46 changes: 32 additions & 14 deletions .pre-commit-config.yaml
@@ -1,6 +1,6 @@
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v5.0.0
rev: v6.0.0
hooks:
- id: check-added-large-files
- id: check-case-conflict
Expand All @@ -13,21 +13,45 @@ repos:
- id: trailing-whitespace
exclude: \.md$
- id: no-commit-to-branch

- repo: https://github.com/astral-sh/ruff-pre-commit
rev: v0.11.12
rev: v0.14.6
hooks:
- id: ruff-check
args: [--fix]
files: \.py$
- id: ruff-format
files: \.py$

- repo: https://github.com/trufflesecurity/trufflehog
rev: v3.91.1
hooks:
- id: trufflehog
name: TruffleHog Secrets Scanner
entry: trufflehog
language: golang

Why are we setting this to golang?

Contributor Author

Since trufflehog is a package written in golang, we have to specify the language for the hook to run.

types_or: [python, yaml, json, text]

Any reason for this specific config?

Contributor Author

@ParagEkbote, Nov 26, 2025

In types_or we define the types of program files for scanning using trufflehog. Do you think we need to define additional file types?

args:
[
"filesystem",
"src",
"tests",
".github/workflows",
"--results=verified,unknown",
"--exclude-paths=.venv",
"--fail"
]
stages: ["pre-commit", "pre-push"]

- repo: local
hooks:
- id: ty
name: ty check
name: type checking using ty
entry: uvx ty check .
language: system
types: [python]
pass_filenames: false
files: \.py$

- repo: local
hooks:
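
Review bot: In the trufflehog args, `--exclude-paths=.venv` is unlikely to do what is intended: trufflehog reads that option as the path to a file of newline-separated regexes, not as a directory to skip, so this points it at the .venv directory itself. Put the pattern in a small exclude file and pass that file's path, or drop the flag, since a .venv would not normally sit under the listed scan roots (src, tests, .github/workflows). The same args name fixed directories while pass_filenames is left at its default, so pre-commit also appends the staged filenames that match types_or; set `pass_filenames: false` if the directory scan is what you want, or remove the directories and scan only the staged files. On types_or: python, yaml and json files already carry the text tag, so `types: [text]` is equivalent. `rev: v3.91.1` is a tag that can be moved; for a hook that builds and runs third-party code on every commit and push, pinning the full commit SHA is safer.
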
Expand All @@ -39,19 +63,13 @@ repos:
grep -v "^D" |
cut -f2- |
while IFS= read -r file; do
if [ -f "$file" ] && ["$file" != ".pre-commit-config.yaml"] && grep -q "pruna_pro" "$file"; then
echo "Error: pruna_pro found in staged file $file"
exit 1
fi
if [ -f "$file" ] && [ "$file" != ".pre-commit-config.yaml" ] && grep -q "pruna_pro" "$file"; then
echo "Error: pruna_pro found in staged file $file"
exit 1
fi
done
'
language: system
stages: [pre-commit]
types: [python]
exclude: "^docs/"
- id: trufflehog
name: TruffleHog
description: Detect secrets in your data.
entry: bash -c 'git diff --cached --name-only | xargs -I {} trufflehog filesystem {} --fail --no-update'
language: system
stages: ["pre-commit", "pre-push"]
files: \.py$
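
Review bot: The corrected test on the `if` line, `[ "$file" != ".pre-commit-config.yaml" ]`, means this guard takes effect for the first time: the old `["$file"` form was parsed as a command name, failed, and short-circuited the `&&` chain, so the error branch was never reached. Please confirm with a staged Python file containing pruna_pro that the hook now fails the commit, since files that passed silently before may start being rejected. Separately, the local trufflehog hook removed at the end of this hunk passed `--no-update` and the replacement args in the previous hunk do not; if an update check at commit time is unwanted, carry the flag over.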