-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy path.pre-commit-config.yaml
More file actions
67 lines (63 loc) · 2.79 KB
/
Copy path.pre-commit-config.yaml
File metadata and controls
67 lines (63 loc) · 2.79 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
# Pre-commit hooks for masterblasterbrain.
#
# Install once per clone:
# pip install pre-commit
# pre-commit install
#
# From then on, every `git commit` runs these checks and aborts if any
# rule matches. You can bypass with `git commit --no-verify`, but don't
# do that unless you *really* know what you are bypassing.
repos:
# Built-in basic hygiene from pre-commit itself
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v5.0.0
hooks:
- id: detect-private-key # SSH/GPG/TLS private keys
- id: detect-aws-credentials
args: [--allow-missing-credentials]
- id: check-merge-conflict # leftover <<<<<<< markers
- id: check-yaml # .yaml syntax sanity
- id: check-json # .json syntax sanity
- id: end-of-file-fixer
- id: trailing-whitespace
- id: check-added-large-files # warn on >500KB files
args: [--maxkb=500]
# Project-specific guards. `pygrep` fails the commit if its regex
# matches anywhere in any staged text file.
- repo: local
hooks:
- id: block-canvas-tokens
name: Block Canvas/Instructure API tokens
description: >
Canvas personal access tokens look like `15183~<30+ chars>`.
GitHub's secret scanning doesn't know about them, so we catch
them locally before they reach the remote.
language: pygrep
entry: '1[0-9]{4}~[A-Za-z0-9]{30,}'
types: [text]
- id: block-bearer-tokens
name: Block hardcoded Authorization bearer tokens
description: >
Catches copy-pasted curl snippets like
`Authorization: Bearer <long string>` in any tracked text file.
language: pygrep
entry: 'Authorization:\s*Bearer\s+[A-Za-z0-9._~+/-]{20,}'
types: [text]
- id: block-generic-api-keys
name: Block generic API key / token assignments
description: >
Catches things like `api_key = "abc123..."`, `API_KEY=abc...`,
`token: abc...` where the value looks long enough to be a real
secret (20+ chars). Produces false positives on genuinely long
example strings — use `# pragma: allowlist secret` on that
specific line to suppress, or tighten the rule.
language: pygrep
entry: '(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*["'']?[A-Za-z0-9_\-~+/.]{20,}'
types: [text]
exclude: |
(?x)^(
\.pre-commit-config\.yaml # this file literally documents the patterns
|docs/.*\.md # docs may contain placeholder examples
|templates/.*\.md # template frontmatter uses fake values
|examples/.*\.yaml # example config uses short placeholder codes
)$