-
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy path.pre-commit-config.yaml
More file actions
159 lines (141 loc) · 5.29 KB
/
Copy path.pre-commit-config.yaml
File metadata and controls
159 lines (141 loc) · 5.29 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
# Pre-commit hooks for backpropagate
# Install: pip install pre-commit && pre-commit install
# Run manually: pre-commit run --all-files
#
# 2026 Security Best Practices:
# - Security hooks run before commits to catch issues early
# - Use --severity-level high for faster commits (CI catches medium)
# - Secret detection prevents credential leaks
# See: https://github.com/PyCQA/bandit
repos:
# ==========================================================================
# CODE QUALITY
# ==========================================================================
# Ruff - Fast Python linter and formatter
- repo: https://github.com/astral-sh/ruff-pre-commit
rev: v0.9.2
hooks:
- id: ruff
args: [--fix, --exit-non-zero-on-fix]
- id: ruff-format
# ==========================================================================
# SECURITY SCANNING
# ==========================================================================
# Bandit - Python SAST (Static Application Security Testing)
# Only high severity for speed; medium+ caught in CI
- repo: https://github.com/PyCQA/bandit
rev: 1.8.3
hooks:
- id: bandit
name: bandit (security scan)
args:
- "-c"
- "pyproject.toml"
- "-r"
- "backpropagate/"
- "--severity-level"
- "high" # Only high severity for fast commits
- "-ll" # Only high confidence
additional_dependencies: ["bandit[toml]"]
# Detect hardcoded secrets
- repo: https://github.com/Yelp/detect-secrets
rev: v1.5.0
hooks:
- id: detect-secrets
name: detect-secrets (credential scan)
args: ['--baseline', '.secrets.baseline']
exclude: package.lock.json
# pip-audit - Check for vulnerable dependencies (fast check)
- repo: https://github.com/pypa/pip-audit
rev: v2.10.0
hooks:
- id: pip-audit
name: pip-audit (dependency vulnerabilities)
args:
- "--require-hashes=false"
- "--progress-spinner=off"
stages: [pre-push] # Only on push (slower check)
# ==========================================================================
# FILE HYGIENE & SAFETY
# ==========================================================================
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v5.0.0
hooks:
# Whitespace and formatting
- id: trailing-whitespace
- id: end-of-file-fixer
- id: mixed-line-ending
args: ['--fix=lf']
# Syntax validation
- id: check-yaml
args: ['--unsafe'] # Allow custom tags
- id: check-toml
- id: check-json
- id: check-xml
# Safety checks
- id: check-added-large-files
args: ['--maxkb=1000']
- id: check-merge-conflict
- id: check-case-conflict
- id: check-symlinks
- id: destroyed-symlinks
# Security - detect credentials
- id: detect-private-key
- id: detect-aws-credentials
args: ['--allow-missing-credentials']
# Python specific
- id: check-ast
- id: debug-statements
- id: check-docstring-first
# ==========================================================================
# TYPE CHECKING (Optional - slower)
# ==========================================================================
- repo: https://github.com/pre-commit/mirrors-mypy
rev: v1.14.1
hooks:
- id: mypy
name: mypy (type check)
additional_dependencies:
- types-all
- pydantic
args: [--ignore-missing-imports, --no-error-summary]
pass_filenames: true
stages: [pre-push] # Only on push (slower)
# ==========================================================================
# DOC-DRIFT GATE (CIDOCS-F-010, v1.4 Wave 6a)
# ==========================================================================
# check_doc_drift.py is the within-swarm-doc-lie-drift-detection forcing
# function. Runs on pre-push (not pre-commit) because the 5-class
# extension walks the AST of cli.py + config.py + every workflow YAML —
# ~100ms total, which is comfortable on push but not on every commit.
# Stdlib-only, so no `additional_dependencies` block. Falls through to
# CI as a redundant safety net.
- repo: local
hooks:
- id: check-doc-drift
name: check-doc-drift (within-swarm doc-lie detector)
entry: python scripts/check_doc_drift.py
language: system
pass_filenames: false
stages: [pre-push]
always_run: true
# ==========================================================================
# COMMIT MESSAGE VALIDATION
# ==========================================================================
- repo: https://github.com/commitizen-tools/commitizen
rev: v4.2.0
hooks:
- id: commitizen
stages: [commit-msg]
# ==========================================================================
# CI CONFIGURATION
# ==========================================================================
ci:
autofix_commit_msg: |
[pre-commit.ci] auto fixes from hooks
autofix_prs: true
autoupdate_branch: ''
autoupdate_commit_msg: '[pre-commit.ci] pre-commit autoupdate'
autoupdate_schedule: weekly
skip: [pip-audit] # Skip slow checks in CI (handled by ci.yml security jobs)
submodules: false