Enhancements and Migrations

.gitlab-ci.yml

@@ -2,6 +2,6 @@ variables:
   CURRENT_BRANCH_NAME: "${INFRA_BRANCH}"
 
 include:
-  - file: "/.gitlab/ci/demisto-py/.gitlab-ci.yml"
+  - file: .gitlab/ci/demisto-py/.gitlab-ci.yml
     ref: "${INFRA_BRANCH}"
     project: "${CI_PROJECT_NAMESPACE}/infra"

.pre-commit-config.yaml

@@ -0,0 +1,138 @@
+repos:
+  # --- 1. Formatters first ---
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.12.8
+    hooks:
+      - id: ruff-format
+      - id: ruff
+        args:
+          - --fix
+          - --exit-non-zero-on-fix
+          - --show-fixes
+
+  - repo: https://github.com/scop/pre-commit-shfmt
+    rev: v3.12.0-2
+    hooks:
+      - id: shfmt
+        name: format shell script
+        args: ["-i", "2", "-w"]
+
+  - repo: https://github.com/pappasam/toml-sort
+    rev: v0.24.2
+    hooks:
+      - id: toml-sort-fix
+        exclude: poetry.lock
+
+  - repo: https://github.com/hadialqattan/pycln
+    rev: v2.5.0
+    hooks:
+      - id: pycln
+        args: ["--all"]
+
+  # --- 2. Static analysis & security ---
+  - repo: https://github.com/pycqa/bandit
+    rev: 1.8.6
+    hooks:
+      - id: bandit
+        args: ["-lll"]  # , "--skip", "B101"]
+        exclude: tests/
+
+  - repo: https://github.com/pre-commit/mirrors-mypy
+    rev: v1.17.1
+    hooks:
+      - id: mypy
+        entry: mypy
+        args:
+          [
+            "--show-error-codes",
+            "--package-root",
+            "./src"
+          ]
+        types: [python]
+        additional_dependencies:
+          - mypy==1.17.1
+          - types-requests
+          - types-PyYAML
+          - types-setuptools
+          - types-tabulate
+        exclude: .*_test|test_.*|.venv
+
+  - repo: https://github.com/Yelp/detect-secrets
+    rev: v1.5.0
+    hooks:
+      # Manual hook to generate/update baseline
+      - id: detect-secrets
+        name: detect-secrets-scan
+        entry: detect-secrets scan
+        language_version: python3
+        pass_filenames: false
+        args: ["--baseline", ".secrets.baseline"]
+        stages: [manual]
+      # Automatic check for every commit
+      - id: detect-secrets
+        name: detect-secrets-check
+        args: ["--baseline", ".secrets.baseline"]
+
+  # --- 3. Generic validations ---
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v6.0.0
+    hooks:
+      - id: check-json
+      - id: check-yaml
+        exclude: .gitlab
+      - id: check-ast
+      - id: check-merge-conflict
+      - id: debug-statements
+        language_version: python3
+      - id: name-tests-test
+        files: .+_test.py$
+      - id: check-added-large-files
+        args: ["--maxkb=5120", "--enforce-all"]
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-docstring-first
+      - id: check-toml
+      - id: check-xml
+      - id: check-case-conflict
+      - id: check-symlinks
+      - id: destroyed-symlinks
+      - id: check-executables-have-shebangs
+      - id: check-shebang-scripts-are-executable
+      - id: detect-aws-credentials
+        args:
+          - '--allow-missing-credentials'
+      - id: detect-private-key
+      - id: check-illegal-windows-names
+      - id: forbid-submodules
+      - id: mixed-line-ending
+      - id: requirements-txt-fixer
+      - id: pretty-format-json
+        args:
+          - '--autofix'
+      - id: sort-simple-yaml
+
+  # --- 4. Dependency & project checks ---
+  - repo: https://github.com/python-poetry/poetry
+    rev: 1.8.2
+    hooks:
+    - id: poetry-check
+      args:
+      - --lock
+
+
+  # --- 5. Shell linting ---
+  - repo: https://github.com/koalaman/shellcheck-precommit
+    rev: v0.11.0
+    hooks:
+      - id: shellcheck
+        args: ["--severity=error"]
+
+
+  # --- 6. Extra shell style check ---
+  - repo: https://github.com/openstack/bashate
+    rev: 2.1.1
+    hooks:
+      - id: bashate
+        args:
+          - "--max-line-length=130"
+          - "--ignore=E003"  # ignore indent warnings

.secrets.baseline

@@ -0,0 +1,127 @@
+{
+  "version": "1.5.0",
+  "plugins_used": [
+    {
+      "name": "ArtifactoryDetector"
+    },
+    {
+      "name": "AWSKeyDetector"
+    },
+    {
+      "name": "AzureStorageKeyDetector"
+    },
+    {
+      "name": "Base64HighEntropyString",
+      "limit": 4.5
+    },
+    {
+      "name": "BasicAuthDetector"
+    },
+    {
+      "name": "CloudantDetector"
+    },
+    {
+      "name": "DiscordBotTokenDetector"
+    },
+    {
+      "name": "GitHubTokenDetector"
+    },
+    {
+      "name": "GitLabTokenDetector"
+    },
+    {
+      "name": "HexHighEntropyString",
+      "limit": 3.0
+    },
+    {
+      "name": "IbmCloudIamDetector"
+    },
+    {
+      "name": "IbmCosHmacDetector"
+    },
+    {
+      "name": "IPPublicDetector"
+    },
+    {
+      "name": "JwtTokenDetector"
+    },
+    {
+      "name": "KeywordDetector",
+      "keyword_exclude": ""
+    },
+    {
+      "name": "MailchimpDetector"
+    },
+    {
+      "name": "NpmDetector"
+    },
+    {
+      "name": "OpenAIDetector"
+    },
+    {
+      "name": "PrivateKeyDetector"
+    },
+    {
+      "name": "PypiTokenDetector"
+    },
+    {
+      "name": "SendGridDetector"
+    },
+    {
+      "name": "SlackDetector"
+    },
+    {
+      "name": "SoftlayerDetector"
+    },
+    {
+      "name": "SquareOAuthDetector"
+    },
+    {
+      "name": "StripeDetector"
+    },
+    {
+      "name": "TelegramBotTokenDetector"
+    },
+    {
+      "name": "TwilioKeyDetector"
+    }
+  ],
+  "filters_used": [
+    {
+      "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
+    },
+    {
+      "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
+      "min_level": 2
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_indirect_reference"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_likely_id_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_lock_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_potential_uuid"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_sequential_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_swagger_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_templated_secret"
+    }
+  ],
+  "results": {},
+  "generated_at": "2025-08-13T19:57:49Z"
+}