feat: Add `terraform_checkov`, that run per folder. Deprecate `checkov` hook #290

bmbferreira · 2021-11-30T23:38:25Z

Put an x into the box if that apply:

This PR introduces breaking change.
This PR fixes a bug.
This PR adds new functionality.
This PR enhances existing functionality.

Description of your changes

This change applies the same logic to checkov that is already being used for other tools, such as tflint. If we have a monorepo with multiple modules such as module1 and module2 and we run for example pre-commit run --files module1/istio/*, it would run checkov for all the modules but tflint would just run for module1, which is inconsistent with the argument that was passed to pre-commit.

How has this code been tested

In a monorepo with multiple modules, before if you ran pre-commit run --files module1/istio/*, checkov would execute for all the modules because of the -d . while other tools such as tflint would just execute for the paths passed as argument to pre-commit. With this change, checkov will start having the same behaviour as other tools, improving the consistency between the different tools.

MaxymVlasov

checkov used in 176 OSS projects.
So we can't merge this PR as is before 2.0.0 version.

I suggest adding a new Checkov hook, like checkov_2, and marking checkov as deprecated with the note "Will be removed in 2.0.0. Please, use checkov_2" (and in 2.0.0 rename checkov_2 to checkov)

@antonbabenko what do you think?

antonbabenko · 2021-12-08T20:14:11Z

Can we achieve backward compatibility with both checkov versions 1 and 2? From what I see, it is possible. It is rather a bad idea to ask people to update anything unless it is absolutely necessary when we bump to version 2 of this repo.

terraform_checkov.sh

yermulnik · 2021-12-08T21:51:17Z

It is rather a bad idea to ask people to update anything unless it is absolutely necessary when we bump version 2 of this repo.

@MaxymVlasov Do I get it right that the backward incompatible thing with the new hook would be the args parameter which is passed to hook via .pre-commit-config.yaml like in the README here https://github.com/antonbabenko/pre-commit-terraform#checkov ? Or am I missing something else?
If it's about args only I'd guess that most probably vast majority of those OSS repos don't pass custom args to checkov hook, and even those who do, most probably, have pinned their config to a specific version tag of pre-commit-terraform, hence I 100% agree with your suggestion about decommissioning legacy check with v2 of pre-commit-terraform with the understanding that those few who pass custom args to checkov and who don't pin to version tag, are smart enough to surf to this repo and read change log, explore issues, and re-read the readme.
@antonbabenko FYI. I don't think it's worth of implementing quirks to add compatibility of the two checkov hook versions as of what I wrote above.

UPD: especially having that people should know that major version is something to pay a very close attention to.

MaxymVlasov · 2021-12-09T12:58:04Z

On my test infra repo:

took 14s

repos:
- repo: https://github.com/antonbabenko/pre-commit-terraform
  rev: v1.60.0
  hooks:
  - id: checkov

took 4m 20s

repos:
- repo: [email protected]:bmbferreira/pre-commit-terraform.git
  rev: 9885aaf # latest commit in this PR
  hooks:
  - id: checkov

Something wrong with the hook implementation in this PR. It shouldn't take so much time.

MaxymVlasov

Performance issue detected.
To fix it, you need to find an error in logic. It is based on how the checkov works

MaxymVlasov · 2021-12-09T13:35:07Z

@yermulnik yeah, it's about args: section only

I checked all +- related 84 OSS results and found that args used in 16 repos by 7 folks.

Here their configs:

args:
  - '--quiet'
  - '--skip-check'
  - 'CKV_GCP_43,CKV_GCP_62,CKV_GCP_37,CKV_GCP_38'  # Key Rotation, Bucket log, CSEK

https://github.com/mikinhas/terraform-scaleway-instance-module/blob/d3fdfdf31502e2ab569678cc44b2667298956fd4/.pre-commit-config.yaml#L11-L15

args:
  - --skip-path
  - .*(?<!\.tf)$

https://github.com/htec-infra/project-scaffold/blob/07848452c5b68b219169ce1f92b676dcca4df6e0/apps/terraform/tmpl/.pre-commit-config.yaml#L35-L38

args: ['-d .']

https://github.com/ravi-skills/AWS-EKS/blob/15acd1a2a3d9a70f0d3d44422b9e5702d9a28eb2/InfraCode/.pre-commit-config.yaml#L8-L9

args: ["-d", "."]

