feat: Add support of __GIT_WORKING_DIR__ placeholder for all hooks

[yermulnik]

Put an x into the box if that apply:

• This PR introduces breaking change.
• This PR fixes a bug.
• This PR adds new functionality.
• This PR enhances existing functionality.

Description of your changes

Move __GIT_WORKING_DIR__ permutation feature over right into common::parse_cmdline function so that it is available to all hooks that utilize common::parse_cmdline function.

Resolves #944

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

📝 Walkthrough

Summary by CodeRabbit

• Documentation

  • Added guidance on using the __GIT_WORKING_DIR__ placeholder in hook arguments with practical examples.
  • Improved formatting and consistency across documentation sections.

• Refactor

  • Enhanced __GIT_WORKING_DIR__ placeholder handling to ensure consistent behavior across all hooks.

Walkthrough

Centralized runtime replacement of the __GIT_WORKING_DIR__ placeholder into common::parse_cmdline, removed per-hook replacement loops from four Terraform hooks, and added a README subsection documenting placeholder usage and examples.

Changes

Cohort / File(s)	Change summary
Documentation README.md	Added "All hooks: Usage of GIT_WORKING_DIR" subsection explaining runtime replacement and example; updated hooks TOC and adjusted formatting/code-blocks for consistency.
Common parsing hooks/_common.sh	common::parse_cmdline now replaces all occurrences of __GIT_WORKING_DIR__ with $PWD when building the ARGS array.
Terraform hooks (cleanup) hooks/terraform_checkov.sh, hooks/terraform_tflint.sh, hooks/terraform_tfsec.sh, hooks/terraform_trivy.sh	Removed per-hook loops that previously substituted __GIT_WORKING_DIR__ in ARGS; hooks now consume ARGS already substituted by _common.sh. Added shellcheck disable comments where applicable.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant CLI as pre-commit CLI
    participant Common as common::parse_cmdline
    participant Hook as terraform_* hook

    rect #f0f9ff
    CLI->>Common: invoke hook with --args (may include __GIT_WORKING_DIR__)
    note right of Common: Replace __GIT_WORKING_DIR__ → $PWD\nBuild ARGS, FILES, HOOK_ID
    Common-->>CLI: return parsed ARGS, FILES, HOOK_ID
    end

    rect #f6fff0
    CLI->>Hook: invoke hook main with ARGS, FILES
    Hook->>Hook: use ARGS (already substituted)
    Hook-->>CLI: run checks and return status
    end

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

hook/terraform_trivy

Suggested reviewers

• antonbabenko

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)

Check name	Status	Explanation
Linked Issues Check	✅ Passed	The pull request successfully implements all coding-related objectives from issue #944. The __GIT_WORKING_DIR__ replacement logic has been centralized in common::parse_cmdline function as specified, the duplicate replacement loops have been removed from all four individual hook scripts (terraform_tflint.sh, terraform_trivy.sh, terraform_checkov.sh, terraform_tfsec.sh), and the README.md has been updated with documentation about the centralized __GIT_WORKING_DIR__ placeholder usage. The implementation follows the proposed pattern of iterating over ARGS and replacing occurrences of the placeholder with the working directory.
Out of Scope Changes Check	✅ Passed	All changes in the pull request are directly aligned with the objectives stated in issue #944. The modifications to hooks/_common.sh implement the central replacement logic, removals from individual hook scripts eliminate the duplicate implementations, and README.md updates document the new centralized behavior. Minor additions such as shellcheck directives in terraform_tflint.sh and terraform_trivy.sh are reasonable follow-up changes to clarify that ARGS is now set in the centralized common::parse_cmdline function rather than locally in each hook. No out-of-scope changes are present in this pull request.
Description Check	✅ Passed	The PR description directly relates to the changeset by explaining that the __GIT_WORKING_DIR__ permutation feature is being moved into the common::parse_cmdline function to make it available to all hooks that utilize that function. The description matches the actual implementation changes and provides sufficient context for understanding the intent of the pull request. The author also properly references the related issue (#944) that this PR resolves.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.
Title Check	✅ Passed	The PR title "feat: Add support of __GIT_WORKING_DIR__ placeholder for all hooks" accurately reflects the main objective of this changeset. The pull request centralizes the __GIT_WORKING_DIR__ replacement logic into the common::parse_cmdline function, making the placeholder support available to all hooks that use this function. The title is concise, specific, and clearly communicates the primary change—that users can now use the __GIT_WORKING_DIR__ placeholder across all hooks rather than only in individual hook scripts. The title is neither vague nor misleading, and it would allow a teammate scanning commit history to quickly understand the feature addition.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch issues/944/feat_Convert__GIT_WORKING_DIR__to_a_global_scope

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[yermulnik]

@GSokol Could you please verify if the 405a6d5 commit works for you? Thanks

@MaxymVlasov Do you have a use case to test it too please?

