add pre-commit and replace black with ruff-format

.github/workflows/bump-version.yml

@@ -7,7 +7,7 @@ jobs:
   bump-version:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
         with:
           ref: master
 
@@ -20,11 +20,11 @@ jobs:
           git config --local user.name "GitHub Action"
           git fetch --tags
           git pull origin master
-          latest_tag=$(git describe --tags `git rev-list --tags --max-count=1`)
+          latest_tag=$(git describe --tags "$(git rev-list --tags --max-count=1)")
           echo "latest tag: $latest_tag"
-          new_tag=$(echo $latest_tag | awk -F. -v a="$1" -v b="$2" -v c="$3" '{printf("%d.%d.%d", $1+a, $2+b , $3+1)}')
+          new_tag=$(echo "$latest_tag" | awk -F. -v a="$1" -v b="$2" -v c="$3" '{printf("%d.%d.%d", $1+a, $2+b , $3+1)}')
           echo "new tag: $new_tag"
 
-          printf "# pylint: disable=missing-module-docstring\n__version__ = '$new_tag'\n""" > $version_file
+          printf "# pylint: disable=missing-module-docstring\n__version__ = \"%s\"\n""" "$new_tag" > $version_file
           git commit -m "Bump to ${new_tag}"  $version_file || echo "No changes to commit"
           git push origin

.github/workflows/nodejs-test.yml

@@ -18,7 +18,7 @@ jobs:
         node-version: ['16.x']
 
     steps:
-    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
     - name: Use Node.js ${{ matrix.node-version }}
       uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d #  v3.8.1
       with:

.github/workflows/publish.yml

@@ -11,10 +11,10 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
 
       - name: Setup Python
-        uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
+        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v5.1.1
         with:
           python-version: '3.8'
 
@@ -41,9 +41,9 @@ jobs:
     needs: test
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
       - name: Set up Python
-        uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
+        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v5.1.1
         with:
           python-version: '3.8'
 
@@ -68,9 +68,9 @@ jobs:
     needs: publish-package
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
       - name: Set up Python
-        uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
+        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v5.1.1
         with:
           python-version: '3.8'
       - name: publish brew
@@ -82,9 +82,9 @@ jobs:
           pip install cloudsplaining -U
           git fetch origin
           git checkout --track origin/master
-          latest_tag=$(git describe --tags `git rev-list --tags --max-count=1`)
+          latest_tag=$(git describe --tags "$(git rev-list --tags --max-count=1)")
           echo "latest tag: $latest_tag"
-          git pull origin $latest_tag
+          git pull origin "$latest_tag"
           poet -f cloudsplaining > HomebrewFormula/cloudsplaining.rb
           git add .
           git commit -m "update brew formula" cloudsplaining/bin/version.py HomebrewFormula/cloudsplaining.rb || echo "No brew changes to commit"
@@ -94,7 +94,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: update-brew
     steps:
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
         with:
           ref: master
 
@@ -107,11 +107,11 @@ jobs:
           git config --local user.name "GitHub Action"
           git fetch --tags
           git pull origin master
-          latest_tag=$(git describe --tags `git rev-list --tags --max-count=1`)
+          latest_tag=$(git describe --tags "$(git rev-list --tags --max-count=1)")
           echo "latest tag: $latest_tag"
-          new_tag=$(echo $latest_tag | awk -F. -v a="$1" -v b="$2" -v c="$3" '{printf("%d.%d.%d", $1+a, $2+b , $3+1)}')
+          new_tag=$(echo "$latest_tag" | awk -F. -v a="$1" -v b="$2" -v c="$3" '{printf("%d.%d.%d", $1+a, $2+b , $3+1)}')
           echo "new tag: $new_tag"
 
-          printf "# pylint: disable=missing-module-docstring\n__version__ = '$new_tag'""" > $version_file
+          printf "# pylint: disable=missing-module-docstring\n__version__ = \"%s\"\n""" "$new_tag" > $version_file
           git commit -m "Bump to ${new_tag}"  $version_file || echo "No changes to commit"
           git push origin

.github/workflows/python-dependency-updater.yml

@@ -10,16 +10,16 @@ jobs:
   python-dependency-updater:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
 