https://github.com/kazhala/terraform-aws-tags/blob/79ca76a9d7f37ad6846a760536b5263ad96584c9/.pre-commit-config.yaml#L9-L10
https://github.com/kazhala/terraform-aws-ecs-ec2-cluster/blob/4febe01e8c04e02548b0062cf5c92aab330caebd/.pre-commit-config.yaml#L9-L10
https://github.com/kazhala/terraform-aws-rds/blob/8124dd6105eb71526c52095d784fc0c4c5595d4f/.pre-commit-config.yaml#L9-L10
https://github.com/kazhala/terraform-aws-vpc/blob/a7c05cbf523f50dd9572f2abe90dec0418a11216/.pre-commit-config.yaml#L9-L10
https://github.com/kazhala/terraform-aws-ecs-service/blob/f44eda6f216c389a3321b948199041e3a8e1dc52/.pre-commit-config.yaml#L9-L10
https://github.com/kazhala/terraform-aws-efs/blob/af4f06d04cb63e45f04e5ae6302ff5737b8a8a06/.pre-commit-config.yaml#L9-L10
https://github.com/kazhala/terraform-aws-ses-smtp-identity/blob/f484e01c88b70f3ee9c1239e052aaaee14c82219/.pre-commit-config.yaml#L9-L10
https://github.com/anhdle14/terraform-module-template/blob/1098d5c3babe63d5b5c7fefde063cbd01384181c/.pre-commit-config.yaml#L20-L25

args: [--framework, 'terraform']

https://github.com/silazare/terraform-eks-base/blob/7dca5aeff1c4ec0553ee98c7d053643043e2929c/.pre-commit-config.yaml#L13-L14
https://github.com/silazare/terraform-gke-base/blob/20cdd542603990ed8a273e1265b19326331bc38c/.pre-commit-config.yaml#L12-L13

args: [-d ./staging, --skip-check, 'CKV_AWS_18,CKV_AWS_28,CKV_AWS_52,CKV_AWS_65,CKV_AWS_97', --framework, 'terraform']

https://github.com/silazare/aws-ecs-workshop/blob/5da377bcef0ffd6246ebbdcfcc2deabb43b0cef8/.pre-commit-config.yaml#L15-L16

args: [
  "-d", ".",
  "--skip-check", "CKV2_AWS_8",
]

https://github.com/mackah666/terraform-aws-sqs/blob/dfef1849eb07a2f44a072fc3711ca0b2bc8527e2/.pre-commit-config.yaml#L11-L14
[Commented] https://github.com/mackah666/terraform-aws-lambda/blob/ddbe71e2ff8062f6d34d5a31bfa92b8739daa3cc/.pre-commit-config.yaml#L9-L13

yermulnik · 2021-12-09T14:09:01Z

and found that args used in 16 repos by 7 folks.

Great finding mate. This means we can introduce such a backward incompatible change and even create issues in those projects to let the folks know they need to update their configs, right?

MaxymVlasov · 2021-12-09T14:22:41Z

GH doesn't count private repos, which means that it only helps to understand ~% repos that use checkov with args: relative to the total repos.

16/176 ~= 9% repos will be affected.

And no, we shouldn't go to folks and open issues about any changes.

MaxymVlasov · 2021-12-22T20:15:29Z

Have the same performance issue for pre-commit run --all as in Improve perfomance during pre-commit --all (-a) run #309, so this PR depends on Improve perfomance during pre-commit --all (-a) run #309 resolution.
I committed some changes, that dramatically improved speed

Test results

5 runs 'checkov (pre-commit run --all) PR #290:'

time command	max	min	mean	median
users seconds	194.15	183.31	187.162	184.49
system seconds	121.55	119.64	120.796	121.24
CPU %	149	144	146.6	147
Total time	218.03	203.03	209.576	206.83

Run details

Test Start: Wed Dec 22 18:55:01 UTC 2021
Test End: Wed Dec 22 19:12:29 UTC 2021

Variable name	Value
`TEST_NUM`	`5`
`TEST_COMMAND`	`pre-commit try-repo -a /tmp/290 checkov`
`TEST_DIR`	`/home/vm/code/Oslo`
`TEST_DESCRIPTION`	`5 runs 'checkov PR #290:'`
`RAW_TEST_RESULTS_FILE_NAME`	`pr290`

Memory info (head -n 6 /proc/meminfo):

MemTotal:       12765352 kB
MemFree:         6307376 kB
MemAvailable:    8895252 kB
Buffers:          356464 kB
Cached:          2229868 kB
SwapCached:            0 kB

CPU info:

Real procs: 6
Virtual (hyper-threading) procs: 12

processor	: 11
vendor_id	: GenuineIntel
cpu family	: 6
model		: 165
model name	: Intel(R) Core(TM) i7-10850H CPU @ 2.70GHz
stepping	: 2
microcode	: 0xffffffff
cpu MHz		: 2712.007
cache size	: 12288 KB
physical id	: 0
siblings	: 12
core id		: 5
cpu cores	: 6
apicid		: 11
initial apicid	: 11
fpu		: yes
fpu_exception	: yes
cpuid level	: 21
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology cpuid pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 movbe popcnt aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch invpcid_single ssbd ibrs ibpb stibp ibrs_enhanced fsgsbase bmi1 avx2 smep bmi2 erms invpcid rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves flush_l1d arch_capabilities
bugs		: spectre_v1 spectre_v2 spec_store_bypass swapgs itlb_multihit
bogomips	: 5424.01
clflush size	: 64
cache_alignment	: 64
address sizes	: 39 bits physical, 48 bits virtual
power management:

