From 8a4ab8ba38ebe43631c2c9d19a3c08a2fa7c1b3d Mon Sep 17 00:00:00 2001
From: Mehdi Bechiri
Date: Thu, 23 Oct 2025 12:48:49 +0200
Subject: [PATCH 1/3] fix: update pre-commit stage name from deprecated 'commit' to 'pre-commit'

The pre-commit framework deprecated the 'commit' stage name in version 3.2.0, replacing it with 'pre-commit' to better align with actual git hook names. This change eliminates the deprecation warning and ensures compatibility with future versions of the pre-commit framework. No functional changes - the hook runs at the exact same point in the git workflow.
---
 .pre-commit-hooks.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.pre-commit-hooks.yaml b/.pre-commit-hooks.yaml
index a94f4a9..5f4de4d 100644
--- a/.pre-commit-hooks.yaml
+++ b/.pre-commit-hooks.yaml
@@ -5,4 +5,4 @@
 language: python
 pass_filenames: false
 always_run: true
- stages: [commit]
+ stages: [pre-commit]

From e3091e50687287e03f6a498538effee08025a653 Mon Sep 17 00:00:00 2001
From: Mehdi Bechiri
Date: Thu, 23 Oct 2025 12:55:34 +0200
Subject: [PATCH 2/3] feat: add --dependency-tree flag to display vulnerability dependency tree

Add optional --dependency-tree argument that allows users to visualize the dependency tree showing how vulnerabilities are introduced through the dependency chain. This flag is disabled by default and can be enabled when users need more detailed context about vulnerability sources.

Changes:
- Add --dependency-tree argument to parse_arguments() in trivy_scan.py
- Pass --dependency-tree flag to Trivy command when enabled
- Add comprehensive tests for the new flag
- Update README.md with configuration documentation and usage example
- All tests pass (28/28) with 94% code coverage
---
 README.md | 7 +++++++
 pre_commit_hooks/trivy_scan.py | 9 +++++++++
 tests/test_trivy_scan.py | 19 +++++++++++++++++++
 3 files changed, 35 insertions(+)

diff --git a/README.md b/README.md
index dbea39f..70eb57d 100644
--- a/README.md
+++ b/README.md
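Review bot: The new `pre-commit` stage name is only understood by pre-commit 3.2.0 and later (the version the commit message itself cites), so the hook entry should also declare that floor with `minimum_pre_commit_version: '3.2.0'`, unless it is already set earlier in the file, which lies outside this hunk. Without it an older pre-commit installation will most likely reject the hook definition with a generic schema error instead of a clear version message, and for a vulnerability-scanning hook any path that leaves the scan not running deserves a loud, explicit failure.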
@@ -105,6 +105,7 @@ The hook supports extensive configuration through command-line arguments:
 | `--timeout` | - | Timeout for the scan (e.g., 5m0s) |
 | `--ignore-unfixed` | `false` | Ignore unfixed vulnerabilities |
 | `--trivyignore` | - | Path to .trivyignore file |
+| `--dependency-tree` | `false` | Show dependency tree with vulnerabilities |
 
 ### Examples
 
@@ -144,6 +145,12 @@ The hook supports extensive configuration through command-line arguments:
 args: ['--trivyignore', '.trivyignore']
 ```
 
+**Show dependency tree:**
+```yaml
+- id: trivy-scan
+ args: ['--dependency-tree']
+```
+
 **Comprehensive configuration:**
 ```yaml
 - id: trivy-scan
diff --git a/pre_commit_hooks/trivy_scan.py b/pre_commit_hooks/trivy_scan.py
index 1fc6f4f..fa9838c 100644
--- a/pre_commit_hooks/trivy_scan.py
+++ b/pre_commit_hooks/trivy_scan.py
@@ -92,6 +92,12 @@ def parse_arguments(argv: Optional[Sequence[str]] = None) -> argparse.Namespace:
 help="Path to .trivyignore file",
 )
 
+ parser.add_argument(
+ "--dependency-tree",
+ action="store_true",
+ help="Show dependency tree with vulnerabilities",
+ )
+
 parser.add_argument(
 "trivy_args",
 nargs="*",
@@ -143,6 +149,9 @@ def run_trivy_scan(args: argparse.Namespace, scan_path: str = ".") -> int:
 if args.trivyignore:
 cmd.extend(["--ignorefile", args.trivyignore])
 
+ if args.dependency_tree:
+ cmd.append("--dependency-tree")
+
 # Add any additional arguments
 if args.trivy_args:
 cmd.extend(args.trivy_args)
diff --git a/tests/test_trivy_scan.py b/tests/test_trivy_scan.py
index cabb0ec..2556dab 100644
--- a/tests/test_trivy_scan.py
+++ b/tests/test_trivy_scan.py
@@ -37,6 +37,7 @@ def test_parse_arguments_defaults(self):
 assert args.scanners == "vuln"
 assert args.skip_db_update is False
 assert args.ignore_unfixed is False
+ assert args.dependency_tree is False
 assert args.config is None
 assert args.timeout is None
 assert args.trivyignore is None
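Review bot: The help text `help="Show dependency tree with vulnerabilities"` in the new `parser.add_argument` call omits the one caveat users will trip over: as far as Trivy's documentation goes, `--dependency-tree` only affects the default table output, so combined with a non-table `--format` (whether the hook sets one itself or a user passes it through `trivy_args`) the flag is accepted but changes nothing. Suggest `help="Show dependency tree with vulnerabilities (Trivy honours this only with table-format output)"`, with the same caveat in the README row. parse_arguments() starts and ends outside this hunk, so I cannot tell from here whether the hook sets a format of its own.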
@@ -87,6 +88,11 @@ def test_parse_arguments_with_trivyignore(self):
 args = parse_arguments(["--trivyignore", ".trivyignore"])
 assert args.trivyignore == ".trivyignore"
 
+ def test_parse_arguments_dependency_tree(self):
+ """Test parsing with dependency-tree flag."""
+ args = parse_arguments(["--dependency-tree"])
+ assert args.dependency_tree is True
+
 def test_parse_arguments_with_additional_args(self):
 """Test parsing with additional Trivy arguments."""
 args = parse_arguments(["--", "--debug", "--quiet"])
@@ -181,6 +187,19 @@ def test_run_trivy_scan_with_scanners(self, monkeypatch):
 scanners_index = call_args.index("--scanners")
 assert call_args[scanners_index + 1] == "vuln,misconfig"
 
+ def test_run_trivy_scan_with_dependency_tree(self, monkeypatch):
+ """Test Trivy scan with dependency-tree flag."""
+ mock_run = MagicMock()
+ mock_run.return_value.returncode = 0
+ monkeypatch.setattr("subprocess.run", mock_run)
+
+ args = parse_arguments(["--dependency-tree"])
+ run_trivy_scan(args)
+
+ # Verify that subprocess.run was called with dependency-tree flag
+ call_args = mock_run.call_args[0][0]
+ assert "--dependency-tree" in call_args
+
 def test_run_trivy_scan_subprocess_error(self, mock_subprocess_error):
 """Test Trivy scan with subprocess error."""
 args = parse_arguments([])

From 0305052bb66d56c5efc5caaa583cdb619eaf2a53 Mon Sep 17 00:00:00 2001
From: Mehdi Bechiri
Date: Thu, 23 Oct 2025 12:57:01 +0200
Subject: [PATCH 3/3] add to .gitignore

Signed-off-by: Mehdi Bechiri
---
 .gitignore | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.gitignore b/.gitignore
index b7faf40..1a17c43 100644
--- a/.gitignore
+++ b/.gitignore
@@ -205,3 +205,6 @@ cython_debug/
 marimo/_static/
 marimo/_lsp/
 __marimo__/
+
+.channels_cache_v2.json
+.users_cache.json
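Review bot: `test_run_trivy_scan_with_dependency_tree` only pins the positive case; nothing in this diff asserts that the command line omits `--dependency-tree` when the flag is not given, so a regression that appends it unconditionally would still pass (an existing default-command test elsewhere in the file might cover this, but it is not visible here). Add the negative counterpart beside it: `args = parse_arguments([])`, `run_trivy_scan(args)`, `assert "--dependency-tree" not in mock_run.call_args[0][0]`. The enclosing test class starts outside this hunk.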
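Review bot: The two new entries carry no comment saying what writes `.channels_cache_v2.json` and `.users_cache.json`, and nothing in this series (a Trivy pre-commit hook) suggests the project itself produces them; if they are artifacts of a personal tool they belong in the author's global excludes file (`git config core.excludesFile`) rather than the repository's `.gitignore`. If they are project-generated, add a one-line comment above them naming the producer, e.g. `# local caches written by <tool>`, since a name like `.users_cache.json` hints at data that should never be committed. Note that `.gitignore` does not untrack files already in the index; if either file was ever committed it also needs `git rm --cached`.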