Skip to content

feat(terrascan): Add support for __GIT_WORKING_DIR__ in hooks arguments #943

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
MaxymVlasov merged 2 commits into from
Oct 14, 2025
+12 −0
Merged

feat(terrascan): Add support for __GIT_WORKING_DIR__ in hooks arguments #943

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
880ca4a
feat: Support __GIT_WORKING_DIR__ for terrascan
GSokol Oct 10, 2025
94ed3c8
Fix README style.
GSokol Oct 10, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1123,6 +1123,14 @@ If the generated name is incorrect, set them by providing the `module-repo-short

See the `terrascan run -h` command line help for available options.

To pass the config file path, use the `__GIT_WORKING_DIR__` placeholder. It will be replaced with the Git working directory (repo root) at run time. For example:

```yaml
- id: terrascan
args:
- --args=--config-path=__GIT_WORKING_DIR__/.terrascan.toml
```

2. Use the `--args=--verbose` parameter to see the rule ID in the scanning output. Useful to skip validations.
3. Use `--skip-rules="ruleID1,ruleID2"` parameter to skip one or more rules globally while scanning (e.g.: `--args=--skip-rules="ruleID1,ruleID2"`).
4. Use the syntax `#ts:skip=RuleID optional_comment` inside a resource to skip the rule for that resource.
Expand Down
4 changes: 4 additions & 0 deletions hooks/terrascan.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,10 @@ function main {
common::parse_cmdline "$@"
common::export_provided_env_vars "${ENV_VARS[@]}"
common::parse_and_export_env_vars
# Support for setting PATH to repo root.
for i in "${!ARGS[@]}"; do
ARGS[i]=${ARGS[i]/__GIT_WORKING_DIR__/$(pwd)\/}
Comment thread
GSokol marked this conversation as resolved.
done
Comment on lines +15 to +18
Copy link
Copy Markdown
Collaborator

@yermulnik yermulnik Oct 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@MaxymVlasov Granted this is going to be 5th hook (out of 16) that has this feature implemented locally inside hook, would it make sense to look into moving this feature over right into common::parse_cmdline function so that it is available to all hooks that utilize common::parse_cmdline func?
Are there any obstacles or issues with this that I can't see off hands?
If not, then I can work on this task. Please let me know.

Copy link
Copy Markdown
Collaborator

@MaxymVlasov MaxymVlasov Oct 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, should be generally supported by most of hooks.
As far as I remember, it just not make much sense in some hooks, but that's a nit a big deal

Copy link
Copy Markdown
Contributor Author

@GSokol GSokol Oct 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, would move it there.

Copy link
Copy Markdown
Collaborator

@yermulnik yermulnik Oct 10, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@GSokol Oh, I didn't mean for you to work on it (I thought I'd pick this up in a separate PR), although if you're up to — that's marvelous.
Once moved, these hooks need to be updated by removing the for loop (+ probably README update to provide more clear info):

hooks/terraform_tflint.sh:18:    ARGS[i]=${ARGS[i]/__GIT_WORKING_DIR__/$(pwd)\/}
hooks/terraform_trivy.sh:17:    ARGS[i]=${ARGS[i]/__GIT_WORKING_DIR__/$(pwd)\/}
hooks/terraform_checkov.sh:17:    ARGS[i]=${ARGS[i]/__GIT_WORKING_DIR__/$(pwd)\/}
hooks/terraform_tfsec.sh:17:    ARGS[i]=${ARGS[i]/__GIT_WORKING_DIR__/$(pwd)\/}

Let me know if you'd prefer not to pick this up (it is all fine!) and I'll work on this bit in a separate PR. Thanks.

Copy link
Copy Markdown
Collaborator

@yermulnik yermulnik Oct 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm approving this PR as it is at the moment though.

Copy link
Copy Markdown
Collaborator

@yermulnik yermulnik Oct 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let me know if you'd prefer not to pick this up (it is all fine!) and I'll work on this bit in a separate PR. Thanks.

@GSokol Could you please let me know whether you're ok to pick this up or would prefer me to take on this?

Copy link
Copy Markdown
Contributor Author

@GSokol GSokol Oct 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would pick this up into a separate PR (as I need the changes ASAP).

Copy link
Copy Markdown
Collaborator

@yermulnik yermulnik Oct 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@MaxymVlasov I've created an issue for this: #944

@GSokol Feel free to pick that issue up if you're up to 👍🏻

Copy link
Copy Markdown
Collaborator

@yermulnik yermulnik Oct 16, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@GSokol Would you have a chance to check whether #945 works as expected for your use case please?

# JFYI: terrascan color already suppressed via PRE_COMMIT_COLOR=never

# shellcheck disable=SC2153 # False positive
Expand Down
Loading