Narek Kazarian
Date: Mon, 31 Aug 2020 15:07:19 -0700
Subject: [PATCH 4/5] feat: bring in modified-files-only logic post-introduction of getopt changes
---
 terraform_tfsec.sh | 26 +++++++++++++++++++++++---
 1 file changed, 23 insertions(+), 3 deletions(-)
diff --git a/terraform_tfsec.sh b/terraform_tfsec.sh
index e063de1fc..a0d2b0e87 100644
--- a/terraform_tfsec.sh
+++ b/terraform_tfsec.sh
@@ -5,8 +5,27 @@ main() {
 initialize_
 parse_cmdline_ "$@"
- # Don't pass any files tfsec will recurse directories anyway.
- tfsec "$ARGS" .
+ # propagate $FILES to custom function
+ tfsec_ "$ARGS" "$FILES"
+}
+
+tfsec_() {
+ # consume modified files passed from pre-commit so that
+ # tfsec runs against only those relevant directories
+ for file_with_path in $FILES; do
+ file_with_path="${file_with_path// /__REPLACED__SPACE__}"
+ paths[index]=$(dirname "$file_with_path")
+
+ let "index+=1"
+ done
+
+ for path_uniq in $(echo "${paths[*]}" | tr ' ' '\n' | sort -u); do
+ echo "PATH UNIQ: ${path_uniq}"
+ path_uniq="${path_uniq//__REPLACED__SPACE__/ }"
+ pushd "$path_uniq" > /dev/null
+ tfsec $ARGS
+ popd > /dev/null
+ done
 }
 initialize_() {
@@ -41,7 +60,7 @@ parse_cmdline_() {
 ;;
 --)
 shift
- # ignore any parameters, as they're not used
+ FILES+=("$@")
 break
 ;;
 esac
@@ -50,5 +69,6 @@ parse_cmdline_() {
 # global arrays
 declare -a ARGS=()
+declare -a FILES=()
 [[ ${BASH_SOURCE[0]} != "$0" ]] || main "$@"
From 505a95822af069213cc1994f948bea1ff3c6a8a6 Mon Sep 17 00:00:00 2001
From: Narek Kazarian
Date: Mon, 31 Aug 2020 15:09:11 -0700
Subject: [PATCH 5/5] chore: remove echo
---
 terraform_tfsec.sh | 1 -
 1 file changed, 1 deletion(-)
diff --git a/terraform_tfsec.sh b/terraform_tfsec.sh
index a0d2b0e87..a698420c6 100644
--- a/terraform_tfsec.sh
+++ b/terraform_tfsec.sh
@@ -20,7 +20,6 @@ tfsec_() {
 done
 for path_uniq in $(echo "${paths[*]}" | tr ' ' '\n' | sort -u); do
- echo "PATH UNIQ: ${path_uniq}"
 path_uniq="${path_uniq//__REPLACED__SPACE__/ }"
 pushd "$path_uniq" > /dev/null
 tfsec $ARGS
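Review bot: `for file_with_path in $FILES; do` expands only element 0 of the `FILES` array declared in the third hunk, so when pre-commit passes several files only the first file's directory is scanned; the same element-0 expansion applies to `tfsec $ARGS` and to the positional arguments of `tfsec_ "$ARGS" "$FILES"`, which the function never reads. Unless initialize_ (outside this hunk) enables `set -e`, the function's status is that of the final `popd`, so tfsec findings never fail the hook, and a failing `pushd` (directory removed in the same commit) leaves `tfsec` running from the repository root, where it recurses everything. The rewrite below iterates `"${FILES[@]}"`, dedupes directories without the space-placeholder round trip, skips directories that no longer exist, and returns a non-zero status if any tfsec run failed.
```shell
tfsec_() {
  local file dir rc=0
  local -a dirs=()
  # "$FILES" alone is element 0; walk the whole array
  for file in "${FILES[@]}"; do
    dirs+=("$(dirname -- "$file")")
  done
  (( ${#dirs[@]} > 0 )) || return 0
  # one tfsec run per distinct directory; read -r keeps spaces intact
  while IFS= read -r dir; do
    [[ -d "$dir" ]] || continue   # file deleted in this commit; nothing to scan
    (cd -- "$dir" && tfsec "${ARGS[@]}") || rc=$?
  done < <(printf '%s\n' "${dirs[@]}" | sort -u)
  return "$rc"
}
```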