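---
# Supply Chain Security Pre-commit Hooks
# Comprehensive security checks before code is committed
#
# Every `language: system` hook below runs whatever binary is on the
# committer's PATH (cargo, git-secrets, bash). The integrity of those tools
# is not covered by this file; pin and verify them in the toolchain setup.
repos:
  # Security scanning for secrets
  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.4.0
    hooks:
      - id: detect-secrets
        args: ['--baseline', '.secrets.baseline']
        # `exclude` is a regex: the unescaped dot also matches e.g.
        # "package-lock.json" — TODO confirm which lockfile is intended.
        exclude: package.lock

  # Git secrets scanning
  - repo: https://github.com/awslabs/git-secrets
    # SECURITY: `master` is a mutable ref, so the hook definition pulled in is
    # not reproducible and an upstream branch change is picked up silently.
    # Pin to a release tag or full commit SHA (rev: <PINNED_TAG_OR_SHA>) — TODO.
    rev: master
    hooks:
      - id: git-secrets
        # Overrides the upstream hook definition and relies on a `git-secrets`
        # binary already installed on PATH; the staged text files are passed
        # to `--scan` as arguments.
        entry: 'git-secrets --scan'
        language: system
        types: [text]

  # Rust security and quality checks
  - repo: local
    hooks:
      # Cargo format check
      - id: cargo-fmt
        name: Cargo Format
        entry: cargo fmt --all -- --check
        language: system
        files: \.rs$
        pass_filenames: false

      # Cargo clippy with security lints
      - id: cargo-clippy
        name: Cargo Clippy (Security Focus)
        entry: >-
          cargo clippy --all-targets --all-features --
          -D warnings -D clippy::suspicious -D clippy::perf -W clippy::nursery
        language: system
        files: \.rs$
        pass_filenames: false

      # Cargo security audit (known-vulnerable dependencies)
      - id: cargo-audit
        name: Cargo Security Audit
        entry: cargo audit --deny warnings
        language: system
        files: Cargo\.(toml|lock)$
        pass_filenames: false

      # Dependency policy check (licenses, bans, sources per deny.toml)
      - id: cargo-deny
        name: Cargo Deny Check
        entry: cargo deny check
        language: system
        files: Cargo\.(toml|lock)$
        pass_filenames: false

      # Unsafe code detection
      - id: cargo-geiger
        name: Cargo Geiger (Unsafe Code Scanner)
        entry: cargo geiger --deny-warnings
        language: system
        files: \.rs$
        pass_filenames: false

      # Unit tests (quick feedback)
      - id: cargo-test
        name: Cargo Test
        entry: >-
          bash -c 'TEST_MODE=1 cargo test --workspace --all-features
          -- --test-threads=1'
        language: system
        files: \.rs$
        pass_filenames: false

      # Generate SBOM on dependency changes
      - id: sbom-generation
        name: SBOM Generation
        # NOTE(review): this rewrites ../sbom.spdx.json; if that file is
        # tracked, pre-commit reports the hook as failed because it modified
        # a file — confirm the intended workflow (e.g. re-stage the SBOM).
        entry: >-
          bash -c 'cd compliance-tools && cargo run --bin sbom-generator --
          --project-root .. --output ../sbom.spdx.json --verify'
        language: system
        files: Cargo\.(toml|lock)$
        pass_filenames: false

      # Check for unsafe code blocks
      - id: unsafe-code-check
        name: Unsafe Code Detection
        # Plain substring match: also hits comments and identifiers that merely
        # contain "unsafe", so expect false positives; cargo-geiger above is the
        # authoritative check. The script ignores its arguments, hence
        # pass_filenames: false (runs once instead of once per file batch).
        entry: >-
          bash -c 'if grep -rn "unsafe" --include="*.rs" src/; then
          echo "⚠️ Unsafe code detected. Please review security implications.";
          exit 1; fi'
        language: system
        files: \.rs$
        pass_filenames: false

      # License headers check
      - id: license-headers
        name: License Headers
        # Fails if any src/*.rs file lacks the string "Licensed under".
        entry: >-
          bash -c 'find src/ -name "*.rs" -exec grep -L "Licensed under" {} \; |
          if read; then echo "❌ Missing license headers in Rust files";
          exit 1; fi'
        language: system
        files: \.rs$
        pass_filenames: false

  # YAML/JSON security
  - repo: https://github.com/adrienverge/yamllint.git
    rev: v1.32.0
    hooks:
      - id: yamllint
        args: [--format, parsable, --strict]
        exclude: \.github/workflows/.*\.yml$

  # Docker security
  - repo: https://github.com/hadolint/hadolint
    rev: v2.12.0
    hooks:
      - id: hadolint-docker
        # DL3008 = unpinned apt-get package versions. Ignoring it is at odds
        # with the dependency-pinning goal of this config — reconsider.
        args: [--ignore, DL3008, --ignore, DL3009]

  # Infrastructure as Code security
  - repo: https://github.com/bridgecrewio/checkov.git
    rev: 2.4.9
    hooks:
      - id: checkov
        args: [--framework, dockerfile, --framework, kubernetes]

  # General security patterns
  - repo: https://github.com/returntocorp/semgrep
    rev: v1.35.0
    hooks:
      - id: semgrep
        # `--config=auto` fetches rulesets from the Semgrep registry at run
        # time, so the rules themselves are not pinned by `rev` and the hook
        # needs network access.
        args: ['--config=auto', '--error', '--exclude=target/']

  # File security checks
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.4.0
    hooks:
      # Prevent large files
      - id: check-added-large-files
        args: ['--maxkb=1000']
      # Check for private keys
      - id: detect-private-key
      # Check for AWS credentials
      - id: detect-aws-credentials
        args: [--allow-missing-credentials]
      # Ensure files end with newline
      - id: end-of-file-fixer
        exclude: \.bin$
      # Remove trailing whitespace
      - id: trailing-whitespace
        exclude: \.md$
      # Check YAML validity
      - id: check-yaml
        exclude: \.github/workflows/.*\.yml$
      # Check JSON validity
      - id: check-json
      # Check for merge conflicts
      - id: check-merge-conflict

  # Custom security hooks
  - repo: local
    hooks:
      # Check for hardcoded secrets patterns
      - id: hardcoded-secrets
        name: Hardcoded Secrets Check
        # The regex is `(password|secret|key|token|credential)\s*[:=]\s*["'][^"']*["']`.
        # Every single quote inside the bash -c script must be written as
        # '\'' — a bare \' ends the single-quoted string and desynchronises
        # the rest of the command line. Build output and .git are skipped so
        # vendored/generated files do not produce false positives.
        entry: >-
          bash -c 'if grep -rE
          "(password|secret|key|token|credential)\s*[:=]\s*[\"'\''][^\"'\'']*[\"'\'']"
          --exclude-dir=.git --exclude-dir=target
          --include="*.rs" --include="*.toml" --include="*.yml"
          --include="*.yaml" --include="*.json" .; then
          echo "❌ Potential hardcoded secrets found"; exit 1; fi'
        language: system
        pass_filenames: false

      # Verify dependencies are pinned
      - id: dependency-pinning
        name: Dependency Pinning Check
        # Only the root Cargo.toml is inspected, although `files` triggers on
        # any Cargo.toml — workspace member manifests are not checked.
        entry: >-
          bash -c 'if grep -E
          "^\s*[a-zA-Z0-9_-]+\s*=\s*[\"'\''][^\"'\'']*\*[^\"'\'']*[\"'\'']"
          Cargo.toml; then echo "❌ Unpinned dependencies found (wildcards)";
          exit 1; fi'
        language: system
        files: Cargo\.toml$
        pass_filenames: false

      # Check for debug/development artifacts
      - id: debug-artifacts
        name: Debug Artifacts Check
        entry: >-
          bash -c 'if grep -rE "(println!|dbg!|eprintln!)" --include="*.rs"
          src/; then
          echo "⚠️ Debug statements found. Consider removing for production.";
          exit 1; fi'
        language: system
        files: \.rs$
        pass_filenames: false

      # Verify TLS/security configurations
      - id: security-config-check
        name: Security Configuration Check
        # Heuristic only: "http://" in a comment or doc link and any
        # identifier containing "insecure" will trip it. Build output and
        # .git are skipped, matching the hardcoded-secrets hook.
        entry: >-
          bash -c 'if grep -rE "(http://|insecure|verify.*false)"
          --exclude-dir=.git --exclude-dir=target
          --include="*.rs" --include="*.toml" --include="*.yml" .; then
          echo "⚠️ Insecure configuration detected"; exit 1; fi'
        language: system
        pass_filenames: false

      # License compliance check
      - id: license-compliance
        name: License Compliance
        # A literal block scalar keeps the newlines that terminate each shell
        # statement. As a multi-line plain scalar the lines were folded into
        # one (e.g. `echo "..." exit 1 fi`) and the ": " inside the echo text
        # is not even valid YAML in a plain scalar.
        entry: |-
          bash -c '
          if ! grep -q "^license.*=" Cargo.toml; then
            echo "❌ Missing license in Cargo.toml"
            exit 1
          fi
          license=$(grep "^license.*=" Cargo.toml | cut -d"\"" -f2)
          case "$license" in
            "MIT"|"Apache-2.0"|"BSD-3-Clause")
              echo "✅ License $license is compliant"
              ;;
            *)
              echo "❌ License $license not in approved list: MIT, Apache-2.0, BSD-3-Clause"
              exit 1
              ;;
          esac'
        language: system
        files: Cargo\.toml$
        pass_filenames: false

# Pre-commit CI configuration
ci:
  autofix_commit_msg: |
    [pre-commit.ci] auto fixes from pre-commit hooks
    for more information, see https://pre-commit.ci
  autofix_prs: true
  autoupdate_branch: ''
  autoupdate_commit_msg: '[pre-commit.ci] pre-commit autoupdate'
  autoupdate_schedule: weekly
  # Skip tools not available in CI.
  # NOTE(review): the remaining `language: system` hooks (cargo-fmt,
  # cargo-clippy, cargo-geiger, cargo-test, git-secrets, …) also need their
  # binaries on the CI runner — confirm they run there or add them here.
  skip: [cargo-audit, cargo-deny, sbom-generation]
  submodules: false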