diff --git a/README.md b/README.md index fb316b9d5d8..9de07d48643 100644 --- a/README.md +++ b/README.md @@ -457,57 +457,6 @@ Defaults: --evaluate-variables:True ``` -### Pre-commit hook - -If you want to automatically run `checkov` tasks when files in your git repo change, [install the pre-commit binary](https://pre-commit.com/#install), and add a [.pre-commit-config.yaml file](./.pre-commit-config.yaml) to your project with content similar to the example below. - -Note that depending on the hook id you select for pre-commit hooks, you may need to provide the following: - -* For the `python` hooks, pre-commit 3.x is able to provide [python](https://pre-commit.com/#python) without additional dependencies. -* For the `container` hooks, the [Docker](https://docs.docker.com/get-docker/) CLI and a container runtime must be available. - -```yaml - - repo: https://github.com/bridgecrewio/checkov.git - rev: '2.4.2' - hooks: - - id: checkov - # - id: checkov_container - # - id: checkov_diff - # - id: checkov_diff_container - # - id: checkov_secrets - # - id: checkov_secrets_container -``` - -To pass arguments to `checkov` use the following examples as a guide: - -```yaml - - id: checkov - args: - - '--quiet' -``` - -When using the `diff` or `secrets` hooks, the last argument _must_ be `-f` due to how `checkov` and `pre-commit` interact: - -```yaml - - id: checkov_secrets_container - args: - - '--quiet' - - '-f' # required and must come last -``` - -After adding the hooks to `.pre-commit-config.yaml` run the following command(s): - -```bash -pre-commit install --install-hooks -``` - -or - -```bash -pre-commit install -pre-commit install-hooks -``` - ## Contributing Contribution is welcomed! diff --git a/docs/4.Integrations/pre-commit.md b/docs/4.Integrations/pre-commit.md index d0e074c4178..633daff1ee2 100644 --- a/docs/4.Integrations/pre-commit.md +++ b/docs/4.Integrations/pre-commit.md 
@@ -7,17 +7,41 @@ nav_order: 6 # Pre-Commit -To use Checkov with [pre-commit](https://pre-commit.com), just add the following to your local repo's `.pre-commit-config.yaml` file: +If you want to automatically run `checkov` tasks when files in your git repo change, [install the pre-commit binary](https://pre-commit.com/#install), and add a [.pre-commit-config.yaml file](./.pre-commit-config.yaml) to your project with content similar to the example below. + +Note that depending on the hook id you select for pre-commit hooks, you may need to provide the following: + +* For the `python` hooks, pre-commit 3.x is able to provide [python](https://pre-commit.com/#python) without additional dependencies. +* For the `container` hooks, the [Docker](https://docs.docker.com/get-docker/) CLI and a container runtime must be available. + ```yaml - repo: https://github.com/bridgecrewio/checkov.git rev: '' # change to tag or sha hooks: - id: checkov + # - id: checkov_container + # - id: checkov_diff + # - id: checkov_diff_container + # - id: checkov_secrets + # - id: checkov_secrets_container ``` Make sure to change `rev:` to be either a git commit sha or tag of checkov containing `.pre-commit-hooks.yaml`. Note that local environment variables will apply when using pre-commit hooks. In urgent situations, pre-commit hooks can be skipped with the `--no-verify` flag. +After adding the hooks to `.pre-commit-config.yaml` run the following command(s): + +```bash +pre-commit install --install-hooks +``` + +or + +```bash +pre-commit install +pre-commit install-hooks +``` + ## Adding Custom Parameters By default, the Checkov pre-commit hook runs when there are changes to `.tf` files. This can be modified by overriding the file parameter: 
@@ -70,6 +94,16 @@ repos: entry: checkov -d . --skip-check CKV_AWS_123 ``` +When using the `diff` or `secrets` hooks, the last argument _must_ be `-f` due to how `checkov` and `pre-commit` interact: + +```yaml + - id: checkov_secrets_container + args: + - '--quiet' + - '-f' # required and must come last +``` + + ## Diff scanning pre-commit hook To let `checkov` only scan the changed files choose the `checkov_diff` hook, which scans against all frameworks: @@ -80,6 +114,7 @@ repos: rev: '' # change to tag or sha hooks: - id: checkov_diff + # - id: checkov_diff_container ``` if you want to customize this hook, you need to override the `entry` field, because the file flag `-f` has to be at the end: @@ -103,4 +138,5 @@ repos: rev: '' # change to tag or sha hooks: - id: checkov_secrets + # - id: checkov_secrets_container ```
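Review bot: with the whole `### Pre-commit hook` section removed from README.md in hunk `@@ -457,57 +457,6 @@`, the README no longer mentions pre-commit at all, and the `args:` example dropped here (`- id: checkov` / `args:` / `- '--quiet'`) is not carried into the docs hunks of this patch, so that guidance is lost. Suggest leaving a one-line pointer in the README such as `See [pre-commit](docs/4.Integrations/pre-commit.md) for running checkov as a git hook.` and adding the `args` example to the docs page alongside the existing `entry` override.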
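Review bot: in hunk `@@ -7,17 +7,41 @@` the link `[.pre-commit-config.yaml file](./.pre-commit-config.yaml)` was copied verbatim from README.md, where `./` is the repository root; from `docs/4.Integrations/pre-commit.md` it resolves to `docs/4.Integrations/.pre-commit-config.yaml`, which this patch does not add, so the link will be dead on the docs site. Suggest a path relative to the docs directory that reaches the root file, or a link to the pre-commit documentation. Ordering nit: the `pre-commit install --install-hooks` commands are added after the `--no-verify` skip note, so a reader meets the escape hatch before the install step; consider placing the install block directly after the `rev:` sentence.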
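Review bot: in hunk `@@ -70,6 +94,16 @@` the new `-f` paragraph sits under `## Adding Custom Parameters` but describes the `diff` and `secrets` hooks, which the page only introduces in the sections that follow; it also shows `args:` with a trailing `'-f'`, while the diff section (hunk `@@ -80,6 +114,7 @@` context) says the `entry` field must be overridden because `-f` has to come last. A reader cannot tell whether `args` with `-f` last and an `entry` override are both supported or only one is. Suggest moving the paragraph into the diff/secrets sections and stating once which mechanism is the supported way to add options ahead of `-f`. Style: two consecutive blank `+` lines precede `## Diff scanning pre-commit hook`; one is enough.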
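Review bot: in hunk `@@ -80,6 +114,7 @@` the commented `# - id: checkov_diff_container` is offered as a drop-in alternative without noting that, per the bullet added at the top of the page, the `container` hooks need the Docker CLI and a container runtime; the user switching the comment will only discover this when the hook fails. A short trailing comment on the line, such as `# requires Docker`, or one sentence after the block would keep the requirement next to the option.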