5 runs 'checkov PR #290:'

time command	max	min	mean	median
users seconds	194.15	7.04	97.346	95.625
system seconds	121.55	4.81	62.839	62.325
CPU %	155	140	147.1	147
Total time	218.03	8.08	108.988	106.045

Run details

Test Start: Wed Dec 22 19:22:51 UTC 2021
Test End: Wed Dec 22 19:23:33 UTC 2021

Variable name	Value
`TEST_NUM`	`5`
`TEST_COMMAND`	`pre-commit try-repo /tmp/290 checkov`
`TEST_DIR`	`/home/vm/code/Oslo`
`TEST_DESCRIPTION`	`5 runs 'checkov PR #290:'`
`RAW_TEST_RESULTS_FILE_NAME`	`pr290`

Memory info (head -n 6 /proc/meminfo):

MemTotal:       12765352 kB
MemFree:         6285132 kB
MemAvailable:    8874268 kB
Buffers:          357716 kB
Cached:          2229876 kB
SwapCached:            0 kB

CPU info:

Real procs: 6
Virtual (hyper-threading) procs: 12

processor	: 11
vendor_id	: GenuineIntel
cpu family	: 6
model		: 165
model name	: Intel(R) Core(TM) i7-10850H CPU @ 2.70GHz
stepping	: 2
microcode	: 0xffffffff
cpu MHz		: 2712.007
cache size	: 12288 KB
physical id	: 0
siblings	: 12
core id		: 5
cpu cores	: 6
apicid		: 11
initial apicid	: 11
fpu		: yes
fpu_exception	: yes
cpuid level	: 21
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology cpuid pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 movbe popcnt aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch invpcid_single ssbd ibrs ibpb stibp ibrs_enhanced fsgsbase bmi1 avx2 smep bmi2 erms invpcid rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves flush_l1d arch_capabilities
bugs		: spectre_v1 spectre_v2 spec_store_bypass swapgs itlb_multihit
bogomips	: 5424.01
clflush size	: 64
cache_alignment	: 64
address sizes	: 39 bits physical, 48 bits virtual
power management:

5 runs 'checkov (pre-commit run --all) v1.62.3:'

time command	max	min	mean	median
users seconds	194.15	7.04	69.267333333333	13.35
system seconds	121.55	2.65	42.863333333333	4.84
CPU %	155	106	134.46666666667	146
Total time	218.03	8.08	77.54	14.84

Run details

Test Start: Wed Dec 22 19:24:26 UTC 2021
Test End: Wed Dec 22 19:25:40 UTC 2021

Variable name	Value
`TEST_NUM`	`5`
`TEST_COMMAND`	`pre-commit try-repo -a /mnt/c/Users/vm/code/open-source/pre-commit-terraform checkov`
`TEST_DIR`	`/home/vm/code/Oslo`
`TEST_DESCRIPTION`	`5 runs 'checkov PR v1.62.3:'`
`RAW_TEST_RESULTS_FILE_NAME`	`pr290`

Memory info (head -n 6 /proc/meminfo):

MemTotal:       12765352 kB
MemFree:         6318444 kB
MemAvailable:    8910328 kB
Buffers:          358448 kB
Cached:          2229980 kB
SwapCached:            0 kB

CPU info:

Real procs: 6
Virtual (hyper-threading) procs: 12

processor	: 11
vendor_id	: GenuineIntel
cpu family	: 6
model		: 165
model name	: Intel(R) Core(TM) i7-10850H CPU @ 2.70GHz
stepping	: 2
microcode	: 0xffffffff
cpu MHz		: 2712.007
cache size	: 12288 KB
physical id	: 0
siblings	: 12
core id		: 5
cpu cores	: 6
apicid		: 11
initial apicid	: 11
fpu		: yes
fpu_exception	: yes
cpuid level	: 21
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology cpuid pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 movbe popcnt aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch invpcid_single ssbd ibrs ibpb stibp ibrs_enhanced fsgsbase bmi1 avx2 smep bmi2 erms invpcid rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves flush_l1d arch_capabilities
bugs		: spectre_v1 spectre_v2 spec_store_bypass swapgs itlb_multihit
bogomips	: 5424.01
clflush size	: 64
cache_alignment	: 64
address sizes	: 39 bits physical, 48 bits virtual
power management:

5 runs 'checkov v1.62.3:'

time command	max	min	mean	median
users seconds	194.15	7.04	55.241	13.18
system seconds	121.55	2.47	32.826	4.035
CPU %	155	104	127.5	126.5
Total time	218.03	8.08	61.8665	14.85

Run details

Test Start: Wed Dec 22 19:25:48 UTC 2021
Test End: Wed Dec 22 19:27:03 UTC 2021

Variable name	Value
`TEST_NUM`	`5`
`TEST_COMMAND`	`pre-commit try-repo /mnt/c/Users/vm/code/open-source/pre-commit-terraform checkov`
`TEST_DIR`	`/home/vm/code/Oslo`
`TEST_DESCRIPTION`	`5 runs 'checkov PR v1.62.3:'`
`RAW_TEST_RESULTS_FILE_NAME`	`pr290`

