Make uv-secure executable (#3)

* Reset version number and bumped dependencies

* Making package executable

Switched to version defined in code and added --version CLI option. Updated project script to run the Typer app. Made the uv.lock path an option that defaults to the working directory. Added and updated tests.

* Tweaking some of the option help text

* Added Usage section to the README.md

.pre-commit-config.yaml

@@ -39,15 +39,15 @@ repos:
         additional_dependencies:
           - pydantic
   - repo: https://github.com/charliermarsh/ruff-pre-commit
-    rev: v0.8.2
+    rev: v0.8.4
     hooks:
       - id: ruff-format
         types_or: [python, pyi, jupyter]
       - id: ruff
         args: [--fix, --exit-non-zero-on-fix]
         types_or: [python, pyi, jupyter]
   - repo: https://github.com/crate-ci/typos
-    rev: v1.28.2
+    rev: v1.28.4
     hooks:
       - id: typos
         args: [

README.md

@@ -2,6 +2,42 @@
 
 Scan your uv.lock file for dependencies with known vulnerabilities
 
+## Usage
+
+After installation you can run uv-secure --help to see the options.
+
+```text
+>> uv-secure --help
+
+ Usage: uv-secure [OPTIONS]
+
+ Parse a uv.lock file, check vulnerabilities, and display summary.
+
+╭─ Options ────────────────────────────────────────────────────────────────────────────╮
+│ --uv-lock-path        -p      PATH  Path to the uv.lock file [default: uv.lock]      │
+│ --ignore              -i      TEXT  Comma-separated list of vulnerability IDs to     │
+│                                     ignore, e.g. VULN-123,