New check: uses frozen pre-commit hooks in pre-commit configuration file

[agriyakhetarpal]

It would be great to have a check for hooks that are not pinned to their SHAs, as that is a potential attack vector, just like GitHub Actions.

I would be willing to contribute such a hook (though, unsure how soon).

[henryiii]

It's also possible to attack via fake SHAs to a fork repository. I'd actually argue that's easier, as you don't need access to the parent repository, just an innocent looking update that lies in the (unchecked) comment about what tag it's associated to. The recent prek PR j178/prek#1896 would help, but you'd have to have some sort of tool checking it (like a potential addition to zizmor?). See zizmorcore/zizmor#1799.

I'm not sure we should check this here, I'm thinking we possibly should instead try to get this into zizmor, then add a zizmor check here. See #761.