fix; CVE-2025-68156 remediation

- Changed report title to reflect security audit focus - Updated date and status to indicate approval for commit - Enhanced executive summary with detailed validation results - Included comprehensive test coverage results for backend and frontend - Documented pre-commit hooks validation and known issues - Added detailed security scan results, confirming absence of CVE-2025-68156 - Verified binary inspection for expr-lang dependency - Provided risk assessment and recommendations for post-merge actions - Updated compliance matrix and final assessment sections - Improved overall report structure and clarity
2026-01-11 19:33:25 +00:00
parent db7490d763
commit e06eb4177b
43 changed files with 4230 additions and 2661 deletions
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.6.0
+    rev: v6.0.0
    hooks:
      - id: end-of-file-fixer
        exclude: '^(frontend/(coverage|dist|node_modules|\.vite)/|.*\.tsbuildinfo$)'
@@ -33,8 +33,8 @@ repos:
        pass_filenames: false
      - id: golangci-lint-fast
        name: golangci-lint (Fast Linters - BLOCKING)
-        entry: bash -c 'command -v golangci-lint >/dev/null 2>&1 || (echo "ERROR golangci-lint not found. Install at https://golangci-lint.run/usage/install/" && exit 1); cd backend && golangci-lint run --config .golangci-fast.yml ./...'
-        language: system
+        entry: scripts/pre-commit-hooks/golangci-lint-fast.sh
+        language: script
        files: '\.go$'
        exclude: '_test\.go$'
        pass_filenames: false
@@ -69,7 +69,7 @@ repos:

      # === MANUAL/CI-ONLY HOOKS ===
      # These are slow and should only run on-demand or in CI
-      # Run manually with: pre-commit run golangci-lint --all-files
+      # Run manually with: pre-commit run golangci-lint-full --all-files
      - id: go-test-race
        name: Go Test Race (Manual)
        entry: bash -c 'cd backend && go test -race ./...'
@@ -78,10 +78,10 @@ repos:
        pass_filenames: false
        stages: [manual]  # Only runs when explicitly called

-      - id: golangci-lint
-        name: GolangCI-Lint (Manual)
-        entry: bash -c 'cd backend && docker run --rm -v $(pwd):/app:ro -w /app golangci/golangci-lint:latest golangci-lint run -v'
-        language: system
+      - id: golangci-lint-full
+        name: golangci-lint (Full - Manual)
+        entry: scripts/pre-commit-hooks/golangci-lint-full.sh
+        language: script
        files: '\.go$'
        pass_filenames: false
        stages: [manual]  # Only runs when explicitly called
@@ -151,7 +151,7 @@ repos:
        stages: [manual]  # Only runs after CodeQL scans

  - repo: https://github.com/igorshubovych/markdownlint-cli
-    rev: v0.43.0
+    rev: v0.47.0
    hooks:
      - id: markdownlint
        args: ["--fix"]