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

README.md (1)

497-517: Minor formatting inconsistencies in examples.

Lines 497-517 and 713-721 appear to have formatting changes (indentation/spacing). Static analysis flagged MD049 (emphasis style) at line 845 for asterisk vs. underscore usage. Ensure all code examples follow consistent formatting conventions throughout the README to maintain clarity and adherence to markdownlint rules.

Also applies to: 713-721

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 18cead2 and 405a6d5.

📒 Files selected for processing (6)

• README.md (5 hunks)
• hooks/_common.sh (1 hunks)
• hooks/terraform_checkov.sh (0 hunks)
• hooks/terraform_tflint.sh (1 hunks)
• hooks/terraform_tfsec.sh (0 hunks)
• hooks/terraform_trivy.sh (0 hunks)

💤 Files with no reviewable changes (3)

• hooks/terraform_checkov.sh
• hooks/terraform_tfsec.sh
• hooks/terraform_trivy.sh

🧰 Additional context used

🪛 GitHub Actions: Common issues check

hooks/terraform_tflint.sh

[error] 22-22: ShellCheck SC2153: Possible misspelling: ARGS may not be assigned. Did you mean args?

🪛 LanguageTool

README.md

[grammar] ~372-~372: There might be a mistake here.
Context: ...eholder in --args. It will be replaced by the Git working directory (repo root)...

(QB_NEW_EN)

---

[grammar] ~375-~375: There might be a mistake here.
Context: ...ave multiple directories and want to run terraform_tflint in all of them while ...

(QB_NEW_EN)

---

[grammar] ~376-~376: There might be a mistake here.
Context: ...e sharing a single config file — use the __GIT_WORKING_DIR__ placeholder in the...

(QB_NEW_EN)

---

[grammar] ~845-~845: Use a hyphen to join words.
Context: ...arning messages, rather than just module relative paths. *Note: this requires `tf...

(QB_NEW_EN_HYPHEN)

🪛 markdownlint-cli2 (0.18.1)

README.md

55-55: Link fragments should be valid

(MD051, link-fragments)

---

506-506: Link text should be descriptive

(MD059, descriptive-link-text)

---

845-845: Emphasis style
Expected: underscore; Actual: asterisk

(MD049, emphasis-style)

---

845-845: Emphasis style
Expected: underscore; Actual: asterisk

(MD049, emphasis-style)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (10)

• GitHub Check: 🧪 Tests / pytest@🐍3.13@windows-2025
• GitHub Check: 🧹 Linters / pre-commit@🐍3.13@ubuntu-latest
• GitHub Check: 🧪 Tests / pytest@🐍3.13@macos-13
• GitHub Check: 🧪 Tests / pytest@🐍3.9@macos-13
• GitHub Check: 🧪 Tests / pytest@🐍3.12@macos-13
• GitHub Check: 🧪 Tests / pytest@🐍3.9@windows-2025
• GitHub Check: 🧪 Tests / pytest@🐍3.10@windows-2025
• GitHub Check: 🧪 Tests / pytest@🐍3.10@macos-14
• GitHub Check: 🧪 Tests / pytest@🐍3.9@macos-14
• GitHub Check: 🧪 Tests / pytest@🐍3.12@windows-2025

🔇 Additional comments (4)

README.md (1)

370-384: Excellent documentation of the __GIT_WORKING_DIR__ placeholder feature.

The new section clearly explains the placeholder's purpose, provides a practical use case, and includes a concrete YAML configuration example. The placement after the environment variables section is logical and consistent with the documentation structure. Static analysis flagged minor grammar suggestions (LanguageTool), but these do not impede clarity.

hooks/_common.sh (1)

86-88: Correctly centralizes __GIT_WORKING_DIR__ placeholder replacement in parse_cmdline.

