feat(ci): add security scanning hooks to pre-commit #633
jakob1379 wants to merge 1 commit into rendercv:main from
2d808ca to 3a382fe
| ci: | ||
| autoupdate_commit_msg: "chore: update pre-commit hooks" | ||
| autofix_commit_msg: "style: pre-commit fixes" | ||
| autoupdate_schedule: monthly | ||
| skip: [] | ||
| submodules: false |
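Review bot: this `ci:` block is read only by pre-commit.ci and is a no-op under plain `pre-commit run`, and the maintainer says later in the thread that the project no longer uses pre-commit.ci, so either drop the block or add a comment saying why it is kept. `skip: []` and `submodules: false` restate the defaults and can be removed; if the block stays, `autoupdate_commit_msg`, `autofix_commit_msg` and `autoupdate_schedule` are the only lines doing any work.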
This is only used if you use https://pre-commit.ci; it will help keep these up to date, run them in PRs, etc.
In general, pre-commit.ci is much faster than GitHub runners because it caches a lot of the dependencies.
| 'ARG', # flake8-unused-arguments: detects unused function arguments | ||
| 'B', # flake8-bugbear: catches common bugs and design problems | ||
| 'C4', # flake8-comprehensions: improves comprehension readability | ||
| 'C901', # McCabe complexity: flags functions with high cyclomatic complexity | ||
| 'EM', # flake8-errmsg: ensures error messages are formatted with variables | ||
| 'EXE', # flake8-executable: checks executable file shebangs | ||
| 'G', # flake8-logging-format: enforces proper logging format strings | ||
| 'I', # isort: enforces import ordering and organization | ||
| 'ICN', # flake8-import-conventions: enforces standard import aliases | ||
| 'ISC', # flake8-implicit-str-concat: catches implicit string concatenation | ||
| 'NPY', # NumPy-specific rules: enforces NumPy best practices | ||
| 'PD', # pandas-vet: checks pandas-specific code quality | ||
| 'PGH', # pygrep-hooks: checks for common errors in configuration files | ||
| 'PIE', # flake8-pie: miscellaneous Python improvement suggestions | ||
| 'PL', # Pylint: comprehensive code quality and complexity analysis | ||
| 'PT', # flake8-pytest-style: enforces pytest best practices | ||
| 'PTH', # flake8-use-pathlib: encourages pathlib over os.path | ||
| 'RET', # flake8-return: improves return statement logic | ||
| 'RUF', # Ruff-specific rules: custom Ruff linter rules | ||
| 'SIM', # flake8-simplify: suggests simpler code alternatives | ||
| 'T20', # flake8-print: catches print statement usage (should use logging) | ||
| 'UP', # pyupgrade: suggests modern Python syntax features | ||
| 'YTT', # flake8-2020: detects outdated Python 2 compatibility code |
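Review bot: three of the inline comments misstate what the selector does. `EM` (flake8-errmsg) flags `raise SomeError("literal")` and asks for the message to be assigned to a variable first; it does not check that messages are "formatted with variables". `PGH` (pygrep-hooks) flags blanket `# noqa` and `# type: ignore` comments, `eval()` calls and deprecated `log.warn` in Python source, not configuration files. `YTT` (flake8-2020) flags `sys.version` / `sys.version_info` comparisons that break on newer interpreters (for example slicing `sys.version[:3]`), not Python 2 compatibility code. Fix the comments so readers do not rely on them, and consider whether `NPY` and `PD` belong here at all, since they only fire on NumPy and pandas code. For a PR about security rules, the shown list also has no `S` (flake8-bandit) selector; make sure it is selected in this block or elsewhere in the config.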
I added the C901 and sorted the list.
I don’t know much about these topics. Could you explain why we need them? We don’t use pre-commit.ci anymore, by the way.
Feel free to close if you do not think this adds any value to the project. The pre-commits might seem excessive, but they do catch a bunch of bad practices, lint for consistent style across the project, capture spelling mistakes, common security issues, etc. The ci section in the
cff31ca to 2b08030
Hello, I’m not very familiar with the changes you’ve added. I’ve marked all PRs with failing workflows as draft for now. There are quite a few PRs, and I can’t fully understand each one, so I’ve skipped the ones I’m not very familiar with. Thank you for your work.
Closes #621. Adds gitleaks, uv-secure, bandit, and expanded Ruff security rules to pre-commit hooks.
In an effort to improve the general health and quality of the repo, the pre-commit hooks have been expanded. Some are more invasive than others, e.g. rigid formatting of all files using prettier, an effort to reduce code complexity (read: make code human friendly) with complexipy, security through bandit to catch many types of insecurities not caught by the ruff-bandit rules, and much more.
Each repo and hook has an explanation for what it does, so hopefully everything is clear and serves a purpose.
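As an added example (not the PR's own file, and not part of the rendercv repository), here is a `.pre-commit-config.yaml` that wires up the hooks the description lists, together with the pre-commit.ci `ci:` block shown in the first hunk. The `rev` pins are assumptions and should be replaced with the output of `pre-commit autoupdate`; the uv-secure repository URL and hook id are assumed from the tool name; the bandit arguments assume the project keeps a `[tool.bandit]` section in `pyproject.toml`.

```yaml
# Added example config (not the PR's). Pins are assumptions; run
# `pre-commit autoupdate` to replace them with current tags.
ci:
  # Read only by https://pre-commit.ci; ignored by plain `pre-commit run`.
  autoupdate_commit_msg: "chore: update pre-commit hooks"
  autofix_commit_msg: "style: pre-commit fixes"
  autoupdate_schedule: monthly

repos:
  # Secret scanning: fails the commit if staged content matches a token,
  # API key or private-key pattern, so secrets never reach the history.
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.0   # assumed pin
    hooks:
      - id: gitleaks

  # Linting. Rule selection, including `S` (the flake8-bandit port),
  # lives in pyproject.toml under [tool.ruff.lint]; the hook just runs it.
  - repo: https://github.com/astral-sh/ruff-pre-commit
    rev: v0.4.0    # assumed pin
    hooks:
      - id: ruff
        # Apply safe fixes, but still fail so the fixed files get re-staged.
        args: ["--fix", "--exit-non-zero-on-fix"]
      - id: ruff-format

  # Upstream bandit, for checks that Ruff's S rules do not cover.
  - repo: https://github.com/PyCQA/bandit
    rev: 1.7.5     # assumed pin
    hooks:
      - id: bandit
        # Read [tool.bandit] (exclude_dirs, skips) from pyproject.toml;
        # the toml extra is needed for that.
        args: ["-c", "pyproject.toml"]
        additional_dependencies: ["bandit[toml]"]

  # Dependency vulnerability audit of the uv lockfile
  # (repository URL and hook id assumed from the tool name).
  - repo: https://github.com/owenlamont/uv-secure
    rev: 0.5.0     # assumed pin
    hooks:
      - id: uv-secure
```

Install once with `pre-commit install`, then run `pre-commit run --all-files` to see the baseline before enabling it on every commit. The `ci:` block is harmless if the repository is not enrolled on pre-commit.ci, but it is also dead configuration; remove it if the project has stopped using that service.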