Generate Pre-commit Config
Create optimized .pre-commit-config.yaml for Python projects.
Tool Selection Rationale
Ruff replaces: black, autopep8, autoflake, isort, flake8, flake8-bandit
Still needed:
- gitleaks - Secrets detection (not Python-specific)
- pip-audit - Dependency vulnerabilities (not covered by ruff)
- pre-commit-hooks - File validation, merge conflicts
Dropped:
- bandit → ruff S rules cover security checks
- black → ruff format is identical, faster
- isort → ruff I rules
- flake8 → ruff check
Workflow
1. Check Existing Config
```text
Glob: .pre-commit-config.yaml
```
If exists, ask via AskUserQuestion:
- "Merge hooks" - Keep custom hooks, update versions
- "Overwrite" - Replace entirely
- "Skip" - Don't modify
1b. Detect Redundant Tools
If existing config contains black, isort, flake8, autopep8, autoflake, or bandit, ask:
```text
question: "Detected tools that ruff replaces. Migrate to ruff?"
header: "Migration"
options:
  - label: "Yes, replace with ruff"
    description: "Remove black/isort/flake8/bandit, use ruff instead"
  - label: "No, keep existing"
    description: "Keep current setup unchanged"
```
Tools ruff replaces:
- black → ruff format
- isort → ruff I rules
- flake8 → ruff check
- bandit → ruff S rules
- autopep8 → ruff format
- autoflake → ruff check
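One way to implement the step 1b check, as an added example that is not part of the original skill: it scans an existing config for hook ids that ruff replaces and also reports which of the security hooks named in the report are absent. The function names, the line-based matching (instead of a YAML parser) and the sample config are assumptions made for illustration.

```python
import re

# Replacement map taken from the "Tools ruff replaces" list above.
RUFF_REPLACES = {
    "black": "ruff format",
    "autopep8": "ruff format",
    "isort": "ruff I rules",
    "flake8": "ruff check",
    "autoflake": "ruff check",
    "bandit": "ruff S rules",
}
# Security hooks named in the report; ruff does not replace these.
SECURITY_HOOKS = ("gitleaks", "pip-audit", "detect-private-key")

# Matches "- id: name" or "id: name"; commented-out lines do not match.
HOOK_ID = re.compile(r"""^\s*(?:-\s+)?id:\s*['"]?([A-Za-z0-9_.-]+)""")

def hook_ids(config_text):
    """Return [(line_number, hook_id)] for each active hook entry."""
    lines = enumerate(config_text.splitlines(), start=1)
    matches = ((n, HOOK_ID.match(line)) for n, line in lines)
    return [(n, m.group(1)) for n, m in matches if m]

def audit(config_text):
    """Report redundant hooks and security hooks absent from the config."""
    ids = hook_ids(config_text)
    present = {hook for _, hook in ids}
    redundant = [(n, h, RUFF_REPLACES[h]) for n, h in ids if h in RUFF_REPLACES]
    missing = [h for h in SECURITY_HOOKS if h not in present]
    return {"redundant": redundant, "missing_security": missing}

# Constructed sample config for the example (rev pins omitted for brevity).
SAMPLE = """\
repos:
  - repo: https://github.com/psf/black
    hooks:
      - id: black
  - repo: https://github.com/PyCQA/bandit
    hooks:
      - id: bandit
  # - id: flake8  (commented out, ignored)
  - repo: https://github.com/gitleaks/gitleaks
    hooks:
      - id: gitleaks
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A non-empty `missing_security` list matters during a "Merge hooks" run: removing bandit is covered by ruff's S rules, but secrets and dependency scanning still need their own hooks.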
2. Generate .pre-commit-config.yaml
Read the base config from references/pre-commit-base.yaml and use it as the starting template.
Customizations to apply based on project context:
- If no chart/ directory, remove the exclude: '^chart/templates/' from check-yaml
- If project uses markdown files, uncomment the markdownlint section
- If project uses Makefiles, uncomment the mbake section
- If project uses Docker, uncomment the hadolint section
- If project has strict typing, uncomment the mypy section
Copy the base config to .pre-commit-config.yaml with applicable sections uncommented.
4. Report
```text
Created .pre-commit-config.yaml

Hooks installed:
  Security: gitleaks, pip-audit, detect-private-key
  Validation: check-ast, check-yaml/json/toml, debug-statements
  Git hygiene: no-commit-to-branch, check-merge-conflict
  Formatting: ruff (lint+fix), ruff-format, whitespace fixes

Ruff replaces: black, isort, flake8, bandit, autopep8

Install: pre-commit install
Run all: pre-commit run --all-files
Update: pre-commit autoupdate
```
Why No Bandit?
Ruff's S rules (flake8-bandit) cover the same security checks:
- S101: assert_used
- S102: exec_used
- S103: bad_file_permissions
- S104: hardcoded_bind_all_interfaces
- S105-S108: hardcoded passwords/secrets
- S301-S303: pickle, marshal, insecure hash
- S311: pseudo-random generators
- S501-S509: SSL/TLS issues
- S601-S612: shell injection, SQL injection
Enable in pyproject.toml:
```toml
[tool.ruff.lint]
# Note: select replaces ruff's default rule set; use extend-select to keep the defaults.
select = ["S"]  # Security rules
```
Version Updates
Check latest versions: