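#!/usr/bin/env python3
"""Pre-commit hook for security scanning.

Scans staged files for security vulnerabilities before commit.
Fails if HIGH severity issues are found.
"""
import sys
from pathlib import Path

from security_scanner import SecurityScanner

# Only findings at this severity make the hook return non-zero; every other
# severity is reported but does not block the commit.
BLOCKING_SEVERITY = "HIGH"

# Marker printed in front of each finding, keyed by severity. Severities the
# scanner reports that are not listed here get UNKNOWN_SEVERITY_SYMBOL.
SEVERITY_SYMBOLS = {
    "HIGH": "🔴",
    "MEDIUM": "🟡",
    "LOW": "🔵",
}
UNKNOWN_SEVERITY_SYMBOL = "⚪"

# Horizontal rule used to separate per-file report sections.
RULE = "=" * 60


def _read_text(filepath: str):
    """Return the UTF-8 contents of *filepath*, or None if it cannot be read.

    A warning is printed for files that cannot be opened or are not valid
    UTF-8 (binary blobs, for example). NOTE: an unreadable file is skipped,
    not treated as a failure, so this path fails open -- the warning is the
    only trace that the file was never scanned.
    """
    try:
        return Path(filepath).read_text(encoding="utf-8")
    except (OSError, ValueError) as e:  # ValueError covers UnicodeDecodeError
        print(f"Warning: Could not read {filepath}: {e}")
        return None


def _print_finding(finding) -> None:
    """Print a single scanner finding in the hook's report format.

    *finding* is whatever ``SecurityScanner.scan_content`` yields; only the
    attributes read below (severity, name, category, cwe, line, description,
    recommendation) are assumed to exist.
    """
    symbol = SEVERITY_SYMBOLS.get(finding.severity, UNKNOWN_SEVERITY_SYMBOL)
    print(f"\n{symbol} [{finding.severity}] {finding.name}")
    print(f" Category: {finding.category}")
    print(f" CWE: {finding.cwe}")
    print(f" Line: {finding.line}")
    print(f" Description: {finding.description}")
    print(f" Recommendation: {finding.recommendation}")


def main(argv=None) -> int:
    """Run the security scan on the given files and report the result.

    Args:
        argv: Paths of the files to scan. Defaults to ``sys.argv[1:]``,
            which is how pre-commit hands over the staged files.

    Returns:
        1 when at least one finding has BLOCKING_SEVERITY (the commit must be
        blocked), otherwise 0 -- including when there is nothing to scan or
        when only lower-severity findings were reported.
    """
    scanner = SecurityScanner()

    files = sys.argv[1:] if argv is None else list(argv)
    if not files:
        print("No files to scan")
        return 0

    has_blocking_severity = False
    total_findings = 0

    for filepath in files:
        content = _read_text(filepath)
        if content is None:
            continue

        findings = list(scanner.scan_content(content, filepath))
        if not findings:
            continue
        total_findings += len(findings)

        print(f"\n{RULE}")
        print(f"Security findings in: {filepath}")
        print(RULE)
        for finding in findings:
            _print_finding(finding)

        if any(f.severity == BLOCKING_SEVERITY for f in findings):
            has_blocking_severity = True

    if total_findings > 0:
        print(f"\n{RULE}")
        print(f"Total findings: {total_findings}")
        print(RULE)

    if has_blocking_severity:
        print("\n❌ COMMIT BLOCKED: HIGH severity security issues found")
        print("Please fix the issues above before committing.")
        print("\nTo bypass (not recommended): git commit --no-verify")
        return 1

    if total_findings > 0:
        print("\n⚠️ Medium/Low severity issues found - review recommended")

    return 0


if __name__ == "__main__":
    sys.exit(main())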