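---
# pre-commit configuration: generic hygiene hooks, secret scanning, and a
# Terraform lint/validate/scan chain. Every `rev` below is a tag; tags are
# mutable, so a commit SHA is the stronger pin if the project wants one.
repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.6.0
    hooks:
      - id: check-merge-conflict
      - id: end-of-file-fixer
      - id: trailing-whitespace
      - id: check-yaml
      - id: check-added-large-files

  # Secret scanning of staged content; listed before the Terraform hooks so a
  # leaked credential is reported even when the later hooks fail.
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.21.0
    hooks:
      - id: gitleaks

  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: v1.92.1
    hooks:
      - id: terraform_fmt
      - id: terraform_docs
        args:
          - '--args=--lockfile=false'
      - id: terraform_tflint
        # Each `--only` enables exactly one tflint rule; rules not listed here
        # are not run, so adding a rule means adding a line.
        args:
          - '--args=--only=terraform_deprecated_interpolation'
          - '--args=--only=terraform_deprecated_index'
          - '--args=--only=terraform_unused_declarations'
          - '--args=--only=terraform_comment_syntax'
          - '--args=--only=terraform_documented_outputs'
          - '--args=--only=terraform_documented_variables'
          - '--args=--only=terraform_typed_variables'
          - '--args=--only=terraform_module_pinned_source'
          - '--args=--only=terraform_naming_convention'
          - '--args=--only=terraform_required_version'
          - '--args=--only=terraform_required_providers'
          - '--args=--only=terraform_standard_module_structure'
          - '--args=--only=terraform_workspace_remote'
          - '--args=--only=terraform_unused_required_providers'
      - id: terraform_validate
        args:
          - '--hook-config=--retry-once-with-cleanup=true'
          # `-upgrade` lets the hook's `terraform init` select newer providers
          # within the version constraints, so the validated provider set can
          # differ from what the committed lockfile pins.
          - '--tf-init-args=-upgrade'
      - id: terraform_trivy
        args:
          - '--args=--ignorefile=__GIT_WORKING_DIR__/.trivyignore'
      ### The hook below locks the Terraform provider versions for several
      ### platforms. The same result can be produced manually with:
      ###   terraform providers lock -platform=linux_arm64 -platform=linux_amd64 -platform=darwin_amd64
      # - id: terraform_providers_lock
      #   args:
      #     - --args=-platform=linux_arm64
      #     - --args=-platform=linux_amd64
      #     - --args=-platform=darwin_amd64

  - repo: https://github.com/bridgecrewio/checkov.git
    rev: '3.2.219'  # change to tag or sha
    hooks:
      - id: checkov
        verbose: true
        args:
          - --compact
          # `--download-external-modules true` makes checkov fetch modules
          # referenced from remote sources at hook time (network access
          # during the commit).
          - --download-external-modules
          - "true"
          - --quiet
          # `--soft-fail` zeroes checkov's exit code for every finding, so this
          # hook reports but never blocks a commit. While it is set, the
          # `--soft-fail-on` entry further down is redundant.
          - --soft-fail
          - --skip-check
          - "CKV_AWS_26,CKV_AWS_27,CKV_AWS_28,CKV_AWS_50,CKV_AWS_116,CKV_AWS_119,CKV_AWS_117,CKV_AWS_158,CKV_AWS_173,CKV_AWS_272,CKV_AWS_338,CKV2_AWS_16"
          - --soft-fail-on
          - "CKV2_GHA_1"

  # - repo: https://github.com/tenable/terrascan
  #   rev: v1.19.9
  #   hooks:
  #     - id: terraform-pre-commit
  #       args: [ '-i terraform' ]
  #       files: ^.*\.tf$
  #       exclude: ^\.github/.*  # Exclude the .github directory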