Tags: git, github, pre-commit, pre-commit.com, codespaces

github_conf/branch_protection_rules.json keeps on showing up


I am using GitHub Codespaces and am trying to run `pre-commit run --all-files` in its terminal. I have pasted the pre-commit configuration below for reference.

repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v2.4.0
    hooks:
      - id: check-added-large-files
      - id: check-yaml
      # - id: end-of-file-fixer
      - id: mixed-line-ending
        args: [--fix=lf]
      - id: requirements-txt-fixer
      - id: trailing-whitespace
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: v1.74.1
    hooks:
      - id: terraform_fmt
      - id: terraform_checkov
        args:
          - --args=--quiet
          - --args=--skip-check CKV_GCP_83 # We rely on Google-managed encryption keys
          - --args=--skip-check CKV_GCP_45 # Extensive privileges are actually required
          - --args=--skip-check CKV_GCP_90 # We rely on Google-managed encryption keys
      - id: terraform_tflint
      - id: terraform_docs
        args:
          - --hook-config=--path-to-file=README.md
          - --hook-config=--add-to-existing-file=true
          - --hook-config=--create-file-if-not-exist=true
      - id: terraform_tfsec
      - id: tfupdate

When I run it initially, there is no github_conf folder in the repository. However, after running the pre-commit command, a folder github_conf is created, and it contains a file branch_protection_rules.json. It looks like this:

{
    "message": "Not Found",
    "documentation_url": "https://docs.github.com/rest"
}

We do have a branch-protection rule enabled, but it is on a completely different branch, and I am not even trying to commit or push; just running pre-commit is causing the issue. Basically, I don't want to keep the file (branch_protection_rules.json) in my repo, as it also interferes with at least one pre-commit hook that is otherwise required.

At this point, I don't get what is going on, as the "message" is not that descriptive. Can anyone help?

Additional information: After further investigation, this is definitely related to the hook terraform_checkov... Do let me know if you have experienced issues with this hook.


Solution

  • Had the same issue. It turns out that the terraform_checkov hook does not set the --framework=terraform parameter when running checkov (as one might expect). That means it will run all possible checks, including the GitHub ones.

    There are two solutions:

    1. Set the argument yourself to run only the terraform checks:
        - id: terraform_checkov
          args:
            - --args=--framework=terraform

    2. Set the environment variable CKV_GITHUB_CONFIG_FETCH_DATA=False to ignore the GitHub checks (as in here).
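As an added example (not code from the original post or from the pre-commit-terraform project), a small POSIX shell audit that inspects a .pre-commit-config.yaml for the terraform_checkov hook and reports whether either of the two mitigations above is in place: the --framework=terraform argument, or CKV_GITHUB_CONFIG_FETCH_DATA=False in the environment. The two config snippets are constructed samples; the function names are my own.

```shell
#!/bin/sh
# Audit helper: is checkov pinned to the terraform framework in this config?
# Without that pin (or the env var), checkov also runs its GitHub checks and
# drops github_conf/branch_protection_rules.json into the repository.

# Constructed sample: the hook as pasted in the question, without the fix.
UNFIXED_CONFIG='repos:
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: v1.74.1
    hooks:
      - id: terraform_checkov
        args:
          - --args=--quiet
      - id: terraform_tflint'

# Constructed sample: the same hook with the --framework argument added.
FIXED_CONFIG='repos:
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: v1.74.1
    hooks:
      - id: terraform_checkov
        args:
          - --args=--quiet
          - --args=--framework=terraform
      - id: terraform_tflint'

# Reads a pre-commit config on stdin and prints "ok" when the args block of
# the terraform_checkov hook contains --framework=terraform, else "missing".
# Only the lines between "- id: terraform_checkov" and the next "- id:" count.
checkov_framework_status() {
    awk '
        /- id: terraform_checkov/ { in_hook = 1; next }
        in_hook && /- id:/        { in_hook = 0 }
        in_hook && /--framework=terraform/ { found = 1 }
        END { print (found ? "ok" : "missing") }
    '
}

# $1: path to a pre-commit config file. Returns 0 (true) when checkov's
# GitHub checks are disabled by either mitigation from the answer above.
github_fetch_disabled() {
    [ "${CKV_GITHUB_CONFIG_FETCH_DATA:-}" = "False" ] && return 0
    [ "$(checkov_framework_status < "$1")" = "ok" ]
}

# Usage against the two constructed samples: prints "missing" then "ok".
printf '%s\n' "$UNFIXED_CONFIG" | checkov_framework_status
printf '%s\n' "$FIXED_CONFIG" | checkov_framework_status
```

Run it against a real repository with `github_fetch_disabled .pre-commit-config.yaml` from the repository root; a non-zero exit means the hook will still try to fetch GitHub data.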