The logic "${ARG//__GIT_WORKING_DIR__/$PWD}" uses proper bash parameter expansion to replace all occurrences of the placeholder with the current working directory. By centralizing this in parse_cmdline, all hooks using this function automatically benefit from the feature without per-hook duplication. The strategic placement before appending to the ARGS array ensures every argument is processed consistently.

Consider verifying that edge cases like paths containing special characters (spaces, quotes) are handled correctly by downstream hooks.

hooks/terraform_tflint.sh (2)

1-77: Correctly removes per-hook __GIT_WORKING_DIR__ replacement now that logic is centralized.

The removal of the per-hook replacement loop aligns with the PR objective to consolidate this logic into common::parse_cmdline. The rest of the hook's logic remains intact and will benefit from the centralized replacement in _common.sh.

---

22-22: ShellCheck warning SC2153 is likely a false positive.

The pipeline reports a warning that ARGS may not be assigned (line 22: tflint --init "${ARGS[@]}"). However, ARGS is a global array declared and populated in common::parse_cmdline (in _common.sh line 55), which is sourced and called before this line. ShellCheck may not detect globals from sourced scripts. This is a known limitation.

If the warning persists, you can suppress it with a shellcheck directive:

# shellcheck disable=SC2153

Verify whether similar warnings appear in other hook files (terraform_checkov.sh, terraform_trivy.sh, terraform_tfsec.sh) or if this is specific to terraform_tflint.sh.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

README.md (1)

370-376: Minor grammar issue: Rephrase for clarity.

Line 372 uses "It will be replaced" in a slightly awkward construction. Consider: "The placeholder will be replaced at runtime with the Git working directory (repo root)." This reads more naturally. Similarly, line 375 uses "For instance" which is acceptable but could be tightened: "For example, if you have multiple directories and want to run terraform_tflint across all of them while sharing a single config file—use the GIT_WORKING_DIR placeholder in the file path:"

- You can use `__GIT_WORKING_DIR__` placeholder in `--args`. It will be replaced
- by the Git working directory (repo root) at run time.
- 
- For instance, if you have multiple directories and want to run
- `terraform_tflint` in all of them while sharing a single config file — use the
- `__GIT_WORKING_DIR__` placeholder in the file path. For example:
+ You can use the `__GIT_WORKING_DIR__` placeholder in `--args`. At runtime, it is replaced
+ with the Git working directory (repo root).
+ 
+ For example, if you have multiple directories and want to run `terraform_tflint`
+ across all of them while sharing a single config file, use the `__GIT_WORKING_DIR__`
+ placeholder in the file path:

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 405a6d5 and 9faa857.

📒 Files selected for processing (1)

• README.md (5 hunks)

🧰 Additional context used

🪛 LanguageTool

README.md

[grammar] ~372-~372: There might be a mistake here.
Context: ...eholder in --args. It will be replaced by the Git working directory (repo root)...

(QB_NEW_EN)

---

[grammar] ~375-~375: There might be a mistake here.
Context: ...ave multiple directories and want to run terraform_tflint in all of them while ...

(QB_NEW_EN)

---

[grammar] ~376-~376: There might be a mistake here.
Context: ...e sharing a single config file — use the __GIT_WORKING_DIR__ placeholder in the...

(QB_NEW_EN)

---

[grammar] ~845-~845: Use a hyphen to join words.
Context: ...arning messages, rather than just module relative paths. *Note: this requires `tf...

(QB_NEW_EN_HYPHEN)

🪛 markdownlint-cli2 (0.18.1)

README.md

506-506: Link text should be descriptive

(MD059, descriptive-link-text)

---

845-845: Emphasis style
Expected: underscore; Actual: asterisk

(MD049, emphasis-style)

---

845-845: Emphasis style
Expected: underscore; Actual: asterisk

(MD049, emphasis-style)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (7)

• GitHub Check: 🧪 Tests / pytest@🐍3.11@macos-14
• GitHub Check: 🧪 Tests / pytest@🐍3.13@macos-14
• GitHub Check: 🧪 Tests / pytest@🐍3.9@macos-14
• GitHub Check: 🧪 Tests / pytest@🐍3.10@macos-14
• GitHub Check: 🧪 Tests / pytest@🐍3.12@macos-14
• GitHub Check: 🧹 Linters / pre-commit@🐍3.13@ubuntu-latest
• GitHub Check: pre-commit

🔇 Additional comments (2)

README.md (2)

55-55: The TOC link fragment is correct and requires no changes.

