curo1305
e443ea4d39
/.cache/pip is owned by root; as UID 1001 pip emits a cache-permission warning. Container is ephemeral so caching has no value — disable it with PIP_NO_CACHE_DIR=1. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
36 lines
972 B
Bash
Executable File
36 lines
972 B
Bash
Executable File
#!/bin/sh
|
|
# Security pre-commit hook — runs checks inside Docker, no host installs required.
|
|
# Install: git config core.hooksPath .githooks
|
|
|
|
REPO_ROOT="$(git rev-parse --show-toplevel)"
|
|
|
|
# Collect staged files on the host and pass them into the container as arguments
|
|
STAGED=$(git diff --cached --name-only --diff-filter=ACM)
|
|
|
|
if [ -z "$STAGED" ]; then
|
|
echo "[pre-commit] no staged files — skipping security check."
|
|
exit 0
|
|
fi
|
|
|
|
echo "[pre-commit] running security checks..."
|
|
|
|
# Pass staged file list via environment variable
|
|
docker run --rm \
|
|
-v "$REPO_ROOT":/repo \
|
|
-w /repo \
|
|
-e STAGED_FILES="$STAGED" \
|
|
-u 1001:1001 \
|
|
-e PIP_DISABLE_PIP_VERSION_CHECK=1 \
|
|
-e PIP_NO_CACHE_DIR=1 \
|
|
python:3.12-slim \
|
|
sh -c "python -m venv /tmp/venv && /tmp/venv/bin/pip install --quiet bandit && /tmp/venv/bin/python scripts/security_check.py"
|
|
|
|
EXIT_CODE=$?
|
|
|
|
if [ $EXIT_CODE -ne 0 ]; then
|
|
echo "[pre-commit] commit blocked by security check."
|
|
exit 1
|
|
fi
|
|
|
|
exit 0
|