032d475fba
Complete lint remediation addressing errcheck, gosec, and staticcheck violations across backend test files. Tighten pre-commit configuration to prevent future blind spots. Key Changes: - Fix 61 Go linting issues (errcheck, gosec G115/G301/G304/G306, bodyclose) - Add proper error handling for json.Unmarshal, os.Setenv, db.Close(), w.Write() - Fix gosec G115 integer overflow with strconv.FormatUint - Add #nosec annotations with justifications for test fixtures - Fix SecurityService goroutine leaks (add Close() calls) - Fix CrowdSec tar.gz non-deterministic ordering with sorted keys Pre-commit Hardening: - Remove test file exclusion from golangci-lint hook - Add gosec to .golangci-fast.yml with critical checks (G101, G110, G305) - Replace broad .golangci.yml exclusions with targeted path-specific rules - Test files now linted on every commit Test Fixes: - Fix emergency route count assertions (1→2 for dual-port setup) - Fix DNS provider service tests with proper mock setup - Fix certificate service tests with deterministic behavior Backend: 27 packages pass, 83.5% coverage Frontend: 0 lint warnings, 0 TypeScript errors Pre-commit: All 14 hooks pass (~37s)
175 lines
6.3 KiB
YAML
175 lines
6.3 KiB
YAML
# NOTE: golangci-lint-fast now includes test files (_test.go) to catch security
|
|
# issues earlier. The fast config uses gosec with critical-only checks (G101,
|
|
# G110, G305, G401, G501, G502, G503) for acceptable performance.
|
|
# Last updated: 2026-02-02
|
|
|
|
repos:
|
|
- repo: https://github.com/pre-commit/pre-commit-hooks
|
|
rev: v6.0.0
|
|
hooks:
|
|
- id: end-of-file-fixer
|
|
exclude: '^(frontend/(coverage|dist|node_modules|\.vite)/|.*\.tsbuildinfo$)'
|
|
- id: trailing-whitespace
|
|
exclude: '^(frontend/(coverage|dist|node_modules|\.vite)/|.*\.tsbuildinfo$)'
|
|
- id: check-yaml
|
|
- id: check-added-large-files
|
|
args: ['--maxkb=2500']
|
|
- repo: local
|
|
hooks:
|
|
- id: dockerfile-check
|
|
name: dockerfile validation
|
|
entry: tools/dockerfile_check.sh
|
|
language: script
|
|
files: "Dockerfile.*"
|
|
pass_filenames: true
|
|
- id: go-test-coverage
|
|
name: Go Test Coverage (Manual)
|
|
entry: scripts/go-test-coverage.sh
|
|
language: script
|
|
files: '\.go$'
|
|
pass_filenames: false
|
|
verbose: true
|
|
stages: [manual] # Only runs when explicitly called
|
|
- id: go-vet
|
|
name: Go Vet
|
|
entry: bash -c 'cd backend && go vet ./...'
|
|
language: system
|
|
files: '\.go$'
|
|
pass_filenames: false
|
|
- id: golangci-lint-fast
|
|
name: golangci-lint (Fast Linters - BLOCKING)
|
|
entry: scripts/pre-commit-hooks/golangci-lint-fast.sh
|
|
language: script
|
|
files: '\.go$'
|
|
# Test files are now included to catch security issues (gosec critical checks)
|
|
pass_filenames: false
|
|
description: "Runs fast, essential linters (staticcheck, govet, errcheck, ineffassign, unused, gosec critical) - BLOCKS commits on failure"
|
|
- id: check-version-match
|
|
name: Check .version matches latest Git tag
|
|
entry: bash -c 'scripts/check-version-match-tag.sh'
|
|
language: system
|
|
files: '\.version$'
|
|
pass_filenames: false
|
|
- id: check-lfs-large-files
|
|
name: Prevent large files that are not tracked by LFS
|
|
entry: bash scripts/pre-commit-hooks/check-lfs-for-large-files.sh
|
|
language: system
|
|
pass_filenames: false
|
|
verbose: true
|
|
always_run: true
|
|
- id: block-codeql-db-commits
|
|
name: Prevent committing CodeQL DB artifacts
|
|
entry: bash scripts/pre-commit-hooks/block-codeql-db-commits.sh
|
|
language: system
|
|
pass_filenames: false
|
|
verbose: true
|
|
always_run: true
|
|
- id: block-data-backups-commit
|
|
name: Prevent committing data/backups files
|
|
entry: bash scripts/pre-commit-hooks/block-data-backups-commit.sh
|
|
language: system
|
|
pass_filenames: false
|
|
verbose: true
|
|
always_run: true
|
|
|
|
# === MANUAL/CI-ONLY HOOKS ===
|
|
# These are slow and should only run on-demand or in CI
|
|
# Run manually with: pre-commit run golangci-lint-full --all-files
|
|
- id: go-test-race
|
|
name: Go Test Race (Manual)
|
|
entry: bash -c 'cd backend && go test -race ./...'