The heading anchor generated from ### All hooks: Usage of \GIT_WORKING_DIR` placeholder in `--args`matches the TOC fragment#all-hooks-usage-of-git_working_dir-placeholder-in---args` exactly. GitHub's markdown slug rules strip backticks and special characters consistently, so the link will resolve correctly.

Additionally, there is no markdown linter (markdownlint, mdl, etc.) configured in the project's .pre-commit-config.yaml or CI/CD pipeline—only Git hooks, YAML, Bash, Python, and GitHub Actions linting are enabled. The MD051 concern does not apply.

Likely an incorrect or invalid review comment.

---

370-384: Documentation and implementation are consistent and correct.

The verification confirms:

1. Pre-commit framework and Git itself guarantee that hooks execute with working directory set to the repository root
2. Using $PWD in the replacement logic (line 88 of hooks/_common.sh) is appropriate and accurate
3. The README documentation statement "will be replaced by the Git working directory (repo root) at run time" correctly describes the actual behavior
4. The YAML example aligns with implementation expectations

[GSokol]

@GSokol Could you please verify if the 405a6d5 commit works for you? Thanks

That works:

# .pre-commit-config.yaml
repos:
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    #rev: v1.101.0
    rev: 405a6d5477725b2f50a6eb9245c09d8eccaf2efe
    hooks:
      # Octopus
      - id: terrascan
        files: ^infrastructure/.*\.tf$
        args:
          - --args=--config-path=/__GIT_WORKING_DIR__/.terrascan.toml

The following command passes with the config now:

podman run --rm \
--userns=keep-id -v "$(pwd):/project:U" \
-w /project \
-u="${UID}:${GID}" \
localhost/ci-helper:latest pre-commit run --all-files

[Copilot]

Pull Request Overview

This PR converts the __GIT_WORKING_DIR__ placeholder functionality from individual hook implementations to a global feature available in the common::parse_cmdline function. This makes the placeholder available to all hooks that use this common parsing function instead of being limited to specific hooks.

Key changes:

• Moved __GIT_WORKING_DIR__ replacement logic from individual hooks to the common parsing function
• Removed duplicate code blocks from four different hook files
• Updated documentation to reflect the global availability of this feature

Reviewed Changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
hooks/_common.sh	Added __GIT_WORKING_DIR__ placeholder replacement logic to the common::parse_cmdline function
hooks/terraform_trivy.sh	Removed duplicate __GIT_WORKING_DIR__ replacement code and added shellcheck disable comment
hooks/terraform_tfsec.sh	Removed duplicate __GIT_WORKING_DIR__ replacement code
hooks/terraform_tflint.sh	Removed duplicate __GIT_WORKING_DIR__ replacement code and added shellcheck disable comment
hooks/terraform_checkov.sh	Removed duplicate __GIT_WORKING_DIR__ replacement code and added shellcheck disable comment
README.md	Updated documentation to describe the global __GIT_WORKING_DIR__ feature and removed hook-specific examples

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[yermulnik]

@MaxymVlasov Please validate code change and review PR when you have a chance 🤞🏻

[MaxymVlasov]

Works fine

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 84a07ea and 145d6f8.

📒 Files selected for processing (1)

• README.md (5 hunks)

🧰 Additional context used

🪛 LanguageTool

README.md

[grammar] ~848-~848: Use a hyphen to join words.
Context: ...arning messages, rather than just module relative paths. *Note: this requires `tf...

(QB_NEW_EN_HYPHEN)

🪛 markdownlint-cli2 (0.18.1)

README.md

509-509: Link text should be descriptive

(MD059, descriptive-link-text)

---

848-848: Emphasis style
Expected: underscore; Actual: asterisk

(MD049, emphasis-style)

---

848-848: Emphasis style
Expected: underscore; Actual: asterisk

(MD049, emphasis-style)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: 🧪 Tests / pytest@🐍3.13@macos-14
• GitHub Check: 🧪 Tests / pytest@🐍3.12@macos-14
• GitHub Check: 🧪 Tests / pytest@🐍3.9@macos-13
• GitHub Check: 🧪 Tests / pytest@🐍3.10@macos-13
• GitHub Check: 🧪 Tests / pytest@🐍3.13@macos-13

🔇 Additional comments (1)

README.md (1)

370-386: New section appropriately documents centralized __GIT_WORKING_DIR__ replacement.

The documentation is clear, includes rationale, and provides a practical example. Placement mirrors the environment variable section, maintaining consistency.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Improve link text for accessibility and clarity.

