From 8ac1d8223b70211115ec847eecc61e2a04aa349a Mon Sep 17 00:00:00 2001
From: curo1305
Date: Mon, 13 Apr 2026 23:08:02 +0200
Subject: [PATCH] Use venv inside pre-commit container instead of pip --user

Creates /tmp/venv inside the ephemeral container, installs bandit there, and runs the security check via the venv's Python. No --user installs, no script-location warnings, no writes outside the container's /tmp.

Co-Authored-By: Claude Sonnet 4.6
---
 .githooks/pre-commit | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/.githooks/pre-commit b/.githooks/pre-commit
index 4159402..3f49670 100755
--- a/.githooks/pre-commit
+++ b/.githooks/pre-commit
@@ -20,10 +20,9 @@ docker run --rm \
 -w /repo \
 -e STAGED_FILES="$STAGED" \
 -u 1001:1001 \
- -e HOME=/tmp \
 -e PIP_DISABLE_PIP_VERSION_CHECK=1 \
 python:3.12-slim \
- sh -c "pip install --quiet --user --no-warn-script-location bandit && python scripts/security_check.py"
+ sh -c "python -m venv /tmp/venv && /tmp/venv/bin/pip install --quiet bandit && /tmp/venv/bin/python scripts/security_check.py"
 EXIT_CODE=$?
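Review bot: The new `sh -c` line still installs `bandit` unpinned from PyPI on every commit, so the code this hook executes with read access to the working tree is whatever the index serves at that moment, and the check's verdict can change between two developers' machines; pin it to an exact version and preferably a hash-locked requirements file checked into the repo, e.g. `/tmp/venv/bin/pip install --quiet --require-hashes -r scripts/bandit-requirements.txt` with a `bandit==<version> --hash=sha256:…` entry. Dropping `-e HOME=/tmp` also moves pip's default cache directory out of `/tmp`; under `-u 1001:1001` the slim image presumably has no passwd entry for that UID, so pip will likely fall back to an unwritable `$HOME/.cache` and warn about it — adding `-e PIP_NO_CACHE_DIR=1` (or keeping `HOME=/tmp`) keeps the run quiet and keeps all writes inside `/tmp` as the commit message promises. The `docker run` command this hunk edits begins before the hunk, and the hunk's trailing context appears to continue past what is shown.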