Memory info (head -n 6 /proc/meminfo):

MemTotal:       12765352 kB
MemFree:         6270784 kB
MemAvailable:    8862552 kB
Buffers:          359112 kB
Cached:          2229980 kB
SwapCached:            0 kB

CPU info:

Real procs: 6
Virtual (hyper-threading) procs: 12

processor	: 11
vendor_id	: GenuineIntel
cpu family	: 6
model		: 165
model name	: Intel(R) Core(TM) i7-10850H CPU @ 2.70GHz
stepping	: 2
microcode	: 0xffffffff
cpu MHz		: 2712.007
cache size	: 12288 KB
physical id	: 0
siblings	: 12
core id		: 5
cpu cores	: 6
apicid		: 11
initial apicid	: 11
fpu		: yes
fpu_exception	: yes
cpuid level	: 21
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology cpuid pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 movbe popcnt aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch invpcid_single ssbd ibrs ibpb stibp ibrs_enhanced fsgsbase bmi1 avx2 smep bmi2 erms invpcid rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves flush_l1d arch_capabilities
bugs		: spectre_v1 spectre_v2 spec_store_bypass swapgs itlb_multihit
bogomips	: 5424.01
clflush size	: 64
cache_alignment	: 64
address sizes	: 39 bits physical, 48 bits virtual
power management:

5 runs 'checkov improvments:'

time command	max	min	mean	median
users seconds	194.15	5.22	45.258	12.99
system seconds	121.55	2.47	26.882	3.11
CPU %	184	104	136	146
Total time	218.03	4.59	50.4892	14.7

Run details

Test Start: Wed Dec 22 20:01:22 UTC 2021
Test End: Wed Dec 22 20:01:47 UTC 2021

Variable name	Value
`TEST_NUM`	`5`
`TEST_COMMAND`	`pre-commit try-repo /tmp/290 checkov`
`TEST_DIR`	`/home/vm/code/Oslo`
`TEST_DESCRIPTION`	`5 runs 'checkov improvments:'`
`RAW_TEST_RESULTS_FILE_NAME`	`pr290`

Memory info (head -n 6 /proc/meminfo):

MemTotal:       12765352 kB
MemFree:         6116244 kB
MemAvailable:    8744184 kB
Buffers:          366044 kB
Cached:          2257108 kB
SwapCached:            0 kB

CPU info:

Real procs: 6
Virtual (hyper-threading) procs: 12

processor	: 11
vendor_id	: GenuineIntel
cpu family	: 6
model		: 165
model name	: Intel(R) Core(TM) i7-10850H CPU @ 2.70GHz
stepping	: 2
microcode	: 0xffffffff
cpu MHz		: 2712.007
cache size	: 12288 KB
physical id	: 0
siblings	: 12
core id		: 5
cpu cores	: 6
apicid		: 11
initial apicid	: 11
fpu		: yes
fpu_exception	: yes
cpuid level	: 21
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology cpuid pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 movbe popcnt aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch invpcid_single ssbd ibrs ibpb stibp ibrs_enhanced fsgsbase bmi1 avx2 smep bmi2 erms invpcid rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves flush_l1d arch_capabilities
bugs		: spectre_v1 spectre_v2 spec_store_bypass swapgs itlb_multihit
bogomips	: 5424.01
clflush size	: 64
cache_alignment	: 64
address sizes	: 39 bits physical, 48 bits virtual
power management:

5 runs 'checkov (pre-commit -a) improvments:'

time command	max	min	mean	median
users seconds	194.15	5.22	57.949333333333	13.18
system seconds	121.55	2.47	35.683666666667	4.1
CPU %	184	104	141.93333333333	147
Total time	218.03	4.59	61.578	14.85

Run details

Test Start: Wed Dec 22 20:02:13 UTC 2021
Test End: Wed Dec 22 20:11:59 UTC 2021

Variable name	Value
`TEST_NUM`	`5`
`TEST_COMMAND`	`pre-commit try-repo -a /tmp/290 checkov`
`TEST_DIR`	`/home/vm/code/Oslo`
`TEST_DESCRIPTION`	`5 runs 'checkov (pre-commit -a) improvments:'`
`RAW_TEST_RESULTS_FILE_NAME`	`pr290`

Memory info (head -n 6 /proc/meminfo):

MemTotal:       12765352 kB
MemFree:         6027688 kB
MemAvailable:    8657460 kB
Buffers:          367748 kB
Cached:          2257132 kB
SwapCached:            0 kB

CPU info:

