Closed jhannah closed 1 month ago
It looks like trivy consumes command line args with the latter arg taking precedence over the former one. As in `trivy … --exit-code=1 --exit-code=0` will end up with `exit-code` being set to `0`. This means you can try and set `exit-code` via `--args` like below:

```yaml
- id: terraform_trivy
  args:
    - --args=--exit-code=0
```
Ref: https://github.com/antonbabenko/pre-commit-terraform/?tab=readme-ov-file#terraform_trivy
Please try and see whether this "quirk" works.
@yermulnik !! lol wow, that is some wacky syntax. It works!! Thank you!! (Feel free to close this if you want.)
Not sure that we indeed need such a feature, as pre-commit-terraform is intended to identify errors and similar noncompliance, and one can simply disable the hook whenever they don't want it to throw errors and prevent commits from being pushed to remote.
Glad the quirk helped with your use case though.
And set `verbose: true` if you still want to see info about errors.
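Putting the `--args` quirk and `verbose: true` together in a full `.pre-commit-config.yaml` entry, as an added example that is not from the thread; the `rev` value is a placeholder, not a real tag:

```yaml
# Added example, not from the thread above. rev is a placeholder; pin a real tag.
repos:
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: <pinned-tag>
    hooks:
      - id: terraform_trivy
        # The hook hard-codes --exit-code=1. trivy honours the last --exit-code
        # it receives, so the extra arg below turns findings into a pass while
        # a backlog is being cleaned up. Delete the args block to restore the
        # default blocking behaviour.
        args:
          - --args=--exit-code=0
        # Without verbose, pre-commit hides the output of a passing hook, so the
        # findings would disappear from view entirely. Keep them visible.
        verbose: true
```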
By default, trivy returns exit code `0`, even if serious issues are found. But pre-commit-terraform is hard-coding `--exit-code=1`: https://github.com/antonbabenko/pre-commit-terraform/blob/master/hooks/terraform_trivy.sh#L51
We have a large backlog of errors we're cleaning up, but it's going to take a while. So it would be nice if pre-commit-terraform didn't override the default trivy behavior.
Or if pre-commit-terraform insists on overriding that setting by default, could it also add some way I can override its override?