pre-commit

• Website
• GitHub

• 2k commits, 13k ⭐

• Supported hooks
• Cached hooks: ~/.cache/pre-commit
• Custom hooks (see below): ~/projects/git/pre-commit/pre-commit-config-varac

Install:

sudo apt install pre-commit

Usage:

pre-commit sample-config > .pre-commit-config.yaml
pre-commit install
pre-commit run --all-files
pre-commit run --all-files --show-diff-on-failure

Skip hooks:

SKIP=terraform_fmt,terraform_validate,terraform_tflint pre-commit ...

General hooks

Good documentation including expected stdin/parameters

Global hooks activated by:

git config --global core.hooksPath ~/.config/git/hooks

Filtering files with types

Filtering files with types

Identify file type discovered by pre-commit:

$ identify-cli setup.py
["file", "non-executable", "python", "text"]

Issues

Global hooks / include statement

• Ability to include additional hooks
• Doesn't work well together with global hooks
• Global hook to detect pre-commit config per repo and run if present
• Metahooks / nested config
• How can I configure pre-commit globally for all projects?
  • A few workarounds listed by @asottile
• Support global git hooks in git v2.9

Workarounds:

• Using global pre-commit hook to prevent committing unwanted code
• My own hack around

Integrations / plugins / shared hooks

Terraform

• When used in pre-commit, there's no indication about the file location Output directory tflint is executed from

Ansible

cat ~/projects/git/pre-commit/custom/ansible.yaml >> .pre-commit-config.yaml

Chef

https://github.com/mattlqx/pre-commit-ruby

YAML

• Feature: Add a param to check_json and check_yaml to support jsonschema closed :/

Docker

cat ~/projects/git/pre-commit/custom/docker.yaml >> .pre-commit-config.yaml

Kubernetes

Kubeval:

cat ~/projects/git/pre-commit/custom/kubeval.yaml >> .pre-commit-config.yaml

• Using k8validate doesn't work

Gitlab Ci Linter

See ../gitlab/ci.md

Check for secret material

gitleaks

• gitleaks
• Diskussion about what passwords to protect
• pre-commit-hook integration

Install:

sudo pacman -S gitleaks

Scan git history:

gitleaks detect -v

Ignore/allow false-positives:

• Add a # gitleaks:allow at the end of the line with an allowed false-positive
• For retroactive ignores from already committed false-positives add the fingerprint shown by gitleaks detect -v to a .gitleaksignore, see this repos .gitleaksignore as example

talisman

https://github.com/thoughtworks/talisman/

If you are sure you want to ignore detected secret material:

echo 'aarwolf.yaml # ignore:filecontent' >> .talismanignore

Issues:

• No way to Permanent ignore for scoped file patterns
  • see also no Option to permanently ignore a file

git-secrets

• Stale, no new release including pre-commit support
• Last tag 2019
• Example pre-commit-hooks.yml
• Doesn't detect a kubeconfig file!

Commit message linters

• Conventional Commits

gitlint

Website Config files

Add a default .gitlint file:

gitlint generate-config

Ignore body-is-missing rule:

echo '[general]\nignore=body-is-missing' > .gitlint

Other (noteworthy) commit message linters:

• https://marionebl.github.io/commitlint/#/ (nodejs)

commitlint

https://github.com/conventional-changelog/commitlint

gitmoji

https://gitmoji.carloscuesta.me/ https://hackernoon.com/using-github-as-a-team-the-holy-grail-of-commit-messages-f5b10c925d62

Other tools

https://github.com/zeke/semantic-pull-requests: Stale, last commit 2021

pre-commit in CI

• Pre-Commit.ci : Integrating Pre-Commit into CI/CD

Container images

• kiwicom/pre-commit
• yesolutions/docker-pre-commit: Last commit 2022-02

Gitlab CI Templates

• yesolutions/gitlab-ci-templates: pre-commit-autofix