.pre-commit-hooks.yaml

# We set `pass_filenames` to `false` because ggshield gets filenames from commit IDs.
- id: ggshield
  name: ggshield (pre-commit)
  entry: ggshield
  description: Runs ggshield to detect hardcoded secrets, security vulnerabilities and policy breaks.
  stages: [commit]
  args: ['secret', 'scan', 'pre-commit']
  language: python
  pass_filenames: false

- id: docker-ggshield
  name: ggshield (pre-commit,docker)
  language: docker_image
  entry: -e GITGUARDIAN_API_KEY gitguardian/ggshield:latest ggshield secret scan pre-commit
  description: Runs ggshield to detect hardcoded secrets, security vulnerabilities and policy breaks in docker images.
  pass_filenames: false

- id: ggshield-push
  name: ggshield (pre-push)
  entry: ggshield
  description: Runs ggshield to detect hardcoded secrets, security vulnerabilities and policy breaks.
  args: ['secret', 'scan', 'pre-push']
  stages: [push]
  language: python
  pass_filenames: false

- id: docker-ggshield-push
  name: ggshield (pre-push,docker)
  language: docker_image
  entry: -e GITGUARDIAN_API_KEY gitguardian/ggshield:latest ggshield secret scan pre-push
  description: Runs ggshield to detect hardcoded secrets, security vulnerabilities and policy breaks in docker images.
  pass_filenames: false