Real procs: 6
Virtual (hyper-threading) procs: 12

processor	: 11
vendor_id	: GenuineIntel
cpu family	: 6
model		: 165
model name	: Intel(R) Core(TM) i7-10850H CPU @ 2.70GHz
stepping	: 2
microcode	: 0xffffffff
cpu MHz		: 2712.007
cache size	: 12288 KB
physical id	: 0
siblings	: 12
core id		: 5
cpu cores	: 6
apicid		: 11
initial apicid	: 11
fpu		: yes
fpu_exception	: yes
cpuid level	: 21
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology cpuid pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 movbe popcnt aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch invpcid_single ssbd ibrs ibpb stibp ibrs_enhanced fsgsbase bmi1 avx2 smep bmi2 erms invpcid rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves flush_l1d arch_capabilities
bugs		: spectre_v1 spectre_v2 spec_store_bypass swapgs itlb_multihit
bogomips	: 5424.01
clflush size	: 64
cache_alignment	: 64
address sizes	: 39 bits physical, 48 bits virtual
power management:

github-actions · 2022-01-23T00:08:39Z

This PR has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this PR will be closed in 10 days

MaxymVlasov · 2022-02-10T17:52:48Z

performance issue for pre-commit run --all fixed in d4b1096 (#290)

Tests results:

5 runs 'v1.63.0 `pre-commit run`'

time command	max	min	mean	median
users seconds	29.93	26.1	27.922	27.83
system seconds	10.2	8.12	9.062	8.68
CPU %	165	159	162	162
Total time	24.77	20.93	22.754	22.83

Run details

Test Start: Thu Feb 10 16:57:19 UTC 2022
Test End: Thu Feb 10 16:59:13 UTC 2022

Variable name	Value
`TEST_NUM`	`5`
`TEST_COMMAND`	`pre-commit try-repo /mnt/c/Users/vm/code/open-source/pre-commit-terraform checkov`
`TEST_DIR`	`/home/vm/code/Oslo`
`TEST_DESCRIPTION`	`5 runs 'v1.63.0 pre-commit run'`
`RAW_TEST_RESULTS_FILE_NAME`	`pr290`

Memory info (head -n 6 /proc/meminfo):

MemTotal:       12765352 kB
MemFree:         4908188 kB
MemAvailable:    8161860 kB
Buffers:          300264 kB
Cached:          2923732 kB
SwapCached:            0 kB

CPU info:

Real procs: 6
Virtual (hyper-threading) procs: 12

processor	: 11
vendor_id	: GenuineIntel
cpu family	: 6
model		: 165
model name	: Intel(R) Core(TM) i7-10850H CPU @ 2.70GHz
stepping	: 2
microcode	: 0xffffffff
cpu MHz		: 2712.008
cache size	: 12288 KB
physical id	: 0
siblings	: 12
core id		: 5
cpu cores	: 6
apicid		: 11
initial apicid	: 11
fpu		: yes
fpu_exception	: yes
cpuid level	: 21
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology cpuid pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 movbe popcnt aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch invpcid_single ssbd ibrs ibpb stibp ibrs_enhanced fsgsbase bmi1 avx2 smep bmi2 erms invpcid rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves flush_l1d arch_capabilities
bugs		: spectre_v1 spectre_v2 spec_store_bypass swapgs itlb_multihit
bogomips	: 5424.01
clflush size	: 64
cache_alignment	: 64
address sizes	: 39 bits physical, 48 bits virtual
power management:

2 runs 'v1.63.0 pre-commit run -a'

time command	max	min	mean	median
users seconds	25.87	25.02	25.445	25.445
system seconds	8.98	8.06	8.52	8.52
CPU %	168	161	164.5	164.5
Total time	20.64	20.47	20.555	20.555

Run details

Test Start: Thu Feb 10 16:59:35 UTC 2022
Test End: Thu Feb 10 17:00:16 UTC 2022

Variable name	Value
`TEST_NUM`	`2`
`TEST_COMMAND`	`pre-commit try-repo -a /mnt/c/Users/vm/code/open-source/pre-commit-terraform checkov`
`TEST_DIR`	`/home/vm/code/Oslo`
`TEST_DESCRIPTION`	`2 runs 'v1.63.0 pre-commit run -a'`
`RAW_TEST_RESULTS_FILE_NAME`	`pr290`

Memory info (head -n 6 /proc/meminfo):

MemTotal:       12765352 kB
MemFree:         4906488 kB
MemAvailable:    8160928 kB
Buffers:          300568 kB
Cached:          2923872 kB
SwapCached:            0 kB

CPU info:

Real procs: 6
Virtual (hyper-threading) procs: 12

processor	: 11
vendor_id	: GenuineIntel
cpu family	: 6
model		: 165
model name	: Intel(R) Core(TM) i7-10850H CPU @ 2.70GHz
stepping	: 2
microcode	: 0xffffffff
cpu MHz		: 2712.008
cache size	: 12288 KB
physical id	: 0
siblings	: 12
core id		: 5
cpu cores	: 6
apicid		: 11
initial apicid	: 11
fpu		: yes
fpu_exception	: yes
cpuid level	: 21
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology cpuid pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 movbe popcnt aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch invpcid_single ssbd ibrs ibpb stibp ibrs_enhanced fsgsbase bmi1 avx2 smep bmi2 erms invpcid rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves flush_l1d arch_capabilities
bugs		: spectre_v1 spectre_v2 spec_store_bypass swapgs itlb_multihit
bogomips	: 5424.01
clflush size	: 64
cache_alignment	: 64
address sizes	: 39 bits physical, 48 bits virtual
power management:

