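---
# pre-commit configuration: secret scanning, SAST, dependency/misconfig
# scanning and PowerShell static analysis, run before each commit.
#
# pre-commit decides pass/fail from each hook's exit status and hides the
# output of passing hooks by default, so every scanner below is invoked with
# the option that makes it exit non-zero when it reports findings.
repos:
  # Secret detection, pinned to a release tag.
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.24.2
    hooks:
      - id: gitleaks

  - repo: local
    hooks:
      # NOTE(review): the image has no tag or digest, so every run pulls
      # whatever the registry currently serves. Pin it, e.g.
      # docker.io/semgrep/semgrep@sha256:<digest>, so the scanner that gates
      # commits cannot change underneath you.
      # NOTE(review): `--config auto` resolves rules from the Semgrep
      # registry at run time; the rule set is therefore not reproducible and
      # the hook needs network access. Consider a pinned ruleset.
      # `--error` makes semgrep exit 1 when findings exist; without it the
      # scan exits 0 and the hook always passes.
      - id: semgrep
        name: semgrep
        entry: >-
          bash -c 'docker run --rm -v "$(realpath .)":/src:Z
          docker.io/semgrep/semgrep
          semgrep scan --config auto --error /src'
        language: system
        pass_filenames: false

  - repo: local
    hooks:
      # NOTE(review): unpinned image, same concern as the semgrep hook; pin
      # as docker.io/aquasec/trivy@sha256:<digest>.
      # `--exit-code 1` makes trivy fail the hook on HIGH/CRITICAL findings
      # (its default exit code is 0 even when issues are reported).
      # `:Z` matches the semgrep mount so the container can read the
      # workspace on SELinux-enforcing hosts.
      - id: trivy
        name: trivy filesystem scan
        entry: >-
          bash -c 'docker run --rm -v "$(pwd)":/workspace:Z
          docker.io/aquasec/trivy fs --exit-code 1
          --scanners vuln,secret,misconfig
          --severity HIGH,CRITICAL /workspace'
        language: system
        pass_filenames: false

  - repo: local
    hooks:
      # `-EnableExit` makes Invoke-ScriptAnalyzer end the session with a
      # non-zero exit code when it reports errors; without it pwsh exits 0
      # and the hook passes regardless of findings.
      # Requires pwsh and the PSScriptAnalyzer module on the host.
      - id: psscriptanalyzer
        name: powershell static analysis
        entry: >-
          pwsh -NoProfile -Command "Import-Module PSScriptAnalyzer;
          Invoke-ScriptAnalyzer -Path . -Recurse -Severity Error -EnableExit"
        language: system
        pass_filenames: false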