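---
# pre-commit configuration.
#
# Several local hooks wrap a whole-tree scanner in `bash -c '...'`; such an
# entry ignores the filenames pre-commit appends, so those hooks set
# `pass_filenames: false`. Without it pre-commit would split a long staged-file
# list into several (possibly parallel) invocations, each re-scanning the full
# tree. `files`/`exclude` are searched as regexes (re.search), so patterns that
# should only match an extension are anchored with `$`.
repos:
  ## GENERAL
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.6.0
    hooks:
      - id: check-merge-conflict
      - id: check-yaml
        # --unsafe parses for syntax only instead of loading the document, so
        # custom tags are tolerated and nothing is ever constructed.
        args: ["--unsafe"]
        # NOTE(review): this file is skipped even for the syntax check —
        # confirm why (non-standard YAML?) and record the reason here.
        exclude: prowler/config/llm_config.yaml
      - id: check-json
      - id: end-of-file-fixer
      - id: trailing-whitespace
      - id: no-commit-to-branch
      - id: pretty-format-json
        args: ["--autofix", "--no-sort-keys", "--no-ensure-ascii"]

  ## TOML
  - repo: https://github.com/macisamuele/language-formatters-pre-commit-hooks
    rev: v2.13.0
    hooks:
      - id: pretty-format-toml
        args: ["--autofix"]
        files: pyproject.toml

  ## BASH
  - repo: https://github.com/koalaman/shellcheck-precommit
    rev: v0.10.0
    hooks:
      - id: shellcheck
        # Unanchored: any path containing "contrib" is skipped.
        exclude: contrib

  ## PYTHON
  - repo: https://github.com/myint/autoflake
    rev: v2.3.1
    hooks:
      - id: autoflake
        args:
          - "--in-place"
          - "--remove-all-unused-imports"
          - "--remove-unused-variable"
  - repo: https://github.com/timothycrosley/isort
    rev: 5.13.2
    hooks:
      - id: isort
        args: ["--profile", "black"]
  - repo: https://github.com/psf/black
    rev: 24.4.2
    hooks:
      - id: black
  - repo: https://github.com/pycqa/flake8
    rev: 7.0.0
    hooks:
      - id: flake8
        # Unanchored: any path containing "contrib" is skipped.
        exclude: contrib
        args: ["--ignore=E266,W503,E203,E501,W605"]
  - repo: https://github.com/python-poetry/poetry
    rev: 2.1.1
    hooks:
      # Each hook id appears twice with a distinct `name` because the checks
      # run against two project directories (./api and the repository root).
      - id: poetry-check
        name: API - poetry-check
        args: ["--directory=./api"]
        pass_filenames: false
      - id: poetry-lock
        name: API - poetry-lock
        args: ["--directory=./api"]
        pass_filenames: false
      - id: poetry-check
        name: SDK - poetry-check
        args: ["--directory=./"]
        pass_filenames: false
      - id: poetry-lock
        name: SDK - poetry-lock
        args: ["--directory=./"]
        pass_filenames: false
  - repo: https://github.com/hadolint/hadolint
    rev: v2.13.0-beta
    hooks:
      - id: hadolint
        # DL3013: "pin versions in pip install" is not enforced.
        args: ["--ignore=DL3013"]
  - repo: local
    hooks:
      - id: pylint
        name: pylint
        # Disabling the W, C, R and E categories leaves essentially only fatal
        # (F) messages, i.e. this catches code pylint cannot analyse at all.
        # Always runs over prowler/ regardless of which files are staged.
        entry: bash -c 'pylint --disable=W,C,R,E -j 0 -rn -sn prowler/'
        language: system
        files: '\.py$'
        pass_filenames: false
      - id: trufflehog
        name: TruffleHog
        description: Detect secrets in your data.
        # Scans the repository's git history; `--only-verified` reports only
        # credentials TruffleHog could confirm against their issuer, and
        # `--fail` makes any finding block the commit/push.
        entry: bash -c 'trufflehog --no-update git file://. --only-verified --fail'
        # For running trufflehog in docker, use the following entry instead:
        # entry: bash -c 'docker run -v "$(pwd):/workdir" -i --rm trufflesecurity/trufflehog:latest git file:///workdir --only-verified --fail'
        language: system
        pass_filenames: false
        stages: ["pre-commit", "pre-push"]
      - id: bandit
        name: bandit
        description: "Bandit is a tool for finding common security issues in Python code"
        # -lll: report high-severity findings only. The exclude list is
        # double-quoted inside the bash string so the shell never attempts to
        # glob-expand `*_test.py`; the value bandit receives is unchanged.
        entry: bash -c 'bandit -q -lll -x "*_test.py,./contrib/,./.venv/" -r .'
        language: system
        files: '\.py$'
        pass_filenames: false
      - id: safety
        name: safety
        description: "Safety is a tool that checks your installed dependencies for known security vulnerabilities"
        # TODO: Botocore needs urllib3 1.X so we need to ignore these vulnerabilities 77744,77745. Remove this once we upgrade to urllib3 2.X
        # NOTE(review): the remaining ignored ids (70612,66963,74429,76352,76353)
        # carry no recorded justification — document or re-evaluate them.
        entry: bash -c 'safety check --ignore 70612,66963,74429,76352,76353,77744,77745'
        language: system
        pass_filenames: false
      - id: vulture
        name: vulture
        description: "Vulture finds unused code in Python programs."
        # --min-confidence 100: only findings vulture is certain about are reported.
        entry: bash -c 'vulture --exclude "contrib,.venv,api/src/backend/api/tests/,api/src/backend/conftest.py,api/src/backend/tasks/tests/" --min-confidence 100 .'
        language: system
        files: '\.py$'
        pass_filenames: false
      - id: ui-checks
        name: UI - Husky Pre-commit
        description: "Run UI pre-commit checks (Claude Code validation + healthcheck)"
        # Delegates to the UI project's own husky hook; runs whenever a file
        # under ui/ with one of the listed extensions is staged.
        entry: bash -c 'cd ui && .husky/pre-commit'
        language: system
        files: '^ui/.*\.(ts|tsx|js|jsx|json|css)$'
        pass_filenames: false
        verbose: true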