span-sg/.pre-commit-config.yaml at main · Alexmacapple/span-sg · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
# Pre-commit hooks configuration for SPAN SG
# Installation: pip install pre-commit && pre-commit install
# Documentation: https://pre-commit.com/

repos:
  # Secrets scanner (prevents credential leaks)
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.0
    hooks:
      - id: gitleaks
        name: Gitleaks Secrets Scanner
        stages: [commit]

  # Python security linter (static analysis)
  - repo: https://github.com/PyCQA/bandit
    rev: '1.8.0'
    hooks:
      - id: bandit
        name: Bandit Security Linter
        args: ['-ll', '-r', 'scripts/', 'hooks/']
        exclude: ^tests/
        stages: [commit]

  # Dependency vulnerability checker (CVE database)
  - repo: local
    hooks:
      - id: safety
        name: Safety CVE Check
        entry: safety
        args: ['check', '-r', 'requirements-dsfr.txt']
        language: system
        pass_filenames: false
        stages: [commit]

  # Code formatting
  - repo: https://github.com/psf/black
    rev: '24.1.1'
    hooks:
      - id: black
        name: Black Code Formatter
        language_version: python3.9

  # Linting
  - repo: https://github.com/astral-sh/ruff-pre-commit
    rev: 'v0.1.15'
    hooks:
      - id: ruff
        name: Ruff Linter
        args: [--fix]

  # Type checking
  - repo: https://github.com/pre-commit/mirrors-mypy
    rev: 'v1.8.0'
    hooks:
      - id: mypy
        name: Mypy Type Checker
        args: [--ignore-missing-imports, --check-untyped-defs]
        additional_dependencies: [pikepdf, types-requests]