
Checkov running on Swagger docs even though excluded


I have a pre-commit configuration that I use inside a Go repository. This repository includes Go files and Swagger docs generated by Protobuf so I want to exclude those from the checks to avoid issues with the tools yelling at each other. So, I came up with this:

repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v5.0.0 # Use the ref you want to point at
    hooks:
      # Git style
      - id: check-added-large-files
        args: ["--maxkb=512"]
      - id: check-merge-conflict
      - id: check-vcs-permalinks
      - id: forbid-new-submodules

      # Common errors
      - id: trailing-whitespace
      - id: end-of-file-fixer
      - id: check-yaml
      - id: check-json
        exclude: ^.devcontainer/|^.vscode/
      - id: check-executables-have-shebangs
      - id: check-docstring-first

      # Cross platform
      - id: check-case-conflict

  - repo: https://github.com/python-jsonschema/check-jsonschema
    rev: 0.31.3
    hooks:
      - id: check-github-workflows

  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: v1.97.4
    hooks:
      - id: terraform_fmt
        files: terraform/.*|terraform/modules/.*/.*
      - id: terraform_tflint
        files: terraform/.*|terraform/modules/.*/.*
        args:
          - "--args=--config=__GIT_WORKING_DIR__/.tflint.hcl"
      - id: terraform_checkov
        files: terraform/.*|terraform/modules/.*/.*
        args:
          - --args=--quiet
          - --args=--skip-check CKV_GIT_1

  - repo: https://github.com/tekwizely/pre-commit-golang
    rev: v1.0.0-rc.1
    hooks:
      - id: go-build-mod
      - id: go-mod-tidy
      - id: go-test-mod
      - id: go-vet-mod
      - id: go-revive
        args: ["-config", "revive.toml"]
      - id: go-sec-mod
        args: ["-exclude-generated"]
      - id: go-staticcheck-mod
      - id: go-fmt
      - id: go-imports

exclude: (src/vendor/.*)|(docs/.*)|((\.pb\.go|\.connect\.go)(\.orig)?)$

All the checks pass except for Checkov, which complains loudly about the Swagger docs contained in /docs/, even though I've added those to the exclude list. I've checked the regex on several online tools and also by calling the pre-commit's internal pre_commit.commands.run.filter_by_include_exclude method and these files should not be included for any checks. Also, from the hook itself, I can see that it should only be looking at the terraform/ directory.

So why is it running on these files and how can I make it stop?


Solution

  • The docs for terraform_checkov were not explicit about the arguments I could pass in, but the checkov docs gave some helpful hints. All I needed to do was to modify the hook like this:

      - repo: https://github.com/antonbabenko/pre-commit-terraform
        rev: v1.97.4
        hooks:
          - id: terraform_fmt
            files: terraform/.*|terraform/modules/.*/.*
          - id: terraform_tflint
            files: terraform/.*|terraform/modules/.*/.*
            args:
              - "--args=--config=__GIT_WORKING_DIR__/.tflint.hcl"
          - id: terraform_checkov
            files: terraform/.*|terraform/modules/.*/.*
            args:
              - --args=--skip-path /docs
              - --args=--quiet
              - --args=--skip-check CKV_GIT_1
    

    and the directory was ignored. I'm still not sure why they were included despite my explicit exclude at the global config level, but I suspect it has to do with Checkov examining relationships between files.
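The filtering the question relies on can be reproduced without installing pre-commit. The block below is an added example, not code from the original post or from the pre-commit or pre-commit-terraform projects: it re-implements pre-commit's include/exclude step (a `re.search` against the top-level `files`/`exclude`, then against the hook's own `files`/`exclude`) and runs the question's actual regexes over a constructed list of paths. The path list is made up for the example; `is_excluded_globally` and `files_for_hook` are names chosen here, not pre-commit APIs. The point it makes explicit is that this filter only decides which filenames pre-commit puts on the hook's command line; a tool that walks a directory on its own can still open paths the filter removed, which is why a tool-level option such as checkov's `--skip-path` was the lever that worked.

```python
import re

# Constructed sample of staged paths; none of these come from the original repository.
SAMPLE_PATHS = [
    "cmd/server/main.go",
    "internal/api/v1/api.pb.go",
    "internal/api/v1/api.pb.go.orig",
    "internal/api/v1/apiconnect/api.connect.go",
    "src/vendor/github.com/x/y/y.go",
    "docs/swagger/api.swagger.json",
    "terraform/main.tf",
    "terraform/modules/vpc/main.tf",
    ".devcontainer/devcontainer.json",
]

# The two patterns copied from the question's .pre-commit-config.yaml.
GLOBAL_EXCLUDE = r"(src/vendor/.*)|(docs/.*)|((\.pb\.go|\.connect\.go)(\.orig)?)$"
TERRAFORM_FILES = r"terraform/.*|terraform/modules/.*/.*"


def filter_by_include_exclude(names, include, exclude):
    """Same rule pre-commit applies: keep a path only if the include pattern
    matches somewhere in it (re.search, not a full match) and the exclude
    pattern does not. Defaults mirror pre-commit: files='' matches every
    path, exclude='^$' matches none."""
    include_re, exclude_re = re.compile(include), re.compile(exclude)
    return [n for n in names if include_re.search(n) and not exclude_re.search(n)]


def files_for_hook(names, global_files="", global_exclude="^$",
                   hook_files="", hook_exclude="^$"):
    """Top-level filter first, then the hook's own files/exclude; the result is
    the list of filenames pre-commit would pass to the hook. A hook that scans a
    directory itself (for example checkov with -d) is not bound by this list."""
    after_global = filter_by_include_exclude(names, global_files, global_exclude)
    return filter_by_include_exclude(after_global, hook_files, hook_exclude)


def is_excluded_globally(path, exclude=GLOBAL_EXCLUDE):
    """True when the top-level exclude alone would drop this path."""
    return re.search(exclude, path) is not None


if __name__ == "__main__":
    # What the Go hooks (no hook-level files key) receive under the question's config.
    print("go hooks:", files_for_hook(SAMPLE_PATHS, global_exclude=GLOBAL_EXCLUDE))
    # What terraform_checkov receives: only the terraform/ paths, no docs/ at all.
    print("terraform_checkov:", files_for_hook(
        SAMPLE_PATHS, global_exclude=GLOBAL_EXCLUDE, hook_files=TERRAFORM_FILES))
    for p in SAMPLE_PATHS:
        print(f"{p}: {'excluded' if is_excluded_globally(p) else 'kept'}")
```

Running it confirms the question's observation: the swagger path never reaches the argument list of any hook, so whatever checkov scanned under docs/ came from its own directory walk rather than from pre-commit.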