add python-check-blanket-nosec

pre-commit · Sep 18, 2023 · 092e4e0 · 092e4e0
1 parent 9fa701e
commit 092e4e0
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 0 deletions.
diff --git a/.pre-commit-hooks.yaml b/.pre-commit-hooks.yaml
@@ -4,6 +4,12 @@
     entry: '(?i)# noqa(?!: )'
     language: pygrep
     types: [python]
+-   id: python-check-blanket-nosec
+    name: check blanket nosec
+    description: 'Enforce that `nosec` annotations always occur with specific codes. Sample annotations: `# nosec assert_used`, `# nosec B602, B607`'
+    entry: '(?i)#\s*nosec:?\s*(?![^#])'
+    language: pygrep
+    types: [python]
 -   id: python-check-blanket-type-ignore
     name: check blanket type ignore
     description: 'Enforce that `# type: ignore` annotations always occur with specific codes. Sample annotations: `# type: ignore[attr-defined]`, `# type: ignore[attr-defined, name-defined]`'

diff --git a/README.md b/README.md
@@ -25,6 +25,7 @@ For example, a hook which targets python will be called `python-...`.
 
 [generated]: # (generated)
 - **`python-check-blanket-noqa`**: Enforce that `noqa` annotations always occur with specific codes. Sample annotations: `# noqa: F401`, `# noqa: F401,W203`
+- **`python-check-blanket-nosec`**: Enforce that `nosec` annotations always occur with specific codes. Sample annotations: `# nosec assert_used`, `# nosec B602, B607`
 - **`python-check-blanket-type-ignore`**: Enforce that `# type: ignore` annotations always occur with specific codes. Sample annotations: `# type: ignore[attr-defined]`, `# type: ignore[attr-defined, name-defined]`
 - **`python-check-mock-methods`**: Prevent common mistakes of `assert mck.not_called()`, `assert mck.called_once_with(...)` and `mck.assert_called`.
 - **`python-no-eval`**: A quick check for the `eval()` built-in function

diff --git a/tests/hooks_test.py b/tests/hooks_test.py
@@ -39,6 +39,34 @@ def test_python_use_type_annotations_negative(s):
     assert not HOOKS['python-use-type-annotations'].search(s)
 
 
+@pytest.mark.parametrize(
+    's',
+    (
+        '# nosec',
+        '# NOSEC',
+        '# nosec: ',
+        '# nosec ',
+    ),
+)
+def test_python_check_blanket_nosec_positive(s):
+    assert HOOKS['python-check-blanket-nosec'].search(s)
+
+
+@pytest.mark.parametrize(
+    's',
+    (
+        'x = 1',
+        '# nosec:B401',
+        '# nosec:B401',
+        '# nosec:B401,B203',
+        '# nosec: B401',
+        '# nosec: B401, B203',
+    ),
+)
+def test_python_check_blanket_nosec_negative(s):
+    assert not HOOKS['python-check-blanket-nosec'].search(s)
+
+
 @pytest.mark.parametrize(
     's',
     (