Add Pre-commit, gitleaks,codeql

[rahuldevikar761]

No description provided.

[github-actions]

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
actions/actions/checkout	4.*.*	🟢 6.4	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 5 7 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 6 branch protection is not maximal on development and all release branches Vulnerabilities 🟢 7 3 existing vulnerabilities detected SAST 🟢 8 SAST tool detected but not run on all commits
actions/actions/dependency-review-action	4.*.*	🟢 7.6	Details Check Score Reason Maintained 🟢 10 26 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 9 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review 🟢 10 all changesets reviewed Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 6 branch protection is not maximal on development and all release branches Vulnerabilities 🟢 6 4 existing vulnerabilities detected SAST 🟢 10 SAST tool is run on all commits

Scanned Files

• .github/workflows/dependency-review.yml

[Copilot]

Pull request overview

Adds repository-level developer/CI security tooling to help catch secrets and vulnerabilities earlier in the PR workflow.

Changes:

• Introduces a .pre-commit-config.yaml with gitleaks + formatting/lint hooks.
• Adds a GitHub Actions Dependency Review workflow to block risky dependency changes.
• Adds a GitHub Actions CodeQL workflow for Python static analysis.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File	Description
.pre-commit-config.yaml	Adds pre-commit hooks (gitleaks + whitespace + Python formatting/linting).
.github/workflows/dependency-review.yml	Adds Dependency Review action to gate PR dependency changes.
.github/workflows/codeql.yml	Adds scheduled + PR/push CodeQL analysis for Python.

[Copilot]

The repo’s CI standardizes on Ruff for both linting and formatting (including line-length 100). Adding Black/Isort/Flake8 hooks here will likely produce different results locally (e.g., Black’s default line length 88 and Flake8 set to 120) than what CI enforces, causing noisy diffs and inconsistent failures. Consider replacing these Python hooks with Ruff + Ruff-format pre-commit hooks (or configure them to exactly match the existing Ruff settings).

[Copilot]

deny-licenses expects SPDX license identifiers; GPL-3.0 and AGPL-3.0 are not valid SPDX IDs (e.g., use GPL-3.0-only / AGPL-3.0-only or the -or-later variants). With the current values the dependency review may not block the intended licenses.

Suggested change

	deny-licenses: GPL-3.0, AGPL-3.0
	deny-licenses: GPL-3.0-only, AGPL-3.0-only

[Copilot]

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

[Copilot]

The ruff-pre-commit hook is pinned to v0.4.4, but the workspace’s locked Ruff version is 0.15.0 (see uv.lock). This large version mismatch can cause pre-commit to format/lint differently than CI (uv run ... ruff). Please bump the hook rev to match the locked Ruff version (or otherwise align the versions) so developers see the same results locally and in CI.

[Copilot]

This workflow only runs for PRs targeting main, but the repo’s CI also targets release/* branches. If release PRs are expected, dependency review won’t run there, which weakens the intended security gate. Consider including release/* in the on.pull_request.branches list (or removing the branch filter).

Suggested change

	branches: [main]
	branches: [main, release/*]

[Copilot]

The PR title mentions adding CodeQL, but this change set only adds pre-commit configuration and a dependency-review workflow—no CodeQL workflow/config is included. Please either add the intended CodeQL setup or adjust the PR title/description to match what’s actually being introduced.