-
Notifications
You must be signed in to change notification settings - Fork 16
/
.pre-commit-config.yaml
123 lines (111 loc) · 3.64 KB
/
.pre-commit-config.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.5.0
hooks:
# Checks for files that contain merge conflict strings.
- id: check-merge-conflict
# Detects aws credentials from the aws cli credentials file.
- id: detect-aws-credentials
args: [--allow-missing-credentials]
# detects the presence of private keys.
- id: detect-private-key
# Trims trailing whitespace in codebase.
- id: trailing-whitespace
# Protect commit to main branch
- id: no-commit-to-branch
args: [--branch,main]
# Check is the Commit is Signed off using `--signoff/-s`
- repo: https://github.com/KAUTH/pre-commit-git-checks
rev: v0.0.1 # Use the SHA or tag you want to point to
hooks:
- id: git-signoff
stages: [commit-msg]
# Checks your git commit messages for style.
- repo: https://github.com/jorisroovers/gitlint
rev: v0.19.1
hooks:
- id: gitlint
name: Scan Commit messages
# Detects hardcoded secrets, security vulnerabilities and policy breaks using GGShield
- repo: https://github.com/zricethezav/gitleaks
rev: v8.18.1
hooks:
- id: gitleaks
name: Detect hardcoded secrets
description: Detect hardcoded secrets using Gitleaks
entry: gitleaks protect --verbose --redact --staged
language: golang
pass_filenames: false
- repo: https://github.com/Bahjat/pre-commit-golang
rev: v1.0.3
hooks:
# Formats Go code
# - id: gofumpt # requires gofumpt to be installed from github.com/mvdan/gofumpt
# name: Go formatter
# description: Runs a strict Go formatter
- id: go-fmt-import
name: Go formatter
description: Go formatter with fmt and imports
# Runs Unit tests
- id: go-unit-tests
name: Run Unit tests
desription: Runs all the unit tests in the repo
# Runs static analysis of the Go code
- id: go-static-check
name: Go Static Check
description: Finds bugs and performance issues
# Local hooks
- repo: https://github.com/intelops/gitrepos-templates-policies
rev: v0.0.1
hooks:
- id: check-devcontainer
name: Check devcontainer
description: Checks for existance of .devcontainer.json in the project
- id: check-gitsign
name: Check gitsign
description: Check if the last commit is signed with Sigstore gitsign
- id: check-multistage-dockerfile
name: Check multi-stage Dockerfile
description: Check the existance of Dockerfile in the project and verify that its a multi-stage Dockerfile
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.5.0
hooks:
- id: check-yaml
name: Verify YAML syntax
args:
- --allow-multiple-documents
- repo: https://github.com/hadolint/hadolint
rev: v2.12.0
hooks:
- id: hadolint
# Rules you want to ignore may be found here: https://github.com/hadolint/hadolint?tab=readme-ov-file#rules
name: Dockerfile linter
description: Dockerfile linter following best-practices
args: [--ignore, DL3051]
- repo: local
hooks:
- name: Check Dockerfile
id: check-dockerfile-sh
entry: bash
args:
- -c
- |
check_dockerfile() {
if [[ $1 == *"Dockerfile"* ]]; then
base_image=$(grep '^FROM' "$1" | awk '{print $2}')
if [[ $base_image != golang:* ]]; then
echo "Error: Base image in $1 is not from cgr.dev/chianguard"
return 1
fi
fi
return 0
}
export -f check_dockerfile
if find . -type f -exec bash -c 'check_dockerfile "$0"' {} \; | grep -q 'Error'; then
echo "Commit failed due to non-compliant Dockerfile(s)."
exit 1
fi
echo "All Dockerfiles are compliant."
exit 0
language: system
pass_filenames: false