       - name: Setup Python
-        uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
+        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v5.1.1
         with:
           python-version: '3.8'
 
       - name: Run Pyup.io Dependency updater
         run: |
           pip install pyupio
           pip install -r requirements.txt
-          default_branch=`git remote show origin | grep 'HEAD branch' | cut -d' ' -f5`
-          pyup --provider github --provider_url https://api.github.com --repo=$GITHUB_REPOSITORY --user-token=${{ secrets.PYUP_GITHUB_ACCESS_TOKEN }} --branch $default_branch --initial
+          default_branch=$(git remote show origin | grep 'HEAD branch' | cut -d' ' -f5)
+          pyup --provider github --provider_url https://api.github.com --repo="$GITHUB_REPOSITORY" --user-token=${{ secrets.PYUP_GITHUB_ACCESS_TOKEN }} --branch "$default_branch" --initial

.github/workflows/security.yml

@@ -11,7 +11,7 @@ jobs:
   detect-secrets:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
       - name: detect secrets
         uses: edplato/trufflehog-actions-scan@c36ff9abf0af8290ef23b1b45a36e75c742dd1d8 # v0.9l-beta
         with:

.github/workflows/test.yml

@@ -9,14 +9,24 @@ on:
   pull_request:
 
 jobs:
-  test:
+  pre-commit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
+      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v5.1.1
+        with:
+          python-version: '3.8' # needed for 'pyupgrade'
+      - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd  # v3.0.1
+
+  ci:
+    needs: pre-commit
     runs-on: ubuntu-latest
     timeout-minutes: 15
     steps:
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
 
       - name: Setup Python
-        uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
+        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v5.1.1
         with:
           python-version: '3.8'
 
@@ -38,6 +48,7 @@ jobs:
           make type-check
 
   python-version:
+    needs: pre-commit
     if: github.event_name == 'pull_request'
     runs-on: ubuntu-latest
     timeout-minutes: 15
@@ -46,8 +57,8 @@ jobs:
       matrix:
         python: ['3.9', '3.10', '3.11', '3.12', '3.13']
     steps:
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
-      - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
+      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v5.1.1
         with:
           python-version: ${{ matrix.python }}
           allow-prereleases: true

.github/workflows/update-bundle-report.yml

@@ -10,10 +10,10 @@ jobs:
   update:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
 
       - name: Setup python
-        uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
+        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v5.1.1
         with:
           python-version: '3.8'
 

.pre-commit-config.yaml

@@ -0,0 +1,9 @@
+repos:
+  - repo: https://github.com/rhysd/actionlint
+    rev: v1.7.1
+    hooks:
+      - id: actionlint-docker
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.5.3
+    hooks:
+      - id: ruff-format

Makefile

@@ -57,10 +57,6 @@ test: setup-dev
 security-test: setup-dev
 	bandit -r ./${PROJECT_UNDERSCORE}/
 
-# Auto format your python files
-fmt: setup-dev
-	black ${PROJECT_UNDERSCORE}/
-
 # Run Pylint to lint your code
 lint: setup-dev
 	pylint ${PROJECT_UNDERSCORE}/

cloudsplaining/bin/cli.py

@@ -5,8 +5,9 @@
 # For full license text, see the LICENSE file in the repo root
 # or https://opensource.org/licenses/BSD-3-Clause
 """
-    Cloudsplaining is an AWS IAM Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report with a triage worksheet.
+Cloudsplaining is an AWS IAM Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report with a triage worksheet.
 """
+
 import click
 from cloudsplaining import command
 from cloudsplaining.bin.version import __version__
@@ -21,9 +22,7 @@ def cloudsplaining() -> None:
 
 
 cloudsplaining.add_command(command.create_exclusions_file.create_exclusions_file)
-cloudsplaining.add_command(
-    command.create_multi_account_config_file.create_multi_account_config_file
-)
+cloudsplaining.add_command(command.create_multi_account_config_file.create_multi_account_config_file)
 cloudsplaining.add_command(command.expand_policy.expand_policy)
 cloudsplaining.add_command(command.scan.scan)
 cloudsplaining.add_command(command.scan_multi_account.scan_multi_account)

