feat: Trivy Pre-Commit Hook with Security Scanning

.gitignore

@@ -205,3 +205,6 @@ cython_debug/
 marimo/_static/
 marimo/_lsp/
 __marimo__/
+
+.channels_cache_v2.json
+.users_cache.json

.pre-commit-hooks.yaml

@@ -5,4 +5,4 @@
   language: python
   pass_filenames: false
   always_run: true
-  stages: [commit]
+  stages: [pre-commit]

README.md

@@ -105,6 +105,7 @@ The hook supports extensive configuration through command-line arguments:
 | `--timeout` | - | Timeout for the scan (e.g., 5m0s) |
 | `--ignore-unfixed` | `false` | Ignore unfixed vulnerabilities |
 | `--trivyignore` | - | Path to .trivyignore file |
+| `--dependency-tree` | `false` | Show dependency tree with vulnerabilities |
 
 ### Examples
 
@@ -144,6 +145,12 @@ The hook supports extensive configuration through command-line arguments:
   args: ['--trivyignore', '.trivyignore']
 ```
 
+**Show dependency tree:**
+```yaml
+- id: trivy-scan
+  args: ['--dependency-tree']
+```
+
 **Comprehensive configuration:**
 ```yaml
 - id: trivy-scan

pre_commit_hooks/trivy_scan.py

@@ -92,6 +92,12 @@ def parse_arguments(argv: Optional[Sequence[str]] = None) -> argparse.Namespace:
         help="Path to .trivyignore file",
     )
 
+    parser.add_argument(
+        "--dependency-tree",
+        action="store_true",
+        help="Show dependency tree with vulnerabilities",
+    )
+
     parser.add_argument(
         "trivy_args",
         nargs="*",
@@ -143,6 +149,9 @@ def run_trivy_scan(args: argparse.Namespace, scan_path: str = ".") -> int:
     if args.trivyignore:
         cmd.extend(["--ignorefile", args.trivyignore])
 
+    if args.dependency_tree:
+        cmd.append("--dependency-tree")
+
     # Add any additional arguments
     if args.trivy_args:
         cmd.extend(args.trivy_args)

tests/test_trivy_scan.py

@@ -37,6 +37,7 @@ def test_parse_arguments_defaults(self):
         assert args.scanners == "vuln"
         assert args.skip_db_update is False
         assert args.ignore_unfixed is False
+        assert args.dependency_tree is False
         assert args.config is None
         assert args.timeout is None
         assert args.trivyignore is None
@@ -87,6 +88,11 @@ def test_parse_arguments_with_trivyignore(self):
         args = parse_arguments(["--trivyignore", ".trivyignore"])
         assert args.trivyignore == ".trivyignore"
 
+    def test_parse_arguments_dependency_tree(self):
+        """Test parsing with dependency-tree flag."""
+        args = parse_arguments(["--dependency-tree"])
+        assert args.dependency_tree is True
+
     def test_parse_arguments_with_additional_args(self):
         """Test parsing with additional Trivy arguments."""
         args = parse_arguments(["--", "--debug", "--quiet"])
@@ -181,6 +187,19 @@ def test_run_trivy_scan_with_scanners(self, monkeypatch):
         scanners_index = call_args.index("--scanners")
         assert call_args[scanners_index + 1] == "vuln,misconfig"
 
+    def test_run_trivy_scan_with_dependency_tree(self, monkeypatch):
+        """Test Trivy scan with dependency-tree flag."""
+        mock_run = MagicMock()
+        mock_run.return_value.returncode = 0
+        monkeypatch.setattr("subprocess.run", mock_run)
+
+        args = parse_arguments(["--dependency-tree"])
+        run_trivy_scan(args)
+
+        # Verify that subprocess.run was called with dependency-tree flag
+        call_args = mock_run.call_args[0][0]
+        assert "--dependency-tree" in call_args
+
     def test_run_trivy_scan_subprocess_error(self, mock_subprocess_error):
         """Test Trivy scan with subprocess error."""
         args = parse_arguments([])