Add pre-commit hooks to catch linting issues and prevent credential leaks

[varunsh-coder]

https://github.com/pre-commit/pre-commit is a framework for managing and maintaining multi-language pre-commit hooks.

It is very popular, and one of the important use cases is to detect and prevent credentials from being pushed. This is important because the cost of dealing with a cred leak is much higher once it is already pushed.

Using a PR, we should add a pre-commit configuration .pre-commit-config.yaml as a best practice. If the file already exists, then we should suggest adding specific hooks related to security.

Here is an example of such a file
https://github.com/aws-samples/aws-deployment-pipeline-reference-architecture/blob/1329e3cb20f3ef782fca907ddce39d94a8b4c813/examples/cdk-application-pipeline/.pre-commit-config.yaml

[varunsh-coder]

@Devils-Knight please take this up

[varunsh-coder]

What hooks should we be recommending for linting and for credential scanning?

For credential scanning, the options are gitleaks, trufflehog, and we should try to find more.

For linting, there are some basic non-language-specific options like trailing-whitespace, and then there might be others specific to programming languages like check-yaml.

[WikiRik]

Would it be possible to use other libraries as well that do similar things with commit hooks? Mainly https://github.com/typicode/husky

[varunsh-coder]

Would it be possible to use other libraries as well that do similar things with commit hooks? Mainly https://github.com/typicode/husky

Thanks a lot for sharing @WikiRik! I did not know about husky and will read more about it.

[varunsh-coder]

This is done and released. https://app.stepsecurity.io/securerepo now shows an option to add pre-commit hooks.