Custom hooks: zero-config security & cost scanners
Atmos hooks now have a kind system: the same before-terraform-plan /
after-terraform-plan lifecycle you already know, but the dispatch is
pluggable and built-in kinds ship for common tools. Two lines in a stack
manifest get you cost analysis from infracost, or SARIF scanning from
checkov, trivy, or kics, with tools auto-installed via the Atmos
toolchain.

    components:
      terraform:
        vpc:
          dependencies:
            tools:
              checkov: "3.2.529"
          hooks:
            security:
              events: [after-terraform-plan]
              kind: checkov

That's the whole config. No scanner binary on PATH, no custom command
wrapper, no GitHub Actions glue. Running atmos terraform plan vpc -s prod
auto-installs checkov via the toolchain, runs it against the component,
parses the SARIF, renders the findings as a markdown table in your
terminal, and (when Atmos Pro is connected) ships the same body to the
run page.
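
The parse-and-render step described above, as an added example (not Atmos's own code, which this page does not show): it reads SARIF 2.1.0, resolves each result's effective level, and builds a markdown table with scanner-supplied text escaped. The SARIF sample and rule IDs are constructed placeholders, and the function names are hypothetical.

```python
import json

# Constructed SARIF 2.1.0 sample, not real checkov output; rule IDs are placeholders.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "checkov", "rules": [
            {"id": "EXAMPLE_RULE_1", "defaultConfiguration": {"level": "error"}},
            {"id": "EXAMPLE_RULE_2"},
        ]}},
        "results": [
            {"ruleId": "EXAMPLE_RULE_2", "message": {"text": "Flow logs | disabled"}, "locations": [
                {"physicalLocation": {"artifactLocation": {"uri": "main.tf"}, "region": {"startLine": 12}}}]},
            {"ruleId": "EXAMPLE_RULE_1", "message": {"text": "Ingress open to 0.0.0.0/0"}, "locations": [
                {"physicalLocation": {"artifactLocation": {"uri": "sg.tf"}, "region": {"startLine": 4}}}]},
            {"ruleId": "EXAMPLE_RULE_3", "level": "note", "message": {"text": "No location given"}},
        ],
    }],
})
LEVEL_ORDER = {"error": 0, "warning": 1, "note": 2, "none": 3}

def parse_findings(sarif_text):
    """Flatten SARIF results into dicts, most severe first (hypothetical helper)."""
    findings = []
    for run in json.loads(sarif_text).get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        rule_levels = {r["id"]: r.get("defaultConfiguration", {}).get("level")
                       for r in driver.get("rules", []) if "id" in r}
        for res in run.get("results", []):
            rule = res.get("ruleId", "")
            # SARIF: result.level wins, then the rule's default, then "warning".
            level = res.get("level") or rule_levels.get(rule) or "warning"
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "-")
            line = loc.get("region", {}).get("startLine")
            findings.append({"level": level, "rule": rule, "where": f"{uri}:{line}" if line else uri,
                             "message": res.get("message", {}).get("text", "")})
    return sorted(findings, key=lambda f: LEVEL_ORDER.get(f["level"], 4))

def to_markdown(findings):
    """Render a markdown table; escape pipes and newlines so messages cannot break cells."""
    cell = lambda s: str(s).replace("|", "\\|").replace("\n", " ")
    rows = ["| Level | Rule | Location | Message |", "|---|---|---|---|"]
    rows += [f"| {cell(f['level'])} | {cell(f['rule'])} | {cell(f['where'])} | {cell(f['message'])} |"
             for f in findings]
    return "\n".join(rows)

if __name__ == "__main__":
    print(to_markdown(parse_findings(SAMPLE_SARIF)))
```

Results that omit `level` inherit the rule's default or fall back to `warning`, so a renderer that reads only `result.level` would under-report severity.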
