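---
# Pre-commit Hook Configuration
# ==============================
# Automated security scanning before commits
# Install: pre-commit install
# Run manually: pre-commit run --all-files
#
# NOTE(review): every `rev` below pins a git tag. Tags are mutable, so a
# stricter supply-chain posture would pin the commit SHA behind each tag
# (pre-commit accepts either form). Values are left as the author set them.
repos:
  # Semgrep - SAST for secrets and vulnerabilities
  # The p/* rulesets are fetched from the Semgrep registry when the hook
  # runs, so this hook needs network access; an offline/hermetic run needs
  # a vendored rules file passed via --config instead.
  - repo: https://github.com/returntocorp/semgrep
    rev: v1.52.0
    hooks:
      - id: semgrep
        name: Semgrep Security Scan
        entry: semgrep
        language: python
        types: [text]
        args:
          - --config=p/secrets
          - --config=p/security-audit
          - --config=p/owasp-top-ten
          # --error: non-zero exit on any finding.
          # --strict: also fail on WARN-level problems, e.g. an invalid
          # rules file, so a broken ruleset cannot pass as "no findings".
          - --error
          - --strict
          - --verbose
          # `types: [text]` hands every text file to semgrep, including
          # files with no analysable extension. This flag (part of the
          # upstream hook's default args, dropped when `args` is overridden)
          # makes semgrep skip such files instead of reporting them as
          # errors under --strict.
          - --skip-unknown-extensions
        # (?x) verbose regex: whitespace and the block scalar's newlines are
        # ignored, so one path pattern per line. Minified/generated and
        # vendored trees are skipped so the scan stays on first-party code;
        # pre-commit only passes tracked files, so the .git/ and cache
        # entries are belt-and-braces.
        exclude: |
          (?x)^(
            .*\.min\.js|
            .*\.map|
            node_modules/|
            vendor/|
            \.git/|
            \.venv/|
            venv/|
            __pycache__/|
            \.pytest_cache/|
            \.mypy_cache/|
            dist/|
            build/|
            \.lock$|
            package-lock\.json|
            yarn\.lock
          )

  # Standard pre-commit hooks
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.5.0
    hooks:
      - id: trailing-whitespace
        # Presumably kept so Markdown's trailing-double-space line breaks
        # are not stripped.
        exclude: \.md$
      - id: end-of-file-fixer
      - id: check-yaml
        # --unsafe: syntax-only parse instead of a load. Lets files with
        # custom tags pass the check, at the cost of not catching
        # constructs a safe loader would reject.
        args: [--unsafe]
      - id: check-json
      - id: check-added-large-files
        args: [--maxkb=1024]
      - id: detect-private-key
      - id: detect-aws-credentials
        # This hook looks for the AWS secret keys configured on the local
        # machine; without this flag it fails outright where none are
        # configured (e.g. CI). Its coverage is therefore limited to
        # locally known keys; the semgrep p/secrets ruleset above is the
        # broader secret check.
        args: [--allow-missing-credentials]

  # YAML linting
  - repo: https://github.com/adrienverge/yamllint
    rev: v1.33.0
    hooks:
      - id: yamllint
        # Inline config: the `relaxed` preset with the line limit widened
        # to 120 columns.
        args: [-d, '{extends: relaxed, rules: {line-length: {max: 120}}}']
        # NOTE(review): these paths are excluded from linting only; the
        # semgrep hook above still scans vulnerable_repos/ — confirm that
        # is intended (intentionally vulnerable fixtures will otherwise
        # fail the --error gate).
        exclude: |
          (?x)^(
            \.github/workflows/|
            vulnerable_repos/
          )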