
@cebidhem (Owner)

Summary

This PR implements a comprehensive Python-based pre-commit hook that integrates Trivy security scanning to detect vulnerabilities in codebases before commits are finalized.

Key Features

  • 🔒 Automatic security scanning before every commit
  • 🎯 Highly configurable with support for severity levels, multiple scanners, and output formats
  • Performance optimized with optional database update skipping
  • 🧪 Well-tested with 93% code coverage and 26 passing tests
  • 🐍 Modern Python implementation (3.9+) with type hints
  • 📝 Comprehensive documentation with usage examples

Implementation Details

Core Components:

  • pre_commit_hooks/trivy_scan.py - Main hook implementation with full Trivy integration
  • .pre-commit-hooks.yaml - Pre-commit framework configuration
  • Comprehensive test suite with mocked subprocess calls

Configuration Options:

  • Severity filtering (UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL)
  • Multiple scanners (vuln, misconfig, secret, license)
  • Output formats (table, json, sarif, template, cyclonedx, spdx, github)
  • Custom trivy.yaml configuration support
  • .trivyignore file support for exception handling

Development Tools:

  • Black formatter for code consistency
  • Pylint for code quality (10.00/10 score)
  • Pytest with coverage reporting (93% coverage)
  • GitHub Actions CI/CD for automated testing across Python 3.9-3.12

Files Changed

  • 12 files created/modified
  • 1,099 lines added
  • Full project structure with tests, docs, and CI/CD

Testing

All validation checks passed:

✓ black --check pre_commit_hooks tests
✓ pylint pre_commit_hooks (10.00/10)
✓ pytest with 93% coverage (26/26 tests passing)
✓ CLI entry points verified
✓ GitHub Actions workflow validated

Documentation

  • Complete README with installation instructions
  • Configuration examples for common use cases
  • Example files (.trivyignore.example, trivy.yaml.example)
  • Development setup guide with uv

Test Plan

  • Unit tests pass with >90% coverage
  • Black formatter check passes
  • Pylint quality check passes (10.00/10)
  • CLI entry point works (trivy-scan --help)
  • Module execution works (python -m pre_commit_hooks.trivy_scan --help)
  • GitHub Actions workflow syntax validated
  • All validation commands from issue #1 (feat: Trivy Pre-Commit Hook with Security Scanning) executed successfully

Closes

Closes #1

Implement a comprehensive Python-based pre-commit hook that integrates
Trivy security scanning to detect vulnerabilities in codebases before
commits are finalized.

Features:
- Core Trivy scanning hook with configurable severity levels
- Support for multiple scanners (vuln, misconfig, secret, license)
- Flexible output formats (table, json, sarif, etc.)
- Custom configuration via trivy.yaml and .trivyignore
- Comprehensive test suite with 93% coverage
- GitHub Actions CI/CD workflow for automated testing and linting
- Complete documentation with usage examples

Technical implementation:
- Python 3.9+ with type hints and modern practices
- Command-line argument parsing with argparse
- Subprocess-based Trivy execution with error handling
- Hatchling-based build system
- Black formatter and Pylint for code quality
- Pytest with coverage reporting

Closes #1
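The configuration options and the "argparse plus subprocess with error handling" design described in the PR above, as an added example that is not the project's pre_commit_hooks/trivy_scan.py: a minimal wrapper that validates the severity and scanner lists, assembles a `trivy fs` command from the Trivy flags the PR names (--severity, --scanners, --format, --config, --ignorefile, --skip-db-update), and maps Trivy's exit status onto the hook's own. The wrapper's argument names, its defaults and its exit-code convention are assumptions of this example; the `runner` and `which` parameters are injectable so the control flow can be exercised without a Trivy binary, which is the same reason the PR's tests mock subprocess calls.

```python
"""Illustrative pre-commit hook wrapping Trivy (added example, not the
project's pre_commit_hooks/trivy_scan.py).

Trivy's own CLI flags (fs, --exit-code, --severity, --scanners, --format,
--config, --ignorefile, --skip-db-update) are real; the wrapper's argument
names, defaults and exit codes are this example's assumptions.
"""
from __future__ import annotations

import argparse
import shutil
import subprocess
import sys
from typing import Callable, Optional, Sequence

SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")
SCANNERS = ("vuln", "misconfig", "secret", "license")
FORMATS = ("table", "json", "sarif", "template", "cyclonedx", "spdx", "github")

# Exit codes returned to pre-commit (assumed convention for this example).
EXIT_CLEAN = 0       # no findings at or above the requested severity
EXIT_FINDINGS = 1    # Trivy reported findings, so the commit is blocked
EXIT_HOOK_ERROR = 2  # trivy not installed or could not be executed


def parse_args(argv: Sequence[str]) -> argparse.Namespace:
    """Parse hook arguments and reject unknown severities or scanners
    explicitly; argparse alone would pass a typo such as 'HGH' to Trivy."""
    parser = argparse.ArgumentParser(prog="trivy-scan")
    parser.add_argument("--severity", default="HIGH,CRITICAL",
                        help="comma-separated severities to report")
    parser.add_argument("--scanners", default="vuln,secret",
                        help="comma-separated Trivy scanners to run")
    parser.add_argument("--format", default="table", choices=FORMATS)
    parser.add_argument("--config", help="path to a trivy.yaml")
    parser.add_argument("--ignorefile", help="path to a .trivyignore")
    parser.add_argument("--skip-db-update", action="store_true",
                        help="reuse the cached vulnerability DB (faster, may be stale)")
    parser.add_argument("--path", default=".", help="directory Trivy scans")
    # pre-commit appends the staged filenames; Trivy scans the whole tree,
    # so they are accepted but not used here.
    parser.add_argument("filenames", nargs="*")
    args = parser.parse_args(argv)

    bad = [s for s in args.severity.split(",") if s not in SEVERITIES]
    if bad:
        parser.error(f"unknown severity: {','.join(bad)}")
    bad = [s for s in args.scanners.split(",") if s not in SCANNERS]
    if bad:
        parser.error(f"unknown scanner: {','.join(bad)}")
    return args


def build_trivy_command(args: argparse.Namespace) -> list[str]:
    """Translate parsed options into a Trivy filesystem-scan command.

    --exit-code 1 is what makes findings fail the commit: without it,
    `trivy fs` exits 0 even when it prints vulnerabilities."""
    cmd = ["trivy", "fs", "--exit-code", "1",
           "--severity", args.severity,
           "--scanners", args.scanners,
           "--format", args.format]
    if args.config:
        cmd += ["--config", args.config]
    if args.ignorefile:
        cmd += ["--ignorefile", args.ignorefile]
    if args.skip_db_update:
        cmd.append("--skip-db-update")
    cmd.append(args.path)
    return cmd


def run_scan(cmd: Sequence[str],
             runner: Callable[..., subprocess.CompletedProcess] = subprocess.run,
             which: Callable[[str], Optional[str]] = shutil.which) -> int:
    """Run Trivy and map the outcome to the hook's exit code.

    `runner` and `which` are injectable so the control flow can be tested
    without a Trivy binary on the machine."""
    if which(cmd[0]) is None:
        print("trivy-scan: 'trivy' not found on PATH; install Trivy or "
              "skip this hook", file=sys.stderr)
        return EXIT_HOOK_ERROR
    try:
        # No shell=True: arguments reach Trivy as an argv list, so values
        # taken from configuration are never interpreted by a shell.
        completed = runner(list(cmd), check=False)
    except OSError as exc:
        print(f"trivy-scan: failed to execute trivy: {exc}", file=sys.stderr)
        return EXIT_HOOK_ERROR
    return EXIT_FINDINGS if completed.returncode != 0 else EXIT_CLEAN


def main(argv: Optional[Sequence[str]] = None) -> int:
    args = parse_args(sys.argv[1:] if argv is None else argv)
    return run_scan(build_trivy_command(args))


if __name__ == "__main__":
    sys.exit(main())
```

Invoked as `python trivy_scan_example.py --severity HIGH,CRITICAL --skip-db-update`, the wrapper exits 1 when Trivy reports findings and 2 when Trivy itself is missing or fails to start, so a blocked commit and a broken hook environment are distinguishable in pre-commit's output.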
Copilot AI review requested due to automatic review settings October 23, 2025 10:16

Copilot AI left a comment

Pull Request Overview

This PR implements a comprehensive Python-based pre-commit hook that integrates Trivy security scanning into the development workflow, enabling automatic vulnerability detection before commits are finalized.

Key Changes:

  • Complete Trivy pre-commit hook implementation with configurable security scanning options
  • Comprehensive test suite achieving 93% code coverage with 26 passing tests
  • Full project infrastructure including CI/CD, documentation, and configuration examples

Reviewed Changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 2 comments.

Reviewed files:

  • pre_commit_hooks/trivy_scan.py: Core hook implementation with Trivy integration, argument parsing, and scan execution
  • pre_commit_hooks/__init__.py: Package initialization with version metadata
  • tests/test_trivy_scan.py: Comprehensive test suite covering installation checks, argument parsing, scan execution, and main function
  • tests/conftest.py: Pytest fixtures for mocking Trivy installation and subprocess calls
  • tests/__init__.py: Test package initialization
  • pyproject.toml: Project configuration with dependencies, build system, and tool settings
  • .pre-commit-hooks.yaml: Pre-commit framework hook configuration
  • .github/workflows/ci.yml: GitHub Actions CI/CD workflow for testing across Python 3.9-3.12
  • README.md: Comprehensive documentation with installation, usage, and configuration examples
  • trivy.yaml.example: Example Trivy configuration file with common settings
  • .trivyignore.example: Example file for ignoring specific CVEs
  • .pylintrc: Pylint configuration for code quality checks

Signed-off-by: Mehdi Bechiri <cebidhem@pm.me>
Copilot AI review requested due to automatic review settings October 23, 2025 10:25

Copilot AI left a comment

Pull Request Overview

Copilot reviewed 12 out of 12 changed files in this pull request and generated 1 comment.

@cebidhem cebidhem merged commit 4370d90 into main Oct 23, 2025
4 checks passed
@cebidhem cebidhem deleted the feat/trivy-pre-commit-hook-1 branch October 23, 2025 10:29