|
|
language: system
|
|
files: '\.go$'
|
|
pass_filenames: false
|
|
stages: [manual] # Only runs when explicitly called
|
|
|
|
- id: golangci-lint-full
|
|
name: golangci-lint (Full - Manual)
|
|
entry: scripts/pre-commit-hooks/golangci-lint-full.sh
|
|
language: script
|
|
files: '\.go$'
|
|
pass_filenames: false
|
|
stages: [manual] # Only runs when explicitly called
|
|
|
|
- id: hadolint
|
|
name: Hadolint Dockerfile Check (Manual)
|
|
entry: bash -c 'docker run --rm -i hadolint/hadolint < Dockerfile'
|
|
language: system
|
|
files: 'Dockerfile'
|
|
pass_filenames: false
|
|
stages: [manual] # Only runs when explicitly called
|
|
- id: frontend-type-check
|
|
name: Frontend TypeScript Check
|
|
entry: bash -c 'cd frontend && npm run type-check'
|
|
language: system
|
|
files: '^frontend/.*\.(ts|tsx)$'
|
|
pass_filenames: false
|
|
- id: frontend-lint
|
|
name: Frontend Lint (Fix)
|
|
entry: bash -c 'cd frontend && npm run lint -- --fix'
|
|
language: system
|
|
files: '^frontend/.*\.(ts|tsx|js|jsx)$'
|
|
pass_filenames: false
|
|
|
|
- id: frontend-test-coverage
|
|
name: Frontend Test Coverage (Manual)
|
|
entry: scripts/frontend-test-coverage.sh
|
|
language: script
|
|
files: '^frontend/.*\\.(ts|tsx|js|jsx)$'
|
|
pass_filenames: false
|
|
verbose: true
|
|
stages: [manual]
|
|
|
|
- id: security-scan
|
|
name: Security Vulnerability Scan (Manual)
|
|
entry: scripts/security-scan.sh
|
|
language: script
|
|
files: '(\.go$|go\.mod$|go\.sum$)'
|
|
pass_filenames: false
|
|
verbose: true
|
|
stages: [manual] # Only runs when explicitly called
|
|
|
|
- id: codeql-go-scan
|
|
name: CodeQL Go Security Scan (Manual - Slow)
|
|
entry: scripts/pre-commit-hooks/codeql-go-scan.sh
|
|
language: script
|
|
files: '\.go$'
|
|
pass_filenames: false
|
|
verbose: true
|
|
stages: [manual] # Performance: 30-60s, only run on-demand
|
|
|
|
- id: codeql-js-scan
|
|
name: CodeQL JavaScript/TypeScript Security Scan (Manual - Slow)
|
|
entry: scripts/pre-commit-hooks/codeql-js-scan.sh
|
|
language: script
|
|
files: '^frontend/.*\.(ts|tsx|js|jsx)$'
|
|
pass_filenames: false
|
|
verbose: true
|
|
stages: [manual] # Performance: 30-60s, only run on-demand
|
|
|
|
- id: codeql-check-findings
|
|
name: Block HIGH/CRITICAL CodeQL Findings
|
|
entry: scripts/pre-commit-hooks/codeql-check-findings.sh
|
|
language: script
|
|
pass_filenames: false
|
|
verbose: true
|
|
stages: [manual] # Only runs after CodeQL scans
|
|
|
|
- id: gorm-security-scan
|
|
name: GORM Security Scanner (Manual)
|
|
entry: scripts/pre-commit-hooks/gorm-security-check.sh
|
|
language: script
|
|
files: '\.go$'
|
|
pass_filenames: false
|
|
stages: [manual] # Manual stage initially (soft launch)
|
|
verbose: true
|
|
description: "Detects GORM ID leaks and common GORM security mistakes"
|
|
|
|
- repo: https://github.com/igorshubovych/markdownlint-cli
|
|
rev: v0.47.0
|
|
hooks:
|
|
- id: markdownlint
|
|
args: ["--fix"]
|
|
exclude: '^(node_modules|\.venv|test-results|codeql-db|codeql-agent-results)/'
|
|
stages: [manual]
|