Merge branch 'master' into add-graph-hook

Author: MaxymVlasov

.github/workflows/build-image-test.yaml

@@ -38,7 +38,7 @@ jobs:
 
     - name: Get changed Docker related files
       id: changed-files-specific
-      uses: tj-actions/changed-files@2f7c5bfce28377bc069a65ba478de0a74aa0ca32  # v46.0.1
+      uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c  # v46.0.5
       with:
         files: |
           .dockerignore

.github/workflows/ci-cd.yml

@@ -105,7 +105,7 @@ jobs:
 
     steps:
     - name: Switch to using Python 3.13 by default
-      uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38  # v5.4.0
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5.6.0
       with:
         python-version: 3.13
     - name: Check out src from Git
@@ -161,7 +161,7 @@ jobs:
         echo "dir=$(python -m pip cache dir)" >> "${GITHUB_OUTPUT}"
       shell: bash
     - name: Set up pip cache
-      uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf  # v4.2.2
+      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684  # v4.2.3
       with:
         path: ${{ steps.pip-cache-dir.outputs.dir }}
         key: >-
@@ -274,7 +274,7 @@ jobs:
 
     steps:
     - name: Switch to using Python 3.13
-      uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38  # v5.4.0
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5.6.0
       with:
         python-version: 3.13
 
@@ -307,7 +307,7 @@ jobs:
       run: >-
         echo "dir=$(python -m pip cache dir)" >> "${GITHUB_OUTPUT}"
     - name: Set up pip cache
-      uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf  # v4.2.2
+      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684  # v4.2.3
       with:
         path: ${{ steps.pip-cache-dir.outputs.dir }}
         key: >-
@@ -372,7 +372,7 @@ jobs:
         >> "${GITHUB_OUTPUT}"
       working-directory: dist
     - name: Store the distribution packages
-      uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1  # v4.6.1
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
       with:
         name: >-
           ${{ needs.pre-setup.outputs.dists-artifact-name }}

.github/workflows/codeql.yml

@@ -46,7 +46,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@6bb031afdd8eb862ea3fc1848194185e076637e5  # v3.28.11
+      uses: github/codeql-action/init@60168efe1c415ce0f5521ea06d5c2062adbeed1b  # v3.28.17
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in
@@ -58,7 +58,7 @@ jobs:
     # If this step fails, then you should remove it and run the build
     # manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@6bb031afdd8eb862ea3fc1848194185e076637e5  # v3.28.11
+      uses: github/codeql-action/autobuild@60168efe1c415ce0f5521ea06d5c2062adbeed1b  # v3.28.17
 
     # ℹ️ Command-line programs to run using the OS shell.
     # yamllint disable-line rule:line-length
@@ -73,6 +73,6 @@ jobs:
     #   ./location_of_script_within_repo/buildscript.sh
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@6bb031afdd8eb862ea3fc1848194185e076637e5  # v3.28.11
+      uses: github/codeql-action/analyze@60168efe1c415ce0f5521ea06d5c2062adbeed1b  # v3.28.17
       with:
         category: /language:${{matrix.language}}

.github/workflows/pre-commit.yaml

@@ -56,7 +56,7 @@ jobs:
         # https://web.archive.org/web/20210731173012/https://github.community/t/required-check-is-expected-after-automated-push/187545/
         ssh-key: ${{ secrets.GHA_AUTOFIX_COMMIT_KEY }}
     # Skip terraform_tflint which interferes to commit pre-commit auto-fixes
-    - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38  # v5.4.0
+    - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5.6.0
       with:
         python-version: '3.13'
 

.github/workflows/reusable-tox.yml

@@ -158,7 +158,7 @@ jobs:
         Switch to using Python v${{ inputs.python-version }}
         by default
       id: python-install
-      uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38  # v5.4.0
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5.6.0
       with:
         python-version: ${{ inputs.python-version }}
 
