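---
# Pre-commit hooks for Your App Name Platform
# Prevents committing secrets and enforces code quality.
#
# Installation:
#   brew install pre-commit          # macOS (or: pipx install pre-commit)
#   pre-commit install               # enable the git pre-commit hook
#
# Usage:
#   pre-commit run --all-files       # run manually on every tracked file
#   git commit                       # runs automatically on staged files
#
# Maintenance:
#   pre-commit autoupdate --freeze   # bump revs and pin them to commit SHAs
#
# Caveats a reviewer should keep in mind:
# - These hooks run on the developer's machine and are skipped entirely by
#   `git commit --no-verify`. They are a convenience, not an enforcement
#   boundary: run `pre-commit run --all-files` in CI as well.
# - `rev:` values below are git tags, which are mutable. For a stricter
#   supply-chain posture pin to commit SHAs (`autoupdate --freeze` rewrites
#   each rev to a SHA and records the tag in a `# frozen:` comment).
repos:
  # Gitleaks - secret scanning of the staged diff.
  # gitleaks scans the git index itself (--staged) and ignores the filenames
  # pre-commit would pass, so the global `exclude:` at the bottom of this file
  # does not narrow what it sees.
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.1
    hooks:
      - id: gitleaks
        name: Detect secrets with Gitleaks
        description: Scan for hardcoded secrets, API keys, and credentials
        # These three keys mirror the upstream hook definition for this rev.
        # When bumping `rev`, re-check upstream's .pre-commit-hooks.yaml:
        # newer gitleaks releases replace `gitleaks protect` with
        # `gitleaks git --pre-commit`, and a stale override here would keep
        # invoking the old subcommand.
        # --redact keeps the matched secret value out of terminal/CI output.
        entry: gitleaks protect --verbose --redact --staged
        language: golang
        pass_filenames: false

  # Basic file hygiene and filename-based secret checks
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.5.0
    hooks:
      # Prevent committing to main/master directly.
      # Local-only guard; it does not replace server-side branch protection.
      - id: no-commit-to-branch
        name: Prevent direct commits to main
        args: ['--branch', 'main', '--branch', 'master']
      # Reject newly added files larger than 500 KB
      - id: check-added-large-files
        name: Check for large files
        args: ['--maxkb=500']
      # Detect AWS credentials.
      # This hook only looks for the secret keys found in the developer's own
      # local AWS credential file / AWS_* environment; --allow-missing-credentials
      # turns it into a no-op on machines that have none. Pattern-based
      # detection of arbitrary AWS keys is gitleaks' job above.
      - id: detect-aws-credentials
        name: Detect AWS credentials
        args: ['--allow-missing-credentials']
      # Detect private keys by their well-known header strings
      - id: detect-private-key
        name: Detect private keys
      # Check for leftover merge-conflict markers
      - id: check-merge-conflict
        name: Check for merge conflicts
      # Check YAML syntax.
      # The hook parses with a safe loader by default and accepts only
      # --unsafe and --allow-multiple-documents; the previous `--safe` flag is
      # not a recognised option and made the hook error on every YAML file.
      # GitHub Actions workflow files are ordinary YAML and are checked too;
      # they run with repository secrets, so they should not be excluded.
      - id: check-yaml
        name: Check YAML syntax
      # Check JSON syntax
      - id: check-json
        name: Check JSON syntax
      # Trim trailing whitespace (keeps Markdown's two-space hard line break)
      - id: trailing-whitespace
        name: Trim trailing whitespace
        args: ['--markdown-linebreak-ext=md']
      # Ensure every file ends with exactly one newline
      - id: end-of-file-fixer
        name: Fix end of file newlines
      # Normalise mixed line endings to LF
      - id: mixed-line-ending
        name: Check for mixed line endings
        args: ['--fix=lf']

  # TypeScript/JavaScript linting.
  # `types:` is an AND over every listed tag; no file is javascript AND jsx
  # AND ts AND tsx at once, so the previous `types: [...]` matched nothing and
  # these hooks silently never ran. `types_or:` is the OR form.
  - repo: local
    hooks:
      - id: eslint
        name: ESLint
        # --no-install makes npx fail if eslint is not already in node_modules
        # rather than fetching an arbitrary version from the registry at
        # commit time.
        entry: npx --no-install eslint --fix
        language: system
        types_or: [javascript, jsx, ts, tsx]
        files: \.(js|jsx|ts|tsx)$
        exclude: '^(node_modules|\.next|dist|build)/'
      - id: typescript-check
        name: TypeScript type checking
        entry: npx --no-install tsc --noEmit
        language: system
        types_or: [ts, tsx]
        pass_filenames: false
        files: \.(ts|tsx)$

  # Local env-file guard.
  # The previous version only printed a warning and exited 0, so it could not
  # block anything. This one fails the commit when .env.local exists but git
  # would not ignore it (`git check-ignore` also exits non-zero for a file
  # that is already tracked), catching an accidental `git add .env.local`
  # before it lands in history. File contents are not inspected here; that is
  # gitleaks' job.
  - repo: local
    hooks:
      - id: check-env-vars
        name: Validate environment variables
        entry: bash
        args:
          - '-c'
          - |
            if [ -f .env.local ] && ! git check-ignore -q -- .env.local; then
              echo "ERROR: .env.local exists but is not gitignored (or is already tracked). Add it to .gitignore; it must never be committed." >&2
              exit 1
            fi
        language: system
        pass_filenames: false
        always_run: true

# Global file exclusions (applied to every hook that receives filenames).
# Do NOT list .env.* files here: a global exclude hides them from
# detect-private-key and detect-aws-credentials if they are ever staged,
# which is exactly when those checks matter. Keep them out of git with
# .gitignore instead.
exclude: |
  (?x)^(
    \.next/.*|
    node_modules/.*|
    dist/.*|
    build/.*|
    coverage/.*|
    package-lock\.json|
    pnpm-lock\.yaml|
    yarn\.lock
  )$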