
#!/usr/bin/env python3
"""Pre-commit hook for security scanning.
Scans staged files for security vulnerabilities before commit.
Fails if HIGH severity issues are found.
"""
import sys
from pathlib import Path
from security_scanner import SecurityScanner
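def main():
    """Run the security scan over the staged files named on the command line.

    pre-commit passes the staged paths as positional arguments. Each file is
    read as UTF-8 text and handed to ``SecurityScanner.scan_content``; the
    findings for each file are printed, then a total is summarized.

    Returns:
        int: process exit status — 1 when at least one HIGH severity finding
        was reported (the commit is blocked), 0 otherwise. No files given and
        only MEDIUM/LOW findings both yield 0.
    """
    scanner = SecurityScanner()
    # pre-commit passes the staged file paths as positional arguments.
    files = sys.argv[1:]
    if not files:
        print("No files to scan")
        return 0

    has_high_severity = False
    total_findings = 0
    for filepath in files:
        content = _read_text(filepath)
        if content is None:
            # Unreadable file: a warning has been printed and the file is
            # skipped; it does not by itself fail the hook.
            continue
        findings = list(scanner.scan_content(content, filepath))
        if not findings:
            continue
        total_findings += len(findings)
        if _print_findings(filepath, findings):
            has_high_severity = True

    if total_findings > 0:
        print(f"\n{'=' * 60}")
        print(f"Total findings: {total_findings}")
        print("=" * 60)
    if has_high_severity:
        print("\n❌ COMMIT BLOCKED: HIGH severity security issues found")
        print("Please fix the issues above before committing.")
        print("\nTo bypass (not recommended): git commit --no-verify")
        return 1
    if total_findings > 0:
        print("\n⚠️ Medium/Low severity issues found - review recommended")
    return 0


def _read_text(filepath):
    """Read ``filepath`` as UTF-8 text, or return ``None`` after printing a warning.

    Only I/O failures and decoding errors (e.g. a binary file that cannot be
    decoded as UTF-8) are treated as "could not read"; any other exception
    propagates so a genuine bug in the hook is not hidden behind a warning.
    """
    try:
        with open(filepath, "r", encoding="utf-8") as f:
            return f.read()
    except (OSError, UnicodeDecodeError) as e:
        print(f"Warning: Could not read {filepath}: {e}")
        return None


def _print_findings(filepath, findings):
    """Print a per-file report of ``findings`` and return whether any is HIGH.

    Args:
        filepath: path of the scanned file, used only in the report header.
        findings: non-empty sequence of finding objects exposing ``severity``,
            ``name``, ``category``, ``cwe``, ``line``, ``description`` and
            ``recommendation`` attributes.

    Returns:
        bool: True when at least one finding has severity ``"HIGH"``.
    """
    # Built once per file rather than once per finding.
    severity_symbols = {
        "HIGH": "🔴",
        "MEDIUM": "🟡",
        "LOW": "🔵",
    }
    print(f"\n{'=' * 60}")
    print(f"Security findings in: {filepath}")
    print("=" * 60)
    has_high = False
    for finding in findings:
        severity_symbol = severity_symbols.get(finding.severity, "")
        print(f"\n{severity_symbol} [{finding.severity}] {finding.name}")
        print(f" Category: {finding.category}")
        print(f" CWE: {finding.cwe}")
        print(f" Line: {finding.line}")
        print(f" Description: {finding.description}")
        print(f" Recommendation: {finding.recommendation}")
        if finding.severity == "HIGH":
            has_high = True
    return has_high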
if __name__ == "__main__":
    # Hand main()'s status code to the shell: non-zero makes pre-commit
    # treat the hook as failed and abort the commit.
    raise SystemExit(main())