5 runs '290 pre-commit run:'

time command	max	min	mean	median
users seconds	7.89	7.64	7.724	7.66
system seconds	4.09	4.04	4.072	4.08
CPU %	175	159	163.6	161
Total time	7.42	6.79	7.196	7.26

Run details

Test Start: Thu Feb 10 17:01:42 UTC 2022
Test End: Thu Feb 10 17:02:18 UTC 2022

Variable name	Value
`TEST_NUM`	`5`
`TEST_COMMAND`	`pre-commit try-repo /tmp/290 checkov`
`TEST_DIR`	`/home/vm/code/Oslo`
`TEST_DESCRIPTION`	`5 runs '290 pre-commit run:'`
`RAW_TEST_RESULTS_FILE_NAME`	`pr290`

Memory info (head -n 6 /proc/meminfo):

MemTotal:       12765352 kB
MemFree:         4879912 kB
MemAvailable:    8134636 kB
Buffers:          301016 kB
Cached:          2924104 kB
SwapCached:            0 kB

CPU info:

Real procs: 6
Virtual (hyper-threading) procs: 12

processor	: 11
vendor_id	: GenuineIntel
cpu family	: 6
model		: 165
model name	: Intel(R) Core(TM) i7-10850H CPU @ 2.70GHz
stepping	: 2
microcode	: 0xffffffff
cpu MHz		: 2712.008
cache size	: 12288 KB
physical id	: 0
siblings	: 12
core id		: 5
cpu cores	: 6
apicid		: 11
initial apicid	: 11
fpu		: yes
fpu_exception	: yes
cpuid level	: 21
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology cpuid pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 movbe popcnt aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch invpcid_single ssbd ibrs ibpb stibp ibrs_enhanced fsgsbase bmi1 avx2 smep bmi2 erms invpcid rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves flush_l1d arch_capabilities
bugs		: spectre_v1 spectre_v2 spec_store_bypass swapgs itlb_multihit
bogomips	: 5424.01
clflush size	: 64
cache_alignment	: 64
address sizes	: 39 bits physical, 48 bits virtual
power management:

2 runs '290 pre-commit run -a without speedup:'

time command	max	min	mean	median
users seconds	137.59	135.64	136.615	136.615
system seconds	80.82	79.96	80.39	80.39
CPU %	171	169	170	170
Total time	127.46	127.17	127.315	127.315

Run details

Test Start: Thu Feb 10 17:03:28 UTC 2022
Test End: Thu Feb 10 17:07:42 UTC 2022

Variable name	Value
`TEST_NUM`	`2`
`TEST_COMMAND`	`pre-commit try-repo -a /tmp/290 checkov`
`TEST_DIR`	`/home/vm/code/Oslo`
`TEST_DESCRIPTION`	`2 runs '290 pre-commit run -a without speedup:'`
`RAW_TEST_RESULTS_FILE_NAME`	`pr290`

Memory info (head -n 6 /proc/meminfo):

MemTotal:       12765352 kB
MemFree:         4908756 kB
MemAvailable:    8163916 kB
Buffers:          301620 kB
Cached:          2924188 kB
SwapCached:            0 kB

CPU info:

Real procs: 6
Virtual (hyper-threading) procs: 12

processor	: 11
vendor_id	: GenuineIntel
cpu family	: 6
model		: 165
model name	: Intel(R) Core(TM) i7-10850H CPU @ 2.70GHz
stepping	: 2
microcode	: 0xffffffff
cpu MHz		: 2712.008
cache size	: 12288 KB
physical id	: 0
siblings	: 12
core id		: 5
cpu cores	: 6
apicid		: 11
initial apicid	: 11
fpu		: yes
fpu_exception	: yes
cpuid level	: 21
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology cpuid pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 movbe popcnt aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch invpcid_single ssbd ibrs ibpb stibp ibrs_enhanced fsgsbase bmi1 avx2 smep bmi2 erms invpcid rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves flush_l1d arch_capabilities
bugs		: spectre_v1 spectre_v2 spec_store_bypass swapgs itlb_multihit
bogomips	: 5424.01
clflush size	: 64
cache_alignment	: 64
address sizes	: 39 bits physical, 48 bits virtual
power management:

2 runs '290 pre-commit run -a with speedup:'

time command	max	min	mean	median
users seconds	24.59	24.06	24.325	24.325
system seconds	8.36	7.73	8.045	8.045
CPU %	182	176	179	179
Total time	18.33	17.78	18.055	18.055

Run details

Test Start: Thu Feb 10 17:49:26 UTC 2022
Test End: Thu Feb 10 17:50:02 UTC 2022

Variable name	Value
`TEST_NUM`	`2`
`TEST_COMMAND`	`pre-commit try-repo -a /tmp/290 checkov`
`TEST_DIR`	`/home/vm/code/Oslo`
`TEST_DESCRIPTION`	`2 runs '290 pre-commit run -a with speedup:'`
`RAW_TEST_RESULTS_FILE_NAME`	`pr290`