@@ -181,7 +181,7 @@ jobs:
 
     - name: Cache pre-commit.com virtualenvs
       if: inputs.toxenv == 'pre-commit'
-      uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf  # v4.2.2
+      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684  # v4.2.3
       with:
         path: ~/.cache/pre-commit
         key: >-
@@ -239,7 +239,7 @@ jobs:
       shell: bash
     - name: Set up pip cache
       if: fromJSON(steps.py-abi.outputs.is-stable-abi)
-      uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf  # v4.2.2
+      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684  # v4.2.3
       with:
         path: ${{ steps.pip-cache-dir.outputs.dir }}
         key: >-
@@ -266,7 +266,7 @@ jobs:
     - name: Download all the dists
       if: >-
         contains(fromJSON('["metadata-validation", "pytest"]'), inputs.toxenv)
-      uses: actions/download-artifact@b14cf4c92620c250e1c074ab0a5800e37df86765  # v4.2.0
+      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093  # v4.3.0
       with:
         name: ${{ inputs.dists-artifact-name }}
         path: dist/

.github/workflows/scorecards.yml

@@ -66,14 +66,14 @@ jobs:
     # Upload the results as artifacts (optional). Commenting out will disable
     # uploads of run results in SARIF format to the repository Actions tab.
     - name: Upload artifact
-      uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1  # v4.6.1
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
       with:
         name: SARIF file
         path: results.sarif
         retention-days: 5
 
     # Upload the results to GitHub's code scanning dashboard.
     - name: Upload to code-scanning
-      uses: github/codeql-action/upload-sarif@6bb031afdd8eb862ea3fc1848194185e076637e5  # v3.28.11
+      uses: github/codeql-action/upload-sarif@60168efe1c415ce0f5521ea06d5c2062adbeed1b  # v3.28.17
       with:
         sarif_file: results.sarif

.pre-commit-config.yaml

@@ -43,7 +43,7 @@ repos:
 
   # Detect hardcoded secrets
 - repo: https://github.com/gitleaks/gitleaks
-  rev: v8.24.2
+  rev: v8.26.0
   hooks:
   - id: gitleaks
 
@@ -66,7 +66,7 @@ repos:
     - --implicit_start
 
 - repo: https://github.com/adrienverge/yamllint.git
-  rev: v1.37.0
+  rev: v1.37.1
   hooks:
   - id: yamllint
     types:

README.md

@@ -2,10 +2,11 @@
 
 [![Latest Github tag]](https://github.com/antonbabenko/pre-commit-terraform/releases)
 ![Maintenance status](https://img.shields.io/maintenance/yes/2025.svg)
-[![Codetriage - Help Contribute to Open Source Badge]](https://www.codetriage.com/antonbabenko/pre-commit-terraform)
 [![GHA Tests CI/CD Badge]](https://github.com/antonbabenko/pre-commit-terraform/actions/workflows/ci-cd.yml)
 [![Codecov pytest Badge]](https://app.codecov.io/gh/antonbabenko/pre-commit-terraform?flags[]=pytest)
 [![OpenSSF Scorecard Badge]](https://scorecard.dev/viewer/?uri=github.com/antonbabenko/pre-commit-terraform)
+[![OpenSSF Best Practices Badge]](https://www.bestpractices.dev/projects/9963)
+[![Codetriage - Help Contribute to Open Source Badge]](https://www.codetriage.com/antonbabenko/pre-commit-terraform)
 
 [![StandWithUkraine Banner]](https://github.com/vshymanskyy/StandWithUkraine/blob/main/docs/README.md)
 
