diff --git a/.gitignore b/.gitignore
index b7faf40..1a17c43 100644
--- a/.gitignore
+++ b/.gitignore
@@ -205,3 +205,6 @@ cython_debug/
 marimo/_static/
 marimo/_lsp/
 __marimo__/
+
+.channels_cache_v2.json
+.users_cache.json
diff --git a/.pre-commit-hooks.yaml b/.pre-commit-hooks.yaml
index a94f4a9..5f4de4d 100644
--- a/.pre-commit-hooks.yaml
+++ b/.pre-commit-hooks.yaml
@@ -5,4 +5,4 @@
   language: python
   pass_filenames: false
   always_run: true
-  stages: [commit]
+  stages: [pre-commit]
diff --git a/README.md b/README.md
index dbea39f..70eb57d 100644
--- a/README.md
+++ b/README.md
@@ -105,6 +105,7 @@ The hook supports extensive configuration through command-line arguments:
 | `--timeout` | - | Timeout for the scan (e.g., 5m0s) |
 | `--ignore-unfixed` | `false` | Ignore unfixed vulnerabilities |
 | `--trivyignore` | - | Path to .trivyignore file |
+| `--dependency-tree` | `false` | Show dependency tree with vulnerabilities |
 
 ### Examples
 
@@ -144,6 +145,12 @@ The hook supports extensive configuration through command-line arguments:
   args: ['--trivyignore', '.trivyignore']
 ```
 
+**Show dependency tree:**
+```yaml
+- id: trivy-scan
+  args: ['--dependency-tree']
+```
+
 **Comprehensive configuration:**
 ```yaml
 - id: trivy-scan
diff --git a/pre_commit_hooks/trivy_scan.py b/pre_commit_hooks/trivy_scan.py
index 1fc6f4f..fa9838c 100644
--- a/pre_commit_hooks/trivy_scan.py
+++ b/pre_commit_hooks/trivy_scan.py
@@ -92,6 +92,12 @@ def parse_arguments(argv: Optional[Sequence[str]] = None) -> argparse.Namespace:
         help="Path to .trivyignore file",
     )
 
+    parser.add_argument(
+        "--dependency-tree",
+        action="store_true",
+        help="Show dependency tree with vulnerabilities",
+    )
+
     parser.add_argument(
         "trivy_args",
         nargs="*",
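Review bot: The new `stages: [pre-commit]` value is only understood by pre-commit 3.2.0 and later; older clients reject unknown stage names, and nothing in this hunk declares that floor. Add `minimum_pre_commit_version: '3.2.0'` to the hook definition so users on an older pre-commit get a clear error instead of a config validation failure.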
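Review bot: The help string `help="Show dependency tree with vulnerabilities"` omits the main caveat of Trivy's `--dependency-tree`: as far as the Trivy docs go, the tree is rendered only in table output and is an experimental flag, so anyone combining it with a `--format json`/`--format sarif` pass-through sees no tree and no explanation. Suggest `help="Show dependency tree with vulnerabilities (Trivy table output only; experimental)"` so the limitation is visible in `--help`, and the same caveat belongs in the README table row added in this commit. The enclosing parse_arguments body starts and ends outside this hunk.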
@@ -143,6 +149,9 @@ def run_trivy_scan(args: argparse.Namespace, scan_path: str = ".") -> int:
     if args.trivyignore:
         cmd.extend(["--ignorefile", args.trivyignore])
 
+    if args.dependency_tree:
+        cmd.append("--dependency-tree")
+
     # Add any additional arguments
     if args.trivy_args:
         cmd.extend(args.trivy_args)
diff --git a/tests/test_trivy_scan.py b/tests/test_trivy_scan.py
index cabb0ec..2556dab 100644
--- a/tests/test_trivy_scan.py
+++ b/tests/test_trivy_scan.py
@@ -37,6 +37,7 @@ def test_parse_arguments_defaults(self):
         assert args.scanners == "vuln"
         assert args.skip_db_update is False
         assert args.ignore_unfixed is False
+        assert args.dependency_tree is False
         assert args.config is None
         assert args.timeout is None
         assert args.trivyignore is None
@@ -87,6 +88,11 @@ def test_parse_arguments_with_trivyignore(self):
         args = parse_arguments(["--trivyignore", ".trivyignore"])
         assert args.trivyignore == ".trivyignore"
 
+    def test_parse_arguments_dependency_tree(self):
+        """Test parsing with dependency-tree flag."""
+        args = parse_arguments(["--dependency-tree"])
+        assert args.dependency_tree is True
+
     def test_parse_arguments_with_additional_args(self):
         """Test parsing with additional Trivy arguments."""
         args = parse_arguments(["--", "--debug", "--quiet"])
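Review bot: `cmd.append("--dependency-tree")` is forwarded unconditionally, including when the caller's `trivy_args` (extended a few lines below) or a Trivy config file selects a non-table `--format`, in which case Trivy silently drops the tree; a maintainer reading this branch later has no hint why the option sometimes does nothing. A short why-comment above the append would capture that, e.g. `# Trivy only renders the tree in table output; json/sarif ignore the flag`. Whether the hook validates the user's format elsewhere cannot be seen from this hunk, and run_trivy_scan's body begins and ends outside it.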
@@ -181,6 +187,19 @@ def test_run_trivy_scan_with_scanners(self, monkeypatch):
         scanners_index = call_args.index("--scanners")
         assert call_args[scanners_index + 1] == "vuln,misconfig"
 
+    def test_run_trivy_scan_with_dependency_tree(self, monkeypatch):
+        """Test Trivy scan with dependency-tree flag."""
+        mock_run = MagicMock()
+        mock_run.return_value.returncode = 0
+        monkeypatch.setattr("subprocess.run", mock_run)
+
+        args = parse_arguments(["--dependency-tree"])
+        run_trivy_scan(args)
+
+        # Verify that subprocess.run was called with dependency-tree flag
+        call_args = mock_run.call_args[0][0]
+        assert "--dependency-tree" in call_args
+
     def test_run_trivy_scan_subprocess_error(self, mock_subprocess_error):
         """Test Trivy scan with subprocess error."""
         args = parse_arguments([])
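Review bot: The new test only checks the positive path, `assert "--dependency-tree" in call_args`; nothing verifies that the flag is absent when it was not requested, so a regression that always appends it would still pass the suite. Add the negative case in the same test (or a sibling), e.g. `run_trivy_scan(parse_arguments([]))` followed by `assert "--dependency-tree" not in mock_run.call_args[0][0]`. It would also be worth asserting the flag appears exactly once, `assert call_args.count("--dependency-tree") == 1`, since extra `trivy_args` are appended to the same list.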