From ae88ed73cfb63398270608d4e68f46bb4424f150 Mon Sep 17 00:00:00 2001
From: Olivier Brisse
Date: Tue, 28 Jun 2022 02:57:09 +1000
Subject: [PATCH] feat: Add __GIT_WORKING_DIR__ to terraform_checkov (#399)

---
 README.md | 8 ++++++++
 hooks/terraform_checkov.sh | 7 +++++--
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 1bebe5240..416533aa4 100644
--- a/README.md
+++ b/README.md
@@ -310,6 +310,14 @@ For deprecated hook you need to specify each argument separately:
     ]
 ```
 
+2. When you have multiple directories and want to run `terraform_checkov` in all of them and share a single config file - use the `__GIT_WORKING_DIR__` placeholder. It will be replaced by `terraform_checkov` hooks with Git working directory (repo root) at run time. For example:
+
+   ```yaml
+   - id: terraform_checkov
+     args:
+       - --args=--config-file __GIT_WORKING_DIR__/.checkov.yml
+   ```
+
 ### infracost_breakdown
 
 `infracost_breakdown` executes `infracost breakdown` command and compare the estimated costs with those specified in the hook-config. `infracost breakdown` parses Terraform HCL code, and calls Infracost Cloud Pricing API (remote version or [self-hosted version](https://www.infracost.io/docs/cloud_pricing_api/self_hosted)).
diff --git a/hooks/terraform_checkov.sh b/hooks/terraform_checkov.sh
index bcf7672e6..91d80b673 100755
--- a/hooks/terraform_checkov.sh
+++ b/hooks/terraform_checkov.sh
@@ -14,8 +14,11 @@ function main {
   common::initialize "$SCRIPT_DIR"
   common::parse_cmdline "$@"
   common::parse_and_export_env_vars
-  # shellcheck disable=SC2153 # False positive
-  common::per_dir_hook "${ARGS[*]}" "$HOOK_ID" "${FILES[@]}"
+  # Support for setting PATH to repo root.
+  # shellcheck disable=SC2178 # It's the simplest syntax for that case
+  ARGS=${ARGS[*]/__GIT_WORKING_DIR__/$(pwd)\/}
+  # shellcheck disable=SC2128 # It's the simplest syntax for that case
+  common::per_dir_hook "$ARGS" "$HOOK_ID" "${FILES[@]}"
 }
 
#######################################################################
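Review bot: The substitution on the `ARGS=${ARGS[*]/__GIT_WORKING_DIR__/$(pwd)\/}` line replaces only the first occurrence of the placeholder, so a second `__GIT_WORKING_DIR__` in the joined args string (for example two `--args` entries) reaches checkov verbatim; `ARGS=${ARGS[*]//__GIT_WORKING_DIR__/$(pwd)\/}` replaces every occurrence. The README text added in this commit says the placeholder becomes the repo root, but `$(pwd)` is only the directory the hook happens to run from — presumably pre-commit's repo root, which is worth confirming or making explicit with `git rev-parse --show-toplevel`, and a checkout path containing spaces lands in a single string that is word-split downstream, a limitation inherited from the previous `"${ARGS[*]}"` form rather than new here. The trailing `\/` also produces a doubled slash with the documented `__GIT_WORKING_DIR__/.checkov.yml` usage, harmless on POSIX but worth either dropping or noting. The comment `# Support for setting PATH to repo root.` reads as if it concerned the `PATH` variable; `# Replace the __GIT_WORKING_DIR__ placeholder in ARGS with the repo root path.` says what the line does. The opening of `main` lies outside the hunk.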