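# .pre-commit-config.yaml — hooks aligned with CI (ci.yml + security.yml)
#
# Local parity:
#   ruff check + ruff format → CI job lint
#   pyright                  → CI job typecheck
#   pytest (unit only)       → CI job test (excludes -m integration)
#   gitleaks                 → security.yml secrets-scan
#   bandit (high)            → security.yml sast gate
#   pip-audit                → security.yml dependency-audit gate
#
# CI-only (slow / needs Docker): docker-smoke, integration, trivy, syft, helm, terraform
#
# Setup:  uv sync && uv run pre-commit install
# Manual: uv run pre-commit run --all-files
#
# Each `rev` below pins a release tag. pre-commit also accepts a full commit
# SHA in `rev`; a SHA is immutable where a tag can be re-pointed, so consider
# switching if stricter supply-chain pinning of the hook repos is wanted.
#
# Multi-line `entry` values use folded scalars (`>`): YAML joins the lines with
# single spaces and pre-commit shell-splits the resulting one-line command, so
# the line breaks below are purely for readability.
---
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.21.2
    hooks:
      - id: gitleaks

  - repo: https://github.com/astral-sh/ruff-pre-commit
    rev: v0.15.8
    hooks:
      - id: ruff
        # --fix rewrites files in place; pre-commit then fails the run so the
        # rewritten files get re-staged and reviewed.
        args: ["--fix"]
      - id: ruff-format

  - repo: local
    hooks:
      - id: pyright
        name: pyright
        entry: uv run pyright
        language: system
        # Trigger only when Python files changed, but let pyright pick the
        # file set itself (project-wide check, not the staged subset).
        types: [python]
        pass_filenames: false

      - id: bandit
        name: bandit (high)
        # Mirrors the CI SAST gate: only high-severity / high-confidence
        # findings fail the commit; lower tiers stay visible in CI reports.
        entry: >
          uv run bandit
          --recursive
          --format screen
          --severity-level high
          --confidence-level high
          --exclude .venv,tests
          api/ core/ agents/ pack_kernel/ domain_packs/ connectors/ control_plane/
        language: system
        pass_filenames: false
        types: [python]

      - id: pytest-unit
        name: pytest (unit, no integration)
        # `uv sync --frozen` refuses to touch the lockfile, so the local test
        # environment matches uv.lock exactly as CI's does.
        entry: >
          bash -c
          'uv sync --frozen --all-extras --quiet
          && uv run pytest -m "not integration" --tb=short -q'
        language: system
        pass_filenames: false
        types: [python]

      - id: pip-audit
        name: pip-audit (production deps)
        # The exported requirements file is temporary and must be removed
        # whether or not the audit passes. Cleanup is done via an EXIT trap
        # rather than a trailing `; rm -f …`: with the latter the hook's exit
        # status would be rm's (always 0), so a failing pip-audit would never
        # block the commit and this gate would be a no-op locally.
        entry: >
          bash -c
          'trap "rm -f .pip-audit-requirements.txt" EXIT;
          uv export --frozen --no-dev --extra anthropic --no-hashes
          -o .pip-audit-requirements.txt
          && uvx pip-audit -r .pip-audit-requirements.txt --progress-spinner off'
        language: system
        pass_filenames: false
        # Only re-audit when the dependency manifest or lockfile changes.
        files: ^(pyproject\.toml|uv\.lock)$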