security fixes
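--- /dev/null
+++ b/tools/ai-review/security/pre_commit_scan.py
@@ -0,0 +1,83 @@
+#!/usr/bin/env python3
+"""Pre-commit hook for security scanning.
+
+Scans staged files for security vulnerabilities before commit.
+Fails if HIGH severity issues are found.
+"""
+
+import sys
+from pathlib import Path
+
+from security_scanner import SecurityScanner
+
+
+def main():
+    """Run security scan on staged files."""
+    scanner = SecurityScanner()
+
+    # Get files from command line (pre-commit passes them)
+    files = sys.argv[1:]
+
+    if not files:
+        print("No files to scan")
+        return 0
+
+    has_high_severity = False
+    total_findings = 0
+
+    for filepath in files:
+        try:
+            with open(filepath, "r", encoding="utf-8") as f:
+                content = f.read()
+        except Exception as e:
+            print(f"Warning: Could not read {filepath}: {e}")
+            continue
+
+        findings = list(scanner.scan_content(content, filepath))
+
+        if not findings:
+            continue
+
+        total_findings += len(findings)
+
+        # Print findings
+        print(f"\n{'=' * 60}")
+        print(f"Security findings in: {filepath}")
+        print("=" * 60)
+
+        for finding in findings:
+            severity_symbol = {
+                "HIGH": "🔴",
+                "MEDIUM": "🟡",
+                "LOW": "🔵",
+            }.get(finding.severity, "⚪")
+
+            print(f"\n{severity_symbol} [{finding.severity}] {finding.name}")
+            print(f" Category: {finding.category}")
+            print(f" CWE: {finding.cwe}")
+            print(f" Line: {finding.line}")
+            print(f" Description: {finding.description}")
+            print(f" Recommendation: {finding.recommendation}")
+
+            if finding.severity == "HIGH":
+                has_high_severity = True
+
+    if total_findings > 0:
+        print(f"\n{'=' * 60}")
+        print(f"Total findings: {total_findings}")
+        print("=" * 60)
+
+    if has_high_severity:
+        print("\n❌ COMMIT BLOCKED: HIGH severity security issues found")
+        print("Please fix the issues above before committing.")
+        print("\nTo bypass (not recommended): git commit --no-verify")
+        return 1
+
+    if total_findings > 0:
+        print("\n⚠️ Medium/Low severity issues found - review recommended")
+
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main())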
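Review bot: The hook fails open for any staged file it cannot read: the `except Exception` around `open(filepath, "r", encoding="utf-8")` turns an `OSError` or a `UnicodeDecodeError` into a printed warning and `continue`, so a file with a single non-UTF-8 byte is never handed to `scanner.scan_content` and the commit still returns 0. Narrow the catch to `except (OSError, UnicodeDecodeError) as e:` and either scan the content anyway with `with open(filepath, "r", encoding="utf-8", errors="replace") as f:` or treat an unreadable file as a blocking result by setting `has_high_severity = True` before the `continue`. The module docstring says it scans staged files, but the loop reads the working-tree copy at `filepath`, which can differ from the index after a partial `git add -p`; a one-line comment such as `# NOTE: reads the working tree, not the staged blob — partially staged hunks are not what gets scanned` would make that limitation explicit to whoever wires this into pre-commit. `Path` is imported but never used in this file.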