Memory info (head -n 6 /proc/meminfo):

MemTotal:       12765352 kB
MemFree:         4798432 kB
MemAvailable:    8062356 kB
Buffers:          308048 kB
Cached:          2925804 kB
SwapCached:            0 kB

CPU info:

Real procs: 6
Virtual (hyper-threading) procs: 12

processor	: 11
vendor_id	: GenuineIntel
cpu family	: 6
model		: 165
model name	: Intel(R) Core(TM) i7-10850H CPU @ 2.70GHz
stepping	: 2
microcode	: 0xffffffff
cpu MHz		: 2712.008
cache size	: 12288 KB
physical id	: 0
siblings	: 12
core id		: 5
cpu cores	: 6
apicid		: 11
initial apicid	: 11
fpu		: yes
fpu_exception	: yes
cpuid level	: 21
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology cpuid pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 movbe popcnt aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch invpcid_single ssbd ibrs ibpb stibp ibrs_enhanced fsgsbase bmi1 avx2 smep bmi2 erms invpcid rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves flush_l1d arch_capabilities
bugs		: spectre_v1 spectre_v2 spec_store_bypass swapgs itlb_multihit
bogomips	: 5424.01
clflush size	: 64
cache_alignment	: 64
address sizes	: 39 bits physical, 48 bits virtual
power management:

amontalban · 2022-04-12T17:59:10Z

@MaxymVlasov Looks like this is ready to be merged, isn't it? I can test if there is more testing needed. Thanks!

hooks/terraform_checkov.sh

antonbabenko

Let's keep the existing hook but customize its behavior to support both recursive and non-recursive runs (or what else this PR adds).

It is pretty bad to have two hooks doing very similar things.

MaxymVlasov · 2022-04-13T19:03:28Z

Let's keep the existing hook but customize

No way. @antonbabenko

It is pretty bad to have two hooks doing very similar things.

So the old one will be removed in 2.0.0

or what else this PR adds).

This PR makes the hook customizable as all other hooks, which allows us to introduce custom settings for hook etc., and support it at all.
Also, the old hook can run only on the whole repo or on hardcoded in .pre-commit-config.yaml path, which is not what you want to see when you change a tiny thing somewhere in big monorepo.

antonbabenko

We need to make it a bit clear that checkov hook is deprecated in favor of terraform_checkov hook.

Update name in .pre-commit-hooks.yaml (line 96) with (deprecated, use "terraform_checkov").

README.md

MaxymVlasov · 2022-04-15T17:24:38Z

@antonbabenko merge, please

# [1.67.0](v1.66.0...v1.67.0) (2022-04-15) ### Features * Added `terraform_checkov` (run per folder), deprecated `checkov` hook ([#290](#290)) ([e3a9834](e3a9834))

antonbabenko · 2022-04-15T17:27:07Z

This PR is included in version 1.67.0 🎉

amontalban · 2022-04-15T17:33:28Z

Thank you very much @MaxymVlasov !

bmbferreira requested review from MaxymVlasov and yermulnik as code owners November 30, 2021 23:38

MaxymVlasov added estimate/1h Need 1 hour to be done hook/terraform_checkov Bash hook labels Dec 8, 2021

MaxymVlasov self-assigned this Dec 8, 2021

MaxymVlasov added breaking-changes The current implementation contains Breaking Changes / Can't be implemented without Breaking Changes estimate/2h Need 2 hours to be done and removed estimate/1h Need 1 hour to be done labels Dec 8, 2021

MaxymVlasov reviewed Dec 8, 2021

View reviewed changes

yermulnik reviewed Dec 8, 2021

View reviewed changes

terraform_checkov.sh Outdated Show resolved Hide resolved

MaxymVlasov added the feature New feature or request label Dec 9, 2021

MaxymVlasov requested changes Dec 9, 2021

View reviewed changes

This was referenced Dec 21, 2021

[3rd party: checkov] Checkov runs for all files, not just .tf #284

Closed

Improve perfomance during pre-commit --all (-a) run #309

Closed

MaxymVlasov changed the title ~~fix: allow checkov to run per folder like tflint~~ feat: Allow checkov to run per folder Dec 23, 2021

github-actions bot added the stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 23, 2022

MaxymVlasov added on-hold Indicates that an issue or PR should not be auto-closed due to staleness. and removed stale Denotes an issue or PR has remained open with no activity and has become stale. labels Jan 26, 2022

MaxymVlasov force-pushed the execute-checkov-per-folder branch from fa75ebc to c83c55a Compare February 10, 2022 16:14

MaxymVlasov mentioned this pull request Feb 10, 2022

feat: Make checkov more flexible #329

Closed

4 tasks

MaxymVlasov added 3 commits April 13, 2022 20:19

Refactor to latest file structure

b81aea1

Speedup pre-commit -a

1a524ef

Create new checkov hook without remove the old one

044baac

MaxymVlasov force-pushed the execute-checkov-per-folder branch from b82d5a7 to 044baac Compare April 13, 2022 17:19

f

2e88324

MaxymVlasov removed on-hold Indicates that an issue or PR should not be auto-closed due to staleness. breaking-changes The current implementation contains Breaking Changes / Can't be implemented without Breaking Changes labels Apr 13, 2022

MaxymVlasov changed the title ~~feat: Allow checkov to run per folder~~ feat: Add terraform_checkov, that run per folder. Deprecate checkov hook Apr 13, 2022

yermulnik reviewed Apr 13, 2022

View reviewed changes

hooks/terraform_checkov.sh Outdated Show resolved Hide resolved

MaxymVlasov added 3 commits April 13, 2022 20:45

Improve example

3095d2c

Merge branch 'master' into execute-checkov-per-folder

791f949

Remove useless and improve docs

5c70d53

MaxymVlasov requested a review from yermulnik April 13, 2022 18:47

MaxymVlasov approved these changes Apr 13, 2022

View reviewed changes

antonbabenko requested changes Apr 13, 2022

View reviewed changes

MaxymVlasov requested a review from antonbabenko April 13, 2022 19:04

yermulnik approved these changes Apr 13, 2022

View reviewed changes

antonbabenko requested changes Apr 14, 2022

View reviewed changes

README.md Outdated Show resolved Hide resolved

README.md Outdated Show resolved Hide resolved

README.md Outdated Show resolved Hide resolved

MaxymVlasov added 2 commits April 15, 2022 17:05

Apply review suggestions

fdc5a3b

Apply review suggestion

b1b0434

MaxymVlasov requested a review from antonbabenko April 15, 2022 14:07

Explicitly specify that only checkov is deperecated

1a69d97

antonbabenko merged commit e3a9834 into antonbabenko:master Apr 15, 2022

bmbferreira deleted the execute-checkov-per-folder branch April 16, 2022 23:07

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: Add `terraform_checkov`, that run per folder. Deprecate `checkov` hook #290

feat: Add `terraform_checkov`, that run per folder. Deprecate `checkov` hook #290

bmbferreira commented Nov 30, 2021 •

edited

Loading

MaxymVlasov left a comment •

edited

Loading

antonbabenko commented Dec 8, 2021 •

edited by MaxymVlasov

Loading

yermulnik commented Dec 8, 2021 •

edited by MaxymVlasov

Loading

MaxymVlasov commented Dec 9, 2021

MaxymVlasov left a comment

MaxymVlasov commented Dec 9, 2021 •

edited

Loading

yermulnik commented Dec 9, 2021

MaxymVlasov commented Dec 9, 2021

MaxymVlasov commented Dec 22, 2021

github-actions bot commented Jan 23, 2022

MaxymVlasov commented Feb 10, 2022 •

edited

Loading

amontalban commented Apr 12, 2022

antonbabenko left a comment

MaxymVlasov commented Apr 13, 2022 •

edited

Loading

antonbabenko left a comment

MaxymVlasov commented Apr 15, 2022

antonbabenko commented Apr 15, 2022

amontalban commented Apr 15, 2022

feat: Add terraform_checkov, that run per folder. Deprecate checkov hook #290

feat: Add terraform_checkov, that run per folder. Deprecate checkov hook #290

Conversation

bmbferreira commented Nov 30, 2021 • edited Loading

Description of your changes

How has this code been tested

MaxymVlasov left a comment • edited Loading

Choose a reason for hiding this comment

antonbabenko commented Dec 8, 2021 • edited by MaxymVlasov Loading

yermulnik commented Dec 8, 2021 • edited by MaxymVlasov Loading

MaxymVlasov commented Dec 9, 2021

MaxymVlasov left a comment

Choose a reason for hiding this comment

MaxymVlasov commented Dec 9, 2021 • edited Loading

yermulnik commented Dec 9, 2021

MaxymVlasov commented Dec 9, 2021

MaxymVlasov commented Dec 22, 2021

github-actions bot commented Jan 23, 2022

MaxymVlasov commented Feb 10, 2022 • edited Loading

amontalban commented Apr 12, 2022

antonbabenko left a comment

Choose a reason for hiding this comment

MaxymVlasov commented Apr 13, 2022 • edited Loading

antonbabenko left a comment

Choose a reason for hiding this comment

MaxymVlasov commented Apr 15, 2022

antonbabenko commented Apr 15, 2022

amontalban commented Apr 15, 2022

feat: Add `terraform_checkov`, that run per folder. Deprecate `checkov` hook #290

feat: Add `terraform_checkov`, that run per folder. Deprecate `checkov` hook #290

bmbferreira commented Nov 30, 2021 •

edited

Loading

MaxymVlasov left a comment •

edited

Loading

antonbabenko commented Dec 8, 2021 •

edited by MaxymVlasov

Loading

yermulnik commented Dec 8, 2021 •

edited by MaxymVlasov

Loading

MaxymVlasov commented Dec 9, 2021 •

edited

Loading

MaxymVlasov commented Feb 10, 2022 •

edited

Loading

MaxymVlasov commented Apr 13, 2022 •

edited

Loading