#277 - Repo migration progress - GH Actions

.github/workflows/static_analysis_pre_commit.yml

@@ -0,0 +1,37 @@
+name: Static Analysis
+
+on: [pull_request]
+
+jobs:
+  pre-commit:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - uses: actions/setup-python@v3
+      with:
+        python-version: '3.11'
+    - name: Read .terraform-version
+      id: tf_version
+      run: echo "TF_VERSION=$(cat .terraform-version)" >> $GITHUB_ENV
+    - name: Setup Terraform
+      uses: hashicorp/setup-terraform@v3
+      with:
+        terraform_version: ${{ env.TF_VERSION }}
+    - name: Install Hadolint for pre-commit hook
+      run: |
+        wget -O /usr/local/bin/hadolint https://github.com/hadolint/hadolint/releases/latest/download/hadolint-Linux-x86_64
+        chmod +x /usr/local/bin/hadolint
+    - name: Install TFLint for pre-commit hook
+      run: |
+        curl -s https://raw.githubusercontent.com/terraform-linters/tflint/master/install_linux.sh | bash
+    - name: Install trivy for pre-commit hook
+      run: |
+        sudo apt-get install wget apt-transport-https gnupg lsb-release
+        wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
+        echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
+        sudo apt-get update
+        sudo apt-get install trivy
+    - name: Static Analysis with Pre-commit
+      uses: pre-commit/[email protected]
+      with:
+        extra_args: --config .pre-commit-config-ci.yaml --all-files

.pre-commit-config-ci.yaml

@@ -0,0 +1,77 @@
+fail_fast: true
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.5.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-yaml
+      - id: check-xml
+      - id: check-added-large-files
+        args:
+          - --maxkb=50000
+      - id: check-json # Checks json files for parsable syntax.
+      - id: pretty-format-json # Sets a standard for formatting json files.
+        args:
+          - --autofix
+      - id: requirements-txt-fixer # Sorts entries in requirements.txt.
+      - id: check-ast # Simply checks whether the files parse as valid python.
+      - id: detect-private-key # Detects the presence of private keys.
+      - id: detect-aws-credentials # Detects *your* aws credentials from the aws cli credentials file.
+        args:
+          - --allow-missing-credentials
+      - id: check-toml # Checks toml files for parsable syntax.
+
+  - repo: https://github.com/igorshubovych/markdownlint-cli
+    rev: "v0.39.0"
+    hooks:
+      - id: markdownlint
+        args: ["--config", ".markdownlintrc", "--ignore", "CHANGELOG.md"]
+
+  - repo: https://github.com/PyCQA/isort
+    rev: 5.13.2
+    hooks:
+      - id: isort
+
+  - repo: https://github.com/psf/black-pre-commit-mirror
+    rev: 24.1.1
+    hooks:
+      - id: black
+
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.2.1
+    hooks:
+      - id: ruff
+
+  - repo: https://github.com/PyCQA/bandit
+    rev: "1.7.7" # you must change this to newest version
+    hooks:
+      - id: bandit
+        args:
+          [
+            "--configfile=pyproject.toml",
+            "--severity-level=high",
+            "--confidence-level=high",
+          ]
+        additional_dependencies: [".[toml]"]
+
+  - repo: https://github.com/hadolint/hadolint
+    rev: v2.12.1-beta
+    hooks:
+      - id: hadolint # requires hadolint is installed (brew install hadolint)
+        args:
+          - --no-color
+          - --failure-threshold=error
+          - --verbose
+
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.86.0
+    hooks:
+      - id: terraform_fmt # Rewrites all Terraform configuration files to a canonical format.
+      - id: terraform_tflint # Validates all Terraform configuration files with TFLint.
+      - id: terraform_trivy # Static analysis of Terraform templates to spot potential security issues.
+        args:
+          - >
+            --args=--severity=CRITICAL
+            --skip-dirs="**/.terraform"
+            --tf-exclude-downloaded-modules

.pre-commit-config.yaml

@@ -64,21 +64,21 @@ repos:
           - --failure-threshold=error
           - --verbose
 
-  # - repo: https://github.com/antonbabenko/pre-commit-terraform
-  #   rev: v1.86.0
-  #   hooks:
-  #     - id: terraform_validate # Validates all Terraform configuration files.
-  #       args:
-  #         - --tf-init-args=-upgrade
-  #     - id: terraform_fmt # Rewrites all Terraform configuration files to a canonical format.
-  #     - id: terraform_tflint # Validates all Terraform configuration files with TFLint.
-  #     - id: terraform_trivy # Static analysis of Terraform templates to spot potential security issues.
-  #       args:
-  #         - >
-  #           --args=--severity=CRITICAL
-  #           --skip-dirs="**/.terraform"
-  #           --tf-exclude-downloaded-modules
-  #     - id: terraform_docs
-  #       args:
-  #         - --hook-config=--add-to-existing-file=true
-  #         - --hook-config=--create-file-if-not-exist=true
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.86.0
+    hooks:
+      - id: terraform_validate # Validates all Terraform configuration files.
+        args:
+          - --tf-init-args=-upgrade
+      - id: terraform_fmt # Rewrites all Terraform configuration files to a canonical format.
+      - id: terraform_tflint # Validates all Terraform configuration files with TFLint.
+      - id: terraform_trivy # Static analysis of Terraform templates to spot potential security issues.
+        args:
+          - >
+            --args=--severity=CRITICAL
+            --skip-dirs="**/.terraform"
+            --tf-exclude-downloaded-modules
+      - id: terraform_docs
+        args:
+          - --hook-config=--add-to-existing-file=true
+          - --hook-config=--create-file-if-not-exist=true`