cloudsplaining/command/create_exclusions_file.py

@@ -48,6 +48,4 @@ def create_exclusions_file(output_file: str, verbosity: int) -> None:
     )
     print("\tcloudsplaining download")
     print("You can use this with the scan command as shown below: ")
-    print(
-        "\tcloudsplaining scan --exclusions-file exclusions.yml --input-file default.json"
-    )
+    print("\tcloudsplaining scan --exclusions-file exclusions.yml --input-file default.json")

cloudsplaining/command/create_multi_account_config_file.py

@@ -41,17 +41,13 @@ def create_multi_account_config_file(output_file: str, verbosity: int) -> None:
     set_log_level(verbosity)
 
     if os.path.exists(output_file):
-        logger.debug(
-            "%s exists. Removing the file and replacing its contents.", output_file
-        )
+        logger.debug("%s exists. Removing the file and replacing its contents.", output_file)
         os.remove(output_file)
 
     with open(output_file, "a") as file_obj:
         for line in MULTI_ACCOUNT_CONFIG_TEMPLATE:
             file_obj.write(line)
-    utils.print_green(
-        f"Success! Multi-account config file written to: {os.path.relpath(output_file)}"
-    )
+    utils.print_green(f"Success! Multi-account config file written to: {os.path.relpath(output_file)}")
     print(
         f"\nMake sure you edit the {os.path.relpath(output_file)} file and then run the scan-multi-account command, as shown below."
     )

cloudsplaining/command/download.py

@@ -1,5 +1,5 @@
 """Runs aws iam get-authorization-details on all accounts specified in the aws credentials file, and stores them in
-account-alias.json """
+account-alias.json"""
 
 # Copyright (c) 2020, salesforce.com, inc.
 # All rights reserved.
@@ -51,9 +51,7 @@
     help="When downloading AWS managed policy documents, also include the non-default policy versions. Note that this will dramatically increase the size of the downloaded file.",
 )
 @click.option("-v", "--verbose", "verbosity", help="Log verbosity level.", count=True)
-def download(
-    profile: str, output: str, include_non_default_policy_versions: bool, verbosity: int
-) -> int:
+def download(profile: str, output: str, include_non_default_policy_versions: bool, verbosity: int) -> int:
     """
     Runs aws iam get-authorization-details on all accounts specified in the aws credentials file, and stores them in
     account-alias.json
@@ -69,9 +67,7 @@ def download(
     else:
         output_filename = os.path.join(output, "default.json")
 
-    results = get_account_authorization_details(
-        session_data, include_non_default_policy_versions
-    )
+    results = get_account_authorization_details(session_data, include_non_default_policy_versions)
     with open(output_filename, "w") as f:
         json.dump(results, f, indent=4, default=str)
     # output_filename.write_text(json.dumps(results, indent=4, default=str))
@@ -119,9 +115,7 @@ def get_account_authorization_details(
                 else:
                     policy_version_list = []
                     for policy_version in policy.get("PolicyVersionList") or []:
-                        if policy_version.get("VersionId") == policy.get(
-                            "DefaultVersionId"
-                        ):
+                        if policy_version.get("VersionId") == policy.get("DefaultVersionId"):
                             policy_version_list.append(policy_version)
                             break
                     entry = {
@@ -131,9 +125,7 @@ def get_account_authorization_details(
                         "Path": policy.get("Path"),
                         "DefaultVersionId": policy.get("DefaultVersionId"),
                         "AttachmentCount": policy.get("AttachmentCount"),
-                        "PermissionsBoundaryUsageCount": policy.get(
-                            "PermissionsBoundaryUsageCount"
-                        ),
+                        "PermissionsBoundaryUsageCount": policy.get("PermissionsBoundaryUsageCount"),
                         "IsAttachable": policy.get("IsAttachable"),
                         "CreateDate": policy.get("CreateDate"),
                         "UpdateDate": policy.get("UpdateDate"),

cloudsplaining/command/expand_policy.py

@@ -16,9 +16,7 @@
 logger = logging.getLogger(__name__)
 
 
-@click.command(
-    short_help="Expand the * Actions in IAM policy files to improve readability"
-)
+@click.command(short_help="Expand the * Actions in IAM policy files to improve readability")
 @click.option(
     "-i",
     "--input-file",