diff --git a/.pre-commit-hooks.yaml b/.pre-commit-hooks.yaml
index 2602e9956..dbee5e2a7 100644
--- a/.pre-commit-hooks.yaml
+++ b/.pre-commit-hooks.yaml
@@ -93,7 +93,7 @@
   language: script
 
 - id: checkov
-  name: Checkov
+  name: checkov (deprecated, use "terraform_checkov")
   description: Runs checkov on Terraform templates.
   entry: checkov -d .
   language: python
@@ -103,6 +103,16 @@
   exclude: \.terraform\/.*$
   require_serial: true
 
+- id: terraform_checkov
+  name: Checkov
+  description: Runs checkov on Terraform templates.
+  entry: hooks/terraform_checkov.sh
+  language: script
+  always_run: false
+  files: \.tf$
+  exclude: \.terraform\/.*$
+  require_serial: true
+
 - id: terrascan
   name: terrascan
   description: Runs terrascan on Terraform templates.
diff --git a/README.md b/README.md
index 176a6c0e8..b0801b527 100644
--- a/README.md
+++ b/README.md
@@ -36,7 +36,7 @@ If you are using `pre-commit-terraform` already or want to support its developme
   * [4. Run](#4-run)
 * [Available Hooks](#available-hooks)
 * [Hooks usage notes and examples](#hooks-usage-notes-and-examples)
-  * [checkov](#checkov)
+  * [checkov (deprecated) and terraform_checkov](#checkov-deprecated-and-terraform_checkov)
   * [infracost_breakdown](#infracost_breakdown)
   * [terraform_docs](#terraform_docs)
   * [terraform_docs_replace (deprecated)](#terraform_docs_replace-deprecated)
@@ -220,11 +220,11 @@ There are several [pre-commit](https://pre-commit.com/) hooks to keep Terraform
 
 | Hook name | Description | Dependencies
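Review bot: `always_run: false` in the new `terraform_checkov` entry restates pre-commit's default for that key and can be dropped; the entry is otherwise a copy of the deprecated `checkov` hook with only `entry` and `language` changed. Both entries keep the identical description `Runs checkov on Terraform templates.`, so the deprecated one reads as fully equivalent even though it still invokes `checkov -d .` directly rather than the per-directory wrapper. Consider `description: Runs checkov on Terraform templates (per-dir wrapper, see hooks/terraform_checkov.sh).` on the new hook so the two are distinguishable in the hook list.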
[Install instructions here](#1-install-dependencies) |
 | ------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------ |
-| `checkov` | [checkov](https://github.com/bridgecrewio/checkov) static analysis of terraform templates to spot potential security issues. [Hook notes](#checkov) | `checkov`
Ubuntu deps: `python3`, `python3-pip` |
+| `checkov` and `terraform_checkov` | [checkov](https://github.com/bridgecrewio/checkov) static analysis of terraform templates to spot potential security issues. [Hook notes](#checkov-deprecated-and-terraform_checkov) | `checkov`
Ubuntu deps: `python3`, `python3-pip` |
 | `infracost_breakdown` | Check how much your infra costs with [infracost](https://github.com/infracost/infracost). [Hook notes](#infracost_breakdown) | `infracost`, `jq`, [Infracost API key](https://www.infracost.io/docs/#2-get-api-key) |
+| `terraform_docs` | Inserts input and output documentation into `README.md`. Recommended. [Hook notes](#terraform_docs) | `terraform-docs` |
 | `terraform_docs_replace` | Runs `terraform-docs` and pipes the output directly to README.md. **DEPRECATED**, see [#248](https://github.com/antonbabenko/pre-commit-terraform/issues/248). [Hook notes](#terraform_docs_replace-deprecated) | `python3`, `terraform-docs` |
 | `terraform_docs_without_`
`aggregate_type_defaults` | Inserts input and output documentation into `README.md` without aggregate type defaults. Hook notes same as for [terraform_docs](#terraform_docs) | `terraform-docs` |
-| `terraform_docs` | Inserts input and output documentation into `README.md`. Recommended. [Hook notes](#terraform_docs) | `terraform-docs` |
 | `terraform_fmt` | Reformat all Terraform configuration files to a canonical format. [Hook notes](#terraform_fmt) | - |
 | `terraform_providers_lock` | Updates provider signatures in [dependency lock files](https://www.terraform.io/docs/cli/commands/providers/lock.html). [Hook notes](#terraform_providers_lock) | - |
 | `terraform_tflint` | Validates all Terraform configuration files with [TFLint](https://github.com/terraform-linters/tflint). [Available TFLint rules](https://github.com/terraform-linters/tflint/tree/master/docs/rules#rules). [Hook notes](#terraform_tflint). | `tflint` |
@@ -240,9 +240,24 @@ Check the [source file](https://github.com/antonbabenko/pre-commit-terraform/blo
 
 ## Hooks usage notes and examples
 
-### checkov
+### checkov (deprecated) and terraform_checkov
+
+> `checkov` hook is deprecated, please use `terraform_checkov`.
+
+Note that `terraform_checkov` runs recursively during `-d .` usage. That means, for example, if you change `.tf` file in repo root, all existing `.tf` files in repo will be checked.
+
+1. You can specify custom arguments. E.g.:
+
+    ```yaml
+    - id: terraform_checkov
+      args:
+        - --args=--quiet
+        - --args=--skip-check CKV2_AWS_8
+    ```
+
+    Check all available arguments [here](https://www.checkov.io/2.Basics/CLI%20Command%20Reference.html).
 
-For [checkov](https://github.com/bridgecrewio/checkov) you need to specify each argument separately:
+For deprecated hook you need to specify each argument separately:
 
 ```yaml
 - id: checkov
diff --git a/hooks/terraform_checkov.sh b/hooks/terraform_checkov.sh
new file mode 100755
index 000000000..e648b0ee1
--- /dev/null
+++ b/hooks/terraform_checkov.sh
@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+set -eo pipefail
+
+# globals variables
+# hook ID, see `- id` for details in .pre-commit-hooks.yaml file
+# shellcheck disable=SC2034 # Unused var.
+readonly HOOK_ID='terraform_checkov'
+# shellcheck disable=SC2155 # No way to assign to readonly variable in separate lines
+readonly SCRIPT_DIR="$(dirname "$(realpath "${BASH_SOURCE[0]}")")"
+# shellcheck source=_common.sh
+. "$SCRIPT_DIR/_common.sh"
+
+function main {
+  common::initialize "$SCRIPT_DIR"
+  common::parse_cmdline "$@"
+  # shellcheck disable=SC2153 # False positive
+  common::per_dir_hook "${ARGS[*]}" "$HOOK_ID" "${FILES[@]}"
+}
+
+#######################################################################
+# Unique part of `common::per_dir_hook`. The function is executed in loop
+# on each provided dir path. Run wrapped tool with specified arguments
+# Arguments:
+#   args (string with array) arguments that configure wrapped tool behavior
+#   dir_path (string) PATH to dir relative to git repo root.
+#     Can be used in error logging
+# Outputs:
+#   If failed - print out hook checks status
+#######################################################################
+function per_dir_hook_unique_part {
+  # common logic located in common::per_dir_hook
+  local -r args="$1"
+  # shellcheck disable=SC2034 # Unused var.
+  local -r dir_path="$2"
+
+  # shellcheck disable=SC2068 # hook fails when quoting is used ("$arg[@]")
+  checkov -d . ${args[@]}
+
+  # return exit code to common::per_dir_hook
+  local exit_code=$?
+  return $exit_code
+}
+
+#######################################################################
+# Unique part of `common::per_dir_hook`. The function is executed one time
+# in the root git repo
+# Arguments:
+#   args (string with array) arguments that configure wrapped tool behavior
+#######################################################################
+function run_hook_on_whole_repo {
+  local -r args="$1"
+
+  # pass the arguments to hook
+  # shellcheck disable=SC2068 # hook fails when quoting is used ("$arg[@]")
+  checkov -d "$(pwd)" ${args[@]}
+
+  # return exit code to common::per_dir_hook
+  local exit_code=$?
+  return $exit_code
+}
+
+[[ ${BASH_SOURCE[0]} != "$0" ]] || main "$@"
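Review bot: With `set -eo pipefail` at the top of the file, a non-zero exit from `checkov -d . ${args[@]}` in per_dir_hook_unique_part terminates the script before `local exit_code=$?` runs, so that line and the `return $exit_code` after it can only ever observe 0 — unless common::per_dir_hook (in _common.sh, outside this hunk) calls the function in an `if`/`||` context where errexit is suspended, which the hunk does not show. The same pattern is in run_hook_on_whole_repo. Capturing the status explicitly removes the dependency on how the caller invokes it: `local exit_code=0`, `checkov -d . ${args[@]} || exit_code=$?`, `return $exit_code` (and the `"$(pwd)"` variant in run_hook_on_whole_repo). The two `# shellcheck disable=SC2068` comments also quote the expansion as `("$arg[@]")`; the one the code uses is `"${args[@]}"`.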