adding security tool stack, pre-commit steps, and gitignore additions

2026-05-12 22:35:49 -05:00
parent e6464dfdf8
commit 9e78e4ab66
4 changed files with 125 additions and 1 deletions
@@ -0,0 +1,29 @@
+repos:
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.24.2
+    hooks:
+      - id: gitleaks
+
+  - repo: local
+    hooks:
+      - id: semgrep
+        name: semgrep
+        entry: bash -c 'docker run --rm -v "$(realpath .)":/src:Z docker.io/semgrep/semgrep semgrep scan --config auto /src'
+        language: system
+        pass_filenames: false
+
+  - repo: local
+    hooks:
+      - id: trivy
+        name: trivy filesystem scan
+        entry: bash -c 'docker run --rm -v "$(pwd)":/workspace docker.io/aquasec/trivy fs --scanners vuln,secret,misconfig --severity HIGH,CRITICAL /workspace'
+        language: system
+        pass_filenames: false
+
+  - repo: local
+    hooks:
+      - id: psscriptanalyzer
+        name: powershell static analysis
+        entry: pwsh -NoProfile -Command "Import-Module PSScriptAnalyzer; Invoke-ScriptAnalyzer -Path . -Recurse -Severity Error"
+        language: system
+        pass_filenames: false