feat: removed warnings and add --dependency-tree option (#4)

cebidhem · web-flow · commit d348054fa0f7 · 2025-10-23T04:07:14.000-07:00
* fix: update pre-commit stage name from deprecated 'commit' to 'pre-commit'

The pre-commit framework deprecated the 'commit' stage name in version 3.2.0,
replacing it with 'pre-commit' to better align with actual git hook names.

This change eliminates the deprecation warning and ensures compatibility with
future versions of the pre-commit framework. No functional changes - the hook
runs at the exact same point in the git workflow.

* feat: add --dependency-tree flag to display vulnerability dependency tree

Add optional --dependency-tree argument that allows users to visualize
the dependency tree showing how vulnerabilities are introduced through
the dependency chain. This flag is disabled by default and can be enabled
when users need more detailed context about vulnerability sources.

Changes:
- Add --dependency-tree argument to parse_arguments() in trivy_scan.py
- Pass --dependency-tree flag to Trivy command when enabled
- Add comprehensive tests for the new flag
- Update README.md with configuration documentation and usage example
- All tests pass (28/28) with 94% code coverage

* add to .gitignore

Signed-off-by: Mehdi Bechiri &lt;cebidhem@pm.me&gt;

---------

Signed-off-by: Mehdi Bechiri &lt;cebidhem@pm.me&gt;
diff --git a/.gitignore b/.gitignore
@@ -205,3 +205,6 @@ cython_debug/
 marimo/_static/
 marimo/_lsp/
 __marimo__/
+
+.channels_cache_v2.json
+.users_cache.json
diff --git a/.pre-commit-hooks.yaml b/.pre-commit-hooks.yaml
@@ -5,4 +5,4 @@
   language: python
   pass_filenames: false
   always_run: true
-  stages: [commit]
+  stages: [pre-commit]
diff --git a/README.md b/README.md
@@ -105,6 +105,7 @@ The hook supports extensive configuration through command-line arguments:
 | `--timeout` | - | Timeout for the scan (e.g., 5m0s) |
 | `--ignore-unfixed` | `false` | Ignore unfixed vulnerabilities |
 | `--trivyignore` | - | Path to .trivyignore file |
+| `--dependency-tree` | `false` | Show dependency tree with vulnerabilities |
 
 ### Examples
 
@@ -144,6 +145,12 @@ The hook supports extensive configuration through command-line arguments:
   args: ['--trivyignore', '.trivyignore']
 ```
 
+**Show dependency tree:**
+```yaml
+- id: trivy-scan
+  args: ['--dependency-tree']
+```
+
 **Comprehensive configuration:**
 ```yaml
 - id: trivy-scan
diff --git a/pre_commit_hooks/trivy_scan.py b/pre_commit_hooks/trivy_scan.py
@@ -92,6 +92,12 @@ def parse_arguments(argv: Optional[Sequence[str]] = None) -> argparse.Namespace:
         help="Path to .trivyignore file",
     )
 
+    parser.add_argument(
+        "--dependency-tree",
+        action="store_true",
+        help="Show dependency tree with vulnerabilities",
+    )
+
     parser.add_argument(
         "trivy_args",
         nargs="*",
@@ -143,6 +149,9 @@ def run_trivy_scan(args: argparse.Namespace, scan_path: str = ".") -> int:
     if args.trivyignore:
         cmd.extend(["--ignorefile", args.trivyignore])
 
+    if args.dependency_tree:
+        cmd.append("--dependency-tree")
+
     # Add any additional arguments
     if args.trivy_args:
         cmd.extend(args.trivy_args)
diff --git a/tests/test_trivy_scan.py b/tests/test_trivy_scan.py
@@ -37,6 +37,7 @@ def test_parse_arguments_defaults(self):
         assert args.scanners == "vuln"
         assert args.skip_db_update is False
         assert args.ignore_unfixed is False
+        assert args.dependency_tree is False
         assert args.config is None
         assert args.timeout is None
         assert args.trivyignore is None
@@ -87,6 +88,11 @@ def test_parse_arguments_with_trivyignore(self):
         args = parse_arguments(["--trivyignore", ".trivyignore"])
         assert args.trivyignore == ".trivyignore"
 
+    def test_parse_arguments_dependency_tree(self):
+        """Test parsing with dependency-tree flag."""
+        args = parse_arguments(["--dependency-tree"])
+        assert args.dependency_tree is True
+
     def test_parse_arguments_with_additional_args(self):
         """Test parsing with additional Trivy arguments."""
         args = parse_arguments(["--", "--debug", "--quiet"])
@@ -181,6 +187,19 @@ def test_run_trivy_scan_with_scanners(self, monkeypatch):
         scanners_index = call_args.index("--scanners")
         assert call_args[scanners_index + 1] == "vuln,misconfig"
 
+    def test_run_trivy_scan_with_dependency_tree(self, monkeypatch):
+        """Test Trivy scan with dependency-tree flag."""
+        mock_run = MagicMock()
+        mock_run.return_value.returncode = 0
+        monkeypatch.setattr("subprocess.run", mock_run)
+
+        args = parse_arguments(["--dependency-tree"])
+        run_trivy_scan(args)
+
+        # Verify that subprocess.run was called with dependency-tree flag
+        call_args = mock_run.call_args[0][0]
+        assert "--dependency-tree" in call_args
+
     def test_run_trivy_scan_subprocess_error(self, mock_subprocess_error):
         """Test Trivy scan with subprocess error."""
         args = parse_arguments([])
