chore(pre-commit): scope hooks per monorepo component (#10815)

.pre-commit-config.yaml

@@ -1,12 +1,11 @@
 repos:
-  ## GENERAL
-  - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v6.0.0
+  ## GENERAL (prek built-in — no external repo needed)
+  - repo: builtin
     hooks:
       - id: check-merge-conflict
       - id: check-yaml
-        args: ["--unsafe"]
-        exclude: prowler/config/llm_config.yaml
+        args: ["--allow-multiple-documents"]
+        exclude: (prowler/config/llm_config.yaml|contrib/)
       - id: check-json
       - id: end-of-file-fixer
       - id: trailing-whitespace
@@ -36,12 +35,13 @@ repos:
       - id: shellcheck
         exclude: contrib
 
-  ## PYTHON
+  ## PYTHON — SDK (prowler/, tests/, dashboard/, util/, scripts/)
   - repo: https://github.com/myint/autoflake
     rev: v2.3.3
     hooks:
       - id: autoflake
-        exclude: ^skills/
+        name: "SDK - autoflake"
+        files: { glob: ["{prowler,tests,dashboard,util,scripts}/**/*.py"] }
         args:
           [
             "--in-place",
@@ -53,74 +53,101 @@ repos:
     rev: 8.0.1
     hooks:
       - id: isort
-        exclude: ^skills/
+        name: "SDK - isort"
+        files: { glob: ["{prowler,tests,dashboard,util,scripts}/**/*.py"] }
         args: ["--profile", "black"]
 
   - repo: https://github.com/psf/black
     rev: 26.3.1
     hooks:
       - id: black
-        exclude: ^skills/
+        name: "SDK - black"
+        files: { glob: ["{prowler,tests,dashboard,util,scripts}/**/*.py"] }
 
   - repo: https://github.com/pycqa/flake8
     rev: 7.3.0
     hooks:
       - id: flake8
-        exclude: (contrib|^skills/)
+        name: "SDK - flake8"
+        files: { glob: ["{prowler,tests,dashboard,util,scripts}/**/*.py"] }
         args: ["--ignore=E266,W503,E203,E501,W605"]
 
+  ## PYTHON — API + MCP Server (ruff)
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.15.11
+    hooks:
+      - id: ruff
+        name: "API + MCP - ruff check"
+        files: { glob: ["{api,mcp_server}/**/*.py"] }
+        args: ["--fix"]
+      - id: ruff-format
+        name: "API + MCP - ruff format"
+        files: { glob: ["{api,mcp_server}/**/*.py"] }
+
+  ## PYTHON — Poetry
   - repo: https://github.com/python-poetry/poetry
     rev: 2.3.4
     hooks:
       - id: poetry-check
         name: API - poetry-check
         args: ["--directory=./api"]
+        files: { glob: ["api/{pyproject.toml,poetry.lock}"] }
         pass_filenames: false
 
       - id: poetry-lock
         name: API - poetry-lock
         args: ["--directory=./api"]
+        files: { glob: ["api/{pyproject.toml,poetry.lock}"] }
         pass_filenames: false
 
       - id: poetry-check
         name: SDK - poetry-check
         args: ["--directory=./"]
+        files: { glob: ["{pyproject.toml,poetry.lock}"] }
         pass_filenames: false
 
       - id: poetry-lock
         name: SDK - poetry-lock
         args: ["--directory=./"]
+        files: { glob: ["{pyproject.toml,poetry.lock}"] }
         pass_filenames: false
 
+  ## CONTAINERS
   - repo: https://github.com/hadolint/hadolint
     rev: v2.14.0
     hooks:
       - id: hadolint
         args: ["--ignore=DL3013"]
 
+  ## LOCAL HOOKS
   - repo: local
     hooks:
       - id: pylint
-        name: pylint
-        entry: bash -c 'pylint --disable=W,C,R,E -j 0 -rn -sn prowler/'
+        name: "SDK - pylint"
+        entry: pylint --disable=W,C,R,E -j 0 -rn -sn
         language: system
-        files: '.*\.py'
+        types: [python]
+        files: { glob: ["{prowler,tests,dashboard,util,scripts}/**/*.py"] }
 
       - id: trufflehog
         name: TruffleHog
         description: Detect secrets in your data.
-        entry: bash -c 'trufflehog --no-update git file://. --only-verified --fail'
+        entry: bash -c 'trufflehog --no-update git file://. --since-commit HEAD --only-verified --fail'
         # For running trufflehog in docker, use the following entry instead:
         # entry: bash -c 'docker run -v "$(pwd):/workdir" -i --rm trufflesecurity/trufflehog:latest git file:///workdir --only-verified --fail'
         language: system
+        pass_filenames: false
         stages: ["pre-commit", "pre-push"]
 
       - id: bandit
         name: bandit
         description: "Bandit is a tool for finding common security issues in Python code"
-        entry: bash -c 'bandit -q -lll -x '*_test.py,./contrib/,./.venv/,./skills/' -r .'
+        entry: bandit -q -lll
         language: system
+        types: [python]
         files: '.*\.py'
+        exclude:
+          { glob: ["{contrib,skills}/**", "**/.venv/**", "**/*_test.py"] }
 
       - id: safety
         name: safety
@@ -129,12 +156,19 @@ repos:
         # TODO: 79023 & 79027 knack ReDoS until `azure-cli-core` (via `cartography`) allows `knack` >=0.13.0
         # TODO: 86217 because `alibabacloud-tea-openapi == 0.4.3` don't let us upgrade `cryptography >= 46.0.0`
         # TODO: 71600 CVE-2024-1135 false positive - fixed in gunicorn 22.0.0, project uses 23.0.0
-        entry: bash -c 'safety check --ignore 70612,66963,74429,76352,76353,77744,77745,79023,79027,86217,71600'
+        entry: safety check --ignore 70612,66963,74429,76352,76353,77744,77745,79023,79027,86217,71600
         language: system
+        pass_filenames: false
+        files:
+          {
+            glob:
+              ["**/pyproject.toml", "**/poetry.lock", "**/requirements*.txt"],
+          }
 
       - id: vulture
         name: vulture
         description: "Vulture finds unused code in Python programs."
-        entry: bash -c 'vulture --exclude "contrib,.venv,api/src/backend/api/tests/,api/src/backend/conftest.py,api/src/backend/tasks/tests/,skills/" --min-confidence 100 .'
+        entry: vulture --min-confidence 100
         language: system
+        types: [python]
         files: '.*\.py'