Add test user seed, password validation, and pre-commit security hook

- backend/scripts/seed.py: creates test@example.com on dev startup - backend/scripts/start_dev.sh: runs migrations + seed + uvicorn --reload - backend/app/schemas/user.py: password validator (length, case, digit, special char, forbidden words) - scripts/security_check.py: Docker-based scanner for secrets, dangerous patterns, weak crypto, bandit - .githooks/pre-commit: runs security_check.py in python:3.12-slim on every commit Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-12 15:54:23 +02:00
parent 2351b489fe
commit 61cef2eacd
9 changed files with 323 additions and 2 deletions
@@ -0,0 +1,32 @@
+#!/bin/sh
+# Security pre-commit hook — runs checks inside Docker, no host installs required.
+# Install: git config core.hooksPath .githooks
+
+REPO_ROOT="$(git rev-parse --show-toplevel)"
+
+# Collect staged files on the host and pass them into the container as arguments
+STAGED=$(git diff --cached --name-only --diff-filter=ACM)
+
+if [ -z "$STAGED" ]; then
+  echo "[pre-commit] no staged files — skipping security check."
+  exit 0
+fi
+
+echo "[pre-commit] running security checks..."
+
+# Pass staged file list via environment variable
+docker run --rm \
+  -v "$REPO_ROOT":/repo \
+  -w /repo \
+  -e STAGED_FILES="$STAGED" \
+  python:3.12-slim \
+  sh -c "pip install --quiet bandit && python scripts/security_check.py"
+
+EXIT_CODE=$?
+
+if [ $EXIT_CODE -ne 0 ]; then
+  echo "[pre-commit] commit blocked by security check."
+  exit 1
+fi
+
+exit 0