forked from finos/open-resource-broker
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy path.pre-commit-config.yaml
More file actions
172 lines (153 loc) · 5.61 KB
/
Copy path.pre-commit-config.yaml
File metadata and controls
172 lines (153 loc) · 5.61 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
# Pre-commit hooks configuration
repos:
- repo: local
hooks:
- id: format-fix
name: Auto-Format Code
entry: make format-fix
language: system
files: \.(py)$
pass_filenames: false
description: "Auto-format Python code with Ruff"
- id: ruff-check
name: Ruff (Code Quality - Required)
entry: make ci-quality-ruff
language: system
files: \.(py)$
pass_filenames: false
description: "Check Python code quality with Ruff (must pass)"
- id: ruff-optional
name: Ruff (Extended Checks - Optional)
entry: make ci-quality-ruff-optional
language: system
files: \.(py)$
pass_filenames: false
description: "Extended Python code checks with Ruff (warnings only)"
stages: [manual] # Optional check - run as warning only
- id: pyright
name: pyright (Type Checking)
entry: make ci-quality-pyright
language: system
files: \.(py)$
pass_filenames: false
description: "Check Python type annotations with pyright"
- id: bandit
name: bandit (Security Analysis)
entry: make ci-security-bandit
language: system
files: \.(py)$
pass_filenames: false
description: "Run bandit security analysis"
stages: [pre-push]
- id: safety
name: safety (Dependency Security)
entry: make ci-security-safety
language: system
files: requirements.*\.txt$|pyproject\.toml$
pass_filenames: false
description: "Check dependencies for known security vulnerabilities"
stages: [pre-push]
- id: hadolint
name: hadolint (Dockerfile Linting)
entry: make hadolint-check
language: system
files: Dockerfile.*
pass_filenames: false
description: "Lint Dockerfile with hadolint"
stages: [manual] # Optional check - run as warning only
- id: validate-imports
name: Validate Python Imports
entry: make ci-arch-imports
language: system
files: \.(py)$
pass_filenames: false
description: "Validate that all critical imports work correctly"
stages: [pre-push]
- id: validate-cqrs
name: Validate CQRS Patterns
entry: make ci-arch-cqrs
language: system
files: \.(py)$
pass_filenames: false
description: "Validate CQRS architecture patterns"
stages: [pre-push]
- id: check-architecture
name: Check Architecture Compliance
entry: make ci-arch-clean
language: system
files: \.(py)$
pass_filenames: false
description: "Check Clean Architecture compliance"
stages: [pre-push]
- id: check-file-sizes-arch
name: Check File Sizes (Architecture)
entry: make ci-arch-file-sizes
language: system
files: \.(py)$
pass_filenames: false
description: "Check file sizes for architecture compliance"
stages: [manual] # Optional check - run as warning only
- id: security-scan
name: Security Scan
entry: make security-scan
language: system
files: \.(py|txt|yml|yaml|toml|Dockerfile)$
pass_filenames: false
description: "Run comprehensive security scan"
stages: [manual] # Optional check - run as warning only
- id: semgrep
name: Semgrep (Static Analysis)
entry: make ci-security-semgrep
language: system
files: \.(py)$
pass_filenames: false
description: "Run Semgrep static analysis"
stages: [manual] # Optional check - run as warning only
- id: trivy-fs
name: Trivy (Filesystem Scan)
entry: make ci-security-trivy-fs
language: system
files: \.(py|txt|yml|yaml|toml|json)$
pass_filenames: false
description: "Run Trivy filesystem vulnerability scanner"
stages: [manual] # Optional check - run as warning only
- id: trufflehog
name: TruffleHog (Secrets Scan)
entry: make ci-security-trufflehog
language: system
files: \.(py|txt|yml|yaml|toml|json|md|sh)$
pass_filenames: false
description: "Check for secrets with TruffleHog"
stages: [manual] # Optional check - run as warning only
- id: validate-workflows
name: Validate Workflows
entry: make validate-workflows
language: system
files: \.github/workflows/.*\.(yml|yaml)$
pass_filenames: false
description: "Validate GitHub Actions workflow YAML files"
stages: [pre-push]
- id: validate-actionlint
name: Validate Workflows (actionlint)
entry: make validate-actionlint
language: system
files: \.github/workflows/.*\.(yml|yaml)$
pass_filenames: false
description: "Validate GitHub Actions workflows with actionlint"
stages: [manual] # Optional check - run as warning only
- id: validate-shell-scripts
name: Validate Shell Scripts (shellcheck)
entry: make validate-shell-scripts
language: system
files: \.sh$
pass_filenames: false
description: "Validate shell scripts with shellcheck"
stages: [manual] # Optional check - run as warning only
- id: check-file-sizes
name: Check File Sizes
entry: make file-sizes
language: system
files: \.(py)$
pass_filenames: false
description: "Check for files that may violate Single Responsibility Principle"
stages: [manual] # Optional check - run as warning only