From 430f447598ec859f0dd571415bccc830716af4b2 Mon Sep 17 00:00:00 2001 From: MaxymVlasov Date: Tue, 11 Jan 2022 17:48:56 +0200 Subject: [PATCH 1/5] Add hadolint check for Dockerfiles Co-authored-by: Balazs Hamorszky --- .github/workflows/pre-commit.yaml | 17 +++++++++++++++-- .pre-commit-config.yaml | 17 ++++++++++++++++- 2 files changed, 31 insertions(+), 3 deletions(-) diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml index 6f2ec84ff..6250935b0 100644 --- a/.github/workflows/pre-commit.yaml +++ b/.github/workflows/pre-commit.yaml 
@@ -25,19 +25,32 @@ jobs: - name: Install shellcheck run: | sudo apt update && sudo apt install shellcheck + + - name: Install hadolint + run: | + curl -L "$(curl -s https://api.github.com/repos/hadolint/hadolint/releases/latest | grep -o -E -m 1 "https://.+?/hadolint-Linux-x86_64")" > hadolint \ + && chmod +x hadolint && sudo mv hadolint /usr/bin/ # Need to success pre-commit fix push - uses: actions/checkout@v2 with: fetch-depth: 0 ref: ${{ github.event.pull_request.head.sha }} - + # Skip terraform_tflint which interferes to commit pre-commit auto-fixes - uses: actions/setup-python@v2 with: python-version: '3.9' - name: Execute pre-commit uses: pre-commit/action@v2.0.0 env: - SKIP: no-commit-to-branch + SKIP: no-commit-to-branch,hadolint with: token: ${{ secrets.GITHUB_TOKEN }} extra_args: --color=always --show-diff-on-failure --files ${{ steps.file_changes.outputs.files }} + # Run only skipped checks + - name: Execute pre-commit check that have no auto-fixes + if: always() + uses: pre-commit/action@v2.0.0 + env: + SKIP: check-added-large-files,check-merge-conflict,check-vcs-permalinks,forbid-new-submodules,no-commit-to-branch,end-of-file-fixer,trailing-whitespace,check-yaml,check-merge-conflict,check-executables-have-shebangs,check-case-conflict,mixed-line-ending,detect-aws-credentials,detect-private-key,shfmt,shellcheck + with: + extra_args: --color=always --show-diff-on-failure --files ${{ steps.file_changes.outputs.files }} diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index f876ccd35..5ba5639d7 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,6 @@ repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.0.1 + rev: v4.1.0 hooks: # Git style - id: check-added-large-files 
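Review bot: The new `Install hadolint` step executes whatever binary GitHub currently labels as the latest release, with no version pin and no checksum, so a compromised or merely newer release silently changes what runs in a job that also holds `secrets.GITHUB_TOKEN`; neither `curl` call passes `-f`, so an API rate-limit or HTTP error body would be written to `hadolint` and `chmod +x`'d. The `.pre-commit-config.yaml` hunk in this same PR pins the hook to `v2.8.0`, but that rev governs only the hook definition — if the hook is `language: system` (which the separate install strongly suggests), the binary version is decided here and should be pinned to match. Pin the version once, fetch from the release URL with `curl -fsSL`, and verify the release's published SHA-256 before moving the file onto PATH. The duplicated `check-merge-conflict` entry in the second step's `SKIP` list is harmless but worth dropping, and that step's maintain-by-hand list means any hook added later runs twice unless someone remembers to extend it.
```yaml
      - name: Install hadolint
        env:
          # Keep in sync with the hadolint rev in .pre-commit-config.yaml
          HADOLINT_VERSION: v2.8.0
          HADOLINT_SHA256: <sha256 of hadolint-Linux-x86_64 from the release page>
        run: |
          curl -fsSL -o hadolint \
            "https://github.com/hadolint/hadolint/releases/download/${HADOLINT_VERSION}/hadolint-Linux-x86_64"
          echo "${HADOLINT_SHA256}  hadolint" | sha256sum -c -
          chmod +x hadolint && sudo mv hadolint /usr/bin/
```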
@@ -34,3 +34,18 @@ repos: - id: shfmt args: ['-l', '-i', '2', '-ci', '-sr', '-w'] - id: shellcheck + +# Dockerfile linter +- repo: https://github.com/hadolint/hadolint + rev: v2.8.0 + hooks: + - id: hadolint + args: [ + '--ignore', 'DL3027', # Do not use apt + '--ignore', 'DL3007', # Using latest + '--ignore', 'DL4006', # Not related to alpine + '--ignore', 'SC1091', # Useless check + '--ignore', 'SC2015', # Useless check + '--ignore', 'SC3037', # Not related to alpine + '--ignore', 'DL3013', # Pin versions in pip + ] From 128ae6ec3f0b8b4a40827f72a3dacf8bcbe7834a Mon Sep 17 00:00:00 2001 From: MaxymVlasov Date: Tue, 11 Jan 2022 17:50:19 +0200 Subject: [PATCH 2/5] Fix Dockerfile issues Co-authored-by: Balazs Hamorszky --- Dockerfile | 20 ++++++++++---------- tests/Dockerfile | 2 +- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/Dockerfile b/Dockerfile index 9266eb346..184846008 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,14 +1,14 @@ -ARG TAG=3.9.7-alpine3.14 +ARG TAG=3.10.1-alpine3.15 FROM python:${TAG} as builder WORKDIR /bin_dir RUN apk add --no-cache \ # Builder deps - curl \ - unzip && \ + curl=~7 \ + unzip=~6 && \ # Upgrade pip for be able get latest Checkov - python3 -m pip install --upgrade pip + python3 -m pip install --no-cache-dir --upgrade pip ARG PRE_COMMIT_VERSION=${PRE_COMMIT_VERSION:-latest} ARG TERRAFORM_VERSION=${TERRAFORM_VERSION:-latest} @@ -57,7 +57,7 @@ RUN if [ "$INSTALL_ALL" != "false" ]; then \ RUN . /.env && \ if [ "$CHECKOV_VERSION" != "false" ]; then \ ( \ - apk add --no-cache gcc libffi-dev musl-dev; \ + apk add --no-cache gcc=~10 libffi-dev=~3 musl-dev=~1; \ [ "$CHECKOV_VERSION" = "latest" ] && pip3 install --no-cache-dir checkov \ || pip3 install --no-cache-dir checkov==${CHECKOV_VERSION}; \ apk del gcc libffi-dev musl-dev \ @@ -146,9 +146,9 @@ FROM python:${TAG} RUN apk add --no-cache \ # pre-commit deps - git \ + git=~2 \ # All hooks deps - bash + bash=~5 # Copy tools COPY --from=builder \ 
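Review bot: The comments on the new hadolint `--ignore` list restate rule titles (`Do not use apt`, `Using latest`, `Useless check`) rather than why this repository accepts each finding, so a later maintainer cannot tell which suppressions are deliberate policy and which are lint appeasement; DL3007 and DL3013 in particular switch off the two pinning checks that matter most for reproducible images. The Dockerfile in this PR defaults tool versions to `latest` via build args, which is a legitimate reason for DL3007, and that is what the comment should say, e.g. `'--ignore', 'DL3007', # 'latest' is the deliberate default for tool versions; override via build args`. Suppressions that apply to a single file (such as `tests/Dockerfile`) belong inline above the offending instruction, `# hadolint ignore=DL3007`, rather than in a global list that also silences the production Dockerfile. Moving the list into a `.hadolint.yaml` `ignored:` section would additionally make a local `hadolint Dockerfile` run agree with CI.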
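Review bot: The new apk constraints `curl=~7` and `unzip=~6` satisfy DL3018 but pin only the major version, so the build is no more reproducible than before while now reading as if it were; the `python3 -m pip install --no-cache-dir --upgrade pip` on the same `RUN` remains fully unpinned. If floating within a major is the intent (keeping Alpine's security patch releases flowing), say so once at the first occurrence, e.g. `# '=~MAJOR' keeps patch releases flowing while satisfying DL3018; bump alongside the alpine release in TAG`; if reproducibility is the goal, use the full `pkg=VERSION-rN` form and refresh it together with `ARG TAG`. Either way the choice should be stated, because a reader who sees a version constraint will assume the stronger guarantee.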
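Review bot: `gcc=~10`, `libffi-dev=~3` and `musl-dev=~1` hard-code package majors that are specific to the Alpine release named in `ARG TAG` (3.15 at the top of this file), yet TAG is an overridable build arg, so anyone building with a newer or older `python:*-alpine*` tag will hit an `apk` resolution failure inside this Checkov branch with nothing pointing at TAG as the cause. A one-line comment at the `apk add` saves that debugging, e.g. `# package majors track the alpine release in TAG — bump them together when TAG changes`. These build deps are removed again by the `apk del` on the following line, so the pins only affect build-time resolution, not the runtime image contents. The enclosing `RUN` and the `CHECKOV_VERSION` conditional continue outside the hunk.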
@@ -159,16 +159,16 @@ COPY --from=builder \ /usr/local/bin/checkov* \ /usr/bin/ # Copy pre-commit packages -COPY --from=builder /usr/local/lib/python3.9/site-packages/ /usr/local/lib/python3.9/site-packages/ +COPY --from=builder /usr/local/lib/python3.10/site-packages/ /usr/local/lib/python3.10/site-packages/ # Copy terrascan policies COPY --from=builder /root/ /root/ # Install hooks extra deps RUN if [ "$(grep -o '^terraform-docs SKIPPED$' /usr/bin/tools_versions_info)" = "" ]; then \ - apk add --no-cache perl \ + apk add --no-cache perl=~5 \ ; fi && \ if [ "$(grep -o '^infracost SKIPPED$' /usr/bin/tools_versions_info)" = "" ]; then \ - apk add --no-cache jq \ + apk add --no-cache jq=~1 \ ; fi ENV PRE_COMMIT_COLOR=${PRE_COMMIT_COLOR:-always} diff --git a/tests/Dockerfile b/tests/Dockerfile index cc0f7d2e1..7a5ce5870 100644 --- a/tests/Dockerfile +++ b/tests/Dockerfile @@ -1,4 +1,4 @@ -FROM pre-commit +FROM pre-commit:latest RUN apt update && \ apt install -y \ From 5c6a15d76769a32d3b9bfa88b7405c859e297783 Mon Sep 17 00:00:00 2001 From: MaxymVlasov Date: Tue, 11 Jan 2022 17:50:57 +0200 Subject: [PATCH 3/5] Make configs up-to-date --- .github/CONTRIBUTING.md | 2 +- tests/Dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md index 7c4178c42..f4ce9aa36 100644 --- a/.github/CONTRIBUTING.md +++ b/.github/CONTRIBUTING.md @@ -73,7 +73,7 @@ sudo apt install -y datamash ```bash # Build `pre-commit` image -docker build -t pre-commit --build-arg INSTALL_ALL=true . +docker build -t pre-commit-terraform --build-arg INSTALL_ALL=true . # Build test image docker build -t pre-commit-tests tests/ # Run diff --git a/tests/Dockerfile b/tests/Dockerfile index 7a5ce5870..ec77d18af 100644 --- a/tests/Dockerfile +++ b/tests/Dockerfile @@ -1,4 +1,4 @@ -FROM pre-commit:latest +FROM pre-commit-terraform:latest RUN apt update && \ apt install -y \ From 7e34de024972344787a1704e5952f812148aa33b Mon Sep 17 00:00:00 2001 
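Review bot: `COPY --from=builder /usr/local/lib/python3.10/site-packages/ ...` hard-codes the Python minor a second time, independently of `ARG TAG` at the top of the file; because `COPY` paths cannot be computed at build time, an override of TAG to a different minor fails here with a missing-path error that gives no hint TAG is the cause. Tie the two together with a comment, e.g. `# Path must match the python minor in ARG TAG (currently 3.10)`, or have the builder stage install into a version-independent directory it controls and copy that instead. The `perl=~5` and `jq=~1` constraints pin only the major, consistent with the rest of this PR, and the same caveat about implied reproducibility applies.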
From: MaxymVlasov Date: Tue, 11 Jan 2022 17:51:42 +0200 Subject: [PATCH 4/5] Fix shellcheck issue Co-authored-by: Balazs Hamorszky --- hooks/infracost_breakdown.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hooks/infracost_breakdown.sh b/hooks/infracost_breakdown.sh index 267971d65..dc7bc51b1 100755 --- a/hooks/infracost_breakdown.sh +++ b/hooks/infracost_breakdown.sh @@ -73,8 +73,8 @@ function infracost_breakdown_ { }; then check="${check:1:-1}" fi - # shellcheck disable=SC2207 # Can't find working `read` command - operations=($(echo "$check" | grep -oE '[!<>=]{1,2}')) + + mapfile -t operations < <(echo "$check" | grep -oE '[!<>=]{1,2}') # Get the very last operator, that is used in comparison inside `jq` query. # From the example below we need to pick the `>` which is in between `add` and `1000`, # but not the `!=`, which goes earlier in the `jq` expression From fa08179b4f5060c177202cce313a13ce1d4b9974 Mon Sep 17 00:00:00 2001 From: Maksym Vlasov Date: Tue, 11 Jan 2022 19:08:44 +0200 Subject: [PATCH 5/5] Apply suggestions from code review --- .github/CONTRIBUTING.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md index f4ce9aa36..e606c0973 100644 --- a/.github/CONTRIBUTING.md +++ b/.github/CONTRIBUTING.md @@ -72,7 +72,7 @@ sudo apt install -y datamash ### Run via Docker ```bash -# Build `pre-commit` image +# Build `pre-commit-terraform` image docker build -t pre-commit-terraform --build-arg INSTALL_ALL=true . # Build test image docker build -t pre-commit-tests tests/
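Review bot: `mapfile -t operations < <(echo "$check" | grep -oE '[!<>=]{1,2}')` resolves SC2207 but introduces a bash ≥ 4.0 dependency (`mapfile`) into a hook that developers presumably also run locally; macOS still ships bash 3.2 as `/bin/bash`, so the hook will fail there unless the script's shebang (outside this hunk) resolves to a newer bash. If bash 4 is an accepted requirement, state it near the shebang; otherwise a `while read` loop keeps 3.2 compatibility: `operations=(); while IFS= read -r op; do operations+=("$op"); done < <(printf '%s\n' "$check" | grep -oE '[!<>=]{1,2}')`. Prefer `printf '%s\n' "$check"` over `echo "$check"` in either form, since a check string beginning with `-n` or `-e` would be consumed by `echo` as an option. When `grep` matches nothing the array is empty, and the code that picks "the very last operator" lies outside this hunk and should be confirmed to tolerate that. The function `infracost_breakdown_` continues outside the hunk.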