Merge pull request #473 from kube-tarian/pre-commit

Pre-commit implemetation
kube-tarian · Apr 30, 2024 · e739bdb · e739bdb
2 parents 72a1847 + 36b899a
commit e739bdb
Show file tree

Hide file tree

Showing 26 changed files with 245 additions and 120 deletions.
diff --git a/.github/workflows/agent-docker-image-pr.yml b/.github/workflows/agent-docker-image-pr.yml
@@ -21,11 +21,11 @@ jobs:
         uses: actions/checkout@v3
         with:
             fetch-depth: 0
-          
+
       -
         name: Set up QEMU
         uses: docker/setup-qemu-action@v2
-        
+
       - uses: docker/setup-buildx-action@v1
         name: Set up Docker Buildx
 
@@ -36,7 +36,7 @@ jobs:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-    
+
       -
         name: Build and push on PR
         uses: docker/build-push-action@v4
@@ -49,4 +49,4 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           build-args: |
             "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}"
-  
+
diff --git a/.github/workflows/agent-docker-image.yml b/.github/workflows/agent-docker-image.yml
@@ -26,7 +26,7 @@ jobs:
     steps:
       - name: Checkout GitHub Action
         uses: actions/checkout@v3
-        
+
       - name: Set up Docker Buildx
         id: buildx
         uses: docker/setup-buildx-action@v2
@@ -60,7 +60,7 @@ jobs:
             ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ github.run_id }},
             ${{ env.REGISTRY }}/${{ env.IMAGE }}:latest
           labels: ${{ steps.metadata.outputs.labels }}
-        
+
           push: true
 
       - name: Install cosign
@@ -71,12 +71,12 @@ jobs:
           cosign sign -y ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ github.run_id }}
         env:
           COSIGN_EXPERIMENTAL: 1
-      
+
       - name: Verify the pushed tags
         run: cosign verify ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ github.run_id }} --certificate-identity ${{ env.GH_URL }}/${{ github.repository }}/.github/workflows/agent-docker-image.yml@refs/heads/main  --certificate-oidc-issuer https://token.actions.githubusercontent.com
         env:
           COSIGN_EXPERIMENTAL: 1
-      
+
       - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
         uses: aquasecurity/trivy-action@master
         with:

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -48,11 +48,11 @@ jobs:
         # If you wish to specify custom queries, you can do so here or in a config file.
         # By default, queries listed here will override any specified in a config file.
         # Prefix the list here with "+" to use these queries and those in the config file.
-        
+
         # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
         # queries: security-extended,security-and-quality
 
-        
+
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
@@ -61,7 +61,7 @@ jobs:
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
 
-    #   If the Autobuild fails above, remove it and uncomment the following three lines. 
+    #   If the Autobuild fails above, remove it and uncomment the following three lines.
     #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
 
     # - run: |

diff --git a/.github/workflows/config-worker-docker-image-pr.yml b/.github/workflows/config-worker-docker-image-pr.yml
@@ -51,4 +51,4 @@ jobs:
             "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}"
 
 
-  
+
diff --git a/.github/workflows/config-worker-docker-image.yml b/.github/workflows/config-worker-docker-image.yml
@@ -26,7 +26,7 @@ jobs:
     steps:
       - name: Checkout GitHub Action
         uses: actions/checkout@v3
-        
+
       - name: Set up Docker Buildx
         id: buildx
         uses: docker/setup-buildx-action@v2
@@ -59,7 +59,7 @@ jobs:
             ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ github.run_id }},
             ${{ env.REGISTRY }}/${{ env.IMAGE }}:latest
           labels: ${{ steps.metadata.outputs.labels }}
-        
+
           push: true
 
       - name: Install cosign
@@ -70,12 +70,12 @@ jobs:
           cosign sign -y ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ github.run_id }}
         env:
           COSIGN_EXPERIMENTAL: 1
-      
+
       - name: Verify the pushed tags
         run: cosign verify ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ github.run_id }} --certificate-identity ${{ env.GH_URL }}/${{ github.repository }}/.github/workflows/config-worker-docker-image.yml@refs/heads/main  --certificate-oidc-issuer https://token.actions.githubusercontent.com
         env:
           COSIGN_EXPERIMENTAL: 1
-      
+
       - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
         uses: aquasecurity/trivy-action@master
         with:

diff --git a/.github/workflows/deployment-worker-docker-image-pr.yml b/.github/workflows/deployment-worker-docker-image-pr.yml
@@ -36,7 +36,7 @@ jobs:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-          
+
       -
         name: Build and push on PR
         uses: docker/build-push-action@v4
@@ -51,4 +51,4 @@ jobs:
             "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}"
 
