chore: synced file(s) with honestbank/.github

.checkov.yaml

@@ -1,11 +1,14 @@
 compact: true
-directory: .
+directory:
+  - .
 download-external-modules: true
 evaluate-variables: true
 external-modules-download-path: .external_modules
 framework:
-- all
+  - all
 quiet: true
 skip-path:
   - .external_modules
   - modules
+  - catalog-info.yml
+baseline: .checkov.baseline

.pre-commit-config.yaml

@@ -1,23 +1,70 @@
+# DO NOT CHANGE. This file is being managed from a central repository
+# To know more simply visit https://github.com/honestbank/.github/blob/main/docs/about.md
+
 # See https://pre-commit.com for more information
 # See https://pre-commit.com/hooks.html for more hooks
+
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.3.0 # Get the latest version from: https://github.com/pre-commit/pre-commit-hooks/releases
+    rev: v4.6.0 # Get the latest from: https://github.com/pre-commit/pre-commit-hooks/releases
     hooks:
-      - id: end-of-file-fixer
-      - id: trailing-whitespace
       - id: check-yaml
+        args: ["--allow-multiple-documents"]
       - id: check-added-large-files
+      - id: detect-aws-credentials
+        args: ["--allow-missing-credentials"]
+  - repo: local
+    hooks:
+      - id: create-checkov-baseline
+        name: Create Checkov Baseline
+        entry: bash -c 'if [ ! -f .checkov.baseline ]; then echo "{}" > .checkov.baseline && touch baseline-created; fi'
+        language: system
+        stages: [commit]
+        pass_filenames: false
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.74.1 # Get the latest version from: https://github.com/antonbabenko/pre-commit-terraform/releases
+    rev: v1.94.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
     hooks:
       - id: terraform_fmt
-      - id: terraform_docs
-        args:
-          - --args=--config=.terraform-docs.yml
       - id: terraform_validate
-        exclude: test/
+        args:
+          - --hook-config=--retry-once-with-cleanup=true
+          - --tf-init-args=-upgrade
       - id: terraform_tfsec
-        exclude: test/
+        exclude: "test/"
+        args:
+          - --args=--exclude-downloaded-modules
       - id: terraform_checkov
-        exclude: test/
+        exclude: "test/"
+        args:
+          - --args=--config-file __GIT_WORKING_DIR__/.checkov.yaml --baseline __GIT_WORKING_DIR__/.checkov.baseline
+  - repo: local
+    hooks:
+      - id: delete-checkov-baseline
+        name: Delete Checkov Baseline
+        entry: bash -c 'if [ -f baseline-created ]; then rm .checkov.baseline && rm baseline-created; fi'
+        language: system
+        stages: [commit]
+        pass_filenames: false
+  - repo: https://github.com/gitguardian/ggshield
+    rev: v1.31.0
+    hooks:
+      - id: ggshield
+        language: python
+        stages: [commit]
+        args: ["secret", "scan", "pre-commit"]
+  - repo: local
+    hooks:
+      - id: docs
+        name: docs
+        entry: make
+        args: ["docs"]
+        language: system
+        pass_filenames: false
+  # Run this at the end so that we don't end up in infinite loop
+  # where the end of line fixer runs first and then the docs and fmt
+  # and other hooks that modify files will break it again.
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.6.0 # Get the latest from: https://github.com/pre-commit/pre-commit-hooks/releases
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer

Makefile

@@ -0,0 +1,19 @@
+commit: docs validate
+
+docs:
+	terraform-docs --lockfile=false -c .terraform-docs.yml .
+
+init:
+	git submodule update --init --recursive
+	terraform init -upgrade
+
+lint:
+	terraform fmt --recursive
+
+tests:
+# Super long timeout since this Makefile will be used in various repositories
+	cd test; go clean -testcache; go test -v -timeout 60m
+
+validate: lint
+	terraform init --upgrade
+	terraform validate