Pre-commit Hooks Setup Guide
This repository uses pre-commit hooks to ensure code quality, security, and compliance with GitOps, Terraform, Kubernetes, and IDP standards.
Quick Start
Install Pre-commit Hooks
make pre-commit-setup
This will:
- Install the
pre-commitpackage - Install all configured hooks
- Set up Git hooks to run automatically on commit
Manual Installation
If you prefer to install manually:
pip install pre-commit
pre-commit install
What Gets Validated?
Our pre-commit hooks validate the following areas:
π§ General Code Quality
- β Trailing whitespace removal
- β End-of-file fixing
- β YAML/JSON syntax validation
- β Large file detection
- β Merge conflict detection
- β Mixed line ending fixes
- β Private key detection
π Documentation
- β
Markdown linting (
.markdownlint.json) - β MkDocs build validation
- β Documentation link checking
ποΈ Terraform (IaC)
- β
terraform fmt(auto-formatting) - β
terraform validate(syntax validation) - β TFLint (static analysis)
- β Terraform docs generation
- β tfsec (security scanning)
βΈοΈ Kubernetes Manifests
- β kubeval (manifest validation)
- β kustomize build validation
- β Hardcoded secret detection
- β Helm chart linting
π GitOps
- β ArgoCD application validation
- β Kustomization file validation
- β GitOps best practices
π― IDP Components
- β Backstage catalog validation
- β Helm values validation
- β Platform component configuration
π Security
- β Gitleaks (comprehensive secret detection)
- Detects 100+ types of secrets (API keys, passwords, tokens)
- Configurable via
.gitleaks.toml - Fast and accurate scanning
- β detect-secrets (baseline-based detection)
- Manages known false positives via
.secrets.baseline - Complementary to Gitleaks
- β Private key detection (SSH keys, certificates)
- Prevents accidental commit of private keys
- β tfsec (Terraform security scanning)
- Infrastructure security best practices
β οΈ Pipeline Integration: Secrets scanning also runs in Jenkins CI/CD pipelines. If secrets are detected, the pipeline fails immediately to prevent deployment of vulnerable code.
π Learn More: See Secrets Management Guide for detailed information on handling secrets securely.
π Python
- β Black formatting
- β Flake8 linting
- β Type checking readiness
π Shell Scripts
- β ShellCheck validation
Running Pre-commit Hooks
Automatic (on commit)
Once installed, hooks run automatically when you commit:
git add .
git commit -m "Your commit message"
# Hooks run automatically
Manual (all files)
Run hooks on all files in the repository:
pre-commit run --all-files
Manual (specific files)
Run hooks on specific files:
pre-commit run --files infra/aws/main.tf
Manual (specific hook)
Run a specific hook:
pre-commit run terraform_fmt --all-files
pre-commit run kubeval --all-files
Skip Hooks (emergency only)
If you need to skip hooks temporarily (not recommended):
git commit --no-verify -m "Emergency fix"
Tool Installation
Some hooks require external tools. Here's how to install them:
Terraform Tools
# Terraform
brew install terraform # macOS
# or download from https://terraform.io
# TFLint
brew install tflint # macOS
# or download from https://github.com/terraform-linters/tflint
# terraform-docs
brew install terraform-docs # macOS
# tfsec
brew install tfsec # macOS
Kubernetes Tools
# kubectl
brew install kubectl # macOS
# kubeval
brew install kubeval # macOS
# kustomize
brew install kustomize # macOS
# helm
brew install helm # macOS
# yq (YAML processor)
brew install yq # macOS
ArgoCD Tools
# ArgoCD CLI
brew install argocd # macOS
# or download from https://argo-cd.readthedocs.io/
MkDocs (Documentation)
pip install -r requirements.txt
Notes
- β οΈ Hooks that require unavailable tools will show warnings but won't fail
- β GitHub Actions runs all hooks with all tools installed
- π‘ For the best experience, install all tools locally
Configuration Files
| File | Purpose |
|---|---|
.pre-commit-config.yaml |
Main pre-commit configuration |
.tflint.hcl |
TFLint rules and plugin configuration |
.terraform-docs.yml |
Terraform documentation generation |
.secrets.baseline |
detect-secrets baseline (known false positives) |
.yamllint |
YAML linting rules |
.markdownlint.json |
Markdown linting rules |
Updating Hooks
Pre-commit hooks are versioned. To update to the latest versions:
pre-commit autoupdate
This updates .pre-commit-config.yaml with the latest hook versions.
Troubleshooting
Hook fails with "command not found"
Install the required tool (see Tool Installation section).
Hook fails on valid file
- Check if the file should be excluded in
.pre-commit-config.yaml - Add to baseline if it's a false positive (e.g.,
.secrets.baseline)
Hooks are too slow
- Use
--hook-stage manualfor expensive hooks - Run specific hooks instead of all:
pre-commit run hook-name
Reset hooks
pre-commit clean
pre-commit install --install-hooks
Disable a specific hook
Edit .pre-commit-config.yaml and add stages: [manual] to the hook.
GitHub Actions Integration
Pre-commit hooks run automatically in CI/CD via .github/workflows/pre-commit.yml:
- β Runs on every pull request
- β Runs on push to main/develop
- β Comments on PR if validation fails
- β All tools pre-installed in CI environment
Best Practices
- Run hooks locally before pushing - Catch issues early
- Install all tools - Get the full validation experience
- Keep hooks updated - Run
pre-commit autoupdatemonthly - Don't skip hooks - They exist for good reasons
- Fix root causes - Don't just work around hook failures
Contributing
When adding new hooks:
- Add to
.pre-commit-config.yaml - Test with
pre-commit run --all-files - Update this README
- Ensure CI job installs required tools
Support
- π Pre-commit documentation
- π Report issues
- π¬ Community discussions
Remember: Pre-commit hooks help maintain code quality and security. They're here to help, not hinder! π