Three git disasters AI shipped — and what got rotated — step 7 of 8
Build your pre-commit checklist as a function. Write
audit_repo(repo) that takes a dict describing a repo's defenses
and returns a dict with two fields:
- score: integer 0-100, higher is safer
- risks: a list of specific risk strings for every protection that is missing
The repo dict has five boolean fields. Each TRUE field adds 20 to
the score (so a fully-protected repo scores 100). Each FALSE field
appends a specific risk string to risks, in the order the fields
are listed below:
| Field | Risk string when False |
|---|---|
| has_gitignore_for_env | "no .gitignore for .env — Uber-style leak possible" |
| has_secret_scanning_hook | "no pre-commit secret scanner — credentials can ship" |
| reviewer_required_for_main | "no required reviewer on main — agent pushes land unchecked" |
| agent_can_auto_commit (False is SAFE) | inverted: this field being TRUE means risky; risk = "agent can auto-commit without diff review" |
| secrets_in_env_vars_only | "secrets not enforced env-only — inline creds are still possible" |
Note the inversion on agent_can_auto_commit: it's the only field
where True is the unsafe value. Score 20 when it's False; add the
risk when it's True.
Two repos run. Expected output:
ai-startup-repo: {'score': 60, 'risks': ['no pre-commit secret scanner — credentials can ship', 'agent can auto-commit without diff review']}
legacy-monorepo: {'score': 0, 'risks': ['no .gitignore for .env — Uber-style leak possible', 'no pre-commit secret scanner — credentials can ship', 'no required reviewer on main — agent pushes land unchecked', 'agent can auto-commit without diff review', 'secrets not enforced env-only — inline creds are still possible']}
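One way to implement the audit_repo(repo) spec above, as an added example rather than the course's reference solution. The two sample repo dicts are constructed here (the page gives only the expected output), chosen so they reproduce the ai-startup-repo and legacy-monorepo results.

```python
# (field, unsafe_value, risk string), in the order the table lists the fields.
# agent_can_auto_commit is the inverted field: True is the unsafe value.
CHECKS = [
    ("has_gitignore_for_env", False,
     "no .gitignore for .env — Uber-style leak possible"),
    ("has_secret_scanning_hook", False,
     "no pre-commit secret scanner — credentials can ship"),
    ("reviewer_required_for_main", False,
     "no required reviewer on main — agent pushes land unchecked"),
    ("agent_can_auto_commit", True,
     "agent can auto-commit without diff review"),
    ("secrets_in_env_vars_only", False,
     "secrets not enforced env-only — inline creds are still possible"),
]

def audit_repo(repo):
    """+20 per safe field; one risk string, in table order, per unsafe field."""
    score = 0
    risks = []
    for field, unsafe_value, risk in CHECKS:
        if repo[field] == unsafe_value:
            risks.append(risk)
        else:
            score += 20
    return {"score": score, "risks": risks}

# Constructed inputs (not given on the page) that reproduce the expected output.
SAMPLE_REPOS = {
    "ai-startup-repo": {
        "has_gitignore_for_env": True,
        "has_secret_scanning_hook": False,
        "reviewer_required_for_main": True,
        "agent_can_auto_commit": True,
        "secrets_in_env_vars_only": True,
    },
    "legacy-monorepo": {
        "has_gitignore_for_env": False,
        "has_secret_scanning_hook": False,
        "reviewer_required_for_main": False,
        "agent_can_auto_commit": True,
        "secrets_in_env_vars_only": False,
    },
}

if __name__ == "__main__":
    for name, repo in SAMPLE_REPOS.items():
        print(f"{name}: {audit_repo(repo)}")
```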