.pre-commit-hooks.yaml
# Pip-based hook: unlike the docker hooks further down it does not go through
# 'docker_image', which makes it significantly faster (especially on macOS).
- id: semgrep
  name: semgrep
  entry: semgrep
  # `language: python` gives the hook pip as a dependency, because pre-commit
  # installs tools into local environments.
  #
  # With `language: python`, pre-commit expects a top-level setup.py. Here
  # setup.py is essentially just `pip install semgrep==0.xxx.yyy`.
  # NOTE(review): that presumably ties the installed semgrep version to the
  # `rev` a consumer pins for this repository; confirm against setup.py.
  language: python
  # Default CLI arguments. This hook leaves `pass_filenames` unset, so
  # pre-commit appends the filenames it selected after these.
  args:
    - '--disable-version-check'
    - '--quiet'
    - '--skip-unknown-extensions'
- id: semgrep-ci
  name: semgrep
  entry: semgrep
  # Same reason as for the `semgrep` hook: `language: python` supplies pip.
  language: python
  # The `ci` command does not accept filenames as parameters, so pre-commit
  # must not append them.
  pass_filenames: false
  # NOTE(review): `--dry-run` presumably keeps the results local, and
  # `--baseline-commit HEAD` presumably limits findings to changes made since
  # HEAD; confirm both against the semgrep CLI documentation.
  args:
    - 'ci'
    - '--dry-run'
    - '--baseline-commit'
    - 'HEAD'
# Docker-based hooks, for running the bleeding-edge Semgrep.
- id: semgrep-docker-develop
  name: semgrep
  description: This hook runs semgrep:develop
  # See https://pre-commit.com/#docker_image for more information
  language: docker_image
  # pre-commit runs docker images with -u set to a non-root uid, which has no
  # permissions on the default path /.semgrep. SEMGREP_LOG_FILE and
  # SEMGREP_VERSION_CACHE_PATH are therefore pointed at /tmp.
  # Alternative: fall back to /tmp/ in the Python code when /.semgrep is not
  # writable.
  #
  # NOTE(review): `semgrep/semgrep:develop` is a mutable tag. Pinning `rev`
  # for this repository pins this manifest but not the image contents, so the
  # scanner that actually runs is whatever is currently published (or locally
  # cached) under that tag. Where reproducible or audited tooling is needed,
  # prefer the pip-based hooks or an image referenced by digest.
  entry: >-
    -e SEMGREP_LOG_FILE=/tmp/out.log
    -e SEMGREP_VERSION_CACHE_PATH=/tmp/cache
    semgrep/semgrep:develop semgrep
# Same docker-based hook, using the `latest` image instead of `develop`.
- id: semgrep-docker
  name: semgrep
  description: This hook runs semgrep (a.k.a. semgrep:latest)
  language: docker_image
  # The SEMGREP_XXX variables are set for the same reason as in the
  # `semgrep-docker-develop` hook: the container runs as a non-root uid that
  # cannot write to /.semgrep.
  #
  # NOTE(review): `semgrep/semgrep:latest` is a mutable tag. Pinning `rev` for
  # this repository does not pin the image, so the semgrep that runs can differ
  # between machines and over time. Where reproducible or audited tooling is
  # needed, prefer the pip-based hooks or an image referenced by digest.
  entry: >-
    -e SEMGREP_LOG_FILE=/tmp/out.log
    -e SEMGREP_VERSION_CACHE_PATH=/tmp/cache
    semgrep/semgrep:latest semgrep