@@ -29,6 +30,7 @@ and [contributing notes](/.github/CONTRIBUTING.md).
 [GHA Tests CI/CD Badge]: https://github.com/antonbabenko/pre-commit-terraform/actions/workflows/ci-cd.yml/badge.svg?branch=master
 [Codecov Pytest Badge]: https://codecov.io/gh/antonbabenko/pre-commit-terraform/branch/master/graph/badge.svg?flag=pytest
 [OpenSSF Scorecard Badge]: https://api.scorecard.dev/projects/github.com/antonbabenko/pre-commit-terraform/badge
+[OpenSSF Best Practices Badge]: https://www.bestpractices.dev/projects/9963/badge
 [StandWithUkraine Banner]: https://raw.githubusercontent.com/vshymanskyy/StandWithUkraine/main/banner-direct.svg
 
 ## Sponsors
@@ -81,44 +83,6 @@ If you want to support the development of `pre-commit-terraform` and [many other
 ## How to install
 
 ### 1. Install dependencies
-<!-- (Do not remove html tags here) -->
-* [`pre-commit`](https://pre-commit.com/#install),
-  <sub><sup>[`terraform`](https://www.terraform.io/downloads.html) or [`opentofu`](https://opentofu.org/docs/intro/install/),
-  <sub><sup>[`git`](https://git-scm.com/downloads),
-  <sub><sup>[BASH `3.2.57` or newer](https://www.gnu.org/software/bash/#download),
-  <sub><sup>Internet connection (on first run),
-  <sub><sup>x86_64 or arm64 compatible operating system,
-  <sub><sup>Some hardware where this OS will run,
-  <sub><sup>Electricity for hardware and internet connection,
-  <sub><sup>Some basic physical laws,
-  <sub><sup>Hope that it all will work.
-  </sup></sub></sup></sub></sup></sub></sup></sub></sup></sub></sup></sub></sup></sub></sup></sub></sup></sub><br><br>
-* [`checkov`][checkov repo] required for `terraform_checkov` hook
-* [`terraform-docs`][terraform-docs repo] 0.12.0+ required for `terraform_docs` hook
-* [`terragrunt`][terragrunt repo] required for `terragrunt_validate` and `terragrunt_valid_inputs` hooks
-* [`terrascan`][terrascan repo] required for `terrascan` hook
-* [`TFLint`][tflint repo] required for `terraform_tflint` hook
-* [`TFSec`][tfsec repo] required for `terraform_tfsec` hook
-* [`Trivy`][trivy repo] required for `terraform_trivy` hook
-* [`infracost`][infracost repo] required for `infracost_breakdown` hook
-* [`jq`][jq repo] required for `terraform_validate` with `--retry-once-with-cleanup` flag, and for `infracost_breakdown` hook
-* [`tfupdate`][tfupdate repo] required for `tfupdate` hook
-* [`graphviz`](https://www.graphviz.org/download)  required for `terraform_graph` hook.
-* [`hcledit`][hcledit repo] required for `terraform_wrapper_module_for_each` hook
-
-
-#### 1.1 Custom Terraform binaries and OpenTofu support
-
-It is possible to set custom path to `terraform` binary.  
-This makes it possible to use [OpenTofu](https://opentofu.org) binary `tofu` instead of `terraform`.
-
-How binary discovery works and how you can redefine it (first matched takes precedence):
-
-1. Check if per hook configuration `--hook-config=--tf-path=<path_to_binary_or_binary_name>` is set
-2. Check if `PCT_TFPATH=<path_to_binary_or_binary_name>` environment variable is set
-3. Check if `TERRAGRUNT_TFPATH=<path_to_binary_or_binary_name>` environment variable is set
-4. Check if `terraform` binary can be found in the user's $PATH
-5. Check if `tofu` binary can be found in the user's $PATH
 
 <details><summary><b>Docker</b></summary><br>
 
@@ -250,6 +214,48 @@ E.g. `C:\Users\USERNAME\AppData\Local\Programs\Python\Python39\Lib\site-packages
 
