feat: Make checkov more flexible

[Miscreancy]

Put an x into the box if that apply:

• This PR introduces breaking change.
• This PR fixes a bug.
• This PR adds new functionality.
• This PR enhances existing functionality.

Description of your changes

Currently, the checkov hook is hard-coded to run against the entire directory - no override is possible.

This change allows the hook to run in any of three modes - whole directory (the default), against all directories which contain a changed file, and against only changed files.

It should be noted that:

• There is a PR in place for similar but different functionality; the disparity between the two approaches I thought was sufficient to justify a separate PR as the code and logic is very different. I will post a link to this PR in that PR's discussion to raise the question as to which route should be followed.
• Common scripts were not used deliberately; this is for two reasons. 1. Using the common::parse_cmdline function would've forced the introduction of a breaking change (having to preface all arguments with --args) and 2. Using the common::per_dir_hook function would have removed the ability to pass multiple arguments to checkov, as the code block at line 70 assumes that only $1 is an argument and the rest are files.

How can we test changes

• Use a dummy IaC repo with multiple modules and known security issues
• Use pre-commit try-repo $path/to/clone to confirm the default behaviour is still scanning the entire repository
• Use manual script runs of checkov.sh from within that dummy directory to confirm that when passed --scan-change-directories (and file names), the tool only scans directories that contain a change file, and while passed --scan-change-files, the tool only scans files, as well as any other changes and logic deemed necessary.

[yermulnik]

The code looks sensible to me, though I'll leave design appropriateness consideration and decision to @MaxymVlasov and @antonbabenko

[yermulnik]

The any_chars_from_beginning part of pattern makes no much sense and can be dropped

Suggested change

	pattern='^.*\.tf$'
	pattern='\.tf$'

[MaxymVlasov]

There is a PR in place for similar but different functionality; the disparity between the two approaches I thought was sufficient to justify a separate PR as the code and logic is very different. I will post a link to this PR in that PR's discussion to raise the question as to which route should be followed.
... 1. Using the common::parse_cmdline function would've forced the introduction of a breaking change (having to preface all arguments with --args)...

#290 + compatibility in args parsing by replacing/changing common::parse_cmdline, but not sure it's worth it.
It could be done via #155

2. Using the common::per_dir_hook function would have removed the ability to pass multiple arguments to checkov, as the code block at line 70 assumes that only $1 is an argument and the rest are files.

Looks like you mean this code:

pre-commit-terraform/hooks/_common.sh

Lines 65 to 72 in 321fb16

	# Arguments:
	# args (string with array) arguments that configure wrapped tool behavior
	# files (array) filenames to check
	#######################################################################
	function common::per_dir_hook {
	local -r args="$1"
	shift 1
	local -a -r files=("$@")

args not arg. The answer already in var name and func description :)
It was done in this way during bash limitation

This is a string with array:

pre-commit-terraform/hooks/terragrunt_fmt.sh

Line 13 in 321fb16

common::per_dir_hook "${ARGS[*]}" "${FILES[@]}"

That then passed as a string with array

pre-commit-terraform/hooks/_common.sh

Line 96 in 321fb16

per_dir_hook_unique_part "$args" "$dir_path"

and then - expanded to an array

pre-commit-terraform/hooks/terragrunt_fmt.sh

Line 33 in 321fb16

terragrunt hclfmt ${args[@]}

So this argument is not vaild.

[github-actions]

This PR has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this PR will be closed in 10 days

[github-actions]

This PR was automatically closed because of stale in 10 days