
actuarysailor

Put an x into the box if that applies:

  • This PR introduces a breaking change.
  • This PR fixes a bug.
  • This PR adds new functionality.
  • This PR enhances existing functionality.

Description of your changes

This PR adds full support for Docker-based pre-commit hooks to pre-commit-terraform, allowing all major Terraform-related checks to be run in isolated, reproducible Docker containers. This enables users to run pre-commit hooks without installing any tools locally, ensuring consistent results across all environments and CI/CD systems.

Key features:

  • Adds 7 new Docker-based hooks (*_docker variants) for: terraform_fmt, terraform_validate, terraform_tflint, terraform_docs, terraform_checkov, terraform_trivy, and infracost_breakdown.
  • All Docker hooks use the published image ghcr.io/actuarysailor/pre-commit-terraform-tools:latest.
  • No breaking changes: all original script-based hooks remain unchanged and fully functional.
  • Users can mix and match Docker-based and script-based hooks as needed.
  • Comprehensive documentation and example configs for Docker usage.
  • CI/CD workflow for building and publishing the Docker image.
  • All temporary and development files have been cleaned up.

How can we test changes

  • Use the provided .pre-commit-config-docker-example.yaml to test Docker-based hooks in any repo.
  • Run pre-commit run --all-files with Docker installed; all Docker hooks should pass (except Infracost, which requires an API key).
  • All original script-based hooks remain available and work as before (no breaking changes).
  • See the updated README for usage instructions and details.

Fixes #418
Fixes #722
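The Docker hooks described above all reference `ghcr.io/actuarysailor/pre-commit-terraform-tools:latest`. A tag is a mutable pointer: whoever can push to that repository (or whoever compromises the workflow that publishes it) changes what every developer and CI job runs on the next pull, and nothing in the hook manifest records which image was actually vetted. The check below is an added example, not code from this PR or from pre-commit-terraform: it reads a hook manifest, reports `docker_image` hooks whose image is not pinned by `@sha256:` digest, and rewrites a tagged reference to a digest reference once the digest has been resolved (for instance with `docker buildx imagetools inspect`). It assumes pre-commit's `docker_image` convention that the first word of `entry` is the image reference and the rest is the command; the manifest excerpt, the exact `entry` layout of `terraform_fmt_docker`, and every digest value are constructed for illustration.

```python
"""Flag mutable Docker image references in a pre-commit hook manifest.

Added example, not part of pre-commit-terraform or this PR. It handles the
flat `- id:` / `key: value` layout of .pre-commit-hooks.yaml without a YAML
library; the sample manifest and digests below are constructed.
"""
import re

# Constructed excerpt in the shape of a .pre-commit-hooks.yaml. The first
# hook mirrors what the PR describes (docker_image language, image name in
# `entry`, pass_filenames false); its exact entry layout is an assumption.
# The third hook shows the digest-pinned form; that digest is invented.
SAMPLE_MANIFEST = """\
- id: terraform_fmt_docker
  name: Terraform fmt (Docker)
  entry: ghcr.io/actuarysailor/pre-commit-terraform-tools:latest terraform fmt
  language: docker_image
  pass_filenames: false
- id: terraform_fmt
  name: Terraform fmt
  entry: hooks/terraform_fmt.sh
  language: script
- id: example_pinned_docker
  name: Pinned image (constructed)
  entry: ghcr.io/example/tools@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef tool
  language: docker_image
  pass_filenames: false
"""

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def parse_hooks(manifest: str) -> list[dict]:
    """Minimal line-based parser for the flat hook manifest layout.

    Each `- ` line starts a new hook; every `key: value` line below it is
    attached to that hook. Not a general YAML parser, but sufficient for
    the one-level-deep manifest pre-commit uses.
    """
    hooks: list[dict] = []
    for raw in manifest.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- "):
            hooks.append({})
            line = line[2:]
        if hooks and ":" in line:
            key, _, value = line.partition(":")  # first ':' separates key
            hooks[-1][key.strip()] = value.strip()
    return hooks


def image_reference(entry: str) -> str:
    """For docker_image hooks the first word of `entry` is the image; the
    remaining words are the command run inside the container."""
    return entry.split()[0] if entry.split() else ""


def unpinned_docker_hooks(manifest: str) -> list[tuple[str, str]]:
    """Return (hook id, image) for docker_image hooks not pinned by digest.

    A tag such as :latest can be re-pointed at a different image at any
    time, so a manifest that only names a tag does not fix what runs.
    """
    findings: list[tuple[str, str]] = []
    for hook in parse_hooks(manifest):
        if hook.get("language") != "docker_image":
            continue
        image = image_reference(hook.get("entry", ""))
        if not DIGEST_RE.search(image):
            findings.append((hook.get("id", "?"), image))
    return findings


def pin_image(image: str, digest: str) -> str:
    """Rewrite a tagged (or already-digested) reference to `repo@sha256:digest`.

    `digest` is the 64-character hex string resolved out of band, e.g. from
    `docker buildx imagetools inspect <image>`. The tag is stripped only
    after the last '/', so a registry host:port prefix is left intact.
    """
    if not re.fullmatch(r"[0-9a-f]{64}", digest):
        raise ValueError("digest must be 64 lowercase hex characters")
    repo = image.split("@", 1)[0]
    head, _, tail = repo.rpartition("/")
    name = tail.split(":", 1)[0]
    repo = f"{head}/{name}" if head else name
    return f"{repo}@sha256:{digest}"


if __name__ == "__main__":
    for hook_id, image in unpinned_docker_hooks(SAMPLE_MANIFEST):
        print(f"{hook_id}: {image} is not digest-pinned")
```

Running the script against the constructed manifest reports only `terraform_fmt_docker`; the script-based hook is skipped because it is not a `docker_image` hook, and the third hook already carries a digest. Pinning by digest does not replace reviewing the image, but it makes the reviewed artifact and the executed artifact the same thing, and turns a registry tag change into a visible diff in the manifest.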

actuarysailor and others added 6 commits August 12, 2025 04:16
* Add Docker-based pre-commit hooks implementation

- Add Docker-based versions of terraform hooks (*_docker variants)
- Create Dockerfile.tools for individual tool execution
- Add GitHub Actions workflow for automated Docker image building
- Include comprehensive documentation and examples
- Maintain backward compatibility with existing script-based hooks

* Fix Docker workflow test step and add latest tag for feature branch

- Update test step to use dynamic tag instead of hardcoded :latest
- Add :latest tag for feat/use-docker-pre-commit branch to match hook expectations

* Fix corrupted .pre-commit-hooks.yaml and properly add Docker hooks

- Restore clean hooks file structure
- Add Docker-based hook variants at the end of file
- Ensure proper YAML formatting and syntax

* Fix docker_image language syntax: use image name in entry field

* Fix all Docker hooks syntax and add pass_filenames for validate

* Fix tflint Docker hook to use --chdir argument

* Add pass_filenames false to terraform_docs_docker

* Fix terraform_docs_docker argument order

* Add pass_filenames false to all remaining Docker hooks

* Clean up temporary files and add Docker hooks documentation

- Remove temporary documentation files and unused wrapper scripts
- Update README.md with comprehensive Docker hooks documentation
- Update example config to use stable release version
- Maintain backward compatibility - all original hooks unchanged

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* chore: Pre-commit fixes

* Update README.md

Co-authored-by: Copilot <[email protected]>

* Update .pre-commit-hooks.yaml

Co-authored-by: Copilot <[email protected]>

* chore: Undo copilot recommendation

* fix: Example file should point to upstream repo

* chore(ci): Maintain workflows

* fix: Pre-commit security issues

* fix: One more pre-commit security risk

* fix: Pre-commit security issue

* fix: Pre-commit security issue

* fix: One more try

* fix: Final security issue

* chore: Enhanced testing

* fix: Hadolint error

* fix: Consistent build conditions for all images

* fix: Hadolint?

* chore: Testing load switch

* chore: Test expanded matrix method

* fix: Remove dependency on other docker image

* fix: Added the hadolint hint

* fix: Build artifacts

* chore: Linting

* fix: Build artifacting

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* fix: Workflow syntax

* chore: Fix workflow syntax

* fix: Workflow linting

* chore: Cleanup deprecated job step

---------

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: Copilot <[email protected]>
* chore(ci): Fix release workflow

* Update .github/workflows/release.yml

Co-authored-by: Copilot <[email protected]>

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

---------

Co-authored-by: Copilot <[email protected]>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
# 1.0.0 (2025-08-12)

### Bug Fixes

* `grep: warning: stray \ before /` which pops up in `grep 3.8` ([antonbabenko#625](https://github.com/actuarysailor/pre-commit-terraform/issues/625)) ([e1a93b2](e1a93b2))
* **`terraform_docs`, `terraform_wrapper_module_for_each`:** Improve `.tofu` files support ([antonbabenko#904](https://github.com/actuarysailor/pre-commit-terraform/issues/904)) ([4f85212](4f85212))
* **`terraform_docs`:** Allow having whitespaces in path to `.terraform-docs.yaml` config file ([antonbabenko#796](https://github.com/actuarysailor/pre-commit-terraform/issues/796)) ([7d83911](7d83911))
* **`terraform_docs`:** Fix bug introduced in `v1.97.2` ([antonbabenko#801](https://github.com/actuarysailor/pre-commit-terraform/issues/801)) ([64b81f4](64b81f4)), closes [antonbabenko#796](https://github.com/actuarysailor/pre-commit-terraform/issues/796)
* **`terraform_docs`:** Fix issue and prioritize `output.file` setting from `.terraform-docs.yml` config over `--hook-config=--path-to-file=` ([antonbabenko#698](https://github.com/actuarysailor/pre-commit-terraform/issues/698)) ([9d6a22b](9d6a22b))
* **`terraform_docs`:** Fix issue with processing multiple files without `terraform-docs` markers. Issue introduced in v1.95.0 ([antonbabenko#720](https://github.com/actuarysailor/pre-commit-terraform/issues/720)) ([2b1aec8](2b1aec8)), closes [antonbabenko#717](https://github.com/actuarysailor/pre-commit-terraform/issues/717) [antonbabenko/pre-commit-terraform/hooks/terraform_docs.sh#L216](https://github.com/antonbabenko/pre-commit-terraform/blob/869a106a4c8c48f34f58318a830436142e31e10a/hooks/terraform_docs.sh#L216)
* **`terraform_docs`:** Fix non-GNU `sed` issues, introduced in v1.93.0 ([antonbabenko#704](https://github.com/actuarysailor/pre-commit-terraform/issues/704)) ([3c8734d](3c8734d))
* **`terraform_docs`:** Fix non-GNU sed issues, introduced in v1.93.0, as previous fix doesn't work correctly ([antonbabenko#708](https://github.com/actuarysailor/pre-commit-terraform/issues/708)) ([c986c5e](c986c5e))
* **`terraform_docs`:** Restore `--hook-config=--add-to-existing-file` default behavior. Regression from 1.94.0. ([antonbabenko#716](https://github.com/actuarysailor/pre-commit-terraform/issues/716)) ([315342e](315342e))
* **`terraform_docs`:** Restore multiple `--hook-config` args support. Regression from v1.95.0 ([antonbabenko#731](https://github.com/actuarysailor/pre-commit-terraform/issues/731)) ([87143fb](87143fb))
* **`terraform_docs`:** Suppress "terraform command not found" error message in case binary does not exist ([antonbabenko#693](https://github.com/actuarysailor/pre-commit-terraform/issues/693)) ([6ff3572](6ff3572))
* **`terraform_docs`:** Suppress redundant warnings pop-ups introduced in v1.92.2 ([antonbabenko#700](https://github.com/actuarysailor/pre-commit-terraform/issues/700)) ([59b2454](59b2454))
* **`terraform_providers_lock`:** Require `terraform init` (and `terraform_validate` hook) run when only lockfile changed ([antonbabenko#649](https://github.com/actuarysailor/pre-commit-terraform/issues/649)) ([02c1935](02c1935))
* **`terraform_validate`:** Run `terraform init` on "Missing required provider" error ([antonbabenko#586](https://github.com/actuarysailor/pre-commit-terraform/issues/586)) ([6e2bb2e](6e2bb2e))
* **`terragrunt_*` hooks:** Use new subcommands for terragrunt v0.78.0+ instead of deprecated ones ([antonbabenko#901](https://github.com/actuarysailor/pre-commit-terraform/issues/901)) ([54468bb](54468bb))
* Add `--env-vars`, deprecate `--envs` ([antonbabenko#410](https://github.com/actuarysailor/pre-commit-terraform/issues/410)) ([2b35cad](2b35cad))
* Add `--tf-init-args`, deprecate `--init-args` ([antonbabenko#407](https://github.com/actuarysailor/pre-commit-terraform/issues/407)) ([c4f8251](c4f8251))
* analyse all folders with tflint and don't stop on first execution ([antonbabenko#289](https://github.com/actuarysailor/pre-commit-terraform/issues/289)) ([7c6ad7c](7c6ad7c))
* Change terraform_validate hook functionality for subdirectories with terraform files ([antonbabenko#100](https://github.com/actuarysailor/pre-commit-terraform/issues/100)) ([7694fb9](7694fb9))
* Check all directories with changes and pass all args in terrascan hook ([antonbabenko#305](https://github.com/actuarysailor/pre-commit-terraform/issues/305)) ([66401d9](66401d9))
* command not found ([antonbabenko#251](https://github.com/actuarysailor/pre-commit-terraform/issues/251)) ([e33c654](e33c654))
* Correct deprecated parameter to terraform-docs ([antonbabenko#156](https://github.com/actuarysailor/pre-commit-terraform/issues/156)) ([3a07570](3a07570))
* Correctly handle arrays in terraform_docs.sh ([antonbabenko#141](https://github.com/actuarysailor/pre-commit-terraform/issues/141)) ([f2cab31](f2cab31))
* Describe migration instructions from `terraform_docs_replace` ([antonbabenko#451](https://github.com/actuarysailor/pre-commit-terraform/issues/451)) ([a8bcaa7](a8bcaa7))
* **docker image security:** Improve dependency pinning and disable ability to build image from a different tag than what is specified in the Dockerfile ([antonbabenko#830](https://github.com/actuarysailor/pre-commit-terraform/issues/830)) ([2c3aa85](2c3aa85))
* **docker:** Checkov installation silently fails on `docker build` on arm64. Workaround until the issue is fixed in `checkov` itself ([antonbabenko#635](https://github.com/actuarysailor/pre-commit-terraform/issues/635)) ([f255b05](f255b05))
* **docker:** Drop Mac arm64 build-time hack, needed for `checkov`<3.2.395 ([antonbabenko#907](https://github.com/actuarysailor/pre-commit-terraform/issues/907)) ([3c9ef3d](3c9ef3d))
* Dockerfile if INSTALL_ALL is not defined ([antonbabenko#233](https://github.com/actuarysailor/pre-commit-terraform/issues/233)) ([3bdcf51](3bdcf51))
* Dockerized pre-commit-terraform ([antonbabenko#219](https://github.com/actuarysailor/pre-commit-terraform/issues/219)) ([ce02f94](ce02f94))
* **docker:** Prevent all possible "silent errors" during `docker build` ([antonbabenko#644](https://github.com/actuarysailor/pre-commit-terraform/issues/644)) ([0340c8d](0340c8d))
* execute tflint once in no errors ([antonbabenko#250](https://github.com/actuarysailor/pre-commit-terraform/issues/250)) ([390a264](390a264))
* Extend `terraform_validate` `--retry-once-with-cleanup` errors list ([antonbabenko#566](https://github.com/actuarysailor/pre-commit-terraform/issues/566)) ([19188e5](19188e5))
* Fix `terraform_providers_lock` hook broken in v1.79.0 ([antonbabenko#521](https://github.com/actuarysailor/pre-commit-terraform/issues/521)) ([6bfc5bf](6bfc5bf))
* Fix and pin versions in Dockerfile ([antonbabenko#193](https://github.com/actuarysailor/pre-commit-terraform/issues/193)) ([d27074b](d27074b))
* Fix regex considering terraform-docs v0.10.0 old ([antonbabenko#151](https://github.com/actuarysailor/pre-commit-terraform/issues/151)) ([d773f4a](d773f4a))
* Fix terraform_wrapper_module_for_each for when resource name contains 'variable' ([antonbabenko#573](https://github.com/actuarysailor/pre-commit-terraform/issues/573)) ([941177e](941177e))
* Fix terraform_wrapper_module_for_each hook heredoc vars defaults ([antonbabenko#554](https://github.com/actuarysailor/pre-commit-terraform/issues/554)) ([6fd4263](6fd4263))
* Fix the terraform_wrapper_module_for_each hook for modules without outputs or variables ([antonbabenko#552](https://github.com/actuarysailor/pre-commit-terraform/issues/552)) ([f24b3fa](f24b3fa))
* Fixed `terraform_fmt` with `tfenv`, when `terraform` default version is not specified ([antonbabenko#389](https://github.com/actuarysailor/pre-commit-terraform/issues/389)) ([1b9476a](1b9476a))
* Fixed `tfupdate` to work in all cases, not only `pre-commit run --all` ([antonbabenko#375](https://github.com/actuarysailor/pre-commit-terraform/issues/375)) ([297cc75](297cc75))
* Fixed 1.54.0 where `terraform_docs` was broken ([antonbabenko#272](https://github.com/actuarysailor/pre-commit-terraform/issues/272)) ([4c50943](4c50943))
* Fixed args expand in terraform_docs ([antonbabenko#260](https://github.com/actuarysailor/pre-commit-terraform/issues/260)) ([01a6170](01a6170))
* Fixed docker build ([antonbabenko#288](https://github.com/actuarysailor/pre-commit-terraform/issues/288)) ([4543f10](4543f10))
* Fixed git fatal error in Dockerfile ([antonbabenko#372](https://github.com/actuarysailor/pre-commit-terraform/issues/372)) ([c3f8dd4](c3f8dd4))
* Fixed ordering issue in terraform_wrapper_module_for_each hook ([antonbabenko#565](https://github.com/actuarysailor/pre-commit-terraform/issues/565)) ([dc12be1](dc12be1))
* Fixed spacing in `terraform_wrapper_module_for_each` hook ([antonbabenko#503](https://github.com/actuarysailor/pre-commit-terraform/issues/503)) ([ddc0d81](ddc0d81))
* Fixed url for wrappers in generated README (terraform_wrapper_module_for_each) ([antonbabenko#429](https://github.com/actuarysailor/pre-commit-terraform/issues/429)) ([fe29c6c](fe29c6c))
* Improve `tflint --init` command execution ([antonbabenko#361](https://github.com/actuarysailor/pre-commit-terraform/issues/361)) ([d31cb69](d31cb69))
* Improve README and drop quotes from hook env vars ([antonbabenko#651](https://github.com/actuarysailor/pre-commit-terraform/issues/651)) ([daec682](daec682))
* label auto-adding after label rename ([antonbabenko#226](https://github.com/actuarysailor/pre-commit-terraform/issues/226)) ([4faee7b](4faee7b))
* Make hooks bash 3.2 compatible ([antonbabenko#339](https://github.com/actuarysailor/pre-commit-terraform/issues/339)) ([4ad825d](4ad825d))
* make infracost_breakdown.sh compatible with bash 3.2 (macOS) ([antonbabenko#903](https://github.com/actuarysailor/pre-commit-terraform/issues/903)) ([dcb4c36](dcb4c36))
* make terraform_docs Windows compatible ([antonbabenko#129](https://github.com/actuarysailor/pre-commit-terraform/issues/129)) ([81770aa](81770aa))
* make terraform_tfsec.sh executable ([antonbabenko#140](https://github.com/actuarysailor/pre-commit-terraform/issues/140)) ([077c423](077c423))
* **non-linux:** Bash environment variables in arguments not expanded + Add `trace` log level ([antonbabenko#645](https://github.com/actuarysailor/pre-commit-terraform/issues/645)) ([a2a2990](a2a2990))
* Parallelism CPU calculation inside Kubernetes and Docker with limits ([antonbabenko#799](https://github.com/actuarysailor/pre-commit-terraform/issues/799)) ([58a89a1](58a89a1))
* Pass args and env vars to terraform validate ([antonbabenko#125](https://github.com/actuarysailor/pre-commit-terraform/issues/125)) ([774c63e](774c63e))
* Pass command line arguments to tflint init ([antonbabenko#487](https://github.com/actuarysailor/pre-commit-terraform/issues/487)) ([29a8c00](29a8c00))
* Passed scenario in `terraform_docs` hook now works as expected ([7ac2736](7ac2736))
* pre-build docker image ([antonbabenko#292](https://github.com/actuarysailor/pre-commit-terraform/issues/292)) ([01d262c](01d262c))
* Pre-commit-terraform terraform_validate hook ([antonbabenko#401](https://github.com/actuarysailor/pre-commit-terraform/issues/401)) ([d9f482c](d9f482c))
* Properly exclude .terraform directory with checkov hook ([antonbabenko#306](https://github.com/actuarysailor/pre-commit-terraform/issues/306)) ([b431a43](b431a43))
* Regression from (at least) v1.99.0 which incorrectly handles `pre-commit run -a`, causing multiple hook runs. `terraform_trivy` from its introduction could always be `Passed` for `pre-commit run -a` ([antonbabenko#909](https://github.com/actuarysailor/pre-commit-terraform/issues/909)) ([a5bd84e](a5bd84e)), closes [antonbabenko#908](https://github.com/actuarysailor/pre-commit-terraform/issues/908)
* remove dead code from terraform-docs script ([antonbabenko#229](https://github.com/actuarysailor/pre-commit-terraform/issues/229)) ([ff54bb4](ff54bb4))
* remove sed postprocessing from the terraform_docs_replace hook to fix compatibility with terraform-docs 0.11.0+ ([antonbabenko#176](https://github.com/actuarysailor/pre-commit-terraform/issues/176)) ([90d4521](90d4521))
* Replace `mapfile` to support Bash 3.2.57 pre-installed in macOS ([antonbabenko#628](https://github.com/actuarysailor/pre-commit-terraform/issues/628)) ([01ab3f0](01ab3f0))
* Run `terraform_tfsec` only on terraform code changes ([antonbabenko#571](https://github.com/actuarysailor/pre-commit-terraform/issues/571)) ([4253162](4253162))
* Speed up x2 TFLint hook execution in dirs with violations ([antonbabenko#514](https://github.com/actuarysailor/pre-commit-terraform/issues/514)) ([49974ab](49974ab))
* Speedup `terrascan` hook up to x3 times in big repos ([antonbabenko#307](https://github.com/actuarysailor/pre-commit-terraform/issues/307)) ([2e8dcf9](2e8dcf9))
* Squash terraform_docs bug ([antonbabenko#138](https://github.com/actuarysailor/pre-commit-terraform/issues/138)) ([6c77a6c](6c77a6c))
* Support custom TF paths which contain spaces ([antonbabenko#714](https://github.com/actuarysailor/pre-commit-terraform/issues/714)) ([2bca410](2bca410))
* Suppress duplicate error messages in `terraform_validate` ([antonbabenko#577](https://github.com/actuarysailor/pre-commit-terraform/issues/577)) ([4ea6b14](4ea6b14))
* Terraform validate for submodules ([antonbabenko#172](https://github.com/actuarysailor/pre-commit-terraform/issues/172)) ([827af52](827af52))
* terraform_tflint hook executes in a serial way to run less often ([antonbabenko#211](https://github.com/actuarysailor/pre-commit-terraform/issues/211)) ([3404eed](3404eed))
* **terraform_tflint:** Restore current working directory behavior ([antonbabenko#302](https://github.com/actuarysailor/pre-commit-terraform/issues/302)) ([93029dc](93029dc))
* terraform-docs version 0.10 removed with-aggregate-type-defaults ([antonbabenko#150](https://github.com/actuarysailor/pre-commit-terraform/issues/150)) ([6f3b125](6f3b125))
* terraform_tflint ERROR output for files located in repo root ([antonbabenko#243](https://github.com/actuarysailor/pre-commit-terraform/issues/243)) ([3f66432](3f66432))
* TFSec outputs the same results multiple times ([antonbabenko#237](https://github.com/actuarysailor/pre-commit-terraform/issues/237)) ([71f7c34](71f7c34))
* trigger terraform-docs on changes in lock files ([antonbabenko#228](https://github.com/actuarysailor/pre-commit-terraform/issues/228)) ([b67dbd9](b67dbd9))
* typo in arg name for terraform-docs ([antonbabenko#283](https://github.com/actuarysailor/pre-commit-terraform/issues/283)) ([feabecc](feabecc))
* Updated formatting in README (closes [antonbabenko#113](https://github.com/actuarysailor/pre-commit-terraform/issues/113)) ([27e6369](27e6369))
* Updates all dependencies used in Dockerfile and fix Docker image ([antonbabenko#507](https://github.com/actuarysailor/pre-commit-terraform/issues/507)) ([dc177fe](dc177fe))
* **WSL:** Fix parallelism support for WSL systems with enabled systemd ([antonbabenko#872](https://github.com/actuarysailor/pre-commit-terraform/issues/872)) ([da2e9a8](da2e9a8))
* **WSL:** Make parallelism work appropriately ([antonbabenko#728](https://github.com/actuarysailor/pre-commit-terraform/issues/728)) ([e87ee43](e87ee43))

### Features

* **`terraform_docs`:** Add `terraform-docs` default markers support and describe how to migrate to them ([antonbabenko#609](https://github.com/actuarysailor/pre-commit-terraform/issues/609)) ([4a0e1fe](4a0e1fe))
* **`terraform_docs`:** Add support for custom markers to better support other formats than Markdown ([antonbabenko#752](https://github.com/actuarysailor/pre-commit-terraform/issues/752)) ([cd090b6](cd090b6))
* **`terraform_docs`:** Drop support for `terraform-docs` <0.12.0 ([antonbabenko#717](https://github.com/actuarysailor/pre-commit-terraform/issues/717)) ([81e4572](81e4572))
* **`terraform_docs`:** Start seamless migration to `terraform-docs` markers ([antonbabenko#701](https://github.com/actuarysailor/pre-commit-terraform/issues/701)) ([d03f44f](d03f44f))
* **`terraform_fmt`:** Add support for `.tftest.hcl` and `.tfmock.hcl` formatting ([antonbabenko#911](https://github.com/actuarysailor/pre-commit-terraform/issues/911)) ([7433e13](7433e13)), closes [hashicorp/terraform internal/command/fmt.go#L30-L35](https://github.com/hashicorp/terraform/blob/0c63fb2b097edcd5cb1a91322765a414206fbea2/internal/command/fmt.go#L30-L35)
* **`terraform_providers_lock`:** Add `--mode` option and deprecate previous workflow ([antonbabenko#528](https://github.com/actuarysailor/pre-commit-terraform/issues/528)) ([2426b52](2426b52))
* **`terraform-docs`:** Add support for `replace` mode for TF 0.12+; Use native saving to file for TF 0.12+. Both require `terraform-docs` v0.12.0+, which was released in 2021. ([antonbabenko#705](https://github.com/actuarysailor/pre-commit-terraform/issues/705)) ([1a1b4a3](1a1b4a3))
* Add __GIT_WORKING_DIR__ to terraform_checkov ([antonbabenko#399](https://github.com/actuarysailor/pre-commit-terraform/issues/399)) ([ae88ed7](ae88ed7))
* add __GIT_WORKING_DIR__ to tfsec ([antonbabenko#255](https://github.com/actuarysailor/pre-commit-terraform/issues/255)) ([2973f85](2973f85))
* Add `--retry-once-with-cleanup` to `terraform_validate` ([antonbabenko#441](https://github.com/actuarysailor/pre-commit-terraform/issues/441)) ([96fe3ef](96fe3ef))
* Add `terraform_docs` hook settings ([antonbabenko#245](https://github.com/actuarysailor/pre-commit-terraform/issues/245)) ([7b11401](7b11401))
* Add `terragrunt_providers_lock` hook ([antonbabenko#632](https://github.com/actuarysailor/pre-commit-terraform/issues/632)) ([77940fd](77940fd))
* Add `terragrunt_validate_inputs` hook to check unused and undefined inputs ([antonbabenko#677](https://github.com/actuarysailor/pre-commit-terraform/issues/677)) ([a139b71](a139b71))
* Add checkov support ([antonbabenko#143](https://github.com/actuarysailor/pre-commit-terraform/issues/143)) ([293b64c](293b64c))
* Add GH checks and templates ([antonbabenko#222](https://github.com/actuarysailor/pre-commit-terraform/issues/222)) ([53a866e](53a866e))
* Add infracost_breakdown hook ([antonbabenko#252](https://github.com/actuarysailor/pre-commit-terraform/issues/252)) ([cff42e6](cff42e6))
* Add mixed line ending check to prevent possible errors ([antonbabenko#221](https://github.com/actuarysailor/pre-commit-terraform/issues/221)) ([c920368](c920368))
* Add new hook for `terraform providers lock` operation ([antonbabenko#173](https://github.com/actuarysailor/pre-commit-terraform/issues/173)) ([d69e86d](d69e86d))
* Add parallelism to major chunk of hooks. Check `Parallelism` section in README ([antonbabenko#620](https://github.com/actuarysailor/pre-commit-terraform/issues/620)) ([6c6eca4](6c6eca4))
* Add PATH outputs when TFLint found any problem ([antonbabenko#234](https://github.com/actuarysailor/pre-commit-terraform/issues/234)) ([ce02cd1](ce02cd1))
* Add possibility to share tflint config file for subdirs ([antonbabenko#149](https://github.com/actuarysailor/pre-commit-terraform/issues/149)) ([cf07b5e](cf07b5e))
* Add support for `pre-commit/pre-commit-hooks` in Docker image ([antonbabenko#374](https://github.com/actuarysailor/pre-commit-terraform/issues/374)) ([017da74](017da74))
* Add support for quoted values in `infracost_breakdown` `--hook-config` ([antonbabenko#269](https://github.com/actuarysailor/pre-commit-terraform/issues/269)) ([e2604ea](e2604ea))
* Add support for running hooks on `.tofu` files by default ([antonbabenko#875](https://github.com/actuarysailor/pre-commit-terraform/issues/875)) ([fe1f62f](fe1f62f))
* Add support for set env vars inside hook runtime ([antonbabenko#408](https://github.com/actuarysailor/pre-commit-terraform/issues/408)) ([d490231](d490231))
* Add support for specify terraform-docs config file ([antonbabenko#244](https://github.com/actuarysailor/pre-commit-terraform/issues/244)) ([25cddd9](25cddd9))
* Add support for version constraints in `tfupdate` ([antonbabenko#437](https://github.com/actuarysailor/pre-commit-terraform/issues/437)) ([a446642](a446642))
* add terragrunt validate hook ([antonbabenko#134](https://github.com/actuarysailor/pre-commit-terraform/issues/134)) ([f6caf21](f6caf21))
* Added `terraform_checkov` (run per folder), deprecated `checkov` hook ([antonbabenko#290](https://github.com/actuarysailor/pre-commit-terraform/issues/290)) ([e3a9834](e3a9834))
* Added Docker based pre-commit-hooks ([#1](#1)) ([f326080](f326080))
* Added semantic release ([antonbabenko#296](https://github.com/actuarysailor/pre-commit-terraform/issues/296)) ([1bcca44](1bcca44))
* Added support for `tfupdate` to update version constraints in Terraform configurations ([antonbabenko#342](https://github.com/actuarysailor/pre-commit-terraform/issues/342)) ([ef7a0f2](ef7a0f2))
* Added terraform_wrapper_module_for_each hook ([antonbabenko#376](https://github.com/actuarysailor/pre-commit-terraform/issues/376)) ([e4e9a73](e4e9a73))
* Added Terramate as sponsor ([antonbabenko#676](https://github.com/actuarysailor/pre-commit-terraform/issues/676)) ([dae1a48](dae1a48))
* Adding init to terraform_tflint hook ([antonbabenko#352](https://github.com/actuarysailor/pre-commit-terraform/issues/352)) ([1aff30f](1aff30f))
* Adds support for Terrascan ([antonbabenko#195](https://github.com/actuarysailor/pre-commit-terraform/issues/195)) ([fee2387](fee2387))
* Allow `terraform_providers_lock` specify terraform init args ([antonbabenko#406](https://github.com/actuarysailor/pre-commit-terraform/issues/406)) ([32b232f](32b232f))
* Allow env vars expansion in `--args` section for all hooks ([antonbabenko#363](https://github.com/actuarysailor/pre-commit-terraform/issues/363)) ([caa01c3](caa01c3))
* Allow passing of args to terraform_fmt ([antonbabenko#147](https://github.com/actuarysailor/pre-commit-terraform/issues/147)) ([de2f624](de2f624))
* Allow running container as non-root UID/GID for ownership issues (docker) ([antonbabenko#433](https://github.com/actuarysailor/pre-commit-terraform/issues/433)) ([abc2570](abc2570))
* **ci:** Build multi-arch Docker images (`amd64`, `arm64`) ([antonbabenko#496](https://github.com/actuarysailor/pre-commit-terraform/issues/496)) ([923c2c6](923c2c6))
* **deps:** Bump Python version in docker image from 3.11.5 to v3.12.0 ([antonbabenko#597](https://github.com/actuarysailor/pre-commit-terraform/issues/597)) ([28e3cde](28e3cde))
* **docker:** Add ssh-client to Docker image to access private modules via ssh ([antonbabenko#553](https://github.com/actuarysailor/pre-commit-terraform/issues/553)) ([1d76157](1d76157))
* **docker:** Support execution on repos under `git worktree` ([antonbabenko#845](https://github.com/actuarysailor/pre-commit-terraform/issues/845)) ([e64974e](e64974e))
* Expand environment variables in `--args=` which contain lowercase symbols, like `${TF_VAR_lowercase}` ([antonbabenko#719](https://github.com/actuarysailor/pre-commit-terraform/issues/719)) ([bf156b4](bf156b4))
* have option for terraform_tfsec hook to only run in relevant modified directories ([antonbabenko#135](https://github.com/actuarysailor/pre-commit-terraform/issues/135)) ([108c75f](108c75f))
* Hook terraform_wrapper_module_for_each should use versions.tf from the module if it exists ([antonbabenko#657](https://github.com/actuarysailor/pre-commit-terraform/issues/657)) ([b127601](b127601))
* Improve performance during `pre-commit --all (-a)` run ([antonbabenko#327](https://github.com/actuarysailor/pre-commit-terraform/issues/327)) ([7e7c916](7e7c916))
* Improved speed of `pre-commit run -a` for multiple hooks ([antonbabenko#338](https://github.com/actuarysailor/pre-commit-terraform/issues/338)) ([579dc45](579dc45))
* Make terraform_validate to run init if necessary ([antonbabenko#158](https://github.com/actuarysailor/pre-commit-terraform/issues/158)) ([d303bff](d303bff))
* Pass custom arguments to terraform init in `terraform_validate` hook ([antonbabenko#293](https://github.com/actuarysailor/pre-commit-terraform/issues/293)) ([45575c3](45575c3))
* Removed `coreutils` (realpath) from dependencies for MacOS ([antonbabenko#368](https://github.com/actuarysailor/pre-commit-terraform/issues/368)) ([944a2e5](944a2e5))
* Set up PR reviewers automatically ([antonbabenko#258](https://github.com/actuarysailor/pre-commit-terraform/issues/258)) ([cc59119](cc59119))
* Skip legacy modules (with provider block) in terraform_wrapper_module_for_each hook ([antonbabenko#560](https://github.com/actuarysailor/pre-commit-terraform/issues/560)) ([456cc76](456cc76))
* Speedup `terraform_validate` - first try to run validate without checking whether `.terraform/` is valid ([antonbabenko#524](https://github.com/actuarysailor/pre-commit-terraform/issues/524)) ([d0d08ac](d0d08ac))
* Support for TFSec ([antonbabenko#103](https://github.com/actuarysailor/pre-commit-terraform/issues/103)) ([2be8fe5](2be8fe5))
* Support set custom TF/OpenTofu binary. | If you use a custom Docker image build, please note that `TERRAFORM_VERSION` now must be provided ([antonbabenko#670](https://github.com/actuarysailor/pre-commit-terraform/issues/670)) ([c7011c0](c7011c0))
* Suppress color for all hooks if `PRE_COMMIT_COLOR=never` set ([antonbabenko#409](https://github.com/actuarysailor/pre-commit-terraform/issues/409)) ([b12f0c6](b12f0c6))
* TFLint: Add `--hook-config=--delegate-chdir` to use `tflint -chdir` ([antonbabenko#512](https://github.com/actuarysailor/pre-commit-terraform/issues/512)) ([1e9debc](1e9debc))
* **trivy:** Add `terraform_trivy` hook and deprecate `terraform_tfsec` ([antonbabenko#606](https://github.com/actuarysailor/pre-commit-terraform/issues/606)) ([f3c819a](f3c819a))
* Updated Docker image from Ubuntu to Alpine ([antonbabenko#278](https://github.com/actuarysailor/pre-commit-terraform/issues/278)) ([71302a9](71302a9))
* When a config file is given, do not specify formatter on cli (terraform_docs) ([antonbabenko#386](https://github.com/actuarysailor/pre-commit-terraform/issues/386)) ([962054b](962054b))
* fix: Build image workflow

* fix: Relocate permissions block?

* chore: Add a test to workflow to check things

* fix: Debugging snippet needed the matrix

* fix: Output entire JSON from REST API

* fix: Still trying to debug

* fix: One last verification of the token

* fix: Test permissions

* fix: Restore workflow

coderabbitai bot commented Aug 12, 2025

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

📝 Walkthrough

Summary by CodeRabbit

  • New Features

    • Introduced a dedicated tools Docker image for Terraform-related tooling.
    • Added Docker-based pre-commit hooks (fmt, validate, docs, tflint, checkov, trivy, infracost).
    • Provided an example configuration for Docker-based hooks.
  • CI

    • Expanded build pipeline to support multiple images with dynamic tagging and smoke tests.
    • Enabled auto-builds on Dockerfile/workflow changes and added main branch triggers across workflows.
  • Documentation

    • Added comprehensive guidance for Docker-based hooks and updated examples/links.
  • Chores

    • Adjusted Docker build context to include required files.

Walkthrough

Adds a Docker-based tools image and Docker-backed pre-commit hooks, updates README and examples, includes .dockerignore inclusions for hook assets, and refactors GitHub Actions workflows to a matrix-based, per-Dockerfile build/test flow while expanding CI triggers to include main and Dockerfile* paths.

Changes

  • Docker tooling image: Dockerfile.tools
    Adds a multi-stage tools image that installs many Terraform-related tools via ARGs/INSTALL_ALL, sets up hook scripts and binaries, and provides a bash CMD/runtime environment for running tools.
  • Pre-commit hooks (Docker variants): .pre-commit-hooks.yaml
    Adds seven Docker-based hook entries (fmt, validate, tflint, docs, checkov, trivy, infracost) pointing at a tools image, with files/excludes, serial settings, and Docker execution semantics.
  • Workflows: build & test (matrix + metadata): .github/workflows/build-image.yaml, .github/workflows/build-image-test.yaml
    Converts CI to a matrix with per-entry dockerfile and image_name, uses docker/metadata-action for tags/labels, dynamically builds/pushes per-matrix Dockerfiles (including Dockerfile.tools), and adds conditional smoke/test steps for the tools image.
  • Workflow triggers & minor CI updates: .github/workflows/release.yml, .github/workflows/codeql.yml, .github/workflows/scorecards.yml
    Adds main to push triggers, expands watched paths (workflow files and Dockerfile*), swaps release token usage to secrets.GITHUB_TOKEN, and removes a top-level permissions block in release.
  • Docs and examples: README.md, examples/.pre-commit-config-docker.yaml
    Adds Docker-based hooks documentation, usage notes, examples, and an example pre-commit config demonstrating the new docker-based hooks.
  • Build context / Docker ignore: .dockerignore
    Adds negated patterns to explicitly include hooks/*.sh, lib_getopt, and src/ in the Docker build context.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Dev
  participant PreCommit as pre-commit
  participant ToolsImg as Tools Docker Image

  Dev->>PreCommit: commit / push triggers hooks
  PreCommit->>ToolsImg: run docker-based hook (e.g., terraform_validate_docker)
  ToolsImg->>ToolsImg: execute tool (terraform/tflint/checkov/...)
  ToolsImg-->>PreCommit: return exit code & output
  PreCommit-->>Dev: hook result
sequenceDiagram
  autonumber
  participant GitHub as GitHub Actions
  participant Buildx as Docker Buildx
  participant GHCR as GHCR

  GitHub->>GitHub: trigger (push/PR/schedule)
  GitHub->>GitHub: matrix over {Dockerfile, Dockerfile.tools}
  GitHub->>Buildx: build (file = matrix.dockerfile)
  Buildx-->>GitHub: image built
  GitHub->>GHCR: push (tags/labels from metadata)
  alt matrix.dockerfile == Dockerfile.tools
    GitHub->>GitHub: run tools smoke/test steps
  end

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Assessment against linked issues

Objective Addressed Explanation
Provide easy Docker-based execution of hooks without local deps (#418)
Provide preloaded/automated tool dependencies or versioned installs for hooks (#722)

Assessment against linked issues: Out-of-scope changes

Code Change Explanation
Add main branch to CodeQL push trigger (.github/workflows/codeql.yml) CI trigger maintenance; unrelated to dockerized hooks or dependency automation objectives.
Add main branch to Scorecards push trigger (.github/workflows/scorecards.yml) Security workflow trigger update not required by the linked issues.
Release workflow token/path/permission changes (.github/workflows/release.yml) Release process adjustments outside the scope of providing dockerized hooks or preloading tools.
Broad build workflow refactor beyond Dockerfile.tools handling (.github/workflows/build-image.yaml) General workflow modernization (metadata-driven tagging, registry env) exceeds the specific objectives; only Dockerfile.tools support directly ties to issues.

Suggested reviewers

  • antonbabenko
  • yermulnik

Summary by CodeRabbit

  • New Features

    • Introduced a standalone tools Docker image for Terraform-related tooling.
    • Added Docker-based pre-commit hooks (fmt, validate, tflint, terraform-docs, checkov, trivy, infracost).
    • Provided an example Docker-based pre-commit configuration.
  • Documentation

    • Added comprehensive guidance on Docker-based hooks, usage, and limitations.
    • Updated tags information and references.
  • Chores

    • Expanded Docker build context and added .dockerignore inclusions.
    • Overhauled CI to matrix-driven multi-image builds with metadata-based tagging and registry config.
    • Enabled additional triggers and branch coverage (main) across workflows; improved release flow.
  • Tests

    • Added smoke tests for the tools image in CI.

Walkthrough

Adds a Docker-based tools image and Docker-backed pre-commit hooks, updates README and examples, includes .dockerignore inclusions for hook assets, and refactors GitHub Actions workflows to a matrix-based, per-dockerfile build/test flow while expanding CI triggers to include main and Dockerfile* paths.

Changes

  • Docker tooling image: Dockerfile.tools
    Adds a multi-stage tools image installing many Terraform-related tools, supports per-tool ARGs and INSTALL_ALL, sets up hook scripts and environment, and exposes a bash CMD for direct use.
  • Pre-commit hooks (Docker variants): .pre-commit-hooks.yaml
    Adds seven Docker-based hook entries (terraform_fmt_docker, terraform_validate_docker, terraform_tflint_docker, terraform_docs_docker, terraform_checkov_docker, terraform_trivy_docker, infracost_breakdown_docker) using a tools image with appropriate args, files/excludes, and serial settings.
  • Workflow: build & test images (matrix + metadata): .github/workflows/build-image.yaml, .github/workflows/build-image-test.yaml
    Converts image workflows to a matrix with per-entry dockerfile and image_name, uses docker/metadata-action for tags/labels, dynamically builds/pushes per-matrix Dockerfiles (including Dockerfile.tools), and adds conditional smoke/test steps for the tools image.
  • Workflow triggers & release/CI updates: .github/workflows/release.yml, .github/workflows/codeql.yml, .github/workflows/scorecards.yml
    Adds main to push triggers, expands watched paths (workflow files and Dockerfile*), swaps release token usage to secrets.GITHUB_TOKEN, and removes a top-level permissions block in release.
  • Docs and examples: README.md, examples/.pre-commit-config-docker.yaml
    Adds Docker-based hooks documentation, mapping and usage guidance, CI notes, and an example pre-commit config demonstrating the new docker-based hooks; minor wording/link updates.
  • Build context / Docker ignore: .dockerignore
    Adds negated patterns to explicitly include hooks/*.sh, lib_getopt, and src/ in the Docker build context.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Dev
  participant PreCommit as pre-commit
  participant ToolsImg as Tools Docker Image

  Dev->>PreCommit: commit / push triggers hooks
  PreCommit->>ToolsImg: run docker-based hook (e.g., terraform_validate_docker)
  ToolsImg->>ToolsImg: execute tool (terraform/tflint/checkov/...)
  ToolsImg-->>PreCommit: return exit code & output
  PreCommit-->>Dev: hook result
sequenceDiagram
  autonumber
  participant GitHub as GitHub Actions
  participant Buildx as Docker Buildx
  participant GHCR as GHCR

  GitHub->>GitHub: trigger (push/PR/schedule)
  GitHub->>GitHub: matrix over {Dockerfile, Dockerfile.tools}
  GitHub->>Buildx: build (file = matrix.dockerfile)
  Buildx-->>GitHub: image built
  GitHub->>GHCR: push (tags/labels from metadata)
  alt matrix.dockerfile == Dockerfile.tools
    GitHub->>GitHub: run tools smoke/test steps
  end

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Assessment against linked issues

Objective Addressed Explanation
Provide easy Docker-based execution of hooks without local deps (#418)
Provide preloaded/automated tool dependencies or versioned installs for hooks (#722)

Assessment against linked issues: Out-of-scope changes

Code change and explanation:

  • Add main branch to CodeQL push trigger (.github/workflows/codeql.yml): CI trigger maintenance; not required by dockerized hooks or dependency automation objectives.
  • Add main branch to Scorecards push trigger (.github/workflows/scorecards.yml): Security workflow trigger update unrelated to the stated objectives.
  • Release workflow token/path/permission changes (.github/workflows/release.yml): Release process adjustments outside the scope of providing dockerized hooks or preloading tools.
  • Broad build workflow refactor beyond Dockerfile.tools handling (.github/workflows/build-image.yaml): Large workflow modernization and metadata-driven tagging exceed the specific objectives; only Dockerfile.tools support directly ties to issues.

Suggested reviewers

  • antonbabenko
  • yermulnik

Author

New file, not used, just an example pre-commit-config file for anyone wanting to use it... I have it pointing to my repo at the moment because you don't have the embedded pre-commit-hooks for Docker.

Author

Simply added documentation regarding the new hooks. Note I made them new hooks to avoid this being a "breaking change" for you. I also didn't modify your Dockerfile for that same reason. Wasn't sure if your Dockerfile was intended to do this but hadn't gotten there yet, but I tried to make this not be a breaking change. So most of the changes are adding additional parallel GitHub Actions matrices etc., so that the workflow is largely the same, just has more parallel permutations to accomplish the Dockerfile.tools build and test it etc.

Author

New Dockerfile to avoid it being a breaking change.

Author

The new pre-commit hooks; left your original ones unchanged.

Author

Added main because I normally fork to master and only allow upstream updates to come in, then use main for my main in case I want to use it before a PR is approved.

Author

Added main because I normally fork to master and only allow upstream updates to come in, then use main for my main in case I want to use it before a PR is approved. Also made it both Dockerfiles and the release workflow so I could trigger it when I changed it. Modified to use the built-in GITHUB_TOKEN because that is the only way for "fresh/new" packages to auto-attribute to the parent repo; a PAT orphans them until you go add them to a repo.

Author

Added main because I normally fork to master and only allow upstream updates to come in, then use main for my main in case I want to use it before a PR is approved.

Author

Largely the same, but got rid of the need for your "if schedule, do these jobs; if not, do these other jobs" by using one of the other standard Docker actions. Was able to clean up the jobs a bit and basically do the same thing - you might want to double-check though.

Author

Largely just matrix blow-out to handle the additional Dockerfile.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 12

🔭 Outside diff range comments (4)
.github/workflows/release.yml (1)

39-50: Ensure downstream workflows trigger correctly

Switching to the default GITHUB_TOKEN here will prevent any workflows that listen for release events (e.g., your Docker-build workflow) from running, as noted in the inline comment.

• Location: .github/workflows/release.yml (lines 46–49)
• Current snippet:

    env:
      # Custom token for triggering Docker image build GH Workflow on release
      # created by cycjimmy/semantic-release-action. Events created by
      # workflows with default GITHUB_TOKEN not trigger other GH Workflow.
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Possible fixes:

  1. Restore a PAT with the needed scopes:
        env:
    -   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    +   GITHUB_TOKEN: ${{ secrets.SEMANTIC_RELEASE_TOKEN }}
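Review bot: `secrets.SEMANTIC_RELEASE_TOKEN` is a placeholder secret name the repository may not define, and restoring a PAT reverses the author's stated reason for the switch (new GHCR packages only auto-attribute to the parent repository when published with the built-in `GITHUB_TOKEN`; see the author's comment on the release workflow above). Whichever token is kept, the inline comment above the value has to agree with it: as the hunk stands, the comment explains why a custom token is required while the value is the default `GITHUB_TOKEN` the comment warns about.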
  2. Refactor downstream workflows to use workflow_run instead of release:
    on:
      workflow_run:
        workflows: ["Release"]
        types: [completed]

Please confirm which approach you’d like to take before merging.

.pre-commit-hooks.yaml (1)

182-263: Pin Docker image to an immutable tag/digest instead of latest

Using :latest makes runs non-reproducible and increases supply-chain risk. Pin the image for deterministic results and to pass Scorecards/reproducibility checks.

Apply this pattern across all Docker entries (example shown for two hooks):

-  entry: ghcr.io/actuarysailor/pre-commit-terraform-tools:latest
+  entry: ghcr.io/actuarysailor/pre-commit-terraform-tools:vX.Y.Z

Or even better, pin by digest:

-  entry: ghcr.io/actuarysailor/pre-commit-terraform-tools:latest
+  entry: ghcr.io/actuarysailor/pre-commit-terraform-tools@sha256:<immutable_digest>

If you prefer to keep a moving tag, document how users can override the image in their .pre-commit-config.yaml, but defaulting to a pinned reference here is strongly recommended.

.dockerignore (1)

6-11: Ensure Dockerfile.tools is included and remove redundant entries

  • Add !Dockerfile* to include multi-variant Dockerfiles (e.g., Dockerfile.tools) in the build context.
  • !hooks/ already includes hook scripts; !hooks/*.sh is redundant.
  • !lib_getopt is duplicated.

Apply:

 *
 !.dockerignore
-!Dockerfile
+!Dockerfile*
 !tools/entrypoint.sh
 !tools/install/*.sh
 !hooks/
 !lib_getopt
 !src/
-!hooks/*.sh
-!lib_getopt
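Review bot: `!Dockerfile*` un-ignores every file whose name starts with `Dockerfile`, including local scratch copies such as `Dockerfile.bak`, which would then land in the build context and invalidate the layer cache; if only `Dockerfile` and `Dockerfile.tools` are intended, list them explicitly (`!Dockerfile` plus `!Dockerfile.tools`). Dropping `!hooks/*.sh` and the second `!lib_getopt` is correct, since `!hooks/` and the earlier `!lib_getopt` already cover them.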
.github/workflows/build-image-test.yaml (1)

47-57: Build trigger misses key sources now embedded in the image.

Since Dockerfile now copies hooks/, lib_getopt, and src/pre_commit_terraform into the image, changes to those should trigger a rebuild/test. Add them to the change detector, or you risk stale images in PR tests.

       with:
         files: |
           .dockerignore
           .github/workflows/build-image-test.yaml
           ${{ matrix.dockerfile }}
           tools/entrypoint.sh
           tools/install/*.sh
+          .pre-commit-hooks.yaml
+          hooks/**
+          lib_getopt
+          src/**
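Review bot: `.pre-commit-hooks.yaml` does not belong in this change detector unless it is copied into the image; the motivating sentence names only `hooks/`, `lib_getopt` and `src/pre_commit_terraform`, so adding it would trigger image rebuilds for hook-metadata edits that cannot change the image. Keep `hooks/**`, `lib_getopt` and `src/**`, and drop the first added line unless the Dockerfile actually consumes that file.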
🧹 Nitpick comments (5)
.pre-commit-hooks.yaml (1)

228-239: Consider always_run for full-repo scanners

checkov and similar scanners operate on -d . and do not benefit from filename filtering. Consider always_run: true for predictability in CI. If you intentionally depend on path filters for performance, ignore this.

Apply this small change if desired:

-  always_run: false
+  always_run: true
Dockerfile (1)

156-160: Ensure hooks’ executability and pick one destination path.

If you keep only /usr/bin/hooks (recommended), the chmod here is sufficient. If you insist on keeping the /usr/local/bin/hooks copy, you should chmod there too to avoid “permission denied” when the repo doesn’t preserve exec bits.

Option A (preferred; single location): keep as-is after removing the earlier /usr/local/bin copy.

Option B (if retaining both locations): also chmod /usr/local/bin/hooks.

 RUN chmod +x /usr/bin/hooks/*.sh
+RUN [ -d /usr/local/bin/hooks ] && chmod +x /usr/local/bin/hooks/*.sh || true
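Review bot: `[ -d /usr/local/bin/hooks ] && chmod +x /usr/local/bin/hooks/*.sh || true` also swallows a genuine `chmod` failure (for instance an unmatched glob when the directory exists but is empty), so a broken copy would go unnoticed at build time. `RUN if [ -d /usr/local/bin/hooks ]; then chmod +x /usr/local/bin/hooks/*.sh; fi` skips only when the directory is absent and still fails the build on a real error; or, per Option A above, keep a single location and drop this line entirely.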
.github/workflows/build-image-test.yaml (1)

141-153: Expand smoke tests or leave minimal—both are acceptable.

Minimal version checks for terraform, terraform-docs, and tflint are fine. Consider adding a cheap check for checkov/trivy presence if they’re part of the tools image to catch regressions.

Example:

         docker run --rm "$TOOLS_IMAGE" terraform --version
         docker run --rm "$TOOLS_IMAGE" terraform-docs --version
         docker run --rm "$TOOLS_IMAGE" tflint --version
+        docker run --rm "$TOOLS_IMAGE" sh -lc 'command -v checkov >/dev/null && checkov --version || true'
+        docker run --rm "$TOOLS_IMAGE" sh -lc 'command -v trivy  >/dev/null && trivy --version  || true'
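Review bot: the trailing `|| true` on both added lines makes the new checks unable to fail, which defeats the stated goal of catching regressions: a tools image missing `checkov` or `trivy` still passes the smoke test. Since the PR's `Dockerfile.tools` installs both (`/install/checkov.sh`, `/install/trivy.sh`), call them like the three existing lines, e.g. `docker run --rm "$TOOLS_IMAGE" checkov --version`, and keep a `command -v` guard only for tools that are genuinely optional in the image.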
Dockerfile.tools (2)

70-85: Consolidate tool installation RUN commands for better layer efficiency.

Having separate RUN commands for each tool installation creates unnecessary Docker layers and increases image size.

-# Docker `RUN`s shouldn't be consolidated here
-# hadolint global ignore=DL3059
-RUN /install/opentofu.sh
-RUN /install/terraform.sh
-
-RUN /install/checkov.sh
-RUN /install/hcledit.sh
-RUN /install/infracost.sh
-RUN /install/terraform-docs.sh
-RUN /install/terragrunt.sh
-RUN /install/terrascan.sh
-RUN /install/tflint.sh
-RUN /install/tfsec.sh
-RUN /install/tfupdate.sh
-RUN /install/trivy.sh
+# Install infrastructure tools
+RUN /install/opentofu.sh && \
+    /install/terraform.sh
+
+# Install validation and security tools
+RUN /install/checkov.sh && \
+    /install/hcledit.sh && \
+    /install/infracost.sh && \
+    /install/terraform-docs.sh && \
+    /install/terragrunt.sh && \
+    /install/terrascan.sh && \
+    /install/tflint.sh && \
+    /install/tfsec.sh && \
+    /install/tfupdate.sh && \
+    /install/trivy.sh
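Review bot: the hunk deletes the comment `# Docker \`RUN\`s shouldn't be consolidated here` together with the `hadolint global ignore=DL3059` directive, i.e. the file records that the split was deliberate; a likely reason is layer caching (bumping one tool's version re-runs only that installer rather than the whole chain), and that should be confirmed with the maintainers before the `&&` chains are applied. If the consolidation does go in, remove the hadolint directive only if no other `RUN` sequence in the file still relies on it.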

146-154: Optimize conditional package installation logic.

The current logic uses grep to check version info files which could be error-prone. Consider using the environment variables directly.

-# Install hooks extra deps
-RUN if [ "$(grep -o '^terraform-docs SKIPPED$' /usr/bin/tools_versions_info)" = "" ]; then \
-        apk add --no-cache perl=~5 \
-    ; fi && \
-    if [ "$(grep -o '^infracost SKIPPED$' /usr/bin/tools_versions_info)" = "" ]; then \
-        apk add --no-cache jq=~1 \
-    ; fi && \
+# Install hooks extra deps
+RUN . /.env && \
+    if [ "$TERRAFORM_DOCS_VERSION" != "false" ]; then \
+        apk add --no-cache perl=~5; \
+    fi && \
+    if [ "$INFRACOST_VERSION" != "false" ]; then \
+        apk add --no-cache jq=~1; \
+    fi && \
     # Fix git runtime fatal:
     # unsafe repository ('/lint' is owned by someone else)
     git config --global --add safe.directory /lint
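Review bot: `. /.env`, the variables `TERRAFORM_DOCS_VERSION` / `INFRACOST_VERSION` and the sentinel value `false` are all assumptions not visible in this hunk, whereas the `grep` being replaced reads the `<tool> SKIPPED` markers that the existing install scripts write to `/usr/bin/tools_versions_info`. If `/.env` does not exist, `.` fails and the whole `RUN` fails; if the variable names differ, both conditions are true and perl and jq get installed for skipped tools as well. Verify the file and variable names in `Dockerfile.tools` before applying, or keep the grep.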
📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between acf85ff and 3e91a9c.

📒 Files selected for processing (12)
  • .dockerignore (1 hunks)
  • .github/workflows/build-image-test.yaml (5 hunks)
  • .github/workflows/build-image.yaml (2 hunks)
  • .github/workflows/codeql.yml (1 hunks)
  • .github/workflows/release.yml (2 hunks)
  • .github/workflows/scorecards.yml (1 hunks)
  • .pre-commit-hooks.yaml (1 hunks)
  • CHANGELOG.md (1 hunks)
  • Dockerfile (2 hunks)
  • Dockerfile.tools (1 hunks)
  • README.md (3 hunks)
  • examples/.pre-commit-config-docker.yaml (1 hunks)
🧰 Additional context used
🧬 Code Graph Analysis (3)
examples/.pre-commit-config-docker.yaml (2)
hooks/terraform_docs.sh (2)
  • terraform_docs (59-264)
  • main (18-29)
hooks/_common.sh (1)
  • common::per_dir_hook (285-429)
CHANGELOG.md (1)
hooks/terraform_docs.sh (3)
  • terraform_docs (59-264)
  • main (18-29)
  • replace_old_markers (41-48)
Dockerfile (7)
hooks/_common.sh (1)
  • common::per_dir_hook (285-429)
hooks/terraform_trivy.sh (1)
  • main (10-21)
hooks/terraform_docs.sh (2)
  • main (18-29)
  • terraform_docs (59-264)
hooks/tfupdate.sh (2)
  • main (10-30)
  • per_dir_hook_unique_part (46-64)
hooks/terraform_checkov.sh (1)
  • main (10-26)
hooks/terraform_fmt.sh (1)
  • main (10-23)
hooks/terraform_tflint.sh (1)
  • main (11-36)
🔇 Additional comments (15)
.github/workflows/codeql.yml (1)

17-17: Adding main to CodeQL triggers — LGTM

Extending push triggers to include the main branch is consistent with the broader CI updates.

.github/workflows/scorecards.yml (1)

16-16: Adding main to Scorecards triggers — LGTM

Matches the repo-wide move to support main. Pinned actions and permissions remain appropriate.

.pre-commit-hooks.yaml (1)

193-203: Ensure Terraform init runs before validate in the Docker hook

  • The existing shell-based hook (terraform_validate.sh) handles missing plugins by running terraform init on failure, but I didn’t see any terraform init or terraform validate logic in tools/entrypoint.sh.
  • Since you’re using the remote image ghcr.io/actuarysailor/pre-commit-terraform-tools:latest, we can’t confirm its entrypoint here. Without an explicit terraform init -backend=false -input=false, a fresh clone or CI run will make terraform validate error out.

Please verify that the container’s entrypoint performs:

terraform init -backend=false -input=false
terraform validate

If it does not, consider overriding the hook to chain init before validate, e.g.:

- id: terraform_validate_docker
  name: Terraform validate (Docker)
  entry: ghcr.io/actuarysailor/pre-commit-terraform-tools:latest
  language: docker_image
  args:
    - sh
    - -c
    - |
      terraform init -backend=false -input=false && \
      terraform validate
  pass_filenames: false
  files: \.(tf|tofu|tfvars|terraform\.lock\.hcl)$
  exclude: \.terraform/.*

Let me know if you’d like a patch to implement this.

README.md (2)

52-52: TOC anchor addition looks correct.

The anchor matches the section header slug; no issues.


1332-1332: Good practice: pin checkout to a commit SHA.

Using a pinned SHA for actions/checkout is a security best practice. LGTM.

.github/workflows/build-image-test.yaml (4)

25-37: Matrix entries for both Dockerfile variants look good.

Explicitly testing both Dockerfile and Dockerfile.tools across amd64 and arm64 is appropriate.


60-65: Dynamic IMAGE tagging logic is clear and correct.

Lowercasing repository and suffixing -tools for Dockerfile.tools improves clarity.


71-77: Passing the matrix Dockerfile explicitly is correct.

Good use of the file input; keeps the job generic across variants.


122-139: Multi-arch build step naming and gating are sound.

Naming per dockerfile variant clarifies logs; gating to ubuntu-latest avoids the --load limitation. LGTM.

Dockerfile.tools (1)

3-3: Python base image SHA256 hash verified

The digest sha256:9b8808206f4a956130546a32cbdd8633bc973b19db2923b7298e6f90cc26db08 for python:3.12-alpine matches the official Docker Hub manifest—no changes needed.

.github/workflows/build-image.yaml (5)

5-8: LGTM! Improved trigger configuration.

The addition of workflow and Dockerfile paths to the push trigger ensures the workflow runs when relevant files are modified, improving CI efficiency.


15-16: LGTM! Centralized registry configuration.

Using an environment variable for the registry makes it easier to change the registry location if needed in the future.


26-33: LGTM! Well-structured matrix strategy.

The matrix strategy properly separates the main image and tools image builds, allowing for parallel execution and different configurations per image type.


50-62: LGTM! Comprehensive tagging strategy.

The metadata extraction provides a robust tagging strategy covering different scenarios (branches, PRs, releases, nightly builds) with proper conditional logic.


78-78: Verify that nightly builds are excluded appropriately.

The condition excludes schedule events from testing, but this might prevent catching issues in nightly builds.

Consider whether nightly builds should also run tests to catch potential issues early. The current exclusion might miss regressions in nightly images.
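The image-pinning point raised above for `.pre-commit-hooks.yaml` (`:latest` versus a version tag versus a digest) can be turned into a repository check. The following is an added example, not code from this PR or from pre-commit-terraform: a standard-library Python scanner that reads the flat `- id:` list of a hooks file, takes the first token of each `docker_image` hook's `entry:` as the image reference and classifies how it is pinned; it goes slightly beyond the review text by also handling registry ports, other moving tags and a strict digest-only mode. The sample YAML is constructed to mirror the PR's `*_docker` entries, and the digest in it is a placeholder, not a real image digest.

```python
import re
import shlex
from dataclasses import dataclass

# Simplified image reference grammar:
#   [registry[:port]/]repository[:tag][@sha256:<64 hex digits>]
IMAGE_RE = re.compile(
    r"^(?P<name>(?:[A-Za-z0-9.-]+(?::\d+)?/)?[a-z0-9][a-z0-9._/-]*)"
    r"(?::(?P<tag>[A-Za-z0-9_][A-Za-z0-9._-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)
# Tags that registries re-point on every build; they never identify one image.
MOVING_TAGS = {"latest", "main", "master", "nightly", "edge", "dev", "stable"}
# Release-style tags (v1.101.0) are stable by convention but can still be re-pushed.
VERSION_TAG_RE = re.compile(r"^v?\d+(\.\d+){1,2}$")


@dataclass(frozen=True)
class Finding:
    hook_id: str
    image: str
    status: str  # pinned-digest | version-tag | other-tag | moving-tag | implicit-latest | unparseable
    ok: bool


def classify_image(ref: str, require_digest: bool = False) -> tuple[str, bool]:
    """Return (status, ok): only a digest is immutable; with require_digest=False
    a fixed-looking tag is tolerated, a moving or missing tag never is."""
    m = IMAGE_RE.match(ref)
    if not m:
        return "unparseable", False
    if m.group("digest"):
        return "pinned-digest", True
    tag = m.group("tag")
    if tag is None:  # Docker resolves a bare name to :latest
        return "implicit-latest", False
    if tag in MOVING_TAGS:
        return "moving-tag", False
    status = "version-tag" if VERSION_TAG_RE.match(tag) else "other-tag"
    return status, not require_digest


def parse_hooks(yaml_text: str) -> list[dict]:
    """Collect id/entry/language for each `- id:` item; other keys are ignored."""
    hooks: list[dict] = []
    current = None
    for raw in yaml_text.splitlines():
        line = re.sub(r"\s+#.*$", "", raw).rstrip()  # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = re.match(r"^\s*-\s+id:\s*(\S+)", line)
        if m:
            current = {"id": m.group(1)}
            hooks.append(current)
            continue
        m = re.match(r"^\s+(entry|language):\s*(.+)$", line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip().strip("'\"")
    return hooks


def check_hooks_yaml(yaml_text: str, require_digest: bool = False) -> list[Finding]:
    """One Finding per docker_image hook; script-based hooks are skipped."""
    findings = []
    for hook in parse_hooks(yaml_text):
        if hook.get("language") != "docker_image":
            continue
        entry = hook.get("entry", "")
        # pre-commit splits `entry` shell-style: the first token is the image,
        # the rest is the command passed to the container.
        image = shlex.split(entry)[0] if entry.strip() else ""
        status, ok = classify_image(image, require_digest)
        findings.append(Finding(hook["id"], image, status, ok))
    return findings


# Constructed sample modelled on the PR's *_docker entries; the digest is a
# placeholder pattern, not a real image digest.
CONSTRUCTED_DIGEST = "sha256:" + "0123456789abcdef" * 4
SAMPLE_HOOKS_YAML = f"""
- id: terraform_fmt_docker
  entry: ghcr.io/actuarysailor/pre-commit-terraform-tools:latest
  language: docker_image
  files: \\.tf$
- id: terraform_validate_docker
  entry: ghcr.io/actuarysailor/pre-commit-terraform-tools:v1.101.0 terraform validate
  language: docker_image
- id: terraform_tflint_docker
  entry: ghcr.io/actuarysailor/pre-commit-terraform-tools@{CONSTRUCTED_DIGEST}
  language: docker_image
- id: terraform_fmt  # script-based hook, skipped by the check
  entry: hooks/terraform_fmt.sh
  language: script
"""

if __name__ == "__main__":
    for f in check_hooks_yaml(SAMPLE_HOOKS_YAML):
        print(f"{'ok ' if f.ok else 'FIX'} {f.hook_id}: {f.image} ({f.status})")
```

Run with `require_digest=True` in CI to enforce the digest form the review recommends; the default mode accepts version tags but still fails on `:latest`.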

Author

Not sure if you want this; I think Copilot added it and I didn't see any issue with it.

actuarysailor and others added 2 commits August 12, 2025 14:26
## [1.0.1](v1.0.0...v1.0.1) (2025-08-12)

### Bug Fixes

* Build Docker image workflow ([#4](#4)) ([3e91a9c](3e91a9c))
@actuarysailor actuarysailor marked this pull request as ready for review August 12, 2025 18:30
@Copilot Copilot AI review requested due to automatic review settings August 12, 2025 18:30
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

♻️ Duplicate comments (1)
CHANGELOG.md (1)

12-167: Replace foreign 1.0.0 block with a concise, correct entry for Docker-based hooks (canonical repo + heading levels).

Issues in this block:

Replace the entire 1.0.0 block with a single entry summarizing this PR’s scope, using the canonical repo, correct heading level (H2), and accurate compare link. Suggested content aligns with PR #925 and linked issues #418 and #722.

-# 1.0.0 (2025-08-12)
-
-### Bug Fixes
-... hundreds of items with foreign org links and malformed URLs ...
-
-### Features
-... hundreds of items with foreign org links and malformed URLs ...
+## [1.101.0](https://github.com/antonbabenko/pre-commit-terraform/compare/v1.100.0...v1.101.0) (2025-08-12)
+
+### Features
+- Docker-based hooks: add terraform_fmt_docker, terraform_validate_docker, terraform_tflint_docker, terraform_docs_docker, terraform_checkov_docker, terraform_trivy_docker, infracost_breakdown_docker.
+- Tools image: introduce Dockerfile.tools packaging Terraform tooling used by the Docker hooks.
+- CI: update workflows to build/test and publish the tools image; matrix supports Dockerfile and Dockerfile.tools.
+- Docs: document Docker-based hooks and usage; add docker example config (.pre-commit-config-docker.yaml).
+
+References: [#418](https://github.com/antonbabenko/pre-commit-terraform/issues/418), [#722](https://github.com/antonbabenko/pre-commit-terraform/issues/722), [PR #925](https://github.com/antonbabenko/pre-commit-terraform/pull/925)
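Review bot: the `-` side of this diff is a prose summary (`... hundreds of items with foreign org links and malformed URLs ...`) rather than the literal lines, so it cannot be applied as a patch and has to be done by hand or by regenerating the changelog. The proposed `## [1.101.0](.../compare/v1.100.0...v1.101.0)` header also presumes the next version number and a compare link that semantic-release produces itself, so a hand-written entry risks diverging from the released tag.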

Notes:

  • This uses H2 for the release entry under the top-level “Changelog” H1 (fixes MD001).
  • All links point to the canonical repository namespace.
  • Removes malformed links and the foreign history dump; summarizes only this PR’s scope per semantic-release style.
🧹 Nitpick comments (3)
CHANGELOG.md (3)

15-15: Fix heading level under “Changelog” (MD001).

“### Bug Fixes” currently follows a “# 1.0.0” heading, which skips H2. With the proposed replacement above, the release becomes H2 and “### Bug Fixes/Features” becomes H3, resolving the linter warning.


22-22: Malformed URL detected; validate and correct.

This link contains a duplicated “github.com” and “issues/L216” path that will 404:

The full 1.0.0 block is being removed per the previous comment; if retained for any reason, fix to a proper blob anchor or issue link.


112-113: Strong emphasis via underscores likely unintended (MD050).

Entries like “Add GIT_WORKING_DIR ...” render as bold per Markdown rules. Use code formatting instead: __GIT_WORKING_DIR__.

This becomes moot if the block is replaced, but calling it out for completeness.

-* Add __GIT_WORKING_DIR__ to terraform_checkov (...)
-* add __GIT_WORKING_DIR__ to tfsec (...)
+* Add `__GIT_WORKING_DIR__` to `terraform_checkov` (...)
+* Add `__GIT_WORKING_DIR__` to `tfsec` (...)
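Review bot: besides wrapping `__GIT_WORKING_DIR__`, `terraform_checkov` and `tfsec` in backticks, the second `+` line also capitalises `add` to `Add`, altering the original commit subject; that is fine as a cosmetic fix, but these entries are generated from commit messages by semantic-release, so a manual edit here is overwritten on the next release unless the generator configuration changes.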
📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3e91a9c and 17aa365.

📒 Files selected for processing (1)
  • CHANGELOG.md (1 hunks)
🧰 Additional context used
🪛 markdownlint-cli2 (0.17.2)
CHANGELOG.md

15-15: Heading levels should only increment by one level at a time
Expected: h2; Actual: h3

(MD001, heading-increment)


112-112: Strong style
Expected: asterisk; Actual: underscore

(MD050, strong-style)


112-112: Strong style
Expected: asterisk; Actual: underscore

(MD050, strong-style)


113-113: Strong style
Expected: asterisk; Actual: underscore

(MD050, strong-style)


113-113: Strong style
Expected: asterisk; Actual: underscore

(MD050, strong-style)

actuarysailor and others added 2 commits August 12, 2025 15:05
# [1.101.0](v1.100.0...v1.101.0) (2025-08-12)

### Bug Fixes

* Build Docker image workflow ([#4](#4)) ([3e91a9c](3e91a9c))
* Changelog dysync due to tag issue ([aa0d873](aa0d873))

### Features

* Added Docker based pre-commit-hooks ([#1](#1)) ([f326080](f326080))
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

♻️ Duplicate comments (1)
CHANGELOG.md (1)

5-5: Use canonical repository namespace in release link

The release header links to the contributor’s fork. For the changelog in this repo, point to antonbabenko/pre-commit-terraform.

Apply this diff:

-# [1.101.0](https://github.com/actuarysailor/pre-commit-terraform/compare/v1.100.0...v1.101.0) (2025-08-12)
+# [1.101.0](https://github.com/antonbabenko/pre-commit-terraform/compare/v1.100.0...v1.101.0) (2025-08-12)
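Review bot: if the release header moves to `antonbabenko/pre-commit-terraform`, the issue and commit links in the same changelog block must move with it: the generated entries point at `https://github.com/actuarysailor/pre-commit-terraform/issues/...` (see the commit-message excerpt at the top of this conversation), so fixing only this header leaves the file mixing two namespaces. The compare link also assumes a `v1.100.0` tag exists in the canonical repository.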
🧹 Nitpick comments (1)
CHANGELOG.md (1)

8-8: markdownlint MD001: heading-level jump (H1 → H3)

The file uses H1 for release headers and H3 for “Bug Fixes/Features”. This triggers MD001. Given the rest of the changelog follows this pattern, prefer consistency and suppress the rule rather than changing levels only here.

Two options:

  • Keep as-is and add a local disable before the first subheading (and re-enable after), or project-wide config ignore for MD001.
  • Or, if maintainers agree to change structure, convert release headers to H2 (“## [x.y.z]”) and keep subsections at H3 across the file in a separate sweep.

Would you like me to submit a follow-up patch to add a markdownlint configuration override?

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 17aa365 and 8c61c89.

📒 Files selected for processing (1)
  • CHANGELOG.md (1 hunks)
🧰 Additional context used
🧠 Learnings (1)
📓 Common learnings
Learnt from: actuarysailor
PR: antonbabenko/pre-commit-terraform#925
File: examples/.pre-commit-config-docker.yaml:5-6
Timestamp: 2025-08-12T19:38:31.957Z
Learning: When contributing Docker-based pre-commit hooks, examples may temporarily need to reference the contributor's forked repository where the Docker image is built and published, until the PR is merged and the maintainer can update references to point to the canonical repository and publish the image from the official source.
🪛 markdownlint-cli2 (0.17.2)
CHANGELOG.md

8-8: Heading levels should only increment by one level at a time
Expected: h2; Actual: h3

(MD001, heading-increment)

@actuarysailor actuarysailor requested a review from Copilot August 15, 2025 22:42

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

♻️ Duplicate comments (1)
Dockerfile.tools (1)

160-179: Duplicate COPYs for hooks/lib_getopt are intentional for caching.

Acknowledging the prior rationale: duplicating to both /usr/bin and /usr/local/bin (and at this point in the Dockerfile) helps avoid cache busting/serial builds in CI. No change requested.

🧹 Nitpick comments (4)
Dockerfile.tools (4)

158-173: entrypoint.sh is copied but never used; either make it executable for future use or remove it.

At present ENTRYPOINT is empty. Keeping a non-executable, unused /entrypoint.sh is a minor smell.

Apply one of these:

  • If you want to keep it available:
 COPY tools/entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
  • If not needed:
-COPY tools/entrypoint.sh /entrypoint.sh
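Review bot: if the file is kept, set the mode in the copy step itself, `COPY --chmod=755 tools/entrypoint.sh /entrypoint.sh`, rather than adding a separate `RUN chmod +x` layer; it is one instruction instead of two and the file never exists in an intermediate layer without its executable bit (this form needs BuildKit, which current Docker uses by default). If the file is removed, also remove the matching line from `.dockerignore` if one was added for it, so the two stay in step.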

165-168: Combine ENV lines to reduce layers.

Minor layer optimization; keeps the Dockerfile tidy without changing behavior.

-ENV PRE_COMMIT_COLOR=${PRE_COMMIT_COLOR:-always}
-
-ENV INFRACOST_API_KEY=${INFRACOST_API_KEY:-}
-ENV INFRACOST_SKIP_UPDATE_CHECK=${INFRACOST_SKIP_UPDATE_CHECK:-false}
+ENV PRE_COMMIT_COLOR=${PRE_COMMIT_COLOR:-always} \
+    INFRACOST_API_KEY=${INFRACOST_API_KEY:-} \
+    INFRACOST_SKIP_UPDATE_CHECK=${INFRACOST_SKIP_UPDATE_CHECK:-false}
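Review bot: `INFRACOST_API_KEY=${INFRACOST_API_KEY:-}` does not belong in an `ENV` line at all, combined or not. Whatever value is present at build time is written into the image configuration, where `docker inspect` and `docker history` show it to anyone who can pull the image; if a matching `ARG` is ever declared, a key passed with `--build-arg` becomes part of the published image. Drop the key from the Dockerfile and let the user supply it at run time (the README already tells Docker users to set `INFRACOST_API_KEY`), keeping only the non-secret defaults `PRE_COMMIT_COLOR` and `INFRACOST_SKIP_UPDATE_CHECK` in the merged `ENV`.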

114-128: Optional: run as non-root for safer defaults.

Not strictly required for this tools image, but consider adding a non-root user and switching to it post-install to reduce risk when running in CI or dev shells.

For example (add near the end of the final stage):

# Create unprivileged user and switch
RUN adduser -D -u 10001 pct
USER 10001:10001

If some hooks need elevated permissions, you can document running with --user or temporarily su-exec.


129-136: Make COPY explicit for checkov binary

Replace the wildcard COPY in Dockerfile.tools (around lines 130–136) with explicit paths to avoid ambiguity across Docker versions:

- # Copy tools
- COPY --from=builder \
-     /usr/local/bin/pre-commit \
-     /bin_dir/ \
-     /usr/local/bin/checkov* \
-         /usr/bin/
+ # Copy tools
+ COPY --from=builder /usr/local/bin/pre-commit /usr/bin/pre-commit
+ COPY --from=builder /bin_dir/             /usr/bin/
+ COPY --from=builder /usr/local/bin/checkov /usr/bin/checkov
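Review bot: before replacing the glob, confirm in the builder stage what `/usr/local/bin/checkov*` currently matches (for example with an `ls` in the existing version-logging step), because the explicit `COPY --from=builder /usr/local/bin/checkov /usr/bin/checkov` silently leaves any second match behind and the gap would only surface when a hook runs in the final image. The `/bin_dir/` line keeps its trailing slash correctly; the first line should keep the destination as a file path exactly as shown, since `COPY a /usr/bin/pre-commit` and `COPY a /usr/bin/` behave differently when the destination does not yet exist.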

If your build actually produces multiple checkov-prefixed binaries (e.g. a wrapper or audit tool), list each one explicitly rather than relying on a glob.


📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

💡 Knowledge Base configuration:

  • MCP integration is disabled by default for public repositories
  • Jira integration is disabled by default for public repositories
  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 12e5de2 and 1731092.

📒 Files selected for processing (1)
  • Dockerfile.tools (1 hunks)
🧰 Additional context used
🧠 Learnings (5)
📓 Common learnings
Learnt from: actuarysailor
PR: antonbabenko/pre-commit-terraform#925
File: examples/.pre-commit-config-docker.yaml:5-6
Timestamp: 2025-08-12T19:38:31.957Z
Learning: When contributing Docker-based pre-commit hooks, examples may temporarily need to reference the contributor's forked repository where the Docker image is built and published, until the PR is merged and the maintainer can update references to point to the canonical repository and publish the image from the official source.
Learnt from: actuarysailor
PR: antonbabenko/pre-commit-terraform#925
File: README.md:344-357
Timestamp: 2025-08-15T22:32:20.677Z
Learning: For Docker-based pre-commit hooks, the Docker image is specified in the `entry` parameter, not in a separate `image` field. The correct format uses `language: docker_image` and `entry: <docker-image-name>` with any additional arguments.
Learnt from: actuarysailor
PR: antonbabenko/pre-commit-terraform#925
File: Dockerfile.tools:158-177
Timestamp: 2025-08-12T19:49:33.728Z
Learning: In Dockerfile.tools for the pre-commit-terraform project, the duplicate COPY operations for hooks/ and lib_getopt (copying to both /usr/bin and /usr/local/bin) are intentional to avoid Docker build caching issues and prevent the need for serial build steps that would make CI/CD workflows longer. This is a pragmatic trade-off prioritizing build performance over Dockerfile cleanliness.
📚 Learning: 2025-08-12T19:49:33.728Z
Learnt from: actuarysailor
PR: antonbabenko/pre-commit-terraform#925
File: Dockerfile.tools:158-177
Timestamp: 2025-08-12T19:49:33.728Z
Learning: In Dockerfile.tools for the pre-commit-terraform project, the duplicate COPY operations for hooks/ and lib_getopt (copying to both /usr/bin and /usr/local/bin) are intentional to avoid Docker build caching issues and prevent the need for serial build steps that would make CI/CD workflows longer. This is a pragmatic trade-off prioritizing build performance over Dockerfile cleanliness.

Applied to files:

  • Dockerfile.tools
📚 Learning: 2025-08-12T19:43:31.274Z
Learnt from: actuarysailor
PR: antonbabenko/pre-commit-terraform#925
File: Dockerfile.tools:92-108
Timestamp: 2025-08-12T19:43:31.274Z
Learning: In Dockerfile.tools, the version checking script at the end of the builder stage is intentionally designed to download the latest versions of tools when not specified in build args and echo the installed versions for verification/debugging purposes during the build process. This behavior is by design to track what actual tool versions end up in the container.

Applied to files:

  • Dockerfile.tools
📚 Learning: 2025-08-12T19:38:31.957Z
Learnt from: actuarysailor
PR: antonbabenko/pre-commit-terraform#925
File: examples/.pre-commit-config-docker.yaml:5-6
Timestamp: 2025-08-12T19:38:31.957Z
Learning: When contributing Docker-based pre-commit hooks, examples may temporarily need to reference the contributor's forked repository where the Docker image is built and published, until the PR is merged and the maintainer can update references to point to the canonical repository and publish the image from the official source.

Applied to files:

  • Dockerfile.tools
📚 Learning: 2025-08-15T22:32:20.677Z
Learnt from: actuarysailor
PR: antonbabenko/pre-commit-terraform#925
File: README.md:344-357
Timestamp: 2025-08-15T22:32:20.677Z
Learning: For Docker-based pre-commit hooks, the Docker image is specified in the `entry` parameter, not in a separate `image` field. The correct format uses `language: docker_image` and `entry: <docker-image-name>` with any additional arguments.

Applied to files:

  • Dockerfile.tools
🔇 Additional comments (7)
Dockerfile.tools (7)

24-31: Solid PRE_COMMIT_VERSION validation (prevents broken images).

Good guardrails: rejects "false" and empty values up-front. This avoids producing an unusable tools image.


54-70: INSTALL_ALL gate is now correct and explicit.

Syntax issues are resolved and invalid values fail fast with a clear error. This is deterministic and easy to reason about.


72-87: Intentional separate RUNs for caching are acceptable here.

Given the per-tool installers and desire for layer caching, keeping separate RUN steps is reasonable despite hadolint’s preference to squash.


94-110: Version logging is robust and debuggable.

Sourcing /.env, clearly marking SKIPPED, and tolerating missing tools with “ERROR” makes build logs actionable. This also aligns with the documented behavior of echoing actual tool versions.


147-153: Correct grep patterns prevent unnecessary package installs.

Using grep -q with the colon in “: SKIPPED” ensures perl/jq are installed only when needed, keeping the image lean.


1-3: Good base image pinning.

Using python:3.12-alpine with a digest ensures reproducible builds. Nice.


5-7: All installer scripts correctly honor TARGETOS and TARGETARCH

I’ve verified that each tools/install/*.sh script uses the TARGETOS/TARGETARCH build args to construct download URLs (with only the expected amd64 → x86_64 and amd64 → 64bit mappings) and there are no uname -m or arch fallbacks hardcoding architectures. No further changes required here.

actuarysailor and others added 2 commits August 15, 2025 18:47
@actuarysailor actuarysailor requested a review from Copilot August 15, 2025 22:52

@Copilot Copilot AI left a comment


Pull Request Overview

This PR adds comprehensive Docker-based hook support to pre-commit-terraform, enabling users to run Terraform tooling without local installations. The implementation provides Docker variants for 7 major hooks while maintaining full backward compatibility with existing script-based hooks.

  • Docker-based hooks using a pre-built image with all tools included
  • New Dockerfile.tools for building the tools container image
  • Updated CI/CD workflows to build and test both container images
  • Comprehensive documentation and example configurations

Reviewed Changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 5 comments.

File Description
.pre-commit-hooks.yaml Adds 7 new Docker-based hook definitions using docker_image language
Dockerfile.tools New multi-stage Dockerfile for building tools container with all dependencies
README.md Documents Docker hook usage with comparison table and examples
examples/.pre-commit-config-docker.yaml Complete example configuration showing Docker hook usage
.github/workflows/build-image.yaml Enhanced CI workflow to build both standard and tools images with testing
.github/workflows/build-image-test.yaml Updated test workflow to handle both Dockerfile variants
.github/workflows/release.yml Updates to trigger builds and use standard GitHub token
.github/workflows/scorecards.yml Adds main branch to workflow triggers
.github/workflows/codeql.yml Adds main branch to workflow triggers
.dockerignore Updated to include necessary files for tools image build


actuarysailor commented Aug 15, 2025

@MaxymVlasov or @antonbabenko - I don't like how accepting the coderabbit suggestions triggers a commit for each one; it might be better if you could hit the re-request button on the reviewer panel like you can with copilot, instead of each commit triggering it, which causes the rate limit to get hit easily.

That said, I kind of do like coderabbit - is this the free version, or what tier are you guys using?

actuarysailor and others added 3 commits August 15, 2025 19:00
## [1.101.1](v1.101.0...v1.101.1) (2025-08-16)

### Bug Fixes

* Disable docker hooks on pre-commit.ci ([#5](#5)) ([dd977d1](dd977d1))

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (4)
CHANGELOG.md (1)

5-11: Avoid fork-scoped changelog entry; let upstream release tooling generate notes

This repo’s CHANGELOG is auto-generated on release. The new 1.101.1 block links to your fork (actuarysailor) and will mislead users here. Remove this section and rely on the upstream release workflow to produce the correct entry post-merge.

Apply this diff to drop the fork-scoped section:

-## [1.101.1](https://github.com/actuarysailor/pre-commit-terraform/compare/v1.101.0...v1.101.1) (2025-08-16)
-
-
-### Bug Fixes
-
-* Disable docker hooks on pre-commit.ci ([#5](https://github.com/actuarysailor/pre-commit-terraform/issues/5)) ([dd977d1](https://github.com/actuarysailor/pre-commit-terraform/commit/dd977d17ffb5f5d5f6cd57036d08a945ff4f719c))
-
Dockerfile.tools (3)

94-110: Make version capture robust; current echo-wrapping hides failures

For several tools you use echo "name $(cmd --version)" || echo "name: ERROR". Since echo succeeds even when the subshell fails, the fallback never triggers, and you may write “name ” without signaling an error. Use the pattern you already applied for infracost/terraform-docs/terragrunt/tflint.

-    (if [ "$CHECKOV_VERSION"        != "false" ]; then (echo "checkov $(checkov --version 2>/dev/null)" || echo "checkov: ERROR") >> $F;     else echo "checkov: SKIPPED" >> $F        ; fi) && \
-    (if [ "$HCLEDIT_VERSION"        != "false" ]; then (echo "hcledit $(./hcledit version 2>/dev/null)" || echo "hcledit: ERROR") >> $F;     else echo "hcledit: SKIPPED" >> $F        ; fi) && \
+    (if [ "$CHECKOV_VERSION"        != "false" ]; then (checkov --version 2>/dev/null || echo "checkov: ERROR") >> $F;           else echo "checkov: SKIPPED" >> $F        ; fi) && \
+    (if [ "$HCLEDIT_VERSION"        != "false" ]; then (./hcledit version 2>/dev/null || echo "hcledit: ERROR") >> $F;           else echo "hcledit: SKIPPED" >> $F        ; fi) && \
-    (if [ "$TERRASCAN_VERSION"      != "false" ]; then (echo "terrascan $(./terrascan version 2>/dev/null)" || echo "terrascan: ERROR") >> $F; else echo "terrascan: SKIPPED" >> $F      ; fi) && \
+    (if [ "$TERRASCAN_VERSION"      != "false" ]; then (./terrascan version 2>/dev/null || echo "terrascan: ERROR") >> $F;       else echo "terrascan: SKIPPED" >> $F      ; fi) && \
-    (if [ "$TFSEC_VERSION"          != "false" ]; then (echo "tfsec $(./tfsec --version 2>/dev/null)" || echo "tfsec: ERROR") >> $F;       else echo "tfsec: SKIPPED" >> $F          ; fi) && \
-    (if [ "$TFUPDATE_VERSION"       != "false" ]; then (echo "tfupdate $(./tfupdate --version 2>/dev/null)" || echo "tfupdate: ERROR") >> $F; else echo "tfupdate: SKIPPED" >> $F       ; fi) && \
-    (if [ "$TRIVY_VERSION"          != "false" ]; then (echo "trivy $(./trivy --version 2>/dev/null)" || echo "trivy: ERROR") >> $F;       else echo "trivy: SKIPPED" >> $F          ; fi) && \
+    (if [ "$TFSEC_VERSION"          != "false" ]; then (./tfsec --version 2>/dev/null || echo "tfsec: ERROR") >> $F;             else echo "tfsec: SKIPPED" >> $F          ; fi) && \
+    (if [ "$TFUPDATE_VERSION"       != "false" ]; then (./tfupdate --version 2>/dev/null || echo "tfupdate: ERROR") >> $F;       else echo "tfupdate: SKIPPED" >> $F       ; fi) && \
+    (if [ "$TRIVY_VERSION"          != "false" ]; then (./trivy --version 2>/dev/null || echo "trivy: ERROR") >> $F;             else echo "trivy: SKIPPED" >> $F          ; fi) && \
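Review bot: the replacement lines fix the masked failure but drop the tool-name prefix on the success path, so `/.env` would hold a bare version string for checkov, hcledit, terrascan, tfsec, tfupdate and trivy while the other tools keep the `name version` form that makes the build log readable. Capture first and label afterwards, for example `(v=$(checkov --version 2>/dev/null) && echo "checkov $v" || echo "checkov: ERROR") >> $F`: the assignment `v=$(...)` returns the command's own exit status, so the `|| echo "checkov: ERROR"` branch still fires on failure, and the `: SKIPPED` grep used later in the Dockerfile keeps working because those lines are untouched.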

161-166: Remove duplicate COPY of lib_getopt to the same destination

lib_getopt is copied to /usr/bin/lib_getopt twice (Lines 162 and 165). Drop the redundant second COPY.

 COPY hooks/ /usr/bin/hooks/
 COPY lib_getopt /usr/bin/lib_getopt
 RUN chmod +x /usr/bin/hooks/*.sh
-# (Removed redundant COPY hooks/ /usr/bin/hooks/)
-COPY lib_getopt /usr/bin/lib_getopt
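Review bot: this hunk and the next one (164-179) both delete the line `# (Removed redundant COPY hooks/ /usr/bin/hooks/)`, so applying them as two separate suggestion commits will make the second fail to apply; fold them into one edit. Note also that the earlier learning about intentional duplicate COPYs covers copying to two different destinations (`/usr/bin` and `/usr/local/bin`), not the same file copied twice to `/usr/bin/lib_getopt`, so removing the second copy here does not conflict with that rationale.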

164-179: Clean up leftover reviewer marker comments

The “(Removed redundant …)” comments are artifacts and add noise. Remove them to keep the Dockerfile concise.

-# (Removed redundant COPY hooks/ /usr/bin/hooks/)
-# Copy hook scripts to make advanced functionality available
-# (Removed redundant COPY hooks/ /usr/local/bin/hooks/)
-
 # Make hooks executable
 RUN chmod +x /usr/local/bin/hooks/*.sh
📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro


📥 Commits

Reviewing files that changed from the base of the PR and between 1731092 and 2dec291.

📒 Files selected for processing (3)
  • .pre-commit-hooks.yaml (1 hunks)
  • CHANGELOG.md (1 hunks)
  • Dockerfile.tools (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • .pre-commit-hooks.yaml
🧰 Additional context used
🧠 Learnings (5)
📚 Learning: 2025-08-12T19:38:31.957Z
Learnt from: actuarysailor
PR: antonbabenko/pre-commit-terraform#925
File: examples/.pre-commit-config-docker.yaml:5-6
Timestamp: 2025-08-12T19:38:31.957Z
Learning: When contributing Docker-based pre-commit hooks, examples may temporarily need to reference the contributor's forked repository where the Docker image is built and published, until the PR is merged and the maintainer can update references to point to the canonical repository and publish the image from the official source.

Applied to files:

  • CHANGELOG.md
  • Dockerfile.tools
📚 Learning: 2025-08-15T22:32:20.677Z
Learnt from: actuarysailor
PR: antonbabenko/pre-commit-terraform#925
File: README.md:344-357
Timestamp: 2025-08-15T22:32:20.677Z
Learning: For Docker-based pre-commit hooks, the Docker image is specified in the `entry` parameter, not in a separate `image` field. The correct format uses `language: docker_image` and `entry: <docker-image-name>` with any additional arguments.

Applied to files:

  • CHANGELOG.md
  • Dockerfile.tools
📚 Learning: 2025-08-12T19:43:31.274Z
Learnt from: actuarysailor
PR: antonbabenko/pre-commit-terraform#925
File: Dockerfile.tools:92-108
Timestamp: 2025-08-12T19:43:31.274Z
Learning: In Dockerfile.tools, the version checking script at the end of the builder stage is intentionally designed to download the latest versions of tools when not specified in build args and echo the installed versions for verification/debugging purposes during the build process. This behavior is by design to track what actual tool versions end up in the container.

Applied to files:

  • Dockerfile.tools
📚 Learning: 2025-08-12T19:49:33.728Z
Learnt from: actuarysailor
PR: antonbabenko/pre-commit-terraform#925
File: Dockerfile.tools:158-177
Timestamp: 2025-08-12T19:49:33.728Z
Learning: In Dockerfile.tools for the pre-commit-terraform project, the duplicate COPY operations for hooks/ and lib_getopt (copying to both /usr/bin and /usr/local/bin) are intentional to avoid Docker build caching issues and prevent the need for serial build steps that would make CI/CD workflows longer. This is a pragmatic trade-off prioritizing build performance over Dockerfile cleanliness.

Applied to files:

  • Dockerfile.tools
🔇 Additional comments (1)
Dockerfile.tools (1)

55-70: INSTALL_ALL validation and gating look good

The boolean gate correctly sets “latest” and guards invalid values with a clear error. Good balance between safety and ergonomics.
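The version-logging pitfall discussed above (an `echo "name $(cmd)"` wrapper that always exits 0, so the `|| echo "name: ERROR"` fallback never fires) is easy to reproduce and to fix in a small helper. The following is an added example, not code from the PR or from the pre-commit-terraform project; `capture_version`, `recorded_line`, the `VERSIONS_FILE` variable and the `demo_*` stand-ins for real tool binaries are all hypothetical names constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the PR): a version-capture helper suitable for a
# Dockerfile RUN step. Assumed names: capture_version, recorded_line,
# VERSIONS_FILE, and the demo_* stand-ins for real tools.

# capture_version NAME SKIP_FLAG COMMAND...
#   appends exactly one line to $VERSIONS_FILE:
#     "NAME <output>"  when COMMAND succeeds
#     "NAME: ERROR"    when COMMAND fails or does not exist
#     "NAME: SKIPPED"  when SKIP_FLAG is the literal string "false"
#   The assignment v=$(...) carries COMMAND's exit status, which is what
#   echo "NAME $(COMMAND)" loses, because echo itself always succeeds.
capture_version() {
  name=$1; skip=$2; shift 2
  if [ "$skip" = "false" ]; then
    printf '%s: SKIPPED\n' "$name" >> "$VERSIONS_FILE"
    return 0
  fi
  if v=$("$@" 2>/dev/null); then
    printf '%s %s\n' "$name" "$v" >> "$VERSIONS_FILE"
  else
    printf '%s: ERROR\n' "$name" >> "$VERSIONS_FILE"
  fi
}

# recorded_line NAME: prints the line recorded for NAME (for inspection/tests).
recorded_line() {
  grep "^$1[ :]" "$VERSIONS_FILE"
}

# Constructed stand-ins for tool binaries: one that prints a version, one
# that fails. A third case below uses a command name that does not exist.
demo_ok()   { echo "v1.2.3"; }
demo_fail() { return 1; }

# run_demo: exercises all four outcomes into a fresh temporary file.
run_demo() {
  VERSIONS_FILE=$(mktemp)
  : > "$VERSIONS_FILE"
  capture_version tool_ok     latest demo_ok
  capture_version tool_broken latest demo_fail
  capture_version tool_absent latest definitely_not_installed_xyz
  capture_version tool_off    false  demo_ok
}

run_demo
cat "$VERSIONS_FILE"
```

Tools such as trivy print several lines for `--version`; the helper records them as-is, which matches what the Dockerfile's existing `echo` does, so a later `grep "^name[ :]"` still finds the first line by its prefix.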


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

♻️ Duplicate comments (2)
README.md (1)

1349-1349: Pinning actions/checkout to a commit is consistent with repo policy

Keeping GitHub Actions pinned by SHA matches the repository’s security posture discussed earlier.

.pre-commit-hooks.yaml (1)

223-236: Docs docker hook design is aligned with common workflows

Per earlier discussion, running terraform-docs against “.” with pass_filenames: false is appropriate for single-module repos to avoid churn in vendored modules. Users needing recursion can adjust args in their config.

🧹 Nitpick comments (7)
README.md (4)

97-97: Tighten wording: avoid “available … available”

Minor nit: the sentence is slightly redundant.

-All available tags are [available on GitHub Container Registry](https://github.com/antonbabenko/pre-commit-terraform/pkgs/container/pre-commit-terraform/versions).
+All tags are [available on GitHub Container Registry](https://github.com/antonbabenko/pre-commit-terraform/pkgs/container/pre-commit-terraform/versions).

365-371: Minor grammar/clarity improvement for pre-commit.ci note

Tweaking phrasing improves readability without changing meaning.

-* For pre-commit.ci users: At this time, these hooks must be skipped as pre-commit.ci agents do not have Docker available.
-  * _Note: pre-commit has a Docker setup for hooks, so Docker support may be added in the future._
+* For pre-commit.ci users: At this time, skip these hooks because pre-commit.ci agents do not have Docker available.
+  * _Note: pre-commit has a Docker setup for hooks, so Docker support may be added in the future._

429-431: Subject-verb agreement nit

Tiny grammar fix for the bullet point.

-* No interpolation or expansion are applied
+* No interpolation or expansion is applied

1275-1276: Quote paths in docker run example

Quoting avoids issues when paths contain spaces and keeps this consistent with the earlier example.

-docker run -e "USERID=$(id -u):$(id -g)" -v $(pwd):/lint -w /lint ghcr.io/antonbabenko/pre-commit-terraform:latest run -a
+docker run -e "USERID=$(id -u):$(id -g)" -v "$(pwd):/lint" -w "/lint" ghcr.io/antonbabenko/pre-commit-terraform:latest run -a
.pre-commit-hooks.yaml (3)

182-194: Consider switching to the official image before merge and avoid ‘latest’

The Docker hooks currently point to the contributor’s image and tag ‘latest’. Before merging upstream, switch to the project’s official image namespace, and (ideally) pin by digest for immutability, consistent with how this repo pins actions by SHA.

Proposed minimal change to official namespace (keep tag for now):

-  entry: ghcr.io/actuarysailor/pre-commit-terraform-tools:latest
+  entry: ghcr.io/antonbabenko/pre-commit-terraform-tools:latest

If you prefer immutable pins, replace :latest with a digest (example digest placeholder shown):

-  entry: ghcr.io/antonbabenko/pre-commit-terraform-tools:latest
+  entry: ghcr.io/antonbabenko/pre-commit-terraform-tools@sha256:<IMAGE_DIGEST>
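Review bot: the suggestion should say why the digest matters for this hook type specifically: a user's `rev:` pins this repository's hook definitions, but pre-commit pulls the image named in `entry:` by whatever the registry serves for that tag at run time, and `docker_image` hooks perform no verification of their own. With `:latest`, two runs at the same `rev:` can execute different tool versions, and a compromised publisher account or registry tag reaches every consumer's checkout. Pair the `@sha256:` pin with an automated update bot so digest bumps arrive as reviewable PRs instead of hand edits, and keep the placeholder `<IMAGE_DIGEST>` out of the committed file since an invalid reference fails every Docker hook at once.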

Apply similarly to all Docker hook entries:

  • Lines: 189, 202, 216, 230, 243, 260, 273.

195-208: Validate parity: docker validate may not mirror script behavior

The docker variant runs terraform validate once in the repo root with pass_filenames: false. This diverges from the script’s per-directory orchestration, re-init logic, and --retry-once-with-cleanup support. In multi-module repos where the root isn’t a Terraform module, this can fail or miss validation.

Two options:

  • Route through the project’s hook script inside the image to preserve behavior:
-  args: [terraform, validate]
+  args: [/usr/bin/hooks/terraform_validate.sh]
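Review bot: swapping `args` to `/usr/bin/hooks/terraform_validate.sh` only restores parity if `pass_filenames: false` is reverted and a `files:` filter is set as on the script hook. The script hooks derive the directories to validate from the file names pre-commit passes (`common::per_dir_hook` in hooks/_common.sh, listed in the Code Graph Analysis below), so with no file names the script receives an empty list, validates nothing, and the hook reports success without terraform ever running. The script also depends on `lib_getopt` and `_common.sh` being present beside it in the image, which the Dockerfile's copy of `hooks/` and `lib_getopt` to `/usr/bin` is intended to provide; call that out so the two changes are reviewed together.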
  • Or document that docker variants are scoped to the current directory and require users to run pre-commit from a module root, or adjust with -chdir in args for their layout.

Would you like me to update other docker hooks similarly to use their corresponding scripts for feature parity?


209-222: TFLint docker hook: deliberate scope; parity caveat

Using --chdir=. with pass_filenames: false scopes the run to the current directory (repo root). That’s fine for single-module repos, but unlike the script hook, it won’t iterate modules. Consider noting this in README or routing via /usr/bin/hooks/terraform_tflint.sh for parity.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro


📥 Commits

Reviewing files that changed from the base of the PR and between 70a37a8 and d1629ba.

📒 Files selected for processing (3)
  • .pre-commit-hooks.yaml (1 hunks)
  • README.md (6 hunks)
  • examples/.pre-commit-config-docker.yaml (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • examples/.pre-commit-config-docker.yaml
🧰 Additional context used
🧠 Learnings (6)
📚 Learning: 2025-08-12T19:38:31.957Z
Learnt from: actuarysailor
PR: antonbabenko/pre-commit-terraform#925
File: examples/.pre-commit-config-docker.yaml:5-6
Timestamp: 2025-08-12T19:38:31.957Z
Learning: When contributing Docker-based pre-commit hooks, examples may temporarily need to reference the contributor's forked repository where the Docker image is built and published, until the PR is merged and the maintainer can update references to point to the canonical repository and publish the image from the official source.

Applied to files:

  • README.md
  • .pre-commit-hooks.yaml
📚 Learning: 2025-08-15T22:32:20.677Z
Learnt from: actuarysailor
PR: antonbabenko/pre-commit-terraform#925
File: README.md:344-357
Timestamp: 2025-08-15T22:32:20.677Z
Learning: For Docker-based pre-commit hooks, the Docker image is specified in the `entry` parameter, not in a separate `image` field. The correct format uses `language: docker_image` and `entry: <docker-image-name>` with any additional arguments.

Applied to files:

  • README.md
  • .pre-commit-hooks.yaml
📚 Learning: 2025-08-12T19:49:33.728Z
Learnt from: actuarysailor
PR: antonbabenko/pre-commit-terraform#925
File: Dockerfile.tools:158-177
Timestamp: 2025-08-12T19:49:33.728Z
Learning: In Dockerfile.tools for the pre-commit-terraform project, the duplicate COPY operations for hooks/ and lib_getopt (copying to both /usr/bin and /usr/local/bin) are intentional to avoid Docker build caching issues and prevent the need for serial build steps that would make CI/CD workflows longer. This is a pragmatic trade-off prioritizing build performance over Dockerfile cleanliness.

Applied to files:

  • README.md
  • .pre-commit-hooks.yaml
📚 Learning: 2025-08-12T19:49:13.208Z
Learnt from: actuarysailor
PR: antonbabenko/pre-commit-terraform#925
File: .pre-commit-hooks.yaml:216-227
Timestamp: 2025-08-12T19:49:13.208Z
Learning: In Terraform projects, most module folders are downloaded dependencies (similar to GitHub Actions) rather than locally maintained code. Users typically want to document only the root module to avoid commit noise from modules they consume but don't maintain. The terraform_docs_docker hook's current design with pass_filenames: false and args targeting the current directory (.) is appropriate for this common single-module repository pattern.

Applied to files:

  • README.md
  • .pre-commit-hooks.yaml
📚 Learning: 2025-08-12T19:43:31.274Z
Learnt from: actuarysailor
PR: antonbabenko/pre-commit-terraform#925
File: Dockerfile.tools:92-108
Timestamp: 2025-08-12T19:43:31.274Z
Learning: In Dockerfile.tools, the version checking script at the end of the builder stage is intentionally designed to download the latest versions of tools when not specified in build args and echo the installed versions for verification/debugging purposes during the build process. This behavior is by design to track what actual tool versions end up in the container.

Applied to files:

  • .pre-commit-hooks.yaml
🧬 Code Graph Analysis (1)
.pre-commit-hooks.yaml (4)
hooks/_common.sh (1)
  • common::per_dir_hook (285-429)
hooks/terraform_docs.sh (2)
  • terraform_docs (59-264)
  • main (18-29)
hooks/terraform_tfsec.sh (1)
  • main (10-29)
hooks/terraform_trivy.sh (1)
  • main (10-21)
🪛 LanguageTool
README.md

[grammar] ~368-~368: There might be a mistake here.
Context: ....ci agents do not have Docker available. * _Note: pre-commit has a Docker setup for ...

(QB_NEW_EN)

🔇 Additional comments (9)
README.md (6)

52-52: Nice ToC addition for Docker hooks

The new Table of Contents entry correctly links to the Docker-based hooks section.


344-357: Clear, non-breaking introduction of Docker-based hooks

The section is concise, maps Docker hook IDs to their script counterparts, and sets correct expectations.


376-379: Skip list is correct for pre-commit.ci

The list of Docker hook IDs aligns with the new hooks and will prevent pre-commit.ci failures.


381-391: Good example with version placeholder

Using <VERSION_WITH_DOCKER_HOOKS> avoids broken examples before a release is cut. Remember to update this after the release.

When the first release with Docker hooks is published, replace <VERSION_WITH_DOCKER_HOOKS> with that tag in both README and examples/.pre-commit-config-docker.yaml.


393-394: Corrected example path

Pointing to examples/.pre-commit-config-docker.yaml matches the repo layout and avoids 404s.


543-543: Good: direct link to Checkov CLI reference

This is more helpful than the generic link.

.pre-commit-hooks.yaml (3)

237-251: Checkov docker hook looks good

Running checkov -d . with require_serial: true and pass_filenames: false mirrors the intended whole-repo scan behavior.


252-266: Trivy docker hook is consistent with project conventions

trivy config . with require_serial: true matches typical usage and the existing script hook’s scope.


267-279: Infracost docker hook: note about API key already covered in README

The hook definition is correct; README includes the guidance to set INFRACOST_API_KEY when using Docker.

actuarysailor and others added 3 commits August 16, 2025 00:41
* chore: Retry logic for terraform validate

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* chore: Linting

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* chore: One more tweak

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* ci: One more tweak

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* chore: Temporary hack to use specific version

* chore: Fixing hook still

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* chore: Fixing lint nightmare

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* chore: Restore latest docker image

---------

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (5)
.pre-commit-hooks.yaml (2)

189-191: Pin the Docker image to an immutable digest instead of latest.

Using latest can cause unexpected drifts. Prefer a content-addressable digest once the image is published. If a digest isn’t available yet, consider a temporary explicit tag and follow up with a digest pin.

Apply this change when the image digest is known:

-  entry: ghcr.io/antonbabenko/pre-commit-terraform-tools:latest
+  entry: ghcr.io/antonbabenko/pre-commit-terraform-tools@sha256:<digest>
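Review bot: the `@sha256:<digest>` form matches the README's own advice (quoted in the security section further down this thread) to pin images by hash sums, but a digest frozen in `.pre-commit-hooks.yaml` is inherited by every consumer of the hook until this repo cuts a new release; the README sentence that lets users pin "by tag or digest" should also say how that digest gets bumped, otherwise the pin quietly turns into the accumulated-CVE case the security section describes.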

Repeat for all Docker hooks in this file.

Also applies to: 204-206, 223-225, 237-239, 250-252, 267-269, 280-282


239-242: Root-only terraform-docs behavior is fine; consider a one-liner in README for multi-module repos.

The pass_filenames: false with explicit . target is appropriate for the common “document only root module” use case. As a small UX nicety, you could add a README note that multi-module users may customize args (e.g., add --recursive) in their own .pre-commit-config.yaml if desired.

README.md (3)

348-357: Explicitly mention the image powering Docker hooks to reduce ambiguity.

Add a short note clarifying that users don’t need to specify an image in their .pre-commit-config.yaml; the hooks already point to the tools image.

 For users who prefer not to install tools locally, Docker-based versions are available for most hooks. These hooks use a Docker image with all tools pre-installed and provide the same functionality as their script-based counterparts.
+These hooks run inside the tools image defined by the hook itself (no image configuration needed in your .pre-commit-config.yaml). The image is published at ghcr.io/antonbabenko/pre-commit-terraform-tools with a tag or digest pinned in .pre-commit-hooks.yaml.
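Review bot: the added sentence states the image has "a tag or digest pinned in .pre-commit-hooks.yaml", but the nitpick on lines 189-191 of the same review shows the hooks still reference `:latest`, which is a mutable tag rather than a pin; either land the digest pin first or word this as "referenced by tag" so the README does not overstate what the hook file does.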

365-371: Tighten wording and fix the nested bullet note about pre-commit.ci Docker support.

Minor clarity/grammar improvements and more precise phrasing.

-**Requirements and limitations:**
+**Requirements and limitations:**
 
-* Docker must be installed and accessible
-* For pre-commit.ci users: At this time, skip these hooks because pre-commit.ci agents do not have Docker available.
-  * _Note: pre-commit has a Docker setup for hooks, so Docker support may be added in the future._
-* **You can still use Docker-based hooks in CI/CD pipelines** (such as GitHub Actions, GitLab CI, etc.) by running `pre-commit run --all-files` (or `pre-commit run -a`) on a self-hosted or GitHub-hosted runner where Docker is available. This allows you to enforce the same checks in CI as locally, even if pre-commit.ci does not support Docker yet.
+* Docker must be installed and accessible.
+* For pre-commit.ci: its agents do not have Docker; skip these hooks for now.
+  * Note: pre-commit supports Docker hooks, so pre-commit.ci may add Docker support in the future.
+* You can still use Docker-based hooks in CI/CD (e.g., GitHub Actions, GitLab CI) by running `pre-commit run --all-files` (or `pre-commit run -a`) on runners where Docker is available. This enforces the same checks in CI as locally, even if pre-commit.ci doesn’t support Docker yet.

1275-1276: Keep run examples consistent: reuse $TAG variable instead of hardcoding latest.

Earlier you introduced TAG=latest; reuse it here for consistency and easier overrides.

-docker run -e "USERID=$(id -u):$(id -g)" -v "$(pwd):/lint" -w "/lint" ghcr.io/antonbabenko/pre-commit-terraform:latest run -a
+docker run -e "USERID=$(id -u):$(id -g)" -v "$(pwd):/lint" -w "/lint" ghcr.io/antonbabenko/pre-commit-terraform:$TAG run -a
📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

💡 Knowledge Base configuration:

  • MCP integration is disabled by default for public repositories
  • Jira integration is disabled by default for public repositories
  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 1815705 and 5aed527.

📒 Files selected for processing (3)
  • .pre-commit-hooks.yaml (1 hunks)
  • README.md (7 hunks)
  • examples/.pre-commit-config-docker.yaml (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • examples/.pre-commit-config-docker.yaml
🧰 Additional context used
🧠 Learnings (6)
📓 Common learnings
Learnt from: actuarysailor
PR: antonbabenko/pre-commit-terraform#925
File: examples/.pre-commit-config-docker.yaml:5-6
Timestamp: 2025-08-12T19:38:31.957Z
Learning: When contributing Docker-based pre-commit hooks, examples may temporarily need to reference the contributor's forked repository where the Docker image is built and published, until the PR is merged and the maintainer can update references to point to the canonical repository and publish the image from the official source.
Learnt from: actuarysailor
PR: antonbabenko/pre-commit-terraform#925
File: README.md:344-357
Timestamp: 2025-08-15T22:32:20.677Z
Learning: For Docker-based pre-commit hooks, the Docker image is specified in the `entry` parameter, not in a separate `image` field. The correct format uses `language: docker_image` and `entry: <docker-image-name>` with any additional arguments.
🧬 Code Graph Analysis (1)
.pre-commit-hooks.yaml (3)
hooks/_common.sh (1)
  • common::per_dir_hook (285-429)
hooks/terraform_docs.sh (2)
  • terraform_docs (59-264)
  • main (18-29)
hooks/terraform_tfsec.sh (1)
  • main (10-29)
🪛 LanguageTool
README.md

[grammar] ~368-~368: There might be a mistake here.
Context: ....ci agents do not have Docker available. * _Note: pre-commit has a Docker setup for ...

(QB_NEW_EN)

🔇 Additional comments (3)
.pre-commit-hooks.yaml (2)

182-287: Docker hook variants look well-integrated and non-breaking.

  • Correct use of language: docker_image with image specified via entry.
  • Hook IDs, files/exclude patterns, and require_serial mirror script hooks appropriately.
  • Nice callout in descriptions about pre-commit.ci environments.

206-213: Path to terraform_validate.sh inside the image is consistent with the tooling layout.

Referencing /usr/bin/hooks/terraform_validate.sh aligns with the image’s hooks installation approach, so this should work under pre-commit’s docker_image runner.

README.md (1)

344-394: Docs section for Docker-based hooks is clear and actionable.

  • Good overview, benefits/limitations, and pre-commit.ci skip example.
  • Example config uses a placeholder rev, which avoids pointing to a release that doesn’t yet include these hooks.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (3)
README.md (3)

344-357: Nice, clear intro and mapping table for Docker-based hooks

The section is concise and the mapping between Docker and script hook IDs is clear.

Consider adding a one-liner clarifying how these hooks are implemented in pre-commit, so users understand where the Docker image is specified:

 ### Docker-based hooks (no local tool installation required)

 For users who prefer not to install tools locally, Docker-based versions are available for most hooks. These hooks use a Docker image with all tools pre-installed and provide the same functionality as their script-based counterparts.
+Note: These hooks are defined with pre-commit language: docker_image and reference the Docker image via the entry parameter in .pre-commit-hooks.yaml.

369-375: Minor grammar polish in the pre-commit.ci note

Tighten the punctuation for readability.

Apply this diff:

-* For pre-commit.ci: its agents do not have Docker; skip these hooks for now.
-  * Note: pre-commit supports Docker hooks, so pre-commit.ci may add Docker support in the future.
+* For pre-commit.ci: its agents do not have Docker; skip these hooks for now.
+  * Note: pre-commit supports Docker hooks; pre-commit.ci may add Docker support in the future.

1279-1280: Add --rm and keep quoting consistent in docker run example

Adding --rm prevents leftover containers; quoting the image string matches earlier examples.

Apply this diff:

-docker run -e "USERID=$(id -u):$(id -g)" -v "$(pwd):/lint" -w "/lint" ghcr.io/antonbabenko/pre-commit-terraform:$TAG run -a
+docker run --rm -e "USERID=$(id -u):$(id -g)" -v "$(pwd):/lint" -w "/lint" "ghcr.io/antonbabenko/pre-commit-terraform:$TAG" run -a

Also consider updating the earlier command under “4. Run” for consistency.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro


📥 Commits

Reviewing files that changed from the base of the PR and between 5aed527 and 75e7837.

📒 Files selected for processing (1)
  • README.md (7 hunks)
🧰 Additional context used
🪛 LanguageTool
README.md

[grammar] ~372-~372: There might be a mistake here.
Context: ...t have Docker; skip these hooks for now. * Note: pre-commit supports Docker hooks, ...

(QB_NEW_EN)

🔇 Additional comments (8)
README.md (8)

52-52: TOC entry for Docker-based hooks looks good

Anchor matches the section header and renders correctly.


97-97: Good addition: link to GHCR image tags

The link to all available tags on GHCR is accurate and helpful.


358-360: Docs align with intended terraform_docs_docker behavior

The note about pass_filenames: false and targeting . matches how users typically want terraform-docs applied in single-module repos.


431-436: Env var semantics clarified well

Explicitly stating “no interpolation or expansion” and quote-stripping avoids ambiguity for users.


547-547: Updated Checkov CLI docs link is correct

Pointing to the CLI Command Reference is the right target.


1353-1353: Pinned SHA for actions/checkout is consistent with repo policy

Acknowledged and agreed given this repository’s preference for immutable, pinned action SHAs.


376-384: Verified: README skip example is correct and complete

The ci.skip list in README.md exactly matches the seven Docker-based hook IDs defined in .pre-commit-hooks.yaml. No changes needed.


385-397: Verified example file and placeholder

  • examples/.pre-commit-config-docker.yaml exists.
  • <VERSION_WITH_DOCKER_HOOKS> is present in README.md (line 390).

No further changes needed.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

♻️ Duplicate comments (1)
README.md (1)

400-400: Correct example path – LGTM (addresses earlier feedback)

Linking to examples/.pre-commit-config-docker.yaml prevents a 404.

🧹 Nitpick comments (2)
README.md (2)

344-349: Tighten wording and formatting for Docker hook configuration (minor nit)

Small grammar/formatting tweaks improve accuracy and align with pre-commit’s expected fields. Also clarifies pinning by tag or digest and distinguishes the two images used in this repo.

Apply:

-For users who prefer not to install tools locally, Docker-based versions are available for most hooks. These hooks use a Docker image with all tools pre-installed and provide the same functionality as their script-based counterparts.
-Note: These hooks are defined with pre-commit language: docker_image and reference the Docker image via the entry parameter in .pre-commit-hooks.yaml.
-These hooks run inside the tools image defined by the hook itself (no image configuration needed in your .pre-commit-config.yaml). The image is published at ghcr.io/antonbabenko/pre-commit-terraform-tools with a tag or digest pinned in .pre-commit-hooks.yaml.
+For users who prefer not to install tools locally, Docker-based versions are available for most hooks. These hooks use a Docker image with all tools pre-installed and provide the same functionality as their script-based counterparts.
+Note: These hooks are defined with pre-commit `language: docker_image` and reference the Docker image via the `entry` field in `.pre-commit-hooks.yaml`.
+These hooks run inside the tools image defined by the hook itself (no image configuration needed in your `.pre-commit-config.yaml`). The image is published at `ghcr.io/antonbabenko/pre-commit-terraform-tools` and can be pinned by tag (e.g., `entry: ghcr.io/antonbabenko/pre-commit-terraform-tools:latest`) or by digest (e.g., `entry: ghcr.io/antonbabenko/pre-commit-terraform-tools@sha256:...`).
+Tip: `ghcr.io/antonbabenko/pre-commit-terraform` is the container image for running pre-commit itself, whereas `...-tools` is the image used by the Docker-based hooks.
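Review bot: in the third `+` line, `entry: ghcr.io/antonbabenko/pre-commit-terraform-tools:latest` is offered as the example of pinning by tag, but `latest` is exactly the mutable reference the earlier review flagged as drift-prone; use a release-style placeholder such as `:<version>` in that example and keep `latest` out of the pinning sentence.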

372-378: Clarify pre-commit.ci wording (minor grammar) and scope

Tighten phrasing; make it explicit that pre-commit (framework) supports Docker hooks but pre-commit.ci runners do not (yet).

-* For pre-commit.ci: its agents do not have Docker; skip these hooks for now.
-  * Note: pre-commit supports Docker hooks; pre-commit.ci may add Docker support in the future.
+* pre-commit.ci runners do not support Docker; skip these hooks there for now.
+  * Note: pre-commit (the framework) supports Docker hooks; pre-commit.ci may add Docker support in the future.
📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro


📥 Commits

Reviewing files that changed from the base of the PR and between 75e7837 and 246cbe5.

📒 Files selected for processing (1)
  • README.md (7 hunks)
🧰 Additional context used
🪛 LanguageTool
README.md

[grammar] ~347-~347: There might be a mistake here.
Context: ...try parameter in .pre-commit-hooks.yaml. These hooks run inside the tools image d...

(QB_NEW_EN)


[grammar] ~375-~375: There might be a mistake here.
Context: ...t have Docker; skip these hooks for now. * Note: pre-commit supports Docker hooks; ...

(QB_NEW_EN)

🔇 Additional comments (9)
README.md (9)

52-52: ToC addition for Docker hooks – LGTM

Good addition; the anchor matches the section header below.


97-97: Registry tags link – LGTM

Clear pointer to GC Registry versions. No issues.


351-360: Docker-to-script hook mapping – LGTM

Helpful table; names match the new Docker hook IDs.


361-363: Default for terraform_docs_docker matches common usage – LGTM

Using pass_filenames: false and explicit “.” for root module aligns with typical single-module repos. This matches prior discussion and learnings.


390-398: Example configuration uses placeholder version – LGTM

Thanks for avoiding a stale tag; this prevents broken examples until a release with Docker hooks is cut.


550-551: Direct link to Checkov CLI reference – LGTM

Accurate and more helpful than generic docs.


1282-1283: Docker run example improvements – LGTM

Adding --rm and quoting the image/tag is good practice and avoids leftover containers or word-splitting issues.


1356-1356: Pinning actions/checkout by commit – LGTM

Consistent with this repo’s security posture to use immutable SHAs.


383-386: README skip list is synchronized with Docker hook IDs

The pre-commit.ci skip list in README.md matches the Docker hook IDs defined in .pre-commit-hooks.yaml. No updates are needed.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (4)
README.md (4)

344-350: Docker-based hooks docs are correct; add GHCR tags link for the tools image and clarify mixing with script hooks.

The section accurately explains language: docker_image and that the image is specified via entry. Two small doc gains:

  • Link to the tools image tags to help users pin by tag/digest.
  • Explicitly state that Docker- and script-based hooks can be mixed in the same .pre-commit-config.yaml.

Apply this diff to enrich the section:

 For users who prefer not to install tools locally, Docker-based versions are available for most hooks. These hooks use a Docker image with all tools pre-installed and provide the same functionality as their script-based counterparts.
 Note: These hooks are defined with pre-commit `language: docker_image` and reference the Docker image via the `entry` field in `.pre-commit-hooks.yaml`.
-These hooks run inside the tools image defined by the hook itself (no image configuration needed in your `.pre-commit-config.yaml`). The image is published at `ghcr.io/antonbabenko/pre-commit-terraform-tools` and can be pinned by tag (e.g., `entry: ghcr.io/antonbabenko/pre-commit-terraform-tools:latest`) or by digest (e.g., `entry: ghcr.io/antonbabenko/pre-commit-terraform-tools@sha256:...`).
+These hooks run inside the tools image defined by the hook itself (no image configuration needed in your `.pre-commit-config.yaml`). The image is published at `ghcr.io/antonbabenko/pre-commit-terraform-tools` and can be pinned by tag (e.g., `entry: ghcr.io/antonbabenko/pre-commit-terraform-tools:latest`) or by digest (e.g., `entry: ghcr.io/antonbabenko/pre-commit-terraform-tools@sha256:...`).
+All tags for the tools image are available on GitHub Container Registry:
+https://github.com/antonbabenko/pre-commit-terraform/pkgs/container/pre-commit-terraform-tools/versions
+
+You can freely mix Docker-based hooks with the original script-based hooks within the same `.pre-commit-config.yaml`.
 Tip: `ghcr.io/antonbabenko/pre-commit-terraform` is the container image for running pre-commit itself, whereas `...-tools` is the image used by the Docker-based hooks.

375-379: Add a short tip for Infracost when using Docker-based hooks.

Many users hit auth issues with Infracost in containers. A one-liner here improves DX by pointing to the correct way to inject the API key for the Docker hook.

 **Requirements and limitations:**
 
 * Docker must be installed and accessible.
 * pre-commit.ci runners do not support Docker; skip these hooks there for now.
   * Note: pre-commit (the framework) supports Docker hooks; pre-commit.ci may add Docker support in the future.
 * You can still use Docker-based hooks in CI/CD (e.g., GitHub Actions, GitLab CI) by running `pre-commit run --all-files` (or `pre-commit run -a`) on runners where Docker is available. This enforces the same checks in CI as locally, even if pre-commit.ci doesn’t support Docker yet.
+* For `infracost_breakdown_docker`, ensure `INFRACOST_API_KEY` is set (for example via `--env-vars=INFRACOST_API_KEY="..."`) or exported in the environment. See the [infracost_breakdown](#infracost_breakdown) section for details.
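Review bot: the `--env-vars=INFRACOST_API_KEY="..."` example in the added bullet invites pasting the API key as a literal into `.pre-commit-config.yaml`, a file that is committed; lead with the exported-environment-variable option, and if the `--env-vars` form stays, show it with an obvious placeholder (for example `INFRACOST_API_KEY=<from-your-secret-store>`) rather than a quoted slot for the real key.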

300-308: Consistency: include --rm on both docker run examples.

The File Permissions section uses --rm, but this earlier example doesn’t. Align them to avoid leaving stopped containers behind.

 TAG=latest
-docker run -e "USERID=$(id -u):$(id -g)" -v "$(pwd):/lint" -w "/lint" "ghcr.io/antonbabenko/pre-commit-terraform:$TAG" run -a
+docker run --rm -e "USERID=$(id -u):$(id -g)" -v "$(pwd):/lint" -w "/lint" "ghcr.io/antonbabenko/pre-commit-terraform:$TAG" run -a

1266-1274: Clarify that security guidance applies to both images (pre-commit-terraform and pre-commit-terraform-tools).

Minor wording tweak to make it explicit that both images follow the same security posture.

-Pre-built Docker images contain the latest versions of tools available at the time of their build and remain unchanged afterward. Tags should be immutable whenever possible, and it is highly recommended to pin them using hash sums for security and reproducibility.
+Pre-built Docker images (both `ghcr.io/antonbabenko/pre-commit-terraform` and `ghcr.io/antonbabenko/pre-commit-terraform-tools`) contain the latest versions of tools available at the time of their build and remain unchanged afterward. Tags should be immutable whenever possible, and it is highly recommended to pin them using hash sums for security and reproducibility.
 
 This means that most Docker images will include known CVEs, and the longer an image exists, the more CVEs it may accumulate. This applies even to the latest `vX.Y.Z` tags.
 To address this, you can use the `nightly` tag, which rebuilds nightly with the latest versions of all dependencies and latest `pre-commit-terraform` hooks. However, using mutable tags introduces different security concerns.
 
 Note: Currently, we DO NOT test third-party tools or their dependencies for security vulnerabilities, corruption, or injection (including obfuscated content). If you have ideas for introducing image scans or other security improvements, please open an issue or submit a PR. Some ideas are already tracked in [#835](https://github.com/antonbabenko/pre-commit-terraform/issues/835).
 
-From a security perspective, the best approach is to manage the Docker image yourself and update its dependencies as needed. This allows you to remove unnecessary dependencies, reducing the number of potential CVEs and improving overall security.
+From a security perspective, the best approach is to manage these Docker images yourself and update their dependencies as needed. This allows you to remove unnecessary dependencies, reducing the number of potential CVEs and improving overall security.
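Review bot: "pin them using hash sums" in the rewritten first paragraph would be more actionable with the concrete reference form a user types, e.g. `ghcr.io/antonbabenko/pre-commit-terraform-tools@sha256:<digest>`, since a digest reference cannot be re-pointed the way a `vX.Y.Z` or `nightly` tag can; one such line next to the `nightly` caveat would tie the recommendation to both images named in the paragraph.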
📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro


📥 Commits

Reviewing files that changed from the base of the PR and between 246cbe5 and d848eb1.

📒 Files selected for processing (1)
  • README.md (7 hunks)
🧰 Additional context used
🧠 Learnings (5)
📚 Learning: 2025-08-12T19:38:31.957Z
Learnt from: actuarysailor
PR: antonbabenko/pre-commit-terraform#925
File: examples/.pre-commit-config-docker.yaml:5-6
Timestamp: 2025-08-12T19:38:31.957Z
Learning: When contributing Docker-based pre-commit hooks, examples may temporarily need to reference the contributor's forked repository where the Docker image is built and published, until the PR is merged and the maintainer can update references to point to the canonical repository and publish the image from the official source.

Applied to files:

  • README.md
📚 Learning: 2025-08-15T22:32:20.677Z
Learnt from: actuarysailor
PR: antonbabenko/pre-commit-terraform#925
File: README.md:344-357
Timestamp: 2025-08-15T22:32:20.677Z
Learning: For Docker-based pre-commit hooks, the Docker image is specified in the `entry` parameter, not in a separate `image` field. The correct format uses `language: docker_image` and `entry: <docker-image-name>` with any additional arguments.

Applied to files:

  • README.md
📚 Learning: 2025-08-12T19:49:33.728Z
Learnt from: actuarysailor
PR: antonbabenko/pre-commit-terraform#925
File: Dockerfile.tools:158-177
Timestamp: 2025-08-12T19:49:33.728Z
Learning: In Dockerfile.tools for the pre-commit-terraform project, the duplicate COPY operations for hooks/ and lib_getopt (copying to both /usr/bin and /usr/local/bin) are intentional to avoid Docker build caching issues and prevent the need for serial build steps that would make CI/CD workflows longer. This is a pragmatic trade-off prioritizing build performance over Dockerfile cleanliness.

Applied to files:

  • README.md
📚 Learning: 2025-08-12T19:49:13.208Z
Learnt from: actuarysailor
PR: antonbabenko/pre-commit-terraform#925
File: .pre-commit-hooks.yaml:216-227
Timestamp: 2025-08-12T19:49:13.208Z
Learning: In Terraform projects, most module folders are downloaded dependencies (similar to GitHub Actions) rather than locally maintained code. Users typically want to document only the root module to avoid commit noise from modules they consume but don't maintain. The terraform_docs_docker hook's current design with pass_filenames: false and args targeting the current directory (.) is appropriate for this common single-module repository pattern.

Applied to files:

  • README.md
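The two learnings above (image given in `entry` with `language: docker_image`; `pass_filenames: false` with `args` targeting `.` for the docs hook) as a worked hook definition. This is an added illustration, not the PR's own `.pre-commit-hooks.yaml`; the digest is a placeholder, and it assumes the tools image accepts a tool name and its flags as the container command.

```yaml
# Added illustration (not the PR's .pre-commit-hooks.yaml): two hook definitions in the
# `language: docker_image` form. The image lives in `entry`, pinned by digest rather than a
# mutable tag; <DIGEST_PLACEHOLDER> stands in for a real sha256 value. That the tools image
# accepts "<tool> <flags>" as its command is an assumption about its entrypoint.
- id: terraform_fmt_docker
  name: Terraform fmt (Docker)
  description: Rewrites Terraform files to canonical format inside a container.
  language: docker_image
  # pre-commit runs this as:
  #   docker run --rm -u <uid>:<gid> -v "$PWD:/src" --workdir /src <entry> <args> <files>
  entry: ghcr.io/actuarysailor/pre-commit-terraform-tools@sha256:<DIGEST_PLACEHOLDER> terraform fmt -diff
  files: \.tf$

- id: terraform_docs_docker
  name: Terraform docs (Docker)
  description: Regenerates the README of the root module only.
  language: docker_image
  entry: ghcr.io/actuarysailor/pre-commit-terraform-tools@sha256:<DIGEST_PLACEHOLDER> terraform-docs
  # Root module only: no filenames are appended, and the args point at the repository root,
  # so consumed (downloaded) module folders are not documented.
  pass_filenames: false
  args: ["markdown", "table", "--output-file", "README.md", "."]
  files: \.tf$
```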
🔇 Additional comments (1)
README.md (1)

391-402: Example config uses a placeholder version correctly.

Good call using <VERSION_WITH_DOCKER_HOOKS> to avoid breaking users until a release with Docker hooks is cut. The reference to examples/.pre-commit-config-docker.yaml is also correct.

Successfully merging this pull request may close these issues:

  • Automate dependencies
  • Easier execution via docker image