 </details>
 
+Full list of dependencies and where they are used:
+
+<!-- (Do not remove html tags here) -->
+* [`pre-commit`](https://pre-commit.com/#install),
+  <sub><sup>[`terraform`](https://www.terraform.io/downloads.html) or [`opentofu`](https://opentofu.org/docs/intro/install/),
+  <sub><sup>[`git`](https://git-scm.com/downloads),
+  <sub><sup>[BASH `3.2.57` or newer](https://www.gnu.org/software/bash/#download),
+  <sub><sup>Internet connection (on first run),
+  <sub><sup>x86_64 or arm64 compatible operating system,
+  <sub><sup>Some hardware where this OS will run,
+  <sub><sup>Electricity for hardware and internet connection,
+  <sub><sup>Some basic physical laws,
+  <sub><sup>Hope that it all will work.
+  </sup></sub></sup></sub></sup></sub></sup></sub></sup></sub></sup></sub></sup></sub></sup></sub></sup></sub><br><br>
+* [`checkov`][checkov repo] required for `terraform_checkov` hook
+* [`terraform-docs`][terraform-docs repo] 0.12.0+ required for `terraform_docs` hook
+* [`terragrunt`][terragrunt repo] required for `terragrunt_validate` and `terragrunt_valid_inputs` hooks
+* [`terrascan`][terrascan repo] required for `terrascan` hook
+* [`TFLint`][tflint repo] required for `terraform_tflint` hook
+* [`TFSec`][tfsec repo] required for `terraform_tfsec` hook
+* [`Trivy`][trivy repo] required for `terraform_trivy` hook
+* [`infracost`][infracost repo] required for `infracost_breakdown` hook
+* [`jq`][jq repo] required for `terraform_validate` with `--retry-once-with-cleanup` flag, and for `infracost_breakdown` hook
+* [`tfupdate`][tfupdate repo] required for `tfupdate` hook
+* [`graphviz`](https://www.graphviz.org/download)  required for `terraform_graph` hook.
+* [`hcledit`][hcledit repo] required for `terraform_wrapper_module_for_each` hook
+
+
+#### 1.1 Custom Terraform binaries and OpenTofu support
+
+It is possible to set custom path to `terraform` binary.  
+This makes it possible to use [OpenTofu](https://opentofu.org) binary (`tofu`) instead of `terraform`.
+
+How binary discovery works and how you can redefine it (first matched takes precedence):
+
+1. Check if per hook configuration `--hook-config=--tf-path=<path_to_binary_or_binary_name>` is set
+2. Check if `PCT_TFPATH=<path_to_binary_or_binary_name>` environment variable is set
+3. Check if `TERRAGRUNT_TFPATH=<path_to_binary_or_binary_name>` environment variable is set
+4. Check if `terraform` binary can be found in the user's `$PATH`
+5. Check if `tofu` binary can be found in the user's `$PATH`
+
+
 ### 2. Install the pre-commit hook globally
 
 > [!NOTE]
@@ -277,6 +283,14 @@ repos:
 EOF
 ```
 
+If this repository was initialized locally via `git init` or `git clone` _before_
+you installed the pre-commit hook globally ([step 2](#2-install-the-pre-commit-hook-globally)),
+you will need to run:
+
+```bash
+pre-commit install
+```
+
 ### 4. Run
 
 Execute this command to run `pre-commit` on all files in the repository (not only changed files):
@@ -352,10 +366,10 @@ Config example:
 - id: terraform_tflint
   args:
   - --args=--config=${CONFIG_NAME}.${CONFIG_EXT}
-  - --args=--module
+  - --args=--call-module-type="all"
 ```
 
-If for config above set up `export CONFIG_NAME=.tflint; export CONFIG_EXT=hcl` before `pre-commit run`, args will be expanded to `--config=.tflint.hcl --module`.
+If for config above set up `export CONFIG_NAME=.tflint; export CONFIG_EXT=hcl` before `pre-commit run`, args will be expanded to `--config=.tflint.hcl --call-module-type="all"`.
 
 ### All hooks: Set env vars inside hook at runtime