pre-commit-hooks VS tfsec

# See https://pre-commit.com for more information # See https://pre-commit.com/hooks.html for more hooks repos: - repo: https://github.com/pre-commit/pre-commit-hooks rev: v3.2.0 hooks: - id: trailing-whitespace - id: end-of-file-fixer - id: check-yaml - id: check-toml - id: check-added-large-files - repo: local hooks: - id: tox lint name: tox-validation entry: pdm run tox -e test,lint language: system files: ^src\/.+py$|pyproject.toml|^tests\/.+py$ types_or: [python, toml] pass_filenames: false - id: tox docs name: tox-docs language: system entry: pdm run tox -e docs types_or: [python, rst, toml] files: ^src\/.+py$|pyproject.toml|^docs\/ pass_filenames: false - repo: https://github.com/pdm-project/pdm rev: 2.10.4 # a PDM release exposing the hook hooks: - id: pdm-lock-check - repo: https://github.com/jumanjihouse/pre-commit-hooks rev: 3.0.0 hooks: - id: markdownlint

repos: - repo: https://github.com/ambv/black rev: 23.3.0 hooks: - id: black args: [--config=./pyproject.toml] language_version: python3.11 - repo: https://github.com/pycqa/flake8 rev: 6.0.0 hooks: - id: flake8 args: [--config=./tox.ini] language_version: python3.11 - repo: https://github.com/pycqa/isort rev: 5.12.0 hooks: - id: isort args: ["--profile", "black", "--filter-files"] language_version: python3.11 - repo: https://github.com/pre-commit/pre-commit-hooks rev: v4.4.0 hooks: - id: requirements-txt-fixer language_version: python3.11 - id: debug-statements - id: detect-aws-credentials - id: detect-private-key

repos: - repo: https://github.com/pre-commit/pre-commit-hooks rev: hooks: - id: check-json

$ pre-commit run --all-files [INFO] Initializing environment for https://github.com/pre-commit/pre-commit-hooks. [INFO] Initializing environment for https://github.com/psf/black. [INFO] Installing environment for https://github.com/pre-commit/pre-commit-hooks. [INFO] Once installed this environment will be reused. [INFO] This may take a few minutes... [INFO] Installing environment for https://github.com/psf/black. [INFO] Once installed this environment will be reused. [INFO] This may take a few minutes... Check Yaml...............................................................Passed Fix End of Files.........................................................Passed Trim Trailing Whitespace.................................................Failed - hook id: trailing-whitespace - exit code: 1 Files were modified by this hook. Additional output: Fixing sample.py black....................................................................Passed

The excellent pre-commit framework (https://pre-commit.com/) has a hook for that in its official hook collection: https://github.com/pre-commit/pre-commit-hooks#detect-aws-cr...

exclude: .*migrations\/.* repos: - repo: https://github.com/pre-commit/pre-commit-hooks ... - repo: https://github.com/psf/black rev: 22.12.0 hooks: - id: black language_version: python3.9

This is what we use — https://github.com/pre-commit/pre-commit-hooks/blob/main/pre_commit_hooks/detect_private_key.py

Personally I do also add "end-of-file-fixer" and "trailing-whitespace" from the "https://github.com/pre-commit/pre-commit-hooks" repo. That cleans up and normalizes some files as well.

repos: - repo: https://github.com/pre-commit/pre-commit-hooks rev: v3.3.0 hooks: - id: check-yaml args: ["--allow-multiple-documents"] - repo: local hooks: - id: forbidden-files name: forbidden files entry: found copier update rejection files; review them and remove them language: fail files: "\\.rej$" - id: black name: black entry: poetry run black language: system types: [python] - id: flake8 name: flake8 entry: poetry run flake8 language: system types: [python] - id: isort name: isort entry: poetry run isort --settings-path=. language: system types: [python] - id: pyupgrade name: pyupgrade entry: poetry run pyupgrade language: system types: [python] args: [--py310-plus] - id: mypy name: mypy description: Check python types. entry: poetry run mypy language: system types: [python]

repos: - repo: https://github.com/pre-commit/pre-commit-hooks rev: v4.1.0 hooks: - id: no-commit-to-branch

Using pre-commit framework with terraform repository, will help your code to be kept clean, formated, updated document and checked for tf security issues (optional with tfsec) before committing and pushing the code to git source.

Here again more than one tool exists to assist. We will highlight two of the most popular ones here: tfsec and checkov. Both provide a predefined set of checks that they use to inspect your code, allowing to explicitly open exceptions (if you really want to) by annotating your code with comments, and adjust the configuration to ignore some modules, for example.

An additional benefit of using a CI workflow is adding automated tests. In this scenario, I’ve added a step leveraging tfsec to scan for static code vulnerabilities. In the example below, tfsec warns against creating an Azure network security rule which is fully open. This will halt and fail the workflow unless I provide an ignore comment to accept the warning.

· Provision an EKS Cluster (AWS) · Terraform v15.0 · Terraform Registry · Pre-Commit · Terraform Pre-commit · Terraform-docs · Tflint · Tfsec

Using terraform, create a skeleton directory that they can review for how EC2 instances should be created. Use tools like https://github.com/tfsec/tfsec or other scanners/linters to validate that your developers followed this process and didn't uncheck something.

I know tfsec (https://github.com/tfsec/tfsec) which is pretty good for AWS resources but I think vSphere resources are not implemented.

tfsec/tfsec (Go): 🔒🌍 Static analysis powered security scanner for your terraform code