Closed
Changes from 8 commits
Commits
44 commits
d8bb39a
chore(ci): Update default branches
actuarysailor Aug 12, 2025
f326080
feat: Added Docker based pre-commit-hooks (#1)
actuarysailor Aug 12, 2025
d70be2c
chore(ci): Fix release workflow (#2)
actuarysailor Aug 12, 2025
3b18d08
chore(ci): Fix release workflow (#3)
actuarysailor Aug 12, 2025
1b78031
chore(release): version 1.0.0 [skip ci]
semantic-release-bot Aug 12, 2025
3e91a9c
fix: Build Docker image workflow (#4)
actuarysailor Aug 12, 2025
bb38650
Update Dockerfile
actuarysailor Aug 12, 2025
17aa365
chore(release): version 1.0.1 [skip ci]
semantic-release-bot Aug 12, 2025
aa0d873
fix: Changelog desync due to tag issue
actuarysailor Aug 12, 2025
8c61c89
chore(release): version 1.101.0 [skip ci]
semantic-release-bot Aug 12, 2025
0f8dfaa
chore: Resolve comment from yermulnik
actuarysailor Aug 15, 2025
6025c14
chore: Resolving coderabbits comment
actuarysailor Aug 15, 2025
c40f434
chore: Address coderabbit comment
actuarysailor Aug 15, 2025
c699975
chore: Making changelog compatible with upstream
actuarysailor Aug 15, 2025
d97a860
Update README.md
actuarysailor Aug 15, 2025
2f2bca6
Update .github/workflows/build-image.yaml
actuarysailor Aug 15, 2025
f26e742
Update Dockerfile.tools
actuarysailor Aug 15, 2025
4400849
chore: Pre-commit linting
actuarysailor Aug 15, 2025
df1fb32
[pre-commit.ci] auto fixes from pre-commit.com hooks
pre-commit-ci[bot] Aug 15, 2025
db8b255
chore: Coderabbit review of PRE_COMMIT_VERSION validation
actuarysailor Aug 15, 2025
0751a04
chore: Coderabbit INSTALL_ALL validation
actuarysailor Aug 15, 2025
506466c
chore: Fix coderabbit grep pattern
actuarysailor Aug 15, 2025
75a3a51
chore: Coderabbit bad recommendation
actuarysailor Aug 15, 2025
f35d066
chore: fixing a coderabbit change
actuarysailor Aug 15, 2025
12e5de2
chore: Accept coderabbit suggestion
actuarysailor Aug 15, 2025
8455c2e
chore: Fix coderabbit suggestion
actuarysailor Aug 15, 2025
1731092
chore: trigger CI with empty commit
actuarysailor Aug 15, 2025
8fb27aa
Update Dockerfile.tools
actuarysailor Aug 15, 2025
2f4a2a3
Update Dockerfile.tools
actuarysailor Aug 15, 2025
5aab062
Update Dockerfile.tools
actuarysailor Aug 15, 2025
dd977d1
fix: Disable docker hooks on pre-commit.ci (#5)
actuarysailor Aug 16, 2025
2dec291
chore(release): version 1.101.1 [skip ci]
semantic-release-bot Aug 16, 2025
70a37a8
Update Dockerfile.tools
actuarysailor Aug 16, 2025
d1629ba
chore: Improved documentation for pre-commit
actuarysailor Aug 16, 2025
4050d10
ci: Fixing pre-commit validate hook (#6)
actuarysailor Aug 16, 2025
1815705
chore: Fix Changelog
actuarysailor Aug 16, 2025
5aed527
chore: Remaining coderabbit comments
actuarysailor Aug 16, 2025
75e7837
chore: Coderabbit nitpicks
actuarysailor Aug 16, 2025
3d20103
chore: One last nitpick
actuarysailor Aug 16, 2025
9e0a309
chore: More coderabbit nitpicks
actuarysailor Aug 16, 2025
246cbe5
Trigger CodeRabbit
actuarysailor Aug 16, 2025
1108a8f
chore: More coderabbit nitpicks
actuarysailor Aug 16, 2025
d848eb1
Trigger coderabbit
actuarysailor Aug 16, 2025
6b2eb62
Fix terraform_fmt hook and drop useless stuff
MaxymVlasov Sep 2, 2025
5 changes: 5 additions & 0 deletions .dockerignore
Expand Up @@ -3,3 +3,8 @@
!Dockerfile
!tools/entrypoint.sh
!tools/install/*.sh
!hooks/
!lib_getopt
!src/
!hooks/*.sh
!lib_getopt
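Review bot: `!lib_getopt` now appears twice in this block, and `!hooks/` already admits everything that `!hooks/*.sh` matches; keep a single `!lib_getopt` entry and only one of `!hooks/` or `!hooks/*.sh` so the negation list stays minimal. Also confirm that the broader `!hooks/` (the whole directory) does not pull anything into the build context beyond the shell scripts that the narrower pattern allowed, since everything in the context ends up reachable by the Dockerfile.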
52 changes: 37 additions & 15 deletions .github/workflows/build-image-test.yaml
Author

Largely just matrix blow-out to handle the additional Docker file.

Expand Up @@ -18,17 +18,23 @@ jobs:

strategy:
matrix:
arch:
- amd64
- arm64
include:
- os-name: Ubuntu x64
os: ubuntu-latest
arch: amd64

dockerfile: Dockerfile
- os-name: Ubuntu ARM
os: ubuntu-24.04-arm
arch: arm64
dockerfile: Dockerfile
- os-name: Ubuntu x64 (tools)
os: ubuntu-latest
arch: amd64
dockerfile: Dockerfile.tools
- os-name: Ubuntu ARM (tools)
os: ubuntu-24.04-arm
arch: arm64
dockerfile: Dockerfile.tools

name: ${{ matrix.os-name }}
runs-on: ${{ matrix.os }}
Expand All @@ -45,27 +51,29 @@ jobs:
files: |
.dockerignore
.github/workflows/build-image-test.yaml
Dockerfile
${{ matrix.dockerfile }}
tools/entrypoint.sh
tools/install/*.sh

- name: Set IMAGE environment variable
if: steps.changed-files-specific.outputs.any_changed == 'true'
# Lowercase the org/repo name to allow for workflow to run in forks,
# which owners have uppercase letters in username
run: >-
echo "IMAGE=ghcr.io/${GITHUB_REPOSITORY@L}:${{ env.IMAGE_TAG }}"
>> $GITHUB_ENV
run: |
if [[ "${{ matrix.dockerfile }}" == "Dockerfile" ]]; then
echo "IMAGE=ghcr.io/${GITHUB_REPOSITORY@L}:${{ env.IMAGE_TAG }}" >> $GITHUB_ENV
else
echo "IMAGE=ghcr.io/${GITHUB_REPOSITORY@L}:${{ env.IMAGE_TAG }}-tools" >> $GITHUB_ENV
fi

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
if: steps.changed-files-specific.outputs.any_changed == 'true'

- name: Build if Dockerfile changed
- name: Build if "${{ matrix.dockerfile }}" changed
if: steps.changed-files-specific.outputs.any_changed == 'true'
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
with:
context: .
file: ${{ matrix.dockerfile }}
build-args: |
INSTALL_ALL=true
push: false
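Review bot: the `run: |` script in the `Set IMAGE environment variable` step interpolates `${{ matrix.dockerfile }}` straight into bash. The value is a constant defined in this workflow's own `include:` list, so there is no injection exposure today, but the safer pattern, already used later in this file where `TOOLS_IMAGE` is handed to the smoke test through `env:`, is to pass it the same way (`env: DOCKERFILE: ${{ matrix.dockerfile }}` and `if [[ "$DOCKERFILE" == "Dockerfile" ]]`) so the step stays safe if the matrix is ever derived from event data. While here, quote `"$GITHUB_ENV"` on both `echo` lines.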
Expand Down Expand Up @@ -98,8 +106,7 @@ jobs:
IMAGE_NAME: ${{ env.IMAGE }}
run: >-
container-structure-test test
--config ${{ github.workspace
}}/.github/.container-structure-test-config.yaml
--config ${{ github.workspace }}/.github/.container-structure-test-config.yaml
--image "${IMAGE_NAME}"

- name: Dive - check image for waste files
Expand All @@ -112,8 +119,9 @@ jobs:

# Can't build both platforms and use --load at the same time
# https://github.com/docker/buildx/issues/59#issuecomment-1433097926
- name: Build Multi-arch docker-image
if: >-
# Build Multi-arch docker-image
- name: Build Multi-arch "${{ matrix.dockerfile }}"
if: >
steps.changed-files-specific.outputs.any_changed == 'true'
&& matrix.os == 'ubuntu-latest'
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
Expand All @@ -128,3 +136,17 @@ jobs:
provenance: false
secrets: |
"github_token=${{ secrets.GITHUB_TOKEN }}"

# Only run smoke tests for the tools image
- name: Smoke test tools image
if: >
steps.changed-files-specific.outputs.any_changed == 'true'
&& matrix.os == 'ubuntu-latest'
&& matrix.dockerfile == 'Dockerfile.tools'
env:
TOOLS_IMAGE: ${{ env.IMAGE }}
run: |
echo "Testing tools image: $TOOLS_IMAGE"
docker run --rm "$TOOLS_IMAGE" terraform --version
docker run --rm "$TOOLS_IMAGE" terraform-docs --version
docker run --rm "$TOOLS_IMAGE" tflint --version
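Review bot: the smoke test is gated on `matrix.os == 'ubuntu-latest'`, so it only ever runs against the amd64 tools image; the arm64 job builds `Dockerfile.tools` but never executes anything from it. The step needs only the single-arch image built by the `Build if ... changed` step, so drop the `matrix.os` condition and let both architectures be exercised. The three `--version` calls are the right minimal check that the binaries are present and link correctly; consider adding one invocation of a hook script from the image as well, so the entrypoint wiring is covered and not just the tools.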
91 changes: 46 additions & 45 deletions .github/workflows/build-image.yaml
Author

Largely the same, but got rid of the need for your "if schedule, do these jobs; if not, do these other jobs" by using one of the other standard Docker actions. Was able to clean up the jobs a bit and basically do the same thing; you might want to double check though.

Expand Up @@ -2,22 +2,35 @@ name: Publish container image

on:
workflow_dispatch:
push:
paths:
- .github/workflows/build-image.yaml
- Dockerfile*
release:
types:
- created
schedule:
- cron: 00 00 * * *

permissions:
contents: read
env:
REGISTRY: ghcr.io

jobs:
docker:
runs-on: ubuntu-latest
permissions:
# for docker/build-push-action to publish docker image
contents: read
packages: write

runs-on: ubuntu-latest
attestations: write
id-token: write
strategy:
fail-fast: false
matrix:
include:
- dockerfile: Dockerfile
image_name: ${{ github.repository }}
- dockerfile: Dockerfile.tools
image_name: ${{ github.repository }}-tools
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
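Review bot: the job now requests `attestations: write` and `id-token: write`, but no step in this diff produces an attestation and the build step still sets `provenance: false`; grant these only when an attest step is added, because `id-token: write` lets every step in the job mint OIDC tokens. Separately, the new `push:` trigger carries `paths:` but no `branches:` filter, so a push touching `Dockerfile*` on any branch now publishes to ghcr.io, and with `type=ref,event=branch` in the metadata step every feature branch gets its own public tag. Restrict `push:` to the default branch (pull requests are already covered by `build-image-test.yaml`) or drop it and rely on `release:`, `schedule:` and `workflow_dispatch:`.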
Expand All @@ -26,60 +39,48 @@ jobs:

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

- name: Login to GitHub Container Registry
uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set tag for image
env:
REF_TYPE: ${{ github.ref_type }}
REF_NAME: ${{ github.ref_name }}
run: >-
echo IMAGE_TAG=$(
[ $REF_TYPE == 'tag' ]
&& echo $REF_NAME
|| echo 'latest'
) >> $GITHUB_ENV

- name: Set IMAGE_REPO environment variable
# Lowercase the org/repo name to allow for workflow to run in forks,
# which owners have uppercase letters in username
run: >-
echo "IMAGE_REPO=ghcr.io/${GITHUB_REPOSITORY@L}" >> $GITHUB_ENV
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

- name: Build and Push release
if: github.event_name != 'schedule'
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f
with:
context: .
build-args: |
INSTALL_ALL=true
platforms: linux/amd64,linux/arm64
push: true
images: ${{ env.REGISTRY }}/${{ matrix.image_name }}
tags: |
${{ env.IMAGE_REPO }}:${{ env.IMAGE_TAG }}
${{ env.IMAGE_REPO }}:latest
# Fix multi-platform: https://github.com/docker/buildx/issues/1533
provenance: false
secrets: |
"github_token=${{ secrets.GITHUB_TOKEN }}"
type=ref,event=branch
type=ref,event=pr
type=sha
type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
type=raw,value=${{ github.ref_name }},enable=${{ github.ref_type == 'tag' }}
type=raw,value=nightly,enable=${{ github.event_name == 'schedule' }}

- name: Build and Push nightly
if: github.event_name == 'schedule'
- name: Build and Push release
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
with:
context: .
file: ${{ matrix.dockerfile }}
build-args: |
INSTALL_ALL=true
platforms: linux/amd64,linux/arm64
push: true
tags: |
${{ env.IMAGE_REPO }}:nightly
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
# Fix multi-platform: https://github.com/docker/buildx/issues/1533
provenance: false
secrets: |
"github_token=${{ secrets.GITHUB_TOKEN }}"

- name: Test tools image
if: matrix.dockerfile == 'Dockerfile.tools' && github.event_name != 'schedule'
env:
IMAGE_TAGS: ${{ steps.meta.outputs.tags }}
run: |
IMAGE_TAG=$(echo "$IMAGE_TAGS" | head -n1)
echo "Testing tools image: $IMAGE_TAG"
docker run --rm "$IMAGE_TAG" terraform --version
docker run --rm "$IMAGE_TAG" terraform-docs --version
docker run --rm "$IMAGE_TAG" tflint --version
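Review bot: `docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f` is the only pinned action in this file without a `# vX.Y.Z` comment; add it so the SHA can be matched to a release during review and dependency updates. In the `tags:` list, `type=raw,value=latest` is enabled only for `refs/heads/main`, while `codeql.yml`, `scorecards.yml` and `release.yml` in this same PR show `master` as the existing branch; if upstream keeps `master` as its default, `latest` will never be published by this workflow. `type=ref,event=pr` never fires either, since the workflow has no `pull_request:` trigger. Finally, the `Test tools image` step runs after `push: true`, so a broken image is already public (and possibly tagged `latest` or `nightly`) before the check fails; move the `--version` checks ahead of the push, or rely on the identical checks in `build-image-test.yaml`.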
1 change: 1 addition & 0 deletions .github/workflows/codeql.yml
Author

Added main because I normally fork to master and only allow upstream updates to come in, then use main for my main in case I want to use it before a PR is approved.

Expand Up @@ -14,6 +14,7 @@ name: CodeQL
on:
push:
branches:
- main
- master
merge_group:
pull_request:
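Review bot: per the author's comment above, `main` exists only in the fork; upstream's entry is `master`. Unless the default branch is being renamed as part of this PR, drop `- main` here and in the matching hunks of `scorecards.yml` and `release.yml`, so the trigger lists name branches that actually exist upstream and the collaborator does not have to revert them after merge.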
Expand Down
8 changes: 4 additions & 4 deletions .github/workflows/release.yml
Author

Added main because I normally fork to master and only allow upstream updates to come in, then use main for my main in case I want to use it before a PR is approved. Also made it both Docker files and the release workflow so I could trigger it when I changed it. Modified to use the built-in github_token because that is the only way for "fresh/new" packages to auto-attribute to the parent repo; a PAT orphans them until you go add them to a repo.

Collaborator

Got it. Now I'll modify them back.

Expand Up @@ -4,17 +4,17 @@ on:
workflow_dispatch:
push:
branches:
- main
- master
paths:
- .github/workflows/release.yml
- '**/*.py'
- '**/*.sh'
- Dockerfile
- Dockerfile*
- .pre-commit-hooks.yaml
# Ignore paths
- '!tests/**'

permissions:
contents: read

jobs:
release:
Expand Down Expand Up @@ -46,4 +46,4 @@ jobs:
# Custom token for triggering Docker image build GH Workflow on release
# created by cycjimmy/semantic-release-action. Events created by
# workflows with default GITHUB_TOKEN not trigger other GH Workflow.
GITHUB_TOKEN: ${{ secrets.SEMANTIC_RELEASE_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
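Review bot: the comment kept directly above this line still says that events created by workflows using the default `GITHUB_TOKEN` do not trigger other workflows, and that is exactly why `SEMANTIC_RELEASE_TOKEN` was there: with `secrets.GITHUB_TOKEN`, the `release: created` event emitted by semantic-release will not start `build-image.yaml`, so release images stop being published automatically. The package-attribution concern raised in the author's comment applies to the token used by `docker/login-action` in `build-image.yaml`, which is already `secrets.GITHUB_TOKEN`; it does not require changing this one. Either keep a dedicated token for this step (a fine-grained PAT or GitHub App token scoped to `contents: write` on this repository only) or have the release job start the image build via `workflow_dispatch`; in any case the comment and the value must agree.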
1 change: 1 addition & 0 deletions .github/workflows/scorecards.yml
Author

Added main because I normally fork to master and only allow upstream updates to come in, then use main for my main in case I want to use it before a PR is approved.

Expand Up @@ -13,6 +13,7 @@ on:
- cron: 20 7 * * 2
push:
branches:
- main
- master

# Declare default permissions as read only.
Expand Down
82 changes: 82 additions & 0 deletions .pre-commit-hooks.yaml
Author

The new pre-commit hooks; left your original ones unchanged.

Expand Up @@ -178,3 +178,85 @@
- --args=terraform
files: \.(tf|tofu)$
require_serial: true

# Docker-based versions of hooks (non-breaking additions)
- id: terraform_fmt_docker
name: Terraform fmt (Docker)
description: >-
Rewrites all Terraform configuration files to a canonical format using Docker.
entry: ghcr.io/actuarysailor/pre-commit-terraform-tools:latest
language: docker_image
args: [terraform, fmt]
Collaborator

@MaxymVlasov MaxymVlasov Sep 2, 2025

This ignores all logic in hooks.

  1. Use entrypoint as specified in https://pre-commit.com/#docker_image to call the same entry as in regular hooks.
  2. To simplify review, put docker hooks right after the regular ones. In other words, sort hooks alphabetically.
  3. Dockerfile.tools is not needed; you can put all into Dockerfile, there are just minor changes.
  4. You don't need to copy hooks a few times to /usr/local/bin/hooks/ and /usr/bin/hooks/

I addressed all of that in 6b2eb62 (#925), please check terraform_fmt_docker in it and make the same changes to everything else.

files: \.(tf|tofu|tfvars|tftest\.hcl|tfmock\.hcl)$
exclude: \.terraform/.*$

- id: terraform_validate_docker
name: Terraform validate (Docker)
description: Validates all Terraform configuration files using Docker.
require_serial: true
entry: ghcr.io/actuarysailor/pre-commit-terraform-tools:latest
language: docker_image
args: [terraform, validate]
pass_filenames: false
files: \.(tf|tofu|tfvars|terraform\.lock\.hcl)$
exclude: \.terraform/.*$

- id: terraform_tflint_docker
name: Terraform validate with tflint (Docker)
description: Validates all Terraform configuration files with TFLint using
Docker.
require_serial: true
entry: ghcr.io/actuarysailor/pre-commit-terraform-tools:latest
language: docker_image
args: [tflint, --chdir=.]
pass_filenames: false
files: \.(tf|tofu|tfvars)$
exclude: \.terraform/.*$
Comment on lines +215 to +227


💡 Verification agent

🧩 Analysis chain

TFLint Docker hook likely scans only repo root; consider wrapper/parsing for per-module.

tflint --chdir=. won’t iterate modules. Either switch to the wrapper (parity with script hook) or pass filenames and let pre-commit drive per-dir runs.

-  entry: ghcr.io/antonbabenko/pre-commit-terraform-tools:latest
-  language: docker_image
-  args: [tflint, --chdir=.]
-  pass_filenames: false
+  entry: ghcr.io/antonbabenko/pre-commit-terraform-tools:latest
+  language: docker_image
+  args: [/usr/bin/hooks/terraform_tflint.sh]
+  pass_filenames: true

🏁 Script executed:

#!/bin/bash
set -eux
# Locate tflint hook definitions
grep -R "terraform_tflint" -n .pre-commit-hooks.yaml
# Check for wrapper script in repo
grep -R "terraform_tflint.sh" -n .

Length of output: 299


🏁 Script executed:

#!/bin/bash
set -eux
# Show beginning of wrapper script for terraform_tflint
sed -n '1,200p' hooks/terraform_tflint.sh

Length of output: 2711


Run TFLint via the per-dir wrapper in the Docker hook
The Docker hook currently invokes tflint --chdir=. only at the repo root, skipping per-module scans. Switch to the bundled wrapper (which handles per-directory runs) and enable pass_filenames.

-  entry: ghcr.io/antonbabenko/pre-commit-terraform-tools:latest
-  language: docker_image
-  args: [tflint, --chdir=.]
-  pass_filenames: false
+  entry: ghcr.io/antonbabenko/pre-commit-terraform-tools:latest
+  language: docker_image
+  args: [/usr/bin/hooks/terraform_tflint.sh]
+  pass_filenames: true
Suggested change
- id: terraform_tflint_docker
name: Terraform validate with tflint (Docker)
description: >-
Validates all Terraform configuration files with TFLint using Docker.
NOTE: Requires Docker to be available. Use 'skip' in .pre-commit-config.yaml
if running on pre-commit.ci or other environments without Docker.
require_serial: true
entry: ghcr.io/antonbabenko/pre-commit-terraform-tools:latest
language: docker_image
args: [tflint, --chdir=.]
pass_filenames: false
files: \.(tf|tofu|tfvars)$
exclude: \.terraform/.*$
- id: terraform_tflint_docker
name: Terraform validate with tflint (Docker)
description: >-
Validates all Terraform configuration files with TFLint using Docker.
NOTE: Requires Docker to be available. Use 'skip' in .pre-commit-config.yaml
if running on pre-commit.ci or other environments without Docker.
require_serial: true
entry: ghcr.io/antonbabenko/pre-commit-terraform-tools:latest
language: docker_image
args: [/usr/bin/hooks/terraform_tflint.sh]
pass_filenames: true
files: \.(tf|tofu|tfvars)$
exclude: \.terraform/.*$
🤖 Prompt for AI Agents
In .pre-commit-hooks.yaml around lines 215 to 227, the Docker hook currently
calls tflint with a global --chdir=. which prevents per-module scanning; replace
the explicit tflint invocation with the bundled per-dir wrapper and enable
filename passing. Change args to use the bundled wrapper (e.g.,
["tflint-wrapper"]) and remove the --chdir argument, and set pass_filenames:
true so the wrapper can run TFLint per-directory for each matched file.


- id: terraform_docs_docker
name: Terraform docs (Docker)
description: >-
Inserts input and output documentation into README.md using Docker.
require_serial: true
entry: ghcr.io/actuarysailor/pre-commit-terraform-tools:latest
language: docker_image
args: [terraform-docs, markdown, table, ., --output-file, README.md]
pass_filenames: false
files: \.(tf|tofu|terraform\.lock\.hcl)$
exclude: \.terraform/.*$

- id: terraform_checkov_docker
name: Checkov (Docker)
description: Runs checkov on Terraform templates using Docker.
entry: ghcr.io/actuarysailor/pre-commit-terraform-tools:latest
language: docker_image
args: [checkov, -d, .]
pass_filenames: false
always_run: false
files: \.(tf|tofu)$
exclude: \.terraform/.*$
require_serial: true

- id: terraform_trivy_docker
name: Terraform validate with trivy (Docker)
description: >-
Static analysis of Terraform templates to spot potential security issues
using Docker.
require_serial: true
entry: ghcr.io/actuarysailor/pre-commit-terraform-tools:latest
language: docker_image
args: [trivy, config, .]
pass_filenames: false
files: \.(tf|tofu|tfvars)$
exclude: \.terraform/.*$

- id: infracost_breakdown_docker
name: Infracost breakdown (Docker)
description: Check terraform infrastructure cost using Docker.
entry: ghcr.io/actuarysailor/pre-commit-terraform-tools:latest
language: docker_image
args: [infracost, breakdown, --path, .]
pass_filenames: false
require_serial: true
files: \.(tf|tofu|tfvars|hcl)$
exclude: \.terraform/.*$
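Review bot: every new `*_docker` hook sets `entry: ghcr.io/actuarysailor/pre-commit-terraform-tools:latest`, a mutable tag in a personal namespace, so anyone adopting these hooks runs whatever that tag points to at install time with no way to review the change. Publish under the project namespace and pin by digest (`ghcr.io/<org>/pre-commit-terraform-tools@sha256:<digest>`, placeholders to be filled in) or at least an immutable release tag, so that bumping the image is an explicit, reviewable diff in the consumer's config. Second, `args: [terraform, fmt]`, `[terraform, validate]`, `[tflint, --chdir=.]`, `[checkov, -d, .]`, `[trivy, config, .]` and `[infracost, breakdown, --path, .]` with `pass_filenames: false` call the tools directly from the repo root and bypass the per-directory logic in the existing `hooks/*.sh` scripts (MaxymVlasov's point 1 above); use `entrypoint:` with the same hook script as the corresponding regular hook so the two variants behave identically and `terraform_docs_docker` stops hard-coding `.` and `README.md`. `always_run: false` on `terraform_checkov_docker` is the default and can be dropped.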