Merge pull request #18 from uktrade/feature/trufflehog-hook

Add pre-commit and TruffleHog as mandatory requirements

.pre-commit-config.yaml

@@ -1,18 +1,19 @@
 repos:
 - repo: local
   hooks:
-    # Run the formatter.
-    - id: ruff-format
-      name: ruff-format
-      description: "Run 'ruff format' for extremely fast Python formatting"
-      entry: ruff format
-      language: python
-      types_or: [python, pyi]
-    # Run the linter.
+    # Run the ruff linter and formatter using just command
     - id: ruff
       name: ruff
-      description: "Run 'ruff' for extremely fast Python linting"
-      entry: ruff check
-      args: [ --fix ] # Enable lint fixes.
-      language: python
-      types_or: [python, pyi]
+      description: "Format Python code using ruff format via just command"
+      entry: just format
+      language: system
+      types_or: [python, pyi]
+      pass_filenames: false
+
+    # Check for secrets
+    - id: trufflehog
+      name: TruffleHog
+      description: Detect secrets in your data.
+      entry: bash -c "trufflehog git file://. --since-commit HEAD --only-verified --fail"
+      language: system
+      stages: ["commit", "push"]

README.md

@@ -80,6 +80,10 @@ This project is managed by [uv](https://docs.astral.sh/uv/), linted and formated
 uv sync --all-extras
 ```
 
+Secret scanning is done with [trufflehog](https://github.com/trufflesecurity/trufflehog).
+
+For security, use of [pre-commit](https://pre-commit.com) is expected. Ensure your hooks are installed with `pre-commit install`.
+
 Task running is done with [just](https://just.systems/man/en/). To see all available commands:
 
 ```console

justfile

@@ -12,6 +12,10 @@ format:
     uv run ruff format .
     uv run ruff check . --fix
 
+# Scan for secrets
+scan:
+    trufflehog git file://. --only-verified
+
 # Run Python tests
 test:
     docker compose up -d --wait