Skip to content

chore: SHA-pin pre-commit hook revisions #10

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
27Bslash6 merged 3 commits into from
Apr 11, 2026
Merged

chore: SHA-pin pre-commit hook revisions #10

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
4d11b59
chore: SHA-pin pre-commit hook revisions for supply chain security
27Bslash6 Apr 6, 2026
d1808cc
ci: commit Cargo.lock and add secrets baseline
27Bslash6 Apr 10, 2026
4ed86e2
chore: use inline pragmas for test secret allowlisting
27Bslash6 Apr 11, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 0 additions & 1 deletion .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,2 +1 @@
target/
Cargo.lock
4 changes: 2 additions & 2 deletions .pre-commit-config.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@ repos:

# General file checks
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v5.0.0
rev: cef0300fd0fc4d2a87a85fa2093c6b283ea36f4b # v5.0.0 # pragma: allowlist secret
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Apr 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify that the commit SHAs in .pre-commit-config.yaml correspond to the claimed version tags

echo "Checking pre-commit-hooks SHA..."
curl -s https://api.github.com/repos/pre-commit/pre-commit-hooks/git/refs/tags/v5.0.0 | jq -r '.object.sha' | head -c 40
echo " (expected: cef0300fd0fc4d2a87a85fa2093c6b283ea36f4b)"

echo -e "\n\nChecking detect-secrets SHA..."
curl -s https://api.github.com/repos/Yelp/detect-secrets/git/refs/tags/v1.5.0 | jq -r '.object.sha' | head -c 40
echo " (expected: 01886c8a910c64595c47f186ca1ffc0b77fa5458)"

Repository: cachekit-io/cachekit-rs

Length of output: 320

Fix the detect-secrets SHA: it does not correspond to v1.5.0.

The pre-commit-hooks SHA (line 33) is correct for v5.0.0. However, the detect-secrets SHA on line 45 is incorrect: the config specifies 01886c8a910c64595c47f186ca1ffc0b77fa5458, but the actual v1.5.0 tag in the Yelp/detect-secrets repository points to 68e8b45440415753fff70a312ece8da92ba85b4a. Update the SHA to match the claimed version or correct the version comment.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In @.pre-commit-config.yaml at line 33, Update the detect-secrets rev to match
the claimed v1.5.0 tag: replace the current detect-secrets SHA value
(01886c8a910c64595c47f186ca1ffc0b77fa5458) with the correct commit for v1.5.0
(68e8b45440415753fff70a312ece8da92ba85b4a) or alternatively update the version
comment to reflect the SHA currently used; ensure the pre-commit entry for
detect-secrets uses a consistent rev value that corresponds to its annotated
version.

hooks:
- id: trailing-whitespace
- id: end-of-file-fixer
Expand All @@ -42,7 +42,7 @@ repos:

# Secret scanning - prevent credential leaks
- repo: https://github.com/Yelp/detect-secrets
rev: v1.5.0
rev: 01886c8a910c64595c47f186ca1ffc0b77fa5458 # v1.5.0 # pragma: allowlist secret
hooks:
- id: detect-secrets
args:
Expand Down
135 changes: 135 additions & 0 deletions .secrets.baseline
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,135 @@
{
"version": "1.5.0",
"plugins_used": [
{
"name": "ArtifactoryDetector"
},
{
"name": "AWSKeyDetector"
},
{
"name": "AzureStorageKeyDetector"
},
{
"name": "Base64HighEntropyString",
"limit": 4.5
},
{
"name": "BasicAuthDetector"
},
{
"name": "CloudantDetector"
},
{
"name": "DiscordBotTokenDetector"
},
{
"name": "GitHubTokenDetector"
},
{
"name": "GitLabTokenDetector"
},
{
"name": "HexHighEntropyString",
"limit": 3.0
},
{
"name": "IbmCloudIamDetector"
},
{
"name": "IbmCosHmacDetector"
},
{
"name": "IPPublicDetector"
},
{
"name": "JwtTokenDetector"
},
{
"name": "KeywordDetector",
"keyword_exclude": ""
},
{
"name": "MailchimpDetector"
},
{
"name": "NpmDetector"
},
{
"name": "OpenAIDetector"
},
{
"name": "PrivateKeyDetector"
},
{
"name": "PypiTokenDetector"
},
{
"name": "SendGridDetector"
},
{
"name": "SlackDetector"
},
{
"name": "SoftlayerDetector"
},
{
"name": "SquareOAuthDetector"
},
{
"name": "StripeDetector"
},
{
"name": "TelegramBotTokenDetector"
},
{
"name": "TwilioKeyDetector"
}
],
"filters_used": [
{
"path": "detect_secrets.filters.allowlist.is_line_allowlisted"
},
{
"path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
"min_level": 2
},
{
"path": "detect_secrets.filters.heuristic.is_indirect_reference"
},
{
"path": "detect_secrets.filters.heuristic.is_likely_id_string"
},
{
"path": "detect_secrets.filters.heuristic.is_lock_file"
},
{
"path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string"
},
{
"path": "detect_secrets.filters.heuristic.is_potential_uuid"
},
{
"path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign"
},
{
"path": "detect_secrets.filters.heuristic.is_sequential_string"
},
{
"path": "detect_secrets.filters.heuristic.is_swagger_file"
},
{
"path": "detect_secrets.filters.heuristic.is_templated_secret"
},
{
"path": "detect_secrets.filters.regex.should_exclude_file",
"pattern": [
"\\.lock$",
"target/",
"tests/fixtures/"
]
}
],
"results": {},
"generated_at": "2026-04-11T21:42:32Z"
}
Loading