
checkov_secret git commit hook crashes when no tf files are dirty

Open · leonavevor opened this issue 7 months ago · 1 comment

Describe the issue

checkov_secret git commit hook crashes when no tf files are dirty (on commit).

Examples

This is my pre-commit hook config:

```yaml
- repo: local
  hooks:
    - id: checkov_secrets
      name: Checkov Secrets
      description: This hook looks for secrets with checkov.
      entry: checkov --framework secrets --enable-secret-scan-all-files --quiet --config-file .checkov.yml
      args: [ "-f" ] # required and must come last
      language: python
      always_run: true
      files: .tf$
      exclude: (.+.terraform/.*$)|(.+.terragrunt-cache/.*$)
      require_serial: true
```

Expected outcome: it shouldn't fail just because there was no dirty tf file.

Exception Trace

```
Terraform validate...................................(no files to check)Skipped
Checkov..............................................(no files to check)Skipped
Checkov Secrets..........................................................Failed
- hook id: checkov_secrets
- exit code: 2

usage: checkov [-h] [-v] [--support] [-d DIRECTORY] [--add-check] [-f FILE [FILE ...]] [--skip-path SKIP_PATH] [--external-checks-dir EXTERNAL_CHECKS_DIR] [--external-checks-git EXTERNAL_CHECKS_GIT] [-l] [-o {cli,csv,cyclonedx,cyclonedx_json,json,junitxml,github_failed_only,gitlab_sast,sarif,spdx}] [--output-file-path OUTPUT_FILE_PATH] [--output-bc-ids] [--include-all-checkov-policies] [--quiet] [--compact] [--framework FRAMEWORK [FRAMEWORK ...]] [--skip-framework SKIP_FRAMEWORK [SKIP_FRAMEWORK ...]] [-c CHECK] [--skip-check SKIP_CHECK] [--run-all-external-checks] [-s] [--soft-fail-on SOFT_FAIL_ON] [--hard-fail-on HARD_FAIL_ON] [--bc-api-key BC_API_KEY] [--prisma-api-url PRISMA_API_URL] [--skip-results-upload] [--docker-image DOCKER_IMAGE] [--dockerfile-path DOCKERFILE_PATH] [--repo-id REPO_ID] [-b BRANCH] [--skip-download] [--use-enforcement-rules] [--download-external-modules DOWNLOAD_EXTERNAL_MODULES] [--var-file VAR_FILE] [--external-modules-download-path EXTERNAL_MODULES_DOWNLOAD_PATH] [--evaluate-variables EVALUATE_VARIABLES] [-ca CA_CERTIFICATE] [--no-cert-verify] [--repo-root-for-plan-enrichment REPO_ROOT_FOR_PLAN_ENRICHMENT] [--config-file CONFIG_FILE] [--create-config CREATE_CONFIG] [--show-config] [--create-baseline] [--baseline BASELINE] [--output-baseline-as-skipped] [--skip-cve-package SKIP_CVE_PACKAGE] [--policy-metadata-filter POLICY_METADATA_FILTER] [--policy-metadata-filter-exception POLICY_METADATA_FILTER_EXCEPTION] [--secrets-scan-file-type SECRETS_SCAN_FILE_TYPE] [--enable-secret-scan-all-files] [--block-list-secret-scan BLOCK_LIST_SECRET_SCAN] [--summary-position {top,bottom}] [--skip-resources-without-violations] [--deep-analysis] [--no-fail-on-crash] [--mask MASK] [--scan-secrets-history] [--secrets-history-timeout SECRETS_HISTORY_TIMEOUT] [--openai-api-key OPENAI_API_KEY] [--custom-tool-name CUSTOM_TOOL_NAME]
checkov: error: argument -f/--file: expected at least one argument
```


Desktop (please complete the following information):

  • OS: [ubuntu 24.04]
  • Checkov Version [3.2.410]

Additional context: it shouldn't fail when no tf file is dirty in the commit. The main checkov hook behaves as expected, but checkov_secret doesn't.

Temporary remedy: I had to fix this by adding a trailing empty string to the args: `args: [ "-f", "" ]` # (worked)

leonavevor avatar May 10 '25 10:05 leonavevor
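The failure above comes from `always_run: true` combined with `args: [ "-f" ]`: when no staged file matches `files: .tf$`, pre-commit still runs the hook but passes no paths, so checkov is invoked as `checkov ... -f` and its argument parser rejects a bare `-f`. A hypothetical wrapper script for the hook's `entry` (an added example, not checkov's code or the reporter's config) that skips cleanly when no paths are given; the function name and the `CHECKOV` override variable are assumptions:

```shell
#!/usr/bin/env sh
# Wrapper for a pre-commit "local" hook around checkov's secret scan.
# pre-commit appends the staged file paths as positional arguments; with
# always_run: true that list can be empty, which would turn into a bare
# "-f" and fail with "expected at least one argument" (exit code 2).
# Hypothetical helper, not part of checkov. CHECKOV defaults to the
# checkov binary on PATH and can be overridden (e.g. for dry runs).

run_checkov_secrets() {
    if [ "$#" -eq 0 ]; then
        # Nothing staged for this hook: report it and let the commit proceed.
        echo "checkov_secrets: no staged files to scan, skipping" >&2
        return 0
    fi
    # Same options as the reporter's entry; "-f" must come last and
    # receives every path pre-commit handed us.
    "${CHECKOV:-checkov}" --framework secrets --enable-secret-scan-all-files \
        --quiet --config-file .checkov.yml -f "$@"
}

# Run as a script (not when sourced by a test harness that defines $0 differently).
case "$0" in
    *run_checkov_secrets*) run_checkov_secrets "$@" ;;
esac
```

Point the hook's `entry` at this script and drop the `args` line; the `-f` is then only emitted when there is at least one file to pass.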


Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at codifiedsecurity.slack.com Thanks!

stale[bot] avatar Nov 12 '25 21:11 stale[bot]

Closing issue due to inactivity. If you feel this is in error, please re-open, or reach out to the community via slack: codifiedsecurity.slack.com Thanks!

stale[bot] avatar Nov 27 '25 00:11 stale[bot]