I have a pre-commit configuration that I use inside a Go repository. This repository includes Go files and Swagger docs generated by Protobuf so I want to exclude those from the checks to avoid issues with the tools yelling at each other. So, I came up with this:
```yaml
repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v5.0.0 # Use the ref you want to point at
    hooks:
      # Git style
      - id: check-added-large-files
        args: ["--maxkb=512"]
      - id: check-merge-conflict
      - id: check-vcs-permalinks
      - id: forbid-new-submodules
      # Common errors
      - id: trailing-whitespace
      - id: end-of-file-fixer
      - id: check-yaml
      - id: check-json
        exclude: ^.devcontainer/|^.vscode/
      - id: check-executables-have-shebangs
      - id: check-docstring-first
      # Cross platform
      - id: check-case-conflict
  - repo: https://github.com/python-jsonschema/check-jsonschema
    rev: 0.31.3
    hooks:
      - id: check-github-workflows
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: v1.97.4
    hooks:
      - id: terraform_fmt
        files: terraform/.*|terraform/modules/.*/.*
      - id: terraform_tflint
        files: terraform/.*|terraform/modules/.*/.*
        args:
          - "--args=--config=__GIT_WORKING_DIR__/.tflint.hcl"
      - id: terraform_checkov
        files: terraform/.*|terraform/modules/.*/.*
        args:
          - --args=--quiet
          - --args=--skip-check CKV_GIT_1
  - repo: https://github.com/tekwizely/pre-commit-golang
    rev: v1.0.0-rc.1
    hooks:
      - id: go-build-mod
      - id: go-mod-tidy
      - id: go-test-mod
      - id: go-vet-mod
      - id: go-revive
        args: ["-config", "revive.toml"]
      - id: go-sec-mod
        args: ["-exclude-generated"]
      - id: go-staticcheck-mod
      - id: go-fmt
      - id: go-imports
exclude: (src/vendor/.*)|(docs/.*)|((\.pb\.go|\.connect\.go)(\.orig)?)$
```
All the checks pass except for Checkov, which complains loudly about the Swagger docs contained in `/docs/`, even though I've added those to the exclude list. I've checked the regex on several online tools and also by calling pre-commit's internal `pre_commit.commands.run.filter_by_include_exclude` method, and these files should not be included for any checks. Also, from the hook itself, I can see that it should only be looking at the `terraform/` directory.

So why is it running on these files, and how can I make it stop?
The docs for `terraform_checkov` were not explicit about the arguments I could pass in, but the Checkov docs gave some helpful hints. All I needed to do was to modify the hook like this:
```yaml
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: v1.97.4
    hooks:
      - id: terraform_fmt
        files: terraform/.*|terraform/modules/.*/.*
      - id: terraform_tflint
        files: terraform/.*|terraform/modules/.*/.*
        args:
          - "--args=--config=__GIT_WORKING_DIR__/.tflint.hcl"
      - id: terraform_checkov
        files: terraform/.*|terraform/modules/.*/.*
        args:
          - --args=--skip-path /docs
          - --args=--quiet
          - --args=--skip-check CKV_GIT_1
```
and the directory was ignored. I'm still not sure why they were included despite my explicit `exclude` at the global config level, but I suspect it has to do with Checkov examining relationships between files.
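As an added illustration (not code from either post), the snippet below reimplements the filename filtering that pre-commit applies before it hands files to a hook, using the `files` and global `exclude` patterns from the config above on a constructed list of paths. It assumes pre-commit's semantics are unanchored `re.search` with the global filter applied before the hook's own filter and the defaults `files: ''` / `exclude: '^$'` (types-based filtering is omitted). It shows that `docs/` never reaches the Checkov hook through pre-commit, so anything the hook scans on its own beyond the files it was given, which is what `--skip-path` addresses, is outside this filter; it also shows that the unanchored `(docs/.*)` alternative excludes any `docs/` directory at any depth, not just the top-level one.

```python
import re

# Patterns copied from the pre-commit config discussed above.
GLOBAL_EXCLUDE = r"(src/vendor/.*)|(docs/.*)|((\.pb\.go|\.connect\.go)(\.orig)?)$"
CHECKOV_FILES = r"terraform/.*|terraform/modules/.*/.*"

# Constructed sample of paths as git would list them, relative to the repo root.
SAMPLE_PATHS = [
    "terraform/main.tf",
    "terraform/modules/vpc/main.tf",
    "docs/swagger/api.swagger.json",
    "api/v1/service.pb.go",
    "api/v1/service.pb.go.orig",
    "src/vendor/github.com/x/y.go",
    "terraform/docs/README.md",   # note: also dropped by the unanchored docs/ pattern
    "cmd/server/main.go",
]


def filter_by_include_exclude(names, include, exclude):
    """Reimplementation (assumed semantics, not pre-commit's own code): keep a path
    only if `include` matches somewhere in it and `exclude` matches nowhere in it.
    Both use re.search, so patterns are unanchored unless they contain ^ or $."""
    include_re, exclude_re = re.compile(include), re.compile(exclude)
    return [n for n in names if include_re.search(n) and not exclude_re.search(n)]


def files_reaching_hook(paths, hook_files="", hook_exclude=r"^$", global_exclude=r"^$"):
    """Global files/exclude first, then the hook's own files/exclude, mirroring the
    order pre-commit narrows the list before invoking a hook (assumed order)."""
    after_global = filter_by_include_exclude(paths, "", global_exclude)
    return filter_by_include_exclude(after_global, hook_files, hook_exclude)


def excluded_by_global(paths, global_exclude=GLOBAL_EXCLUDE):
    """Paths the global exclude removes; useful to spot over-broad patterns."""
    kept = set(filter_by_include_exclude(paths, "", global_exclude))
    return [p for p in paths if p not in kept]


if __name__ == "__main__":
    print("checkov hook receives:", files_reaching_hook(SAMPLE_PATHS, CHECKOV_FILES,
                                                        global_exclude=GLOBAL_EXCLUDE))
    print("dropped by global exclude:", excluded_by_global(SAMPLE_PATHS))
```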