 
-  
+
diff --git a/.github/workflows/deployment-worker-docker-image.yml b/.github/workflows/deployment-worker-docker-image.yml
@@ -26,7 +26,7 @@ jobs:
     steps:
       - name: Checkout GitHub Action
         uses: actions/checkout@v3
-        
+
       - name: Set up Docker Buildx
         id: buildx
         uses: docker/setup-buildx-action@v2
@@ -59,7 +59,7 @@ jobs:
             ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ github.run_id }},
             ${{ env.REGISTRY }}/${{ env.IMAGE }}:latest
           labels: ${{ steps.metadata.outputs.labels }}
-        
+
           push: true
 
       - name: Install cosign
@@ -70,12 +70,12 @@ jobs:
           cosign sign -y ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ github.run_id }}
         env:
           COSIGN_EXPERIMENTAL: 1
-      
+
       - name: Verify the pushed tags
         run: cosign verify ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ github.run_id }} --certificate-identity ${{ env.GH_URL }}/${{ github.repository }}/.github/workflows/deployment-worker-docker-image.yml@refs/heads/main  --certificate-oidc-issuer https://token.actions.githubusercontent.com
         env:
           COSIGN_EXPERIMENTAL: 1
-      
+
       - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
         uses: aquasecurity/trivy-action@master
         with:

diff --git a/.github/workflows/server-docker-image-pr.yml b/.github/workflows/server-docker-image-pr.yml
@@ -4,7 +4,7 @@ on:
   pull_request:
     branches:
       - 'main'
-      
+
 env:
   # Use docker.io for Docker Hub if empty
   REGISTRY: ghcr.io
@@ -21,11 +21,11 @@ jobs:
         uses: actions/checkout@v3
         with:
             fetch-depth: 0
-          
+
       -
         name: Set up QEMU
         uses: docker/setup-qemu-action@v2
-        
+
       - uses: docker/setup-buildx-action@v1
         name: Set up Docker Buildx
 
@@ -36,7 +36,7 @@ jobs:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-    
+
       -
         name: Build and push on PR
         uses: docker/build-push-action@v4
@@ -51,4 +51,4 @@ jobs:
             "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}"
 
 
-  
+
diff --git a/.github/workflows/server-docker-image.yml b/.github/workflows/server-docker-image.yml
@@ -26,7 +26,7 @@ jobs:
     steps:
       - name: Checkout GitHub Action
         uses: actions/checkout@v3
-        
+
       - name: Set up Docker Buildx
         id: buildx
         uses: docker/setup-buildx-action@v2
@@ -59,7 +59,7 @@ jobs:
             ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ github.run_id }},
             ${{ env.REGISTRY }}/${{ env.IMAGE }}:latest
           labels: ${{ steps.metadata.outputs.labels }}
-        
+
           push: true
 
       - name: Install cosign
@@ -70,12 +70,12 @@ jobs:
           cosign sign -y ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ github.run_id }}
         env:
           COSIGN_EXPERIMENTAL: 1
-      
+
       - name: Verify the pushed tags
         run: cosign verify ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ github.run_id }} --certificate-identity ${{ env.GH_URL }}/${{ github.repository }}/.github/workflows/server-docker-image.yml@refs/heads/main  --certificate-oidc-issuer https://token.actions.githubusercontent.com
         env:
           COSIGN_EXPERIMENTAL: 1
-      
+
       - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
         uses: aquasecurity/trivy-action@master
         with:

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,123 @@
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v4.5.0
+  hooks:
+  # Checks for files that contain merge conflict strings.
+  - id: check-merge-conflict
+  # Detects aws credentials from the aws cli credentials file.
+  - id: detect-aws-credentials
+    args: [--allow-missing-credentials]
+  # detects the presence of private keys.
+  - id: detect-private-key
+  # Trims trailing whitespace in codebase.
+  - id: trailing-whitespace
+  # Protect commit to main branch
+  - id: no-commit-to-branch
+    args: [--branch,main]
+
+
+# Check is the Commit is Signed off using `--signoff/-s`
+- repo: https://github.com/KAUTH/pre-commit-git-checks
+  rev: v0.0.1 # Use the SHA or tag you want to point to
+  hooks:
+    - id: git-signoff
+      stages: [commit-msg]
+
+# Checks your git commit messages for style.
+- repo: https://github.com/jorisroovers/gitlint
+  rev:  v0.19.1
+  hooks:
+  - id: gitlint
+    name: Scan Commit messages
+
+# Detects hardcoded secrets, security vulnerabilities and policy breaks using GGShield
+- repo: https://github.com/zricethezav/gitleaks
+  rev: v8.18.1
+  hooks:
+  - id: gitleaks
+    name: Detect hardcoded secrets
+    description: Detect hardcoded secrets using Gitleaks
+    entry: gitleaks protect --verbose --redact --staged
+    language: golang
+    pass_filenames: false
+
+- repo: https://github.com/Bahjat/pre-commit-golang
+  rev: v1.0.3
+  hooks:
+  # Formats Go code
+  # - id: gofumpt # requires gofumpt to be installed from github.com/mvdan/gofumpt
+  #   name: Go formatter
+  #   description: Runs a strict Go formatter
+  - id: go-fmt-import
+    name: Go formatter
+    description: Go formatter with fmt and imports
+  # Runs Unit tests
+  - id: go-unit-tests
+    name: Run Unit tests
+    desription: Runs all the unit tests in the repo
+    # Runs static analysis of the Go code
+  - id: go-static-check
+    name: Go Static Check
+    description: Finds bugs and performance issues
+
+# Local hooks
+
+- repo: https://github.com/intelops/gitrepos-templates-policies
+  rev: v0.0.1
+  hooks:
+  - id: check-devcontainer
+    name: Check devcontainer
+    description: Checks for existance of .devcontainer.json in the project
+  - id: check-gitsign
+    name: Check gitsign
+    description: Check if the last commit is signed with Sigstore gitsign
+  # - id: check-multistage-dockerfile
+  #   name: Check multi-stage Dockerfile
+  #   description: Check the existance of Dockerfile in the project and verify that its a multi-stage Dockerfile
+
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v4.5.0
+  hooks:
+  - id: check-yaml
+    name: Verify YAML syntax
+    args:
+    - --allow-multiple-documents
+- repo: https://github.com/hadolint/hadolint
+  rev: v2.12.0
+  hooks:
+  - id: hadolint
+  # Rules you want to ignore may be found here: https://github.com/hadolint/hadolint?tab=readme-ov-file#rules
+    name: Dockerfile linter
+    description: Dockerfile linter following best-practices
+    args: [--ignore, DL3051]
+
+- repo: local
+  hooks:
+  - name: Check Dockerfile
+    id: check-dockerfile-sh
+    entry: bash
+    args:
+    - -c
+    - |
+        check_dockerfile() {
+        if [[ $1 == *"Dockerfile"* ]]; then
+              base_image=$(grep '^FROM' "$1" | awk '{print $2}')
+            if [[ $base_image != golang:* ]]; then
+                echo "Error: Base image in $1 is not from cgr.dev/chianguard"
+                return 1
+            fi
+        fi
+        return 0
+        }
+
+        export -f check_dockerfile
+
+        if find . -type f -exec bash -c 'check_dockerfile "$0"' {} \; | grep -q 'Error'; then
+          echo "Commit failed due to non-compliant Dockerfile(s)."
+          exit 1
+        fi
+
+        echo "All Dockerfiles are compliant."
+        exit 0
+    language: system
+    pass_filenames: false
diff --git a/Makefile b/Makefile
@@ -24,7 +24,7 @@ gen-protoc:
 	cd proto && protoc --go_out=../server/pkg/pb/agentpb --go_opt=paths=source_relative \
     		--go-grpc_out=../server/pkg/pb/agentpb --go-grpc_opt=paths=source_relative \
     		./agent.proto
-	
+
 	cd proto && protoc --go_out=../capten/common-pkg/agentpb --go_opt=paths=source_relative \
     		--go-grpc_out=../capten/common-pkg/agentpb --go-grpc_opt=paths=source_relative \
     		./agent.proto
Original file line number	Diff line number	Diff line change
Expand Up		@@ -51,4 +51,4 @@ jobs:
		"GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}"