fix: Check all directories with changes and pass all args in terrascan hook

.pre-commit-hooks.yaml

@@ -108,3 +108,6 @@
   description: Runs terrascan on Terraform templates.
   language: script
   entry: terrascan.sh
+  files: \.tf$
+  exclude: \.terraform\/.*$
+  require_serial: true

README.md

@@ -43,6 +43,7 @@ If you are using `pre-commit-terraform` already or want to support its developme
   * [terraform_tflint](#terraform_tflint)
   * [terraform_tfsec](#terraform_tfsec)
   * [terraform_validate](#terraform_validate)
+  * [terrascan](#terrascan)
 * [Authors](#authors)
 * [License](#license)
 
@@ -223,7 +224,7 @@ There are several [pre-commit](https://pre-commit.com/) hooks to keep Terraform
 | `terraform_validate`                                   | Validates all Terraform configuration files. [Hook notes](#terraform_validate)                                                                                                                                                               | -                                                                                    |
 | `terragrunt_fmt`                                       | Reformat all [Terragrunt](https://github.com/gruntwork-io/terragrunt) configuration files (`*.hcl`) to a canonical format.                                                                                                                   | `terragrunt`                                                                         |
 | `terragrunt_validate`                                  | Validates all [Terragrunt](https://github.com/gruntwork-io/terragrunt) configuration files (`*.hcl`)                                                                                                                                         | `terragrunt`                                                                         |
-| `terrascan`                                            | [terrascan](https://github.com/accurics/terrascan) Detect compliance and security violations.                                                                                                                                                | `terrascan`                                                                          |
+| `terrascan`                                            | [terrascan](https://github.com/accurics/terrascan) Detect compliance and security violations. [Hook notes](#terrascan)                                                                                                                                               | `terrascan`                                                                          |
 <!-- markdownlint-enable no-inline-html -->
 
 Check the [source file](https://github.com/antonbabenko/pre-commit-terraform/blob/master/.pre-commit-hooks.yaml) to know arguments used for each hook.
@@ -550,6 +551,22 @@ Example:
 
     **Warning:** If you use Terraform workspaces, DO NOT use this workaround ([details](https://github.com/antonbabenko/pre-commit-terraform/issues/203#issuecomment-918791847)). Wait to [`force-init`](https://github.com/antonbabenko/pre-commit-terraform/issues/224) option implementation.
 
+### terrascan
+
+1. `terrascan` supports custom arguments so you can pass supported flags like `--non-recursive` and `--policy-type` to disable recursive inspection and set the policy type respectively:
+
+    ```yaml
+    - id: terrascan
+      args:
+        - --args=--non-recursive # avoids scan errors on subdirectories without Terraform config files
+        - --args=--policy-type=azure
+    ```
+
+    See the `terrascan run -h` command line help for available options.
+
+2. Use the `--args=--verbose` parameter to see the rule ID in the scaning output. Usuful to skip validations.
+3. Use `--skip-rules="ruleID1,ruleID2"` parameter to skip one or more rules globally while scanning (e.g.: `--args=--skip-rules="ruleID1,ruleID2"`).
+4. Use the syntax `#ts:skip=RuleID optional_comment` inside a resource to skip the rule for that resource.
 
 ## Authors
 

terrascan.sh

@@ -4,27 +4,45 @@ set -eo pipefail
 main() {
   initialize_
   parse_cmdline_ "$@"
-
-  # propagate $FILES to custom function
-  terrascan_ "$ARGS" "$FILES"
+  terrascan_
 }
 
 terrascan_() {
   # consume modified files passed from pre-commit so that
   # terrascan runs against only those relevant directories
-  for file_with_path in $FILES; do
+  for file_with_path in "${FILES[@]}"; do
     file_with_path="${file_with_path// /__REPLACED__SPACE__}"
     paths[index]=$(dirname "$file_with_path")
-
-    let "index+=1"
+    index=$((index + 1))
   done
 
+  # allow terrascan to continue if exit_code is greater than 0
+  # preserve errexit status
+  shopt -qo errexit && ERREXIT_IS_SET=true
+  set +e
+  terrascan_final_exit_code=0
+
+  # for each path run terrascan
   for path_uniq in $(echo "${paths[*]}" | tr ' ' '\n' | sort -u); do
     path_uniq="${path_uniq//__REPLACED__SPACE__/ }"
     pushd "$path_uniq" > /dev/null
-    terrascan scan -i terraform $ARGS
+
+    # pass the arguments to terrascan
+    # shellcheck disable=SC2068 # terrascan fails when quoting is used ("${ARGS[@]}" vs ${ARGS[@]})
+    terrascan scan -i terraform ${ARGS[@]}
+
+    local exit_code=$?
+    if [ $exit_code != 0 ]; then
+      terrascan_final_exit_code=$exit_code
+    fi
+
     popd > /dev/null
   done
+
+  # restore errexit if it was set before the "for" loop
+  [[ $ERREXIT_IS_SET ]] && set -e
+  # return the terrascan final exit_code
+  exit $terrascan_final_exit_code
 }
 
 initialize_() {