Skip to content


Folders and files

Last commit message
Last commit date

Latest commit


Repository files navigation

Maintained by

Pre-commit hooks

This repo defines Git pre-commit hooks intended for use with pre-commit. The currently supported hooks are:

  • terraform-fmt: Automatically run terraform fmt on all Terraform code (*.tf files).
  • terraform-validate: Automatically run terraform validate on all Terraform code (*.tf files).
  • packer-validate: Automatically run packer validate on all Packer code (*.pkr.* files).
  • terragrunt-hclfmt: Automatically run terragrunt hclfmt on all Terragrunt configurations.
  • tflint: Automatically run tflint on all Terraform code (*.tf files).
  • shellcheck: Run shellcheck to lint files that contain a bash shebang.
  • gofmt: Automatically run gofmt on all Golang code (*.go files).
  • goimports: Automatically run goimports on all Golang code (*.go files).
  • golint: Automatically run golint on all Golang code (*.go files). [DEPRECATED]: Please use golangci-lint below.
  • golangci-lint: Automatically run golangci-lint on all Golang code (*.go files).
  • yapf: Automatically run yapf on all python code (*.py files).
  • helmlint Automatically run helm lint on your Helm chart files. See caveats here.
  • markdown-link-check Automatically run markdown-link-check on markdown doc files.
  • sentinel-fmt: Automatically run sentinel fmt on all Sentinel code (*.sentinel.* files).

General Usage

In each of your repos, add a file called .pre-commit-config.yaml with the following contents:

  - repo:
    rev: <VERSION> # Get the latest from:
      - id: terraform-fmt
      - id: terraform-validate
      - id: tflint
      - id: shellcheck
      - id: gofmt
      - id: golint

Next, have every developer: 

  1. Install pre-commit. E.g. brew install pre-commit.
  2. Run pre-commit install in the repo.

That’s it! Now every time you commit a code change (.tf file), the hooks in the hooks: config will execute.

Running Against All Files At Once

Example: Formatting all files

If you'd like to format all of your code at once (rather than one file at a time), you can run:

pre-commit run terraform-fmt --all-files

Example: Enforcing in CI

If you'd like to enforce all your hooks, you can configure your CI build to fail if the code doesn't pass checks by adding the following to your build scripts:

pip install pre-commit
pre-commit install
pre-commit run --all-files

If all the hooks pass, the last command will exit with an exit code of 0. If any of the hooks make changes (e.g., because files are not formatted), the last command will exit with a code of 1, causing the build to fail.

Helm Lint Caveats

Detecting charts

The helmlint pre-commit hook runs helm lint on the charts that have been changed by the commit. It will run once per changed chart that it detects.

Note that charts are detected by walking up the directory tree of the changed file and looking for a Chart.yaml file that exists on the path.


helm lint requires input values to look for configuration errors in your helm chart. However, this means that the linter needs a complete values file. Because we want to develop charts that define required values that the operator should provide, we don't want to specify defaults for all the values the chart expects in the default values.yaml file.

Therefore, to support this, this pre-commit hook looks for a special linter_values.yaml file defined in the chart path. This will be combined with the values.yaml file before running helm lint. In your charts, you should define the required values in linter_values.yaml.

For example, suppose you had a helm chart that defined two input values: containerImage and containerTag. Suppose that your chart required containerImage to be defined, but not containerTag. To enforce this, you created the following values.yaml file for your chart:

# values.yaml

# containerImage is required and defines which image to use

# containerTag specifies the image tag to use. Defaults to latest.
containerTag: latest

If you run helm lint on this chart, it will fail because somewhere in your chart you will reference .Values.containerImage which will be undefined with this values.yaml file. To handle this, you can define a linter_values.yaml file that defines containerImage:

# linter_values.yaml
containerImage: nginx

Now when the pre-commit hook runs, it will call helm lint with both linter_values.yaml and values.yaml:

helm lint -f values.yaml -f linter_values.yaml .

Shellcheck Arguments

To enable optional shellcheck features you can use the --enable flag. Other shellcheck flags can not be passed through.

  - repo:
    rev: <VERSION>
      - id: shellcheck
        args: ["--enable require-variable-braces,deprecate-which"]

tflint Caveats

Using the --config argument

With the introduction of --chdir into tflint, the --config argument is now bound to whatever subdirectory you are running the check against. For mono-repos this isn't ideal as you may have a central configuration file you'd like to use. If this matches your use-case, you can specify the placeholder __GIT_ROOT__ value in the --config argument that will evaluate to the root of the repository you are in.

  - repo:
    rev: <VERSION>
    - id: tflint
        - "--config=__GIT_ROOT__/.tflint.hcl"

Changing the placeholder value

You can change the value of the placeholder by populating the PRECOMMIT_TFLINT_REPO_ROOT_KEYWORD environment variable.


cat <<EOF > .pre-commit-config.yaml
  - repo:
    rev: v0.1.22
    - id: terragrunt-hclfmt
    - id: tflint
        - "--config=__foo__/.tflint.hcl"

pre-commit run


This code is released under the Apache 2.0 License. Please see LICENSE and NOTICE for more details.

Copyright © 2019 Gruntwork, Inc.