From 092e4e0dc54eb441afc9342e6a7e28e022951fb2 Mon Sep 17 00:00:00 2001
From: Eric Buehl
Date: Mon, 18 Sep 2023 16:13:05 -0700
Subject: [PATCH] add python-check-blanket-nosec
---
 .pre-commit-hooks.yaml | 6 ++++++
 README.md | 1 +
 tests/hooks_test.py | 28 ++++++++++++++++++++++++++++
 3 files changed, 35 insertions(+)
diff --git a/.pre-commit-hooks.yaml b/.pre-commit-hooks.yaml
index dc9dc20..da1ee88 100644
--- a/.pre-commit-hooks.yaml
+++ b/.pre-commit-hooks.yaml
@@ -4,6 +4,12 @@
 entry: '(?i)# noqa(?!: )'
 language: pygrep
 types: [python]
+- id: python-check-blanket-nosec
+ name: check blanket nosec
+ description: 'Enforce that `nosec` annotations always occur with specific codes. Sample annotations: `# nosec assert_used`, `# nosec B602, B607`'
+ entry: '(?i)#\s*nosec:?\s*(?![^#])'
+ language: pygrep
+ types: [python]
 - id: python-check-blanket-type-ignore
 name: check blanket type ignore
 description: 'Enforce that `# type: ignore` annotations always occur with specific codes. Sample annotations: `# type: ignore[attr-defined]`, `# type: ignore[attr-defined, name-defined]`'
diff --git a/README.md b/README.md
index 022e3dc..185baaf 100644
--- a/README.md
+++ b/README.md
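Review bot: The `entry` pattern for `python-check-blanket-nosec` only proves that some text follows `nosec`; it does not check that the text is a Bandit test ID or name. The lookahead `(?![^#])` fails as soon as any character other than `#` follows, so a line such as `# nosec reviewed` passes the hook. As far as I know Bandit falls back to suppressing every test when none of the trailing words resolves to a known ID or name, so such a line would still act as a blanket suppression; this is worth confirming against the Bandit version in use. I would state the limit in the `description`, for example by appending `Does not verify that the codes are valid Bandit test IDs or names.`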
@@ -25,6 +25,7 @@ For example, a hook which targets python will be called `python-...`.
 [generated]: # (generated)
 - **`python-check-blanket-noqa`**: Enforce that `noqa` annotations always occur with specific codes. Sample annotations: `# noqa: F401`, `# noqa: F401,W203`
+- **`python-check-blanket-nosec`**: Enforce that `nosec` annotations always occur with specific codes. Sample annotations: `# nosec assert_used`, `# nosec B602, B607`
 - **`python-check-blanket-type-ignore`**: Enforce that `# type: ignore` annotations always occur with specific codes. Sample annotations: `# type: ignore[attr-defined]`, `# type: ignore[attr-defined, name-defined]`
 - **`python-check-mock-methods`**: Prevent common mistakes of `assert mck.not_called()`, `assert mck.called_once_with(...)` and `mck.assert_called`.
 - **`python-no-eval`**: A quick check for the `eval()` built-in function
diff --git a/tests/hooks_test.py b/tests/hooks_test.py
index 6cee816..bc9d847 100644
--- a/tests/hooks_test.py
+++ b/tests/hooks_test.py
@@ -39,6 +39,34 @@ def test_python_use_type_annotations_negative(s):
 assert not HOOKS['python-use-type-annotations'].search(s)
+@pytest.mark.parametrize(
+ 's',
+ (
+ '# nosec',
+ '# NOSEC',
+ '# nosec: ',
+ '# nosec ',
+ ),
+)
+def test_python_check_blanket_nosec_positive(s):
+ assert HOOKS['python-check-blanket-nosec'].search(s)
+
+
+@pytest.mark.parametrize(
+ 's',
+ (
+ 'x = 1',
+ '# nosec:B401',
+ '# nosec:B401',
+ '# nosec:B401,B203',
+ '# nosec: B401',
+ '# nosec: B401, B203',
+ ),
+)
+def test_python_check_blanket_nosec_negative(s):
+ assert not HOOKS['python-check-blanket-nosec'].search(s)
+
+
 @pytest.mark.parametrize(
 's',
 (
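Review bot: The negative cases in `test_python_check_blanket_nosec_negative` cover only the colon form (`# nosec: B401`), while the samples advertised in the hook description use the space-separated form. I would add `'# nosec B602, B607',` and `'# nosec assert_used',` to the negative tuple, and `'# nosec # reason',` to the positive tuple, since the `#` branch of the lookahead is otherwise untested. `'# nosec:B401'` also appears twice in the negative tuple as shown here; if that is not an artefact of how the page was rendered, one copy can go.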