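---
# Stop at the first failing hook. The auto-fixers (gofmt, go fix, swiftformat)
# are listed before the linters so the rewritten files are what gets linted.
fail_fast: true

# NOTE(review): every `language: system` hook runs whatever tool version is on
# the developer's PATH (or under ~/go/bin), so results can differ between
# machines and CI. The remote hooks below are pinned to release tags; tags are
# mutable, so pin `rev` to full commit SHAs if reproducibility matters.
repos:
  # Go formatting (runs first, auto-fixes files)
  - repo: local
    hooks:
      - id: gofmt
        name: gofmt
        entry: gofmt -w
        language: system
        files: \.go$
        pass_filenames: true

  # Go modernization fixes (auto-applies stdlib improvements, iterator rewrites, etc.)
  - repo: local
    hooks:
      - id: go-fix
        name: go fix
        entry: bash -c 'go fix ./...'
        language: system
        files: \.go$
        pass_filenames: false

  # Go linting
  - repo: local
    hooks:
      - id: golangci-lint
        name: golangci-lint
        entry: bash -c '~/go/bin/golangci-lint cache clean && ~/go/bin/golangci-lint run ./...'
        language: system
        files: \.go$
        pass_filenames: false

  # Nil safety analysis
  - repo: local
    hooks:
      - id: nilaway
        name: nilaway (nil safety)
        entry: bash -c '~/go/bin/nilaway ./...'
        language: system
        files: \.go$
        pass_filenames: false

  # Swift formatting (auto-fixes files, runs before linting)
  - repo: local
    hooks:
      - id: swiftformat
        name: swiftformat
        entry: swiftformat
        language: system
        files: \.swift$
        exclude: \.build/

  # Swift linting
  - repo: local
    hooks:
      - id: swiftlint
        name: swiftlint
        entry: swiftlint lint --quiet --strict
        language: system
        files: \.swift$
        exclude: \.build/

  # Shell script checking
  # NOTE(review): --severity=warning suppresses info-level findings, and
  # shellcheck reports unquoted expansions (SC2086) at that level -- the class
  # most relevant to word-splitting/globbing bugs. Lower the threshold (or keep
  # it and accept the gap) deliberately.
  - repo: local
    hooks:
      - id: shellcheck
        name: shellcheck
        entry: shellcheck
        args: [--severity=warning]
        language: system
        types: [shell]

  # YAML linting
  - repo: https://github.com/adrienverge/yamllint
    rev: v1.37.0
    hooks:
      - id: yamllint
        name: yamllint
        files: \.ya?ml$
        args: [-d, "{extends: relaxed, rules: {line-length: {max: 150}}}"]

  # GitHub Actions linting
  - repo: https://github.com/rhysd/actionlint
    rev: v1.7.7
    hooks:
      - id: actionlint
        name: actionlint (GitHub Actions)
        files: ^\.github/workflows/

  # Secret detection
  # pre-commit only passes staged files to the hook, so this exclude matters
  # only if files under these trees are actually committed -- in which case
  # they are NOT scanned for secrets. Keep them gitignored.
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.24.2
    hooks:
      - id: gitleaks
        name: gitleaks (secret detection)
        exclude: (node_modules/|\.venv/|\.git/|__pycache__/)

  # Dependency vulnerability check (govulncheck). Needs network access to
  # fetch the Go vulnerability database.
  - repo: local
    hooks:
      - id: govulncheck
        name: govulncheck (dependency CVEs)
        entry: bash -c '~/go/bin/govulncheck ./...'
        language: system
        pass_filenames: false
        files: (go\.mod|go\.sum|\.go)$
        stages: [pre-commit]

  # Semgrep SAST scan (pre-push only)
  # NOTE(review): `--config auto` resolves the ruleset from the Semgrep
  # registry at run time, so the rules are not pinned and the hook needs
  # network access; check Semgrep's metrics policy for `auto` if telemetry
  # about the scanned project is a concern.
  - repo: local
    hooks:
      - id: semgrep
        name: semgrep (SAST)
        entry: bash -c 'semgrep scan --config auto --error .'
        language: system
        pass_filenames: false
        files: \.go$
        stages: [pre-push]

  # Rule linting - validate rule syntax and patterns
  # `go run` builds into a private per-invocation temp dir. The previous
  # `go build -o /tmp/crust-lint` wrote and then executed a binary at a fixed,
  # predictable path in the shared /tmp, which collides between concurrent
  # checkouts and is exposed to pre-creation/symlink games by other local
  # users on multi-user hosts. Pass/fail semantics are unchanged: pre-commit
  # treats any non-zero exit as failure.
  - repo: local
    hooks:
      - id: rule-lint
        name: rule lint
        entry: go run . lint-rules
        language: system
        pass_filenames: false
        files: (internal/rules/builtin/.*\.yaml)$

  # Rule coverage check - ensure all rules have unit tests and fuzz tests
  - repo: local
    hooks:
      - id: rule-coverage
        name: rule coverage check
        entry: scripts/check-rule-coverage.sh
        language: script
        pass_filenames: false
        files: (internal/rules/builtin/security\.yaml|internal/rules/.*_test\.go)$

  # Doc consistency - fast check that README counts match source (rule counts, etc.)
  - repo: local
    hooks:
      - id: doc-consistency
        name: doc consistency
        entry: bash -c 'go test ./internal/rules/ -run=TestDocConsistency -short'
        language: system
        pass_filenames: false
        files: (internal/rules/builtin/security\.yaml|internal/rules/.*\.go|README\.md|docs/cli\.md|docs/cve-tracker\.md|docs/how-it-works\.md|internal/.*fuzz.*\.go|\.pre-commit-config\.yaml)$

  # Go unit tests
  - repo: local
    hooks:
      - id: go-test
        name: go test
        entry: bash -c 'go test -race ./... -short'
        language: system
        pass_filenames: false
        files: \.go$
        stages: [pre-commit]

  # Demo GIF regeneration (pre-push only, skips if vhs not installed)
  - repo: local
    hooks:
      - id: demo-gif
        name: demo-gif (regenerate docs/demo.gif)
        entry: scripts/generate-demo-gif.sh
        language: script
        pass_filenames: false
        files: (internal/tui/.*\.go|internal/logger/logger\.go|scripts/demo\.tape|scripts/demo-attack\.sh)$
        stages: [pre-push]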