
TriaFed/pre-commit-library


Pre-commit Hooks Library for GenAI Code Validation

A comprehensive collection of pre-commit hooks designed to validate and secure code generated by AI tools like GitHub Copilot, ChatGPT, and other GenAI assistants.

🎯 Purpose

This library provides pre-commit hooks specifically designed to:

  • Validate GenAI-generated code for security vulnerabilities
  • Detect hardcoded credentials and sensitive information
  • Scan for secrets that might be accidentally included
  • Lint and format code across multiple languages
  • Check for compliance with security best practices
  • Prevent vulnerable patterns common in AI-generated code

🛡️ Security Features

GenAI-Specific Validations

  • Hardcoded URL detection - Finds URLs that shouldn't be committed
  • Credential scanning - Detects passwords, API keys, tokens
  • GenAI security patterns - Identifies common AI code vulnerabilities
  • Secret scanning with TruffleHog and detect_secrets
  • SAST scanning with Semgrep for security vulnerabilities

Language Support

  • Python - Black, Flake8, isort, MyPy, Bandit, Safety
  • JavaScript/TypeScript - ESLint, Prettier, TSC
  • Node.js - npm/yarn audit for vulnerabilities
  • Angular - Angular CLI linting
  • Java - Checkstyle, SpotBugs
  • .NET - dotnet format, dotnet test, security scanning (C#, VB.NET, F#)
  • Go - gofmt, golangci-lint, gosec security scanning
  • Ansible - ansible_lint, syntax checking, security validation
  • Terraform - Format, validate, TFLint
  • CloudFormation - Template validation
  • Docker - Dockerfile linting with hadolint

🚀 Quick Start

For Real-World Projects (Recommended)

If you're implementing this in a production codebase and want to minimize false positives, start with our practical configuration:

# Copy the practical configuration
curl -o .pre-commit-config.yaml https://raw.githubusercontent.com/TriaFed/pre-commit-library/main/examples/practical-security.yaml

# Install pre-commit
pip install pre-commit

# Install the hooks
pre-commit install

# Create a secrets baseline that records the findings you accept as known false positives
# (scan --baseline only updates an existing file; redirecting stdout creates it)
detect-secrets scan > .secrets.baseline

Everything recorded in the baseline is skipped on later runs, so review the generated file (detect-secrets ships an audit subcommand for this) before committing it, otherwise a real secret already in the tree is silently whitelisted.

See CONFIGURATION_GUIDE.md for detailed guidance on handling false positives.

1. Install dependencies

Quick setup for macOS:

curl -fsSL https://raw.githubusercontent.com/TriaFed/pre-commit-library/main/install-macos.sh | bash

Quick setup for Windows:

irm https://raw.githubusercontent.com/TriaFed/pre-commit-library/main/install-windows.ps1 | iex

Both one-liners fetch the installer from the main branch and execute it unread. On anything other than a throwaway machine, download the script, read it, and run the saved copy instead; the profile-aware invocations under Installation Requirements below work on a local copy of the same script.

Manual installation:

# Install pre-commit
pip install pre-commit

# See DEPENDENCIES.md for complete installation guide

2. Add to your project

Create a .pre-commit-config.yaml file in your project root:

repos:
  - repo: https://github.com/TriaFed/pre-commit-library
    rev: v1.2.0
    hooks:
      # Security hooks (recommended for all projects)
      - id: detect_secrets
      - id: hardcoded_urls
      - id: hardcoded_credentials
      - id: genai_security_check
      - id: detect_verbose_flags

      # Language-specific hooks
      - id: python_black
      - id: python_flake8
      - id: eslint
      - id: prettier

  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.4.0
    hooks:
      # Standard file validation
      - id: check-yaml
      - id: check-json
      - id: trailing-whitespace
      - id: end-of-file-fixer

3. Install the hooks

pre-commit install

4. Run on all files (optional)

pre-commit run --all-files

📋 Available Hooks

🔒 Security Hooks

| Hook ID | Description | Languages |
|---|---|---|
| detect_secrets | Detect secrets using Yelp's detect-secrets | All |
| truffhog | Secret scanning with TruffleHog | All |
| hardcoded_urls | Detect hardcoded URLs | All |
| hardcoded_credentials | Detect hardcoded passwords/keys | All |
| genai_security_check | GenAI-specific security validation | All |
| bandit | Python security linter | Python |
| safety_python | Python dependency vulnerability scanner | Python |
| npm_audit | Node.js vulnerability scanner | Node.js |
| yarn_audit | Yarn vulnerability scanner | Node.js |
| semgrep | Multi-language SAST scanner | All |
| dotnet_security_scan | .NET security scanner | C#/VB.NET/F# |
| go_security_scan | Go security scanner | Go |
| ansible_security_scan | Ansible security scanner | Ansible |
| detect_verbose_flags | Detect verbose flags and debug logging | All |

🎨 Code Quality Hooks

| Hook ID | Description | Languages |
|---|---|---|
| python_black | Python code formatter | Python |
| python_flake8 | Python linter | Python |
| python_isort | Python import sorter | Python |
| python_mypy | Python type checker | Python |
| eslint | JavaScript/TypeScript linter | JS/TS |
| prettier | Code formatter | JS/TS/JSON/CSS/MD |
| typescript_check | TypeScript compiler check | TypeScript |
| angular_lint | Angular linting | Angular |
| java_checkstyle | Java style checker | Java |
| java_spotbugs | Java bug detector | Java |
| dotnet_format | .NET code formatter | C#/VB.NET/F# |
| dotnet_test | .NET test runner | C#/VB.NET/F# |
| go_fmt | Go code formatter | Go |
| go_lint | Go linter with security checks | Go |
| ansible_lint | Ansible linting | Ansible |
| ansible_syntax_check | Ansible syntax validation | Ansible |

πŸ—οΈ Infrastructure Hooks

| Hook ID | Description | Languages |
|---|---|---|
| terraform_fmt | Terraform formatter | Terraform |
| terraform_validate | Terraform validation | Terraform |
| terraform_tflint | Terraform linter | Terraform |
| cloudformation_validate | CloudFormation validation | CloudFormation |
| dockerfile_lint | Dockerfile linting | Docker |

πŸ“ File Validation Hooks

| Hook ID | Description | File Types |
|---|---|---|
| check_xml | XML syntax validation | .xml |
| check_license | Check for license headers | Source files |

Note: For standard file validation hooks such as check-yaml, check-json, trailing-whitespace, end-of-file-fixer, check-merge-conflict, check-added-large-files and check-toml, use the official pre-commit/pre-commit-hooks repository alongside these security-focused hooks. Its hook IDs are hyphenated, whereas the IDs in this library use underscores; mixing the two styles up is the usual cause of a "hook not found" error.

🔧 Configuration Examples

Minimal Security Setup

For projects using GenAI tools, start with these essential security hooks:

repos:
  - repo: https://github.com/TriaFed/pre-commit-library
    rev: v1.2.0
    hooks:
      - id: detect_secrets
      - id: hardcoded_credentials
      - id: genai_security_check

  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.4.0
    hooks:
      - id: check-added-large-files

Python Project

repos:
  - repo: https://github.com/TriaFed/pre-commit-library
    rev: v1.2.0
    hooks:
      # Security
      - id: detect_secrets
      - id: hardcoded_credentials
      - id: genai_security_check
      - id: bandit
      - id: safety_python

      # Code Quality
      - id: python_black
      - id: python_flake8
      - id: python_isort
      - id: python_mypy

  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.4.0
    hooks:
      # File Validation
      - id: check-yaml
      - id: check-json
      - id: trailing-whitespace
      - id: end-of-file-fixer

Node.js/React Project

repos:
  - repo: https://github.com/TriaFed/pre-commit-library
    rev: v1.2.0
    hooks:
      # Security
      - id: detect_secrets
      - id: hardcoded_credentials
      - id: genai_security_check
      - id: npm_audit

      # Code Quality
      - id: eslint
      - id: prettier
      - id: typescript_check

  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.4.0
    hooks:
      # File Validation
      - id: check-json
      - id: check-yaml
      - id: trailing-whitespace
      - id: end-of-file-fixer

Java Project

repos:
  - repo: https://github.com/TriaFed/pre-commit-library
    rev: v1.2.0
    hooks:
      # Security
      - id: detect_secrets
      - id: hardcoded_credentials
      - id: genai_security_check
      - id: semgrep

      # Code Quality
      - id: java_checkstyle
      - id: java_spotbugs

      # Custom File Validation
      - id: check_xml

  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.4.0
    hooks:
      # Standard File Validation
      - id: check-yaml
      - id: trailing-whitespace
      - id: end-of-file-fixer

.NET Project

repos:
  - repo: https://github.com/TriaFed/pre-commit-library
    rev: v1.2.0
    hooks:
      # Security
      - id: detect_secrets
      - id: hardcoded_credentials
      - id: genai_security_check
      - id: dotnet_security_scan

      # Code Quality
      - id: dotnet_format
      - id: dotnet_test

  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.4.0
    hooks:
      # File Validation
      - id: check-yaml
      - id: check-json
      - id: trailing-whitespace
      - id: end-of-file-fixer

Go Project

repos:
  - repo: https://github.com/TriaFed/pre-commit-library
    rev: v1.2.0
    hooks:
      # Security
      - id: detect_secrets
      - id: hardcoded_credentials
      - id: genai_security_check
      - id: go_security_scan

      # Code Quality
      - id: go_fmt
      - id: go_lint

  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.4.0
    hooks:
      # File Validation
      - id: check-yaml
      - id: check-json
      - id: trailing-whitespace
      - id: end-of-file-fixer

Ansible Project

repos:
  - repo: https://github.com/TriaFed/pre-commit-library
    rev: v1.2.0
    hooks:
      # Security
      - id: detect_secrets
      - id: hardcoded_credentials
      - id: genai_security_check
      - id: ansible_security_scan

      # Ansible Validation
      - id: ansible_lint
      - id: ansible_syntax_check

  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.4.0
    hooks:
      # File Validation
      - id: check-yaml
      - id: trailing-whitespace
      - id: end-of-file-fixer

Infrastructure as Code

repos:
  - repo: https://github.com/TriaFed/pre-commit-library
    rev: v1.2.0
    hooks:
      # Security
      - id: detect_secrets
      - id: hardcoded_credentials
      - id: genai_security_check

      # Infrastructure
      - id: terraform_fmt
      - id: terraform_validate
      - id: terraform_tflint
      - id: cloudformation_validate
      - id: dockerfile_lint

  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.4.0
    hooks:
      # File Validation
      - id: check-yaml
      - id: check-json
      - id: trailing-whitespace

Full Stack Project

repos:
  - repo: https://github.com/TriaFed/pre-commit-library
    rev: v1.2.0
    hooks:
      # Security (essential for GenAI projects)
      - id: detect_secrets
      - id: truffhog
      - id: hardcoded_urls
      - id: hardcoded_credentials
      - id: genai_security_check
      - id: detect_verbose_flags
      - id: semgrep

      # Python
      - id: python_black
      - id: python_flake8
      - id: bandit
      - id: safety_python

      # JavaScript/TypeScript
      - id: eslint
      - id: prettier
      - id: npm_audit

      # .NET
      - id: dotnet_format
      - id: dotnet_test
      - id: dotnet_security_scan

      # Go
      - id: go_fmt
      - id: go_lint
      - id: go_security_scan

      # Java
      - id: java_checkstyle
      - id: java_spotbugs

      # Ansible
      - id: ansible_lint
      - id: ansible_syntax_check
      - id: ansible_security_scan

      # Infrastructure
      - id: terraform_validate
      - id: dockerfile_lint

      # Custom File Validation
      - id: check_xml
      - id: check_license

  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.4.0
    hooks:
      # Standard File Validation
      - id: check-yaml
      - id: check-json
      - id: trailing-whitespace
      - id: end-of-file-fixer
      - id: check-added-large-files

🎛️ Hook Configuration

Environment Variables

You can customize hook behavior using environment variables:

# npm audit severity level
export NPM_AUDIT_LEVEL=moderate  # low, moderate, high, critical

# Semgrep configuration
export SEMGREP_RULES=p/security-audit,p/secrets

# TruffleHog configuration
export TRUFFLEHOG_EXTRA_ARGS="--no-verification"

Configuration Files

Many hooks support configuration files:

  • ESLint: .eslintrc.js, .eslintrc.json
  • Prettier: .prettierrc, .prettierrc.json
  • Checkstyle: checkstyle.xml
  • detect_secrets: .secrets.baseline
  • Semgrep: .semgrep.yml

πŸ” GenAI Security Features

Hardcoded URL Detection

Detects potentially sensitive URLs that shouldn't be committed:

# ❌ Will be flagged
api_url = "https://internal-api.company.com/v1"
database_url = "https://prod-db.company.com:5432"

# ✅ Safe alternatives
api_url = os.getenv("API_URL")
database_url = config.get("DATABASE_URL")

Credential Detection

Finds hardcoded passwords, API keys, and tokens:

// ❌ Will be flagged
const apiKey = 'sk-1234567890abcdef';
const password = 'mySecretPassword123';

// ✅ Safe alternatives
const apiKey = process.env.API_KEY;
const password = process.env.PASSWORD;

// ✅ For false positives, use inline comments to suppress
persistState(store, {
  key: 'AppPreferences', // pragma: allowlist secret
  storage: sessionStorage,
});

Suppressing False Positives:

The hardcoded_credentials hook supports inline comments to mark false positives:

# Python example
config = {
    "key": "LocalStorageKey"  # pragma: allowlist secret
}

// JavaScript example
const settings = {
  key: 'PreferenceKey', // pragma: allowlist secret
};

Supported suppression comment:

  • a trailing comment on the flagged line containing pragma: allowlist secret, written with whatever comment syntax the language uses (# in Python, // in JavaScript and similar languages), as in the two examples above

GenAI Security Patterns

Detects common security anti-patterns in AI-generated code:

# ❌ Insecure patterns flagged
import random
key = random.random()  # Weak randomness

query = "SELECT * FROM users WHERE id = " + user_id  # SQL injection

eval(user_input)  # Code injection

# ✅ Secure alternatives
import secrets
key = secrets.token_hex(16)  # Cryptographically secure

cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))  # Parameterized query

# Don't use eval() with user input
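As an added example written for this page (it is not the library's own hook code), here is a compact line scanner covering the three kinds of check described above: credential literals, environment-specific URL literals, and the GenAI anti-patterns (weak randomness, SQL built by concatenation, eval on input). It honours the pragma: allowlist secret marker from the suppression section. The rule set, the sample input and the choice to skip comment-only lines are assumptions made for illustration.

```python
"""Added example: a small regex scanner in the spirit of the hardcoded_urls,
hardcoded_credentials and genai_security_check hooks. It is illustrative code
written for this page, not the library's hook implementation. The rule set,
the constructed sample input and the comment-skipping behaviour are
assumptions; the marker `pragma: allowlist secret` is the one from the README.
"""
import re
from dataclasses import dataclass

ALLOWLIST_MARKER = "pragma: allowlist secret"

# Hypothetical rule set modelled on the README's flagged examples.
# Each entry: (rule id, compiled pattern, message).
RULES = [
    ("hardcoded_credential",
     re.compile(r"""(?i)\b(api[_-]?key|password|passwd|secret|token|key)\b['"]?\s*[=:]\s*['"][^'"]{8,}['"]"""),
     "credential-looking literal assigned in source"),
    ("hardcoded_url",
     re.compile(r"""['"]https?://[^'"\s]*\b(internal|prod|staging|corp)\b[^'"\s]*['"]"""),
     "environment-specific URL literal; load it from config or the environment"),
    ("weak_random",
     re.compile(r"\brandom\.(random|randint|choice|randrange)\s*\("),
     "random module is not suitable for keys or tokens; use secrets"),
    ("sql_concat",
     re.compile(r"""(?i)['"]\s*(select|insert|update|delete)\b[^'"]*['"]\s*\+"""),
     "SQL assembled by string concatenation; use a parameterized query"),
    ("eval_call",
     re.compile(r"\beval\s*\("),
     "eval() on untrusted input is code injection"),
]


@dataclass
class Finding:
    line: int
    rule: str
    message: str
    text: str
    suppressed: bool  # True when the line carries the allowlist marker


def scan(source: str) -> list:
    """Run every rule over every line. Comment-only lines are skipped so that
    prose such as '# never call eval()' does not trip the eval rule."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "//")):
            continue
        suppressed = ALLOWLIST_MARKER in line
        for rule_id, pattern, message in RULES:
            if pattern.search(line):
                findings.append(Finding(number, rule_id, message, stripped, suppressed))
    return findings


def active(findings) -> list:
    """Findings that should fail the commit; suppressed ones are only reported."""
    return [f for f in findings if not f.suppressed]


# Constructed sample: the README's flagged and safe snippets side by side.
SAMPLE = """\
api_url = "https://internal-api.company.com/v1"
api_url = os.getenv("API_URL")
const apiKey = 'sk-1234567890abcdef';
const apiKey = process.env.API_KEY;
config = {"key": "LocalStorageKey"}  # pragma: allowlist secret
key = random.random()
key = secrets.token_hex(16)
query = "SELECT * FROM users WHERE id = " + user_id
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
eval(user_input)
# Don't use eval() with user input
"""

if __name__ == "__main__":
    results = scan(SAMPLE)
    for f in results:
        state = "allowlisted" if f.suppressed else "FAIL"
        print(f"{state:11} line {f.line:2} [{f.rule}] {f.text}")
    # Exit non-zero like a pre-commit hook would when anything is still active.
    raise SystemExit(1 if active(results) else 0)
```

Running the block prints one line per finding and exits 1 because five lines remain active; line 5 is reported as allowlisted and does not count. Note that allowlisting by marker is per line and trusts the author, which is exactly why a baseline or allowlist should be reviewed in code review rather than accepted on sight.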

🛠️ Installation Requirements

Quick Setup (Recommended)

macOS:

curl -fsSL https://raw.githubusercontent.com/TriaFed/pre-commit-library/main/install-macos.sh | bash

Windows:

irm https://raw.githubusercontent.com/TriaFed/pre-commit-library/main/install-windows.ps1 | iex

These one-liners execute whatever is currently on the main branch without giving you a chance to read it. The selective installation below runs a local copy of the same script, which you can review first.

Selective, profile-aware installation (recommended)

Install only what your .pre-commit-config.yaml actually uses.

macOS:

# Auto-detect profiles from your .pre-commit-config.yaml by default (in current directory)
bash install-macos.sh

# Specify an explicit config path if not using the default name/location
bash install-macos.sh --config /abs/path/to/.pre-commit-config.yaml

# Force specific profiles (comma-separated), optionally exclude others
bash install-macos.sh --profiles python,node,infrastructure --exclude java

# Preview plan without installing
bash install-macos.sh --auto --config /abs/path/to/.pre-commit-config.yaml --dry-run

Windows (PowerShell):

# Auto-detect profiles from your .pre-commit-config.yaml by default (in current directory)
./install-windows.ps1

# Specify an explicit config path if not using the default name/location
./install-windows.ps1 -Config "C:\path\to\.pre-commit-config.yaml"

# Force specific profiles (comma-separated), optionally exclude others
./install-windows.ps1 -Profiles python,node,infrastructure -Exclude java

# Preview plan without installing
./install-windows.ps1 -Auto -Config "C:\path\to\.pre-commit-config.yaml" -DryRun

Profiles supported: core, python, node, dotnet, go, java, ansible, infrastructure. The installer uses scripts/resolve_deps.py to parse your .pre-commit-config.yaml, map hook IDs to profiles, and install only required tools. Optional tools (e.g., trufflehog) are installed only if the corresponding hook is present.
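The following is an added example, not the repository's scripts/resolve_deps.py, showing the resolution step just described: read the repo and hook IDs out of a .pre-commit-config.yaml, keep only the hooks that come from the TriaFed repo, map each hook ID to a profile, and list the tools to install, adding optional tools only when their hook is present. The hook-to-profile and profile-to-tool tables are inferred from the hook tables and the manual installation list on this page and may not match the real installer; the parser is a deliberately simple line-based one that assumes the flat layout of the configs shown above.

```python
"""Added example, not the library's scripts/resolve_deps.py. It illustrates
profile-aware dependency resolution: parse `- repo:` / `- id:` lines from a
.pre-commit-config.yaml, keep only TriaFed hooks, map hook IDs to profiles and
list the tools to install. PROFILE_HOOKS and PROFILE_TOOLS are assumptions
inferred from the README, not the project's real mapping. The line-based
parser handles the flat layout used in the README examples; a real tool would
use a YAML parser.
"""
import re

LIBRARY_REPO = "https://github.com/TriaFed/pre-commit-library"

# Assumed profile -> hook IDs, taken from the README's hook tables.
PROFILE_HOOKS = {
    "core": ["detect_secrets", "truffhog", "hardcoded_urls", "hardcoded_credentials",
             "genai_security_check", "detect_verbose_flags", "semgrep",
             "check_xml", "check_license"],
    "python": ["python_black", "python_flake8", "python_isort", "python_mypy",
               "bandit", "safety_python"],
    "node": ["eslint", "prettier", "typescript_check", "angular_lint",
             "npm_audit", "yarn_audit"],
    "dotnet": ["dotnet_format", "dotnet_test", "dotnet_security_scan"],
    "go": ["go_fmt", "go_lint", "go_security_scan"],
    "java": ["java_checkstyle", "java_spotbugs"],
    "ansible": ["ansible_lint", "ansible_syntax_check", "ansible_security_scan"],
    "infrastructure": ["terraform_fmt", "terraform_validate", "terraform_tflint",
                       "cloudformation_validate", "dockerfile_lint"],
}
HOOK_PROFILES = {hook: profile for profile, hooks in PROFILE_HOOKS.items() for hook in hooks}

# Assumed profile -> tools, following the README's manual installation section.
PROFILE_TOOLS = {
    "core": ["pre-commit", "detect-secrets", "semgrep"],
    "python": ["black", "flake8", "isort", "mypy", "bandit", "safety"],
    "node": ["eslint", "prettier", "typescript", "@angular/cli"],
    "dotnet": ["dotnet-sdk"],
    "go": ["go", "golangci-lint", "gosec"],
    "java": ["openjdk@17", "maven"],
    "ansible": ["ansible", "ansible-lint"],
    "infrastructure": ["terraform", "tflint", "hadolint", "cfn-lint"],
}
# Optional tools are installed only when their hook is actually configured.
OPTIONAL_TOOLS = {"truffhog": "trufflehog"}

REPO_RE = re.compile(r"^\s*-\s*repo:\s*(\S+)")
ID_RE = re.compile(r"^\s*-\s*id:\s*(\S+)")


def hook_ids_by_repo(config_text: str) -> dict:
    """Return {repo_url: [hook ids]} from the flat pre-commit config layout."""
    hooks, current = {}, None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0]          # drop trailing comments
        m = REPO_RE.match(line)
        if m:
            current = m.group(1)
            hooks.setdefault(current, [])
            continue
        m = ID_RE.match(line)
        if m and current is not None:
            hooks[current].append(m.group(1))
    return hooks


def plan(config_text: str) -> dict:
    """Resolve profiles and tools for the TriaFed hooks in a config.
    Hooks from other repos (e.g. pre-commit/pre-commit-hooks) are ignored;
    unknown TriaFed hook IDs are reported rather than silently dropped."""
    ours = hook_ids_by_repo(config_text).get(LIBRARY_REPO, [])
    profiles, unknown = set(), []
    for hook in ours:
        profile = HOOK_PROFILES.get(hook)
        if profile:
            profiles.add(profile)
        else:
            unknown.append(hook)
    if ours:
        profiles.add("core")                 # assumption: core is always needed
    tools = {tool for p in profiles for tool in PROFILE_TOOLS[p]}
    tools |= {OPTIONAL_TOOLS[h] for h in ours if h in OPTIONAL_TOOLS}
    return {"profiles": sorted(profiles), "tools": sorted(tools), "unknown": unknown}


# Constructed sample config: Python and Go hooks plus the official file checks.
SAMPLE_CONFIG = """\
repos:
  - repo: https://github.com/TriaFed/pre-commit-library
    rev: v1.2.0
    hooks:
      - id: detect_secrets
      - id: python_black   # formatter
      - id: bandit
      - id: go_security_scan
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.4.0
    hooks:
      - id: check-yaml
      - id: end-of-file-fixer
"""

if __name__ == "__main__":
    result = plan(SAMPLE_CONFIG)
    print("profiles:", ", ".join(result["profiles"]))
    print("tools:   ", ", ".join(result["tools"]))
    if result["unknown"]:
        print("unknown hook ids:", result["unknown"])
```

For the sample config the plan resolves to the core, python and go profiles; node, java and the rest are left out, trufflehog is not pulled in because the truffhog hook is absent, and the official check-yaml and end-of-file-fixer hooks are ignored because they belong to a different repo.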

Manual Installation by Language

Python:

pip install black flake8 isort mypy bandit safety detect_secrets

JavaScript/TypeScript/Node.js:

npm install -g eslint prettier typescript @angular/cli

.NET:

# Download from: https://dotnet.microsoft.com/download
# macOS: brew install --cask dotnet
# Windows: winget install Microsoft.DotNet.SDK.8

Go:

# Install Go: https://golang.org/dl/
# macOS: brew install go
# Windows: winget install GoLang.Go

# Install Go tools:
go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
go install github.com/securego/gosec/v2/cmd/gosec@latest

Java:

# Install JDK 17+
# macOS: brew install openjdk@17
# Windows: winget install Microsoft.OpenJDK.17

# Build tools:
# Maven: brew install maven / winget install Apache.Maven
# Gradle: brew install gradle / winget install Gradle.Gradle

Ansible:

pip install ansible ansible_lint

Infrastructure Tools:

# Terraform: brew install terraform / winget install Hashicorp.Terraform
# TFLint: brew install tflint / choco install tflint
# Hadolint: brew install hadolint / winget install Hadolint.Hadolint

Security Tools:

pip install semgrep
# TruffleHog: brew install trufflehog / winget install trufflesecurity.trufflehog

📋 Complete installation guide: DEPENDENCIES.md

Optional Tools

Some tools provide enhanced functionality:

  • TruffleHog: Advanced secret scanning
  • Semgrep: Multi-language SAST
  • hadolint: Dockerfile linting
  • cfn-lint: CloudFormation linting

🚨 Troubleshooting

Common Issues

  1. Hook not found: check that the repository URL and rev in .pre-commit-config.yaml are correct, and that you are using this library's underscore IDs (detect_secrets) rather than the hyphenated official ones (check-yaml) under the wrong repo
  2. Tool not installed: install the required tool using the instructions above, or let the profile-aware installer resolve it from your config
  3. False positives: use exclude patterns, the tool's own configuration file, or the inline suppression comments described above
  4. Performance: --no-verify skips every hook on that commit, so reserve it for a genuine emergency; to bypass one slow hook use pre-commit's SKIP variable instead (for example SKIP=semgrep git commit), and run the same hooks in CI so anything skipped locally is still caught before merge

Ignoring False Positives

detect_secrets

# Generate a new baseline (scan --baseline only updates an existing file)
detect-secrets scan > .secrets.baseline

# Update an existing baseline in place
detect-secrets scan --baseline .secrets.baseline

# Update with every plugin enabled, not just those recorded in the baseline
detect-secrets scan --baseline .secrets.baseline --force-use-all-plugins

ESLint

// eslint-disable-next-line rule-name
const problematicCode = 'value';

Semgrep

# nosemgrep: rule-id
potentially_flagged_code()

Verbose Flags Detection

# ❌ Will be flagged
logging.basicConfig(level=logging.DEBUG)
debug = True
console.log("DEBUG: " + data)

# ✅ Better alternatives
logging.basicConfig(level=os.getenv("LOG_LEVEL", "INFO"))
debug = os.getenv("DEBUG", "false").lower() == "true"
logger.debug("Processing data: %s", data)

Performance Optimization

For large repositories:

repos:
  - repo: https://github.com/TriaFed/pre-commit-library
    rev: v1.2.0
    hooks:
      - id: detect_secrets
        exclude: ^(docs/|tests/fixtures/)
      - id: eslint
        files: \.(js|jsx|ts|tsx)$
        exclude: node_modules/

🤝 Contributing

  1. Fork the repository
  2. Create a feature branch
  3. Add new hooks or improve existing ones
  4. Test your changes
  5. Submit a pull request

Adding New Hooks

  1. Create the hook script in hooks/
  2. Add entry to .pre-commit-hooks.yaml
  3. Update documentation
  4. Add example configuration

πŸ“ License

This project is licensed under the MIT License - see the LICENSE file for details.

📊 Compliance

This library helps address requirements drawn from:

  • OWASP Top 10 security standards
  • CWE (Common Weakness Enumeration) guidelines
  • SANS secure coding practices
  • Enterprise security policies
  • GenAI governance requirements

🎯 Best Practices

For GenAI Development

  1. Always run security hooks on AI-generated code
  2. Review flagged issues carefully - AI tools can include sensitive data
  3. Use environment variables for configuration
  4. Validate all external inputs in AI-generated code
  5. Update dependencies regularly, and keep the dependency audit hooks (safety_python, npm_audit, yarn_audit) enabled so known-vulnerable versions are caught at commit time
  6. Code review AI-generated code before merging

Hook Configuration

  1. Start minimal and add hooks gradually
  2. Configure tool-specific settings using their config files
  3. Use excludes for generated files and vendor directories
  4. Test hooks locally before pushing
  5. Document team conventions in your project README

Made with ❤️ for safer GenAI development

🧪 Testing and Coverage

Quick run (macOS/Linux):

bash scripts/run-tests.sh

Quick run (Windows PowerShell):

./scripts/run-tests.ps1

Manually with pytest-cov:

python3 -m pip install -U pytest pytest-cov pyyaml
python3 -m pytest scripts/tests --cov=scripts --cov-report=term-missing -q

HTML coverage report:

python3 -m pytest scripts/tests --cov=scripts --cov-report=html -q
# Then open htmlcov/index.html
