Enable checkov in pre-commit (#43)

.github/workflows/add-to-projects.yml

@@ -8,6 +8,9 @@ on:
     types:
       - opened
 
+permissions:
+  issues: write
+
 jobs:
   add-to-osinfra-project:
     name: Open Source Infrastructure (as Code)

.github/workflows/dependabot.yml

@@ -2,6 +2,9 @@ name: Dependabot Approve and Merge
 
 on: pull_request_target
 
+permissions:
+  contents: read
+
 jobs:
   dependabot:
     name: Dependabot

.pre-commit-config.yaml

@@ -11,7 +11,7 @@ repos:
       - id: check-symlinks
 
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.89.1
+    rev: v1.91.0
     hooks:
       - id: terraform_fmt
 
@@ -22,8 +22,16 @@ repos:
         args:
           - --hook-config=--retry-once-with-cleanup=true
           - --tf-init-args=-upgrade
-        exclude: fixtures/shared
+        exclude: tests/fixtures/shared
 
       # Always run after terraform_validate
 
       - id: terraform_docs
+
+  - repo: https://github.com/bridgecrewio/checkov.git
+    rev: 3.2.129
+    hooks:
+      - id: checkov
+        verbose: true
+        args:
+          - --quiet

README.md

@@ -74,7 +74,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_google"></a> [google](#provider\_google) | 5.26.0 |
+| <a name="provider_google"></a> [google](#provider\_google) | 5.32.0 |
 
 ### Modules
 
@@ -96,6 +96,7 @@ No modules.
 | <a name="input_location"></a> [location](#input\_location) | The location the storage bucket will be created in | `string` | n/a | yes |
 | <a name="input_name"></a> [name](#input\_name) | The name of the storage bucket | `any` | n/a | yes |
 | <a name="input_project"></a> [project](#input\_project) | The ID of the project in which the resource belongs | `string` | n/a | yes |
+| <a name="input_public_access_prevention"></a> [public\_access\_prevention](#input\_public\_access\_prevention) | The public access prevention configuration for the bucket | `string` | `"enforced"` | no |
 | <a name="input_storage_class"></a> [storage\_class](#input\_storage\_class) | The Storage Class of the new bucket. Supported values include: STANDARD, MULTI\_REGIONAL, REGIONAL, NEARLINE, COLDLINE, ARCHIVE | `string` | `"STANDARD"` | no |
 | <a name="input_versioning"></a> [versioning](#input\_versioning) | The bucket's Versioning configuration | `bool` | `true` | no |
 

main.tf

@@ -3,7 +3,8 @@
 
 resource "google_storage_bucket" "this" {
 
-  # In most cases, Cloud Audit Logs is the recommended method for generating logs that track API operations
+  # Bucket should log access
+  # checkov:skip=CKV_GCP_62: In most cases, Cloud Audit Logs is the recommended method for generating logs that track API operations
   # performed in Cloud Storage.
 
   dynamic "encryption" {
@@ -13,12 +14,13 @@ resource "google_storage_bucket" "this" {
     }
   }
 
-  force_destroy = var.force_destroy
-  labels        = var.labels
-  location      = var.location
-  name          = var.name
-  project       = var.project
-  storage_class = var.storage_class
+  force_destroy            = var.force_destroy
+  labels                   = var.labels
+  location                 = var.location
+  name                     = var.name
+  project                  = var.project
+  public_access_prevention = var.public_access_prevention
+  storage_class            = var.storage_class
 
   # Generally, using uniform bucket-level access is recommended, because it unifies and simplifies how you grant access
   # to your Cloud Storage resources.

variables.tf

@@ -28,6 +28,12 @@ variable "name" {
   description = "The name of the storage bucket"
 }
 
+variable "public_access_prevention" {
+  description = "The public access prevention configuration for the bucket"
+  type        = string
+  default     = "enforced"
+}
+
 variable "project" {
   description = "The ID of the project in which the resource belongs"
   type        = string