feat(general): Add docker to pre commit hooks

[lhriley]

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Description

Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change.

Fixes # n/a

Description

Include a description of what makes it a violation and any relevant external links.

This PR adds support for running pre-commit hooks using the container image, rather than depending on the checkov binary or python module.

Note that due to a limitation in pre-commit I had to make a choice about what the default container tag should be. I opted for latest to reduce the overhead of maintenance. However, it is possible to override this by declaring the entry field in the pre-commit config.

Example:

---
repos:
  - repo: https://github.com/Labelbox/checkov
    rev: 76b8e380a
    hooks:
      - id: checkov_container
        entry: bridgecrew/checkov:2.4.2 -d .

Related:
pre-commit/pre-commit#2968

Fix

How does someone fix the issue in code and/or in runtime?

To test this PR, add the following to your .pre-commit-config.yaml

---
repos:
  - repo: https://github.com/Labelbox/checkov
    rev: 76b8e380a
    hooks:
      - id: checkov_container
      - id: checkov_diff_container
      - id: checkov_secrets_container
        args:
          - '--quiet'
          - '--skip-path'
          - 'dependencies/onepassword-connect/connect-helm-charts'
          - '-f' # required and must come last

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• [n/a] I have added tests that prove my feature, policy, or fix is effective and works
• New and existing tests pass locally with my changes
• [n/a] Any dependent changes have been merged and published in downstream modules

[gruebel]

nice work, added some comments

[gruebel]

we usually recommend to run docker with --tty for better output handle.

[lhriley]

For reference, this is how pre-commit runs docker_image hooks:

https://github.com/pre-commit/pre-commit/blob/bde292b51078357384602ebe6b9b27b1906987e5/pre_commit/languages/docker.py#L111-L146

I pushed up a commit to add --tty and the output looks like this now:

❯ pre-commit run -av checkov_secrets_container
Checkov Secrets..........................................................Passed
- hook id: checkov_secrets_container
- duration: 17.04s

secrets scan results:

Passed checks: 0, Failed checks: 0, Skipped checks: 49




❯ pre-commit run -av checkov_secrets_container
Checkov Secrets..........................................................Failed
- hook id: checkov_secrets_container
- duration: 17.16s
- exit code: 1

secrets scan results:

Passed checks: 0, Failed checks: 1, Skipped checks: 49

Check: CKV_SECRET_6: "Base64 High Entropy String"
	FAILED for resource: a2478cff5623ee9e46dfe2ab06e96bfe5168f732
	File: /foo/bar-values.yaml:7-8
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html

		7 | superSecret: c2Vjcm******************************************************************************************************************************************************************************




❯ pre-commit run -a checkov_secrets_container
Checkov Secrets..........................................................Failed
- hook id: checkov_secrets_container
- exit code: 1

secrets scan results:

Passed checks: 0, Failed checks: 1, Skipped checks: 49

Check: CKV_SECRET_6: "Base64 High Entropy String"
	FAILED for resource: a2478cff5623ee9e46dfe2ab06e96bfe5168f732
	File: /foo/bar-values.yaml:7-8
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html

		7 | superSecret: c2Vjcm******************************************************************************************************************************************************************************




❯ pre-commit run -a checkov_secrets_container
Checkov Secrets..........................................................Passed

[lhriley]

@gruebel question about the container tag. As mentioned I picked latest to avoid maintenance overhead, however, the intended solution is to pin to the same tag as the git release / tag. That would mean updating the .pre-commit-hooks.yaml with every release cycle.

The downside to using latest is that as a user you never know which version of checkov your checks are running as.

Any thoughts on how you would want to maintain this? Should I pin to whatever tag is available today (2.4.7?) or leave it as latest?

[JamesWoolfenden]

LGTM

[JamesWoolfenden]

@gruebel question about the container tag. As mentioned I picked latest to avoid maintenance overhead, however, the intended solution is to pin to the same tag as the git release / tag. That would mean updating the .pre-commit-hooks.yaml with every release cycle.

The downside to using latest is that as a user you never know which version of checkov your checks are running as.

Any thoughts on how you would want to maintain this? Should I pin to whatever tag is available today (2.4.7?) or leave it as latest?

Least maintenance is best, going to be a pain either way if you have pinned a version from pip locally and another pinned version in pre-commit unless you can specify version as a var in pre-commit?.

[lhriley]

Least maintenance is best, going to be a pain either way if you have pinned a version from pip locally and another pinned version in pre-commit unless you can specify version as a var in pre-commit?.

There are limitations based on how pre-commit is designed, but you can replace the entry field like this to specify a version:

entry: --tty bridgecrew/checkov:<version> --framework secrets --enable-secret-scan-all-files

[JamesWoolfenden]

where does the value of <version> come from? Unless it matches the revision that come from the hook im not sure it has a use?

…

On Tue, 5 Dec 2023 at 17:19, l.h. riley ***@***.***> wrote: Least maintenance is best, going to be a pain either way if you have pinned a version from pip locally and another pinned version in pre-commit unless you can specify version as a var in pre-commit?. There are limitations based on how pre-commit is designed, but you can replace the entry field like this to specify a version: entry: --tty bridgecrew/checkov:<version> --framework secrets --enable-secret-scan-all-files — Reply to this email directly, view it on GitHub <https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_bridgecrewio_checkov_pull_5458-23issuecomment-2D1841268013&d=DwMFaQ&c=V9IgWpI5PvzTw83UyHGVSoW3Uc1MFWe5J8PTfkrzVSo&r=4swPLFBnc0bEa0eCYAXVTwbfSHo3u8zED6QU--oM1JxuMhxkyvo1p4ZO6f46FFxe&m=5ITlsi_fIs5Alwt7c2_mdPeKnGUcB9gBgXw9nJda2i0XnKabeZKa3KJi4aMfgmXd&s=tI-zfE8u3_LuPdx43KyRt6yYZLjTSg5xxjZeeMPsGlo&e=>, or unsubscribe <https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_AALDV4A62JTYVLOA4UY5DU3YH5JSHAVCNFSM6AAAAAA3V6NJFKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQNBRGI3DQMBRGM&d=DwMFaQ&c=V9IgWpI5PvzTw83UyHGVSoW3Uc1MFWe5J8PTfkrzVSo&r=4swPLFBnc0bEa0eCYAXVTwbfSHo3u8zED6QU--oM1JxuMhxkyvo1p4ZO6f46FFxe&m=5ITlsi_fIs5Alwt7c2_mdPeKnGUcB9gBgXw9nJda2i0XnKabeZKa3KJi4aMfgmXd&s=KZvJw4BsfJ7KSnDlSRdWvNjzycpAYC0Gucz-XOvdECs&e=> . You are receiving this because your review was requested.Message ID: ***@***.***>

[lhriley]

The <version> in my example is just any valid docker image tag that has been published.

[JamesWoolfenden]

then i think its best to stick with the latest, bit of a draw back in using docker in this case.

[tsmithv11]

LGTM but we should include how to override the latest tag in the docs. Thanks!

[lhriley]

Thanks @tsmithv11. Suggestions merged, and branch updated from main. 👍