Merge pull request #60 from ansible-lockdown/devel

uk-bolly · web-flow · commit f23cb347f450 · 2023-08-10T21:40:41.000+01:00
workflow run devel -&gt; main
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,67 @@
+---
+##### CI for use by github no need for action to be added
+##### Inherited
+ci:
+    autofix_prs: false
+    skip: [detect-aws-credentials, ansible-lint ]
+
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v3.2.0
+  hooks:
+  # Safety
+  - id: detect-aws-credentials
+  - id: detect-private-key
+
+  # git checks
+  - id: check-merge-conflict
+  - id: check-added-large-files
+  - id: check-case-conflict
+
+  # General checks
+  - id: trailing-whitespace
+    name: Trim Trailing Whitespace
+    description: This hook trims trailing whitespace.
+    entry: trailing-whitespace-fixer
+    language: python
+    types: [text]
+    args: [--markdown-linebreak-ext=md]
+  - id: end-of-file-fixer
+
+# Scan for passwords
+- repo: https://github.com/Yelp/detect-secrets
+  rev: v1.4.0
+  hooks:
+  - id: detect-secrets
+    args: [ '--baseline', '.config/.secrets.baseline' ]
+    exclude: .config/.gitleaks-report.json
+
+- repo: https://github.com/gitleaks/gitleaks
+  rev: v8.17.0
+  hooks:
+  - id: gitleaks
+    args: ['--baseline-path', '.config/.gitleaks-report.json']
+
+- repo: https://github.com/ansible-community/ansible-lint
+  rev: v6.17.2
+  hooks:
+  - id: ansible-lint
+    name: Ansible-lint
+    description: This hook runs ansible-lint.
+    entry: python3 -m ansiblelint --force-color site.yml -c .ansible-lint
+    language: python
+    # do not pass files to ansible-lint, see:
+    # https://github.com/ansible/ansible-lint/issues/611
+    pass_filenames: false
+    always_run: true
+    additional_dependencies:
+    # https://github.com/pre-commit/pre-commit/issues/1526
+    # If you want to use specific version of ansible-core or ansible, feel
+    # free to override `additional_dependencies` in your own hook config
+    # file.
+    - ansible-core>=2.10.1
+
+- repo: https://github.com/adrienverge/yamllint.git
+  rev: v1.32.0  # or higher tag
+  hooks:
+  - id: yamllint
diff --git a/README.md b/README.md
@@ -113,3 +113,11 @@ uses:
 - ansible collections - pulls in the latest version based on requirements file
 - runs the audit using the devel branch
 - This is an automated test that occurs on pull requests into devel
+
+## Added Extras
+
+- [pre-commit](https://pre-commit.com) can be tested and can be run from within the directory
+
+```sh
+pre-commit run
+```
diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml
@@ -4,9 +4,9 @@
   ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}"
   changed_when: true
   environment:
-    AUDIT_BIN: "{{ audit_bin }}"
-    AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}"
-    AUDIT_FILE: "goss.yml"
+      AUDIT_BIN: "{{ audit_bin }}"
+      AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}"
+      AUDIT_FILE: "goss.yml"
 
 - name: Post Audit | ensure audit files readable by users
   ansible.builtin.file:
