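# Semgrep pre-commit configuration.
# See https://pre-commit.com/ for more information.
# Once pre-commit is installed, you can run it locally with `pre-commit run --all`.
#
# This config defines also 2 "jobs" with the `stages: [manual]` directive
# which are only exercised in CI (see .github/workflows/lint.yml).
#
# Supply-chain note: every remote hook repo below is pinned with `rev:` to a
# release tag, and the docker_image hooks to an image tag. Tags are mutable
# refs, so the toolchain this file selects can change with no diff here.
# For a reproducible toolchain, pin `rev:` to the tag's full commit SHA
# (`pre-commit autoupdate --freeze` rewrites the file that way) and images
# to a digest (`image@sha256:<digest>`), and bump them only via reviewed updates.
exclude: "^tests|^cli/tests/e2e/(targets|snapshots|rules/syntax)|^cli/src/semgrep/external|^cli/src/semdep/external|^cli/bin|\\binvalid\\b|TOPORT"
default_stages: [commit]
# See https://pre-commit.com/#pre-commit-configyaml---repos
# for more information on the format of the content below
repos:
  # ----------------------------------------------------------
  # Standard pre-commit hooks
  # ----------------------------------------------------------
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.3.0
    hooks:
      - id: check-added-large-files
      - id: check-ast
      - id: check-builtin-literals
      - id: check-case-conflict
      - id: check-docstring-first
      - id: check-executables-have-shebangs
      - id: check-json
        exclude: ".devcontainer/devcontainer.json"
      - id: check-merge-conflict
      - id: check-shebang-scripts-are-executable
      - id: check-symlinks
      - id: check-toml
      - id: check-vcs-permalinks
      - id: check-xml
      - id: check-yaml
        args: [--allow-multiple-documents]
      - id: debug-statements
      - id: destroyed-symlinks
      # Fails the commit when a file contains a private-key block; keep this
      # hook enabled even if the list above is trimmed for speed.
      - id: detect-private-key
      - id: end-of-file-fixer
      - id: fix-byte-order-marker
      - id: fix-encoding-pragma
        args: [--remove]
      - id: mixed-line-ending
        args: [--fix=lf]
      - id: no-commit-to-branch
      - id: requirements-txt-fixer
      - id: trailing-whitespace
        args: [--markdown-linebreak-ext=md]
  # ----------------------------------------------------------
  # Extra hooks with repositories defining their own hooks
  # ----------------------------------------------------------
  - repo: https://github.com/myint/autoflake
    rev: v1.4
    hooks:
      - id: autoflake
        args:
          - --in-place
          - --remove-unused-variables
          - --remove-duplicate-keys
          - --remove-all-unused-imports
          - --ignore-init-module-imports
          - --exclude=/cli/src/semgrep/output_from_core.py
  - repo: https://github.com/psf/black
    rev: 22.6.0
    hooks:
      - id: black
        args: [--exclude=/cli/src/semgrep/output_from_core.py]
  - repo: https://github.com/asottile/reorder_python_imports
    rev: v3.1.0
    hooks:
      - id: reorder-python-imports
        args: ["--application-directories=cli/src", --py37-plus]
  - repo: https://github.com/asottile/pyupgrade
    rev: v2.34.0
    hooks:
      - id: pyupgrade
        args: ["--py37-plus"]
  - repo: https://github.com/pre-commit/mirrors-mypy
    rev: v1.0.0
    hooks:
      - id: mypy
        # Quoted like the other regexes in this file. The pattern used to end
        # in "$$", a redundant second end anchor; a single "$" is equivalent.
        exclude: "^cli/tests/.+$|^setup.py$|^cli/src/semdep/external/packaging/.*$|^cli/src/semdep/external/parsy/.*$|^cli/scripts/.*$|^scripts/.+$|^stats/parsing-stats/.+$|^perf/.+$"
        args: [--config, mypy.ini, --show-error-codes, --python-version, "3.11"]
        # pre-commit installs these from PyPI into the hook's own environment
        # when the hook is first set up; entries without a pin (or with a
        # loose one) resolve to whatever PyPI serves at that moment.
        additional_dependencies: &mypy-deps
          # versions must be manually synced:
          # - cli/setup.py lists dependencies
          # - cli/Pipfile lists type hint packages for dev env
          # - .pre-commit-config.yaml's mypy hooks also list type hint packages
          # some packages ship with type definitions
          - attrs~=21.3
          # click 8.1.4's new decorator type hints don't seem to work well
          - click<8.1.4
          - defusedxml~=0.7.1
          - packaging~=21.0
          - requests~=2.22
          - rich>=12.6.0
          - tomli~=2.0.1
          # other packages have separate typings published
          - types-colorama~=0.4.0
          - types-freezegun
          - types-Jinja2
          - types-jsonschema~=4.6.0
          - types-python-dateutil
          - types-requests
          - types-setuptools
      - id: mypy
        alias: mypy-test
        name: mypy (test files)
        files: "^cli/tests/.+$"
        args: [--config, mypy-tests.ini, --show-error-codes]
        additional_dependencies: *mypy-deps
  - repo: https://github.com/PyCQA/flake8
    rev: 3.9.2
    hooks:
      - id: flake8
        additional_dependencies: ["flake8-bugbear==22.1.11"]
        args: ["--select=B,E9,F4,F63,F7,F82"]
  # Reformat YAML, JSON, and Markdown files
  - repo: https://github.com/pre-commit/mirrors-prettier
    rev: v2.7.1
    hooks:
      - id: prettier
        exclude: "^perf/bench/dummy/.+$|^cli/tests/e2e/rules/.+$|^.+/Pipfile.lock$|^.devcontainer/devcontainer.json$"
  # ----------------------------------------------------------
  # Extra hooks using additional_dependencies
  # ----------------------------------------------------------
  - repo: local
    hooks:
      - id: gitignore-to-dockerignore
        name: Convert .gitignore to .dockerignore
        language: node
        entry: gitignore-to-dockerignore
        # The leading dot is escaped so that only ".gitignore"/".dockerignore"
        # match, not any single character followed by the suffix.
        files: "^\\.(git|docker)ignore$"
        # NOTE(review): this value looks mangled by the page it was copied from
        # (an email-obfuscation artifact). The real entry should be the npm
        # package spec `gitignore-to-dockerignore@<pinned version>`; restore it
        # from upstream before relying on this hook.
        additional_dependencies: ["[email protected]"]
  # ----------------------------------------------------------
  # Simple docker-based hooks
  # ----------------------------------------------------------
  - repo: local
    hooks:
      - id: shellcheck
        name: shellcheck
        language: docker_image
        # Image tags can be re-pushed; a digest (`image@sha256:<digest>`)
        # pins the exact linter. The same applies to the hadolint image below.
        entry: koalaman/shellcheck:v0.8.0
        files: "[.]sh$"
      - id: hadolint
        name: hadolint
        language: docker_image
        types:
          - dockerfile
        exclude: "^scripts/release/linuxbrew[.]Dockerfile$"
        entry: hadolint/hadolint:v2.8.0-alpine hadolint
        # DL3008 / DL3018 are hadolint's "pin versions in apt-get install" /
        # "pin versions in apk add" rules, so package pinning inside the
        # Dockerfiles is deliberately not enforced by this hook.
        args: ["--ignore", "DL3008", "--ignore", "DL3018"]
  # ----------------------------------------------------------
  # Local hooks
  # ----------------------------------------------------------
  # Reformat OCaml code (ml, mli) with ocamlformat if ocamlformat is
  # present. If ocamlformat is missing, this step will succeed.
  # This allows pure python users to run 'pre-commit run --all' without
  # installing opam and ocamlformat.
  - repo: local
    hooks:
      - id: lint-ocaml
        name: Reformat OCaml code
        entry: ./scripts/lint-ocaml
        language: script
        files: "\\.mli?$"
  # ----------------------------------------------------------
  # Dogfood! running semgrep in pre-commit!
  # ----------------------------------------------------------
  - repo: https://github.com/returntocorp/semgrep
    rev: v1.30.0
    hooks:
      - id: semgrep
        name: Semgrep Jsonnet
        # This uses the Python "hook" in .pre-commit-hooks.yaml and setup.py.
        # alt: use 'repo: local', and 'language: docker', which can use
        # the very latest docker image, which is nice, but is far slower.
        language: python
        # Both the .semgrepignore file and the --exclude option
        # do nothing because the target files are passed
        # explicitly on the command line by pre-commit!
        # TODO: remove once file targeting is revamped and supports
        # filtering for explicit targets (a command-line flag should do)
        # exclude: "xxx.ml"
        # TODO: we could also set 'pass_filenames: false', see
        # https://stackoverflow.com/questions/57199833/run-pre-commit-com-hook-once-not-for-every-file-if-a-matched-file-is-detected
        # coupling: 'make check' and the SEMGREP_ARGS variable
        args:
          # use osemgrep!
          - "--experimental"
          # use jsonnet!
          - "--config"
          - "semgrep.jsonnet"
          # classic flag to use in CI or pre-commit, return error code if findings
          - "--error"
          # Quiet or not quiet? Debug or not debug?
          # Pre-commit can call multiple times semgrep in
          # one run if there are many files in a PR (or in CI where
          # it runs on all the files in a repo). In that case I
          # think pre-commit splits the list of files in multiple
          # batches and run one semgrep per batch. This is why it's
          # important to use --quiet otherwise you can have the same
          # banner repeated many times in the output in case of errors.
          # It's a much bigger problem though to not see the error messages.
          # - "--verbose"
          #
          # this last option is useful in a pre-commit context because
          # pre-commit calls the hooks with all the files in the PR
          # (or in CI with all the files in the repo) but we don't
          # want an OCaml rule to be applied on a script.
          - "--skip-unknown-extensions"
  # Dogfooding .pre-commit-hooks.yml and setup.py
  # Use a fixed version of p/python and p/bandit to not get new findings
  # We run `semgrep ci` for our main rulesets
  - repo: https://github.com/returntocorp/semgrep
    rev: v1.5.1
    hooks:
      - id: semgrep
        name: Semgrep Python
        types: [python]
        exclude: "^cli/tests/.+$|^scripts/.+$|^cli/setup.py$"
        args: ["--config", "tests/precommit_dogfooding/python.yml", "--error"]
      - id: semgrep
        name: Semgrep Bandit
        types: [python]
        exclude: "^cli/tests/.+$|^scripts/.+$|^cli/setup.py$"
        args: ["--config", "tests/precommit_dogfooding/bandit.yml", "--error"]
  # Run Semgrep Docker images. Only used in CI since it's slower for local development.
  # To run locally use `pre-commit run --hook-stage manual semgrep-docker-develop`
  - repo: https://github.com/returntocorp/semgrep
    # Note that the 'rev:' below is the revision to use to clone the URL
    # above and to fetch its .pre-commit-hooks.yaml file. It does not always
    # mean which version of semgrep to use for the hook itself.
    # For example in .pre-commit-hooks.yaml if you use an entry with
    # the 'language: docker_image', the 'entry:' field will then specify
    # which version to use. In the case below, we're actually running
    # returntocorp/semgrep:develop if you look at .pre-commit-hooks.yaml
    # "develop" is a floating tag, so these two manual-stage hooks are
    # intentionally a moving target and their results can differ between runs.
    rev: v1.5.1
    hooks:
      - id: semgrep-docker-develop
        name: Semgrep Develop Python
        types: [python]
        exclude: "^cli/tests/.+$|^scripts/.+$|^cli/setup.py$"
        args: ["--config", "tests/precommit_dogfooding/python.yml", "--error"]
        stages: [manual]
      - id: semgrep-docker-develop
        name: Semgrep Develop Bandit
        types: [python]
        exclude: "^cli/tests/.+$|^scripts/.+$|^cli/setup.py$"
        args: ["--config", "tests/precommit_dogfooding/bandit.yml", "--error"]
        stages: [manual]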