Add pre-commit hooks for code quality and security checks

.gitignore

@@ -160,3 +160,7 @@ cython_debug/
 #  and can be added to the global gitignore or merged into this file.  For a more nuclear
 #  option (not recommended) you can uncomment the following to ignore the entire idea folder.
 #.idea/
+
+# Pre-commit and security tools
+bandit-report.json
+.secrets.baseline

.pre-commit-config.yaml

@@ -0,0 +1,51 @@
+repos:
+  # Code formatting
+  - repo: https://github.com/psf/black
+    rev: 25.1.0
+    hooks:
+      - id: black
+        language_version: python3
+        args: [--line-length=88]
+
+  # Import sorting
+  - repo: https://github.com/pycqa/isort
+    rev: 6.0.1
+    hooks:
+      - id: isort
+        args: [--profile=black, --line-length=88]
+
+  # Linting
+  - repo: https://github.com/pycqa/flake8
+    rev: 7.3.0
+    hooks:
+      - id: flake8
+
+  # Security checks
+  - repo: https://github.com/PyCQA/bandit
+    rev: 1.8.5
+    hooks:
+      - id: bandit
+        args: [-f, json, -o, bandit-report.json]
+        exclude: ^tests/
+
+  # Check for merge conflicts
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+      - id: check-merge-conflict
+      - id: check-yaml
+      - id: check-added-large-files
+      - id: check-ast
+      - id: check-json
+      - id: debug-statements
+      - id: end-of-file-fixer
+      - id: trailing-whitespace
+      - id: check-docstring-first
+      - id: check-case-conflict
+
+  # Check for secrets in code
+  - repo: https://github.com/Yelp/detect-secrets
+    rev: v1.5.0
+    hooks:
+      - id: detect-secrets
+        args: [--baseline, .secrets.baseline]

Makefile

@@ -9,6 +9,10 @@ help:
 	@echo "  all                      - run requirements, lint, test, and build"
 	@echo "  requirements             - install runtime dependencies"
 	@echo "  development-requirements - install development dependencies"
+	@echo "  pre-commit-install       - install pre-commit hooks"
+	@echo "  pre-commit-update        - update pre-commit hooks"
+	@echo "  pre-commit-run           - run pre-commit on all files"
+	@echo "  pre-commit-clean         - remove pre-commit hooks"
 	@echo "  lint                     - run flake8, pylint, black, and isort checks"
 	@echo "  black                    - format code with black"
 	@echo "  isort                    - sort imports with isort"
@@ -21,9 +25,18 @@ all: requirements lint test build
 development-requirements: requirements
 	pip install --quiet --upgrade --requirement development-requirements.txt
 
-requirements:
-	pip install --upgrade pip
-	pip install --quiet --upgrade --requirement requirements.txt
+pre-commit-install: development-requirements
+	pre-commit install
+
+pre-commit-update: development-requirements
+	pre-commit autoupdate
+	$(MAKE) pre-commit-run
+
+pre-commit-run: development-requirements
+	pre-commit run --all-files
+
+x_pre-commit-clean:
+	pre-commit uninstall
 
 lint:
 	flake8 --ignore=E501,E231 *.py
@@ -51,4 +64,4 @@ clean:
 	@rm -rf ./__pycache__ ./tests/__pycache__
 	@rm -f .*~ *.pyc
 
-.PHONY: help requirements lint black isort test build clean development-requirements
+.PHONY: help requirements lint black isort test build clean development-requirements pre-commit-install pre-commit-run pre-commit-clean

README.md

@@ -1,2 +1,50 @@
 # python-container-template
+
 A template repo for container-ized Python applications.
+
+## Development Setup
+
+This template includes pre-commit hooks for code quality and security checks. To set up the development environment:
+
+1. Install development dependencies:
+
+   ```bash
+   make development-requirements
+   ```
+
+2. Install pre-commit hooks:
+
+   ```bash
+   make pre-commit-install
+   ```
+
+3. Run pre-commit on all files (optional):
+
+   ```bash
+   make pre-commit-run
+   ```
+
+## Pre-commit Hooks
+
+The following hooks are configured to run automatically on commit:
+
+- **Black**: Code formatting with consistent style
+- **isort**: Import sorting and organization
+- **flake8**: Linting for code quality
+- **bandit**: Security vulnerability scanning
+- **detect-secrets**: Secret detection in code
+- **pre-commit-hooks**: Various checks including:
+  - Merge conflict detection
+  - YAML/JSON validation
+  - Large file detection
+  - Trailing whitespace removal
+  - End-of-file fixes
+
+## Available Make Targets
+
+- `make development-requirements` - Install development dependencies
+- `make pre-commit-install` - Install pre-commit hooks
+- `make pre-commit-run` - Run pre-commit on all files
+- `make pre-commit-clean` - Remove pre-commit hooks
+- `make lint` - Run linting tools manually
+- `make fmt` - Format code with black and isort

development-requirements.txt

@@ -3,3 +3,5 @@ flake8
 pylint
 black
 isort
+pre-commit
+bandit