.pre-commit-config.yaml
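# See https://prek.j178.dev for more information
---
# Apply to all files without committing:
#   prek run --all-files
# Update this file:
#   prek auto-update
repos:
  # Use prek built-in hooks (faster, Rust-native)
  - repo: builtin
    hooks:
      - id: check-yaml
        args: [--allow-multiple-documents]
        exclude: '(files/cloud-init/base\.yml|roles/cloud-.*/files/stack\.yaml)'
      - id: end-of-file-fixer
      - id: trailing-whitespace
      - id: check-added-large-files
        args: ['--maxkb=500']
      - id: check-merge-conflict
      - id: mixed-line-ending
        args: [--fix=lf]

  # The third-party repos below are pinned by tag in `rev`. A tag can be moved
  # upstream; pinning each `rev` to a full commit SHA makes the hook code that
  # runs on developer machines immutable between reviewed updates.

  # Python linting with ruff (fast, replaces many tools)
  - repo: https://github.com/astral-sh/ruff-pre-commit
    rev: v0.14.14
    hooks:
      - id: ruff
        args: [--fix, --exit-non-zero-on-fix]
      - id: ruff-format

  # YAML linting
  - repo: https://github.com/adrienverge/yamllint
    rev: v1.38.0
    hooks:
      - id: yamllint
        args: [-c=.yamllint]
        exclude: '.git/.*'

  # Shell script linting
  - repo: https://github.com/shellcheck-py/shellcheck-py
    rev: v0.11.0.1
    hooks:
      - id: shellcheck
        exclude: '.git/.*'

  # Local hooks that use the project's installed tools
  - repo: local
    hooks:
      # `--with ty` carries no version specifier, so the ty release used is
      # resolved when the hook runs rather than fixed by this file.
      - id: ty-check
        name: Python type check
        entry: bash -c 'uv run --with ty ty check'
        language: system
        types: [python]
        pass_filenames: false

      - id: j2lint
        name: Jinja2 template lint
        entry: bash -c 'uv run j2lint roles/ --ignore S3 S5 S6 S7 V1'
        language: system
        files: '\.j2$'
        pass_filenames: false

      # Advisory only: the trailing `|| echo` forces exit status 0, so lint
      # failures are printed but never block the commit.
      - id: ansible-lint
        name: Ansible-lint
        entry: bash -c 'uv run ansible-lint --force-color || echo "Ansible-lint had issues - check output"'
        language: system
        types: [yaml]
        files: '\.(yml|yaml)$'
        exclude: '^(.git/|.github/|requirements\.yml)'
        pass_filenames: false

      - id: ansible-syntax
        name: Ansible syntax check
        entry: bash -c 'uv run ansible-playbook main.yml --syntax-check'
        language: system
        files: 'main\.yml|server\.yml|users\.yml'
        pass_filenames: false

      # Skips only when semgrep is absent. The previous `A && B || C` form also
      # ran the echo when semgrep exited non-zero, so findings raised by
      # `--error` were reported as "not installed" and never failed the hook.
      # `--config auto` fetches rules from the Semgrep registry at run time, so
      # the rule set is not fixed by this file and needs network access.
      - id: semgrep
        name: Semgrep security scan
        entry: >
          bash -c '
          if ! command -v semgrep >/dev/null; then
          echo "semgrep not installed - skipping"; exit 0; fi;
          semgrep --config auto
          --exclude-rule dockerfile.security.last-user-is-root.last-user-is-root
          --error --quiet --skip-unknown-extensions .'
        language: system
        pass_filenames: false

      # NOTE(review): with `A && B || C` the echo also runs when actionlint
      # exits non-zero, so lint errors are reported as "not installed" and the
      # hook still passes. Confirm the directory argument is accepted by the
      # installed actionlint before making this hook fail closed.
      - id: actionlint
        name: GitHub Actions lint
        entry: bash -c 'command -v actionlint >/dev/null && actionlint .github/workflows/ || echo "actionlint not installed - skipping"'
        language: system
        files: '^\.github/workflows/.*\.yml$'
        pass_filenames: false

      # NOTE(review): same fail-open pattern as actionlint above - a non-zero
      # exit from zizmor (audit findings or a tool error) falls through to the
      # echo and the hook passes. Decide which outcomes should block a commit
      # before changing it.
      - id: zizmor
        name: GitHub Actions security audit
        entry: bash -c 'command -v zizmor >/dev/null && zizmor .github/workflows/ || echo "zizmor not installed - skipping"'
        language: system
        files: '^\.github/workflows/.*\.yml$'
        pass_filenames: false

# Configuration for prek
# Files to exclude globally
# Paths matched here are skipped by every hook, including the security scans.
# NOTE(review): the leading dots are unescaped, so `.env/` also matches a
# top-level `venv/`, for example - confirm that is intended before tightening.
exclude: |
  (?x)^(
    .env/.*|
    .venv/.*|
    .git/.*|
    __pycache__/.*|
    .*\.egg-info/.*
  )$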