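repos:
  # Secret scanning on staged changes.
  # NOTE(review): every `rev` in this file is a tag, which upstream can move.
  # `pre-commit autoupdate --freeze` rewrites tags to full commit SHAs.
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.30.0
    hooks:
      - id: gitleaks
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v5.0.0
    hooks:
      # Prevent large files from being committed
      - id: check-added-large-files
        args: ['--maxkb=500']
      # Ensure JSON files are valid
      - id: check-json
      # Ensure YAML files are valid
      - id: check-yaml
        args: ['--allow-multiple-documents']
        # Skip Helm chart templates: they contain Go templating ({{- ... }})
        # at the top of the file which is not valid YAML until rendered.
        exclude: '^postgres_ai_helm/templates/'
      # Prevent committing to main directly
      - id: no-commit-to-branch
        args: ['--branch', 'main']
      # Ensure files end with newline
      - id: end-of-file-fixer
      # Remove trailing whitespace
      - id: trailing-whitespace
        args: ['--markdown-linebreak-ext=md']
  - repo: local
    hooks:
      # Catch potential SQL injection patterns in TypeScript: a template
      # literal that opens with a SQL keyword and interpolates `${...}` on the
      # same line. This is a line-based heuristic, not a parser; it does not
      # see multi-line queries, lowercase keywords or string concatenation.
      #
      # NOTE: `entry` MUST be a literal block scalar (|-). A plain YAML scalar
      # breaks parsing because the bash command contains `: ` (e.g. in the
      # "ERROR: Possible ..." echo), which YAML interprets as a mapping
      # separator inside the value. Don't "simplify" back to a plain scalar.
      #
      # The `${` is matched as `[$][{]`. Under `grep -E` an unescaped `$` is
      # always an end-of-line anchor, so the earlier `.*$\{` form could never
      # match and the hook passed unconditionally.
      #
      # Staged filenames are passed in (pre-commit's default) so that `files`
      # and `exclude` decide what is scanned. With `pass_filenames: false`,
      # "$@" was empty and `grep -r` walked the whole working directory,
      # ignoring `exclude`.
      #
      # NOTE(review): `|| exit 0` also turns a grep error (exit status 2) into
      # a pass.
      - id: sql-injection-check
        name: SQL injection check (TypeScript)
        entry: |-
          bash -c 'grep -n --include="*.ts" -E "(\`SELECT|\`INSERT|\`UPDATE|\`DELETE|\`DROP|\`ALTER|\`CREATE).*[$][{]" -- "$@" && echo "ERROR: Possible SQL injection — use parameterized queries" && exit 1 || exit 0' --
        language: system
        files: '\.(ts|js)$'
        exclude: '(test|spec|__tests__)'
      # Parse each matching file with json.load. This confirms the file is
      # well-formed JSON; it does not check the content against a JSON Schema
      # meta-schema.
      - id: validate-schemas
        name: Validate JSON schemas
        entry: python3 -c "import json, sys; [json.load(open(f)) for f in sys.argv[1:]]"
        language: system
        files: '\.schema\.json$'
        types: [json]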