prowler/api/.pre-commit-config.yaml

repos:
  ## GENERAL
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.6.0
    hooks:
      - id: check-merge-conflict
      - id: check-yaml
        args: ["--unsafe"]
      - id: check-json
      - id: end-of-file-fixer
      - id: trailing-whitespace
      - id: no-commit-to-branch
      - id: pretty-format-json
        args: ["--autofix", "--no-sort-keys", "--no-ensure-ascii"]
        exclude: 'src/backend/api/fixtures/dev/.*\.json$'

  ## TOML
  - repo: https://github.com/macisamuele/language-formatters-pre-commit-hooks
    rev: v2.13.0
    hooks:
      - id: pretty-format-toml
        args: [--autofix]
        files: pyproject.toml

  ## BASH
  - repo: https://github.com/koalaman/shellcheck-precommit
    rev: v0.10.0
    hooks:
      - id: shellcheck
        exclude: contrib
  ## PYTHON
  - repo: https://github.com/astral-sh/ruff-pre-commit
    # Ruff version.
    rev: v0.5.0
    hooks:
      # Run the linter.
      - id: ruff
        args: [ --fix ]
      # Run the formatter.
      - id: ruff-format

  - repo: https://github.com/python-poetry/poetry
    rev: 1.8.0
    hooks:
      - id: poetry-check
        args: ["--directory=src"]
      - id: poetry-lock
        args: ["--no-update", "--directory=src"]

  - repo: https://github.com/hadolint/hadolint
    rev: v2.13.0-beta
    hooks:
      - id: hadolint
        args: ["--ignore=DL3013", "Dockerfile"]

  - repo: local
    hooks:
      - id: pylint
        name: pylint
        entry: bash -c 'poetry run pylint --disable=W,C,R,E -j 0 -rn -sn src/'
        language: system
        files: '.*\.py'

      - id: trufflehog
        name: TruffleHog
        description: Detect secrets in your data.
        entry: bash -c 'trufflehog --no-update git file://. --only-verified --fail'
        # For running trufflehog in docker, use the following entry instead:
        # entry: bash -c 'docker run -v "$(pwd):/workdir" -i --rm trufflesecurity/trufflehog:latest git file:///workdir --only-verified --fail'
        language: system
        stages: ["commit", "push"]

      - id: bandit
        name: bandit
        description: "Bandit is a tool for finding common security issues in Python code"
        entry: bash -c 'poetry run bandit -q -lll -x '*_test.py,./contrib/,./.venv/' -r .'
        language: system
        files: '.*\.py'

      - id: safety
        name: safety
        description: "Safety is a tool that checks your installed dependencies for known security vulnerabilities"
        entry: bash -c 'poetry run safety check --ignore 70612,66963'
        language: system

      - id: vulture
        name: vulture
        description: "Vulture finds unused code in Python programs."
        entry: bash -c 'poetry run vulture --exclude "contrib,.venv,tests,conftest.py" --min-confidence 100 .'
        language: system
        files: '.*\.py'