From 7bb011e776039fa992a90937de686759cfbfa8f1 Mon Sep 17 00:00:00 2001
From: Balazs Kenez <96087935+bkenez@users.noreply.github.com>
Date: Mon, 13 Jan 2025 18:46:02 +0100
Subject: [PATCH] feat: add trivy terraform scan to pre-commit checks

---
 .lint/trivy/trivy-scan.sh | 3 +++
 .pre-commit-config.yaml   | 8 ++++++++
 .tool-versions            | 2 ++
 3 files changed, 13 insertions(+)
 create mode 100755 .lint/trivy/trivy-scan.sh

diff --git a/.lint/trivy/trivy-scan.sh b/.lint/trivy/trivy-scan.sh
new file mode 100755
index 00000000..350e8f58
--- /dev/null
+++ b/.lint/trivy/trivy-scan.sh
@@ -0,0 +1,3 @@
+# Since Trivy does not have a pre-commit hook by default, this is a custom hook script
+#!/bin/bash
+trivy config --config .lint/trivy/trivy.yaml --ignorefile .trivyignore
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index bb92c0a0..e599750f 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -71,3 +71,11 @@ repos:
     rev: 0.2.3
     hooks:
       - id: yamlfmt
+
+  - repo: local
+    hooks:
+      - id: trivy-scan
+        name: Trivy Scan
+        entry: .lint/trivy/trivy-scan.sh
+        language: script
+        types: [yaml, terraform]
diff --git a/.tool-versions b/.tool-versions
index 9ce9e0af..2fb62d21 100644
--- a/.tool-versions
+++ b/.tool-versions
@@ -33,3 +33,5 @@ terraform-docs 0.19.0
 tflint 0.55.0
 tfsec 1.28.13
+
+trivy 0.58.1
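Review bot: The shebang in the new trivy-scan.sh is on the second line, after the comment, so the kernel never sees `#!` and pre-commit (which executes a `language: script` entry directly) will get an exec-format error instead of a bash interpreter; the first two lines need to swap so the file starts with `#!/bin/bash` and the comment follows it. The script also silently discards the staged filenames pre-commit appends as arguments, so either forward them with `"$@"` or give `trivy config` an explicit target and set `pass_filenames: false` on the hook, e.g. `exec trivy config --config .lint/trivy/trivy.yaml --ignorefile .trivyignore --exit-code 1 .`. As far as I recall Trivy's `--exit-code` defaults to 0, in which case misconfigurations are printed but never block the commit, so the hook is not enforcing without `--exit-code 1`. The referenced `.lint/trivy/trivy.yaml` is not part of this patch; confirm it is committed alongside, otherwise the hook fails on a missing config file rather than on findings.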
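Review bot: `types: [yaml, terraform]` on the new trivy-scan hook uses AND semantics in pre-commit, so a file must carry both tags to be selected; no file does, and the hook will report "no files to check" and be skipped on every commit. The OR filter the name suggests is `types_or: [yaml, terraform]`. Because trivy-scan.sh scans a configured path rather than the individual files it is handed, `pass_filenames: false` on the same hook keeps pre-commit from appending the filename list to the command line, and the two lines together are `types_or: [yaml, terraform]` and `pass_filenames: false`. A one-line comment above the hook noting that it runs Trivy's config scanner over the repository (not per file) would save the next reader from re-deriving this.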