Closed jmswick closed 2 years ago
Hi,

Use `pre-commit autoupdate` to get the latest hook versions.

It works fine with v1.62.3, just checked:

```yaml
repos:
- repo: https://github.com/antonbabenko/pre-commit-terraform
  rev: v1.62.3
  hooks:
  - id: terraform_tfsec
```
Describe the bug

When running the configured pre-commit hooks, whether manually with `pre-commit run -a` or via the commit hook itself, issues found by TF are not being displayed by pre-commit. However, when running tfsec directly, issues are being flagged.

How can we reproduce it?

Create a terraform config with an issue that tfsec is known to flag on. In our example, we are missing content type and expiration date on the following azure keyvault secret:

When running tfsec directly, it should return output similar to the following:

TFSec Output

```text
Result 3

  [azure-keyvault-content-type-for-secret][LOW] Resource 'azurerm_key_vault_secret.argocd_pass' should have a content type set.
  /home/..../app-argocd.tf:67-71

      64 |   key_vault_id = azurerm_key_vault.cluster_key_vault.id
      65 | }
      66 |
      67 | resource "azurerm_key_vault_secret" "argocd_pass" {
      68 |   name         = "${local.def_resource_prefix}-argocd-oauth"
      69 |   value        = azuread_application_password.argocd.value
      70 |   key_vault_id = azurerm_key_vault.cluster_key_vault.id
      71 | }
      72 |

  Legacy ID:  AZU022
  Impact:     The secret's type is unclear without a content type
  Resolution: Provide content type for secrets to aid interpretation on retrieval

  More Info:
  - https://tfsec.dev/docs/azure/keyvault/content-type-for-secret#azure/keyvault
  - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret#content_type
  - https://docs.microsoft.com/en-us/azure/key-vault/secrets/about-secrets

Result 4

  [azure-keyvault-ensure-secret-expiry][LOW] Resource 'azurerm_key_vault_secret.argocd_pass' should have an expiration date set.
  /home/..../app-argocd.tf:67-71

      64 |   key_vault_id = azurerm_key_vault.cluster_key_vault.id
      65 | }
      66 |
      67 | resource "azurerm_key_vault_secret" "argocd_pass" {
      68 |   name         = "${local.def_resource_prefix}-argocd-oauth"
      69 |   value        = azuread_application_password.argocd.value
      70 |   key_vault_id = azurerm_key_vault.cluster_key_vault.id
      71 | }
      72 |
```

When pre-commit is run manually, it does not flag on the tfsec issue:
Environment information

OS: Ubuntu 20.04

`uname -a` and/or `systeminfo | Select-String "^OS"` output:

`.pre-commit-config.yaml` file content:

```yaml
repos:
- repo: git://github.com/antonbabenko/pre-commit-terraform
  rev: v1.56.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
  hooks:
    - id: terraform_fmt
    - id: terraform_validate
    - id: terraform_tflint
      args:
        - "--args=--config=__GIT_WORKING_DIR__/.tflint.hcl"
    - id: terraform_tfsec
      args:
        - --args=--tfvars-file=__GIT_WORKING_DIR__/terraform.tfvars
    - id: terraform_docs
      args:
        - "--args=--sort-by required"
- repo: https://github.com/pre-commit/pre-commit-hooks
  rev: v3.4.0
  hooks:
    - id: check-merge-conflict
    - id: end-of-file-fixer
    - id: check-yaml
```
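To make concrete what the hook is expected to surface, the following is an added example written for this page; it is not tfsec's code and not part of the reporter's repository or of the pre-commit-terraform project. It approximates the two tfsec checks shown in the output above (`azure-keyvault-content-type-for-secret` and `azure-keyvault-ensure-secret-expiry`) with a regex scan over HCL text. The sample resource is reconstructed from lines 67-71 of the quoted tfsec output; the hardened form, the `content_type` value and the `expiration_date` value are assumed placeholders, and the regex-based parsing is a simplification that does not handle nested blocks or HCL in general.

```python
import re

# Constructed sample: the secret as it appears in lines 67-71 of the tfsec
# output quoted in the issue. Not the reporter's actual file.
VULNERABLE_TF = '''
resource "azurerm_key_vault_secret" "argocd_pass" {
  name         = "${local.def_resource_prefix}-argocd-oauth"
  value        = azuread_application_password.argocd.value
  key_vault_id = azurerm_key_vault.cluster_key_vault.id
}
'''

# Constructed hardened form: both attributes the findings ask for are set.
# The attribute values are assumed placeholders, not tfsec recommendations.
HARDENED_TF = '''
resource "azurerm_key_vault_secret" "argocd_pass" {
  name            = "${local.def_resource_prefix}-argocd-oauth"
  value           = azuread_application_password.argocd.value
  key_vault_id    = azurerm_key_vault.cluster_key_vault.id
  content_type    = "password"
  expiration_date = "2025-01-01T00:00:00Z"
}
'''

# tfsec rule id -> attribute whose absence triggers the rule
RULES = {
    "azure-keyvault-content-type-for-secret": "content_type",
    "azure-keyvault-ensure-secret-expiry": "expiration_date",
}

# Matches a top-level azurerm_key_vault_secret resource block and captures
# its body up to the first closing brace at column 0. This is a deliberate
# simplification: it assumes nested blocks are indented and does not parse HCL.
BLOCK_RE = re.compile(
    r'resource\s+"azurerm_key_vault_secret"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)\n\}',
    re.DOTALL,
)


def iter_secret_blocks(hcl):
    """Yield (resource name, block body) for every key vault secret resource."""
    for match in BLOCK_RE.finditer(hcl):
        yield match.group("name"), match.group("body")


def has_attribute(body, attr):
    """True if the block body assigns `attr` at the start of a line."""
    pattern = rf'^\s*{re.escape(attr)}\s*='
    return re.search(pattern, body, re.MULTILINE) is not None


def find_findings(hcl):
    """Return [(rule_id, resource address), ...] for every missing attribute.

    Findings are emitted in RULES order per resource, mirroring the two
    results tfsec printed for azurerm_key_vault_secret.argocd_pass.
    """
    findings = []
    for name, body in iter_secret_blocks(hcl):
        address = f"azurerm_key_vault_secret.{name}"
        for rule_id, attr in RULES.items():
            if not has_attribute(body, attr):
                findings.append((rule_id, address))
    return findings


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_TF), ("hardened", HARDENED_TF)):
        print(label)
        for rule_id, address in find_findings(text):
            print(f"  [{rule_id}] {address}")
```

A check like this does not replace tfsec; its point is that the findings are a property of the file, so when the pre-commit wrapper prints nothing for a resource that tfsec flags on its own, the wrapper (here, the hook version and its `--args` handling) is where to look, not the Terraform code.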