While I find checkov to be a great tool, the default output is way too verbose:
In my above example, it dumps all 78 passed checks as well in the terminal output, which makes it hard to find the actual errors that need to be fixed. In fact, the output is so verbose that it starts cutting off a lot of previous output which I actually still need to see.
I've embedded this check as one of many terraform checkers in my pre-commit setup like so:
- repo: https://github.com/antonbabenko/pre-commit-terraform
  rev: v1.76.0
  hooks:
    - id: terraform_checkov
    - ...
Filtering the output of checkov --help for keywords like "verbose" or "CLI", I found these two flags:
❯ checkov --help | grep CLI
--quiet in case of CLI output, display only failed checks.
--compact in case of CLI output, do not display code blocks
In the hope that this would resolve my problem, I added both of them to the args section of the pre-commit hook:
- id: terraform_checkov
  args: ["--quiet", "--compact"]
Yet, running the pre-commit hook fails:
❯ git add -A && pre-commit run terraform_checkov
Checkov..................................................................Failed step
- hook id: terraform_checkov
- exit code: 1
getopt: unrecognized option '--quiet'
getopt: unrecognized option '--compact'
Therefore, I'm still looking for a way to achieve exactly what the flag --quiet is supposed to do:
I only want to see in the terminal output what went wrong, not what went right.
Finally, I found an example on the general terraform-related pre-commit page with which I could edit my ".pre-commit-config.yaml" file accordingly:
...
- id: terraform_checkov
  args:
    - --args=--quiet
    - --args=--compact
...
With this special way of passing arguments, it is working now.
Still, it could be even less verbose, as 2 failed checks at the same terraform code location translate into the following output:
Checkov........................................................................Failed
- hook id: terraform_checkov
- exit code: 1
terraform scan results:
Passed checks: 78, Failed checks: 2, Skipped checks: 0
Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: module.codepipeline_kms.aws_iam_policy_document.kms_key_policy_doc
Severity: LOW
File: /modules\kms\main.tf:31-101
Calling File: /main.tf:83-93
Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: module.codepipeline_kms.aws_iam_policy_document.kms_key_policy_doc
Severity: LOW
File: /modules\kms\main.tf:31-101
Calling File: /main.tf:83-93
Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint
More details: https://www.bridgecrew.cloud/projects?repository=oauto_cli_repo/infrastructure&branch=bc-94b0d20_master&runId=latest
More details: https://www.bridgecrew.cloud/projects?repository=oauto_cli_repo/codebuild&branch=bc-414954b_master&runId=latest
terraform scan results:
Passed checks: 2, Failed checks: 0, Skipped checks: 0
More details: https://www.bridgecrew.cloud/projects?repository=oauto_cli_repo/codecommit&branch=bc-b61d2e2_master&runId=latest
terraform scan results:
Passed checks: 1, Failed checks: 0, Skipped checks: 0
More details: https://www.bridgecrew.cloud/projects?repository=oauto_cli_repo/codepipeline&branch=bc-85a3952_master&runId=latest
terraform scan results:
Passed checks: 7, Failed checks: 0, Skipped checks: 0
More details: https://www.bridgecrew.cloud/projects?repository=oauto_cli_repo/iam-role&branch=bc-73bb537_master&runId=latest
terraform scan results:
Passed checks: 9, Failed checks: 2, Skipped checks: 0
Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: aws_iam_policy_document.kms_key_policy_doc
Severity: LOW
File: /main.tf:31-101
Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy_document.kms_key_policy_doc
Severity: LOW
File: /main.tf:31-101
Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint
More details: https://www.bridgecrew.cloud/projects?repository=oauto_cli_repo/kms&branch=bc-17050bc_master&runId=latest
terraform scan results:
Passed checks: 56, Failed checks: 0, Skipped checks: 0
More details: https://www.bridgecrew.cloud/projects?repository=oauto_cli_repo/s3&branch=bc-125b61a_master&runId=latest
EDIT on alternative:
As pointed out in the first comment below my OP by @James Woolfenden, Anton's hooks aren't the officially supported ones from Checkov: github.com/bridgecrewio/checkov
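If the two flags are still not terse enough, another way to get "only what went wrong" is to post-process checkov's machine-readable output instead of its CLI report. The script below is an added example, not code from the question, from the pre-commit-terraform project or from checkov: it reads the output of checkov -o json from stdin, drops every passed and skipped check, and groups the remaining failures by file and line range, so the two findings on /modules/kms/main.tf:31-101 from the question become one header line with two entries instead of two full blocks. The sample input is constructed from the failures quoted above, and the JSON field names it relies on (check_id, check_name, resource, file_path, file_line_range, severity, guideline) are an assumption about checkov's JSON schema that should be verified against your own checkov version.

```python
"""Summarise `checkov -o json` output so that only failed checks are shown.

Added example, not part of the question, of pre-commit-terraform or of checkov.
"""
import json
import sys
from collections import defaultdict

# Constructed sample, modelled on the two failures quoted in the question.
# The field names used here are my understanding of checkov's `-o json`
# schema and are an assumption: compare them with real output before use.
SAMPLE_JSON = json.dumps([
    {
        "check_type": "terraform",
        "results": {
            "passed_checks": [
                {"check_id": "CKV_AWS_1", "resource": "aws_s3_bucket.logs",
                 "file_path": "/modules/s3/main.tf", "file_line_range": [1, 9]},
            ],
            "failed_checks": [
                {"check_id": "CKV_AWS_109",
                 "check_name": "Ensure IAM policies does not allow permissions management / resource exposure without constraints",
                 "resource": "module.codepipeline_kms.aws_iam_policy_document.kms_key_policy_doc",
                 "file_path": "/modules/kms/main.tf", "file_line_range": [31, 101],
                 "severity": "LOW",
                 "guideline": "https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint"},
                {"check_id": "CKV_AWS_111",
                 "check_name": "Ensure IAM policies does not allow write access without constraints",
                 "resource": "module.codepipeline_kms.aws_iam_policy_document.kms_key_policy_doc",
                 "file_path": "/modules/kms/main.tf", "file_line_range": [31, 101],
                 "severity": "LOW",
                 "guideline": "https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint"},
            ],
            "skipped_checks": [],
        },
        "summary": {"passed": 78, "failed": 2, "skipped": 0},
    },
    {   # a second scanned directory with nothing wrong: must produce no lines
        "check_type": "terraform",
        "results": {"passed_checks": [], "failed_checks": [], "skipped_checks": []},
        "summary": {"passed": 7, "failed": 0, "skipped": 0},
    },
])


def load_reports(text):
    """checkov emits one object for a single scan and a list when several
    frameworks or directories were scanned; normalise both to a list."""
    data = json.loads(text)
    return data if isinstance(data, list) else [data]


def failed_by_location(reports):
    """Group failed checks by (file, first line, last line) so that several
    findings on the same block are reported under one header."""
    groups = defaultdict(list)
    for report in reports:
        for check in report.get("results", {}).get("failed_checks", []):
            start, end = (check.get("file_line_range") or [0, 0])[:2]
            groups[(check.get("file_path", "?"), start, end)].append(check)
    return dict(groups)


def total_failed(reports):
    """Number of failed checks across all reports (drives the exit code)."""
    return sum(len(r.get("results", {}).get("failed_checks", [])) for r in reports)


def format_summary(reports):
    """One header line per location, one indented line per failed check and
    its guideline URL; passed and skipped checks are never printed."""
    lines = []
    for (path, start, end), checks in sorted(failed_by_location(reports).items()):
        lines.append(f"{path}:{start}-{end}  ({checks[0].get('resource', '?')})")
        for c in checks:
            lines.append(f"    {c.get('check_id')} [{c.get('severity', '-')}] {c.get('check_name', '')}")
            if c.get("guideline"):
                lines.append(f"        {c['guideline']}")
    lines.append(f"failed checks: {total_failed(reports)}")
    return "\n".join(lines)


def main():
    """Read JSON from stdin; exit 1 when anything failed so that a wrapping
    pre-commit hook still blocks the commit."""
    reports = load_reports(sys.stdin.read())
    print(format_summary(reports))
    return 1 if total_failed(reports) else 0


if __name__ == "__main__":
    sys.exit(main())
```

Typical use is a pipe such as checkov -d . -o json | python checkov_summary.py (the file name is my choice). The script keeps checkov's pass/fail semantics by exiting non-zero whenever at least one check failed, which is what pre-commit needs to stop the commit; only the reporting is reduced to the failing locations.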