At line 509, the link text "here" is not descriptive. Replace with text that indicates the destination, e.g., "Check all available checkov CLI arguments."

- Check all available arguments [here](https://www.checkov.io/2.Basics/CLI%20Command%20Reference.html).
+ Check all available [checkov CLI arguments](https://www.checkov.io/2.Basics/CLI%20Command%20Reference.html).

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	You can specify custom arguments. E.g.:
	For deprecated hook you need to specify each argument separately:
	```yaml
	- id: terraform_checkov
	args:
	- --args=--quiet
	- --args=--skip-check CKV2_AWS_8
	```
	```yaml
	- id: checkov
	args: [
	"-d", ".",
	"--skip-check", "CKV2_AWS_8",
	]
	```
	Check all available arguments [here](https://www.checkov.io/2.Basics/CLI%20Command%20Reference.html).
	2. When you have multiple directories and want to run `terraform_checkov` in all of them and share a single config file - use the `__GIT_WORKING_DIR__` placeholder. It will be replaced by `terraform_checkov` hooks with the Git working directory (repo root) at run time. For example:
	For deprecated hook you need to specify each argument separately:
	```yaml
	- id: terraform_checkov
	args:
	- --args=--config-file __GIT_WORKING_DIR__/.checkov.yml
	```
	```yaml
	- id: checkov
	args: [
	"-d", ".",
	"--skip-check", "CKV2_AWS_8",
	]
	```
	You can specify custom arguments. E.g.:

🧰 Tools

🪛 markdownlint-cli2 (0.18.1)

509-509: Link text should be descriptive

(MD059, descriptive-link-text)

🤖 Prompt for AI Agents

In README.md around lines 500 to 519, the link text "here" is not descriptive;
update the link text to a meaningful phrase like "checkov CLI arguments" so the
sentence reads: "Check all available checkov CLI arguments" with the existing
URL. Ensure you replace only the link text (not the URL) and keep surrounding
punctuation and markdown formatting intact for accessibility and clarity.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Fix emphasis style and grammar issues.

Two minor style issues flagged by linting:

1. Emphasis style (MD049): Use underscores instead of asterisks for consistency. Change *Note: this requires...* to _Note: this requires..._
2. Hyphenation (grammar): Use hyphen for compound adjective: "module-relative paths" instead of "module relative paths"

- 2. By default, pre-commit-terraform performs directory switching into the terraform modules for you. If you want to delegate the directory changing to the binary - this will allow tflint to determine the full paths for error/warning messages, rather than just module relative paths. *Note: this requires `tflint>=0.44.0`.* For example:
+ 2. By default, pre-commit-terraform performs directory switching into the terraform modules for you. If you want to delegate the directory changing to the binary - this will allow tflint to determine the full paths for error/warning messages, rather than just module-relative paths. _Note: this requires `tflint>=0.44.0`._  For example:

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	2. By default, pre-commit-terraform performs directory switching into the terraform modules for you. If you want to delegate the directory changing to the binary - this will allow tflint to determine the full paths for error/warning messages, rather than just module relative paths. *Note: this requires `tflint>=0.44.0`.* For example:
	2. By default, pre-commit-terraform performs directory switching into the terraform modules for you. If you want to delegate the directory changing to the binary - this will allow tflint to determine the full paths for error/warning messages, rather than just module-relative paths. _Note: this requires `tflint>=0.44.0`._ For example:

🧰 Tools

🪛 LanguageTool

[grammar] ~848-~848: Use a hyphen to join words.
Context: ...arning messages, rather than just module relative paths. *Note: this requires `tf...

(QB_NEW_EN_HYPHEN)

🪛 markdownlint-cli2 (0.18.1)

848-848: Emphasis style
Expected: underscore; Actual: asterisk

(MD049, emphasis-style)

---

848-848: Emphasis style
Expected: underscore; Actual: asterisk

(MD049, emphasis-style)

🤖 Prompt for AI Agents

In README.md around line 848, fix two style issues: replace the
asterisk-emphasized phrase "*Note: this requires `tflint>=0.44.0`.*" with
underscore emphasis `_Note: this requires \`tflint>=0.44.0\`._` and change
"module relative paths" to the hyphenated "module-relative paths" so the
sentence reads with consistent Markdown emphasis and correct compound adjective
hyphenation.

[antonbabenko]

This PR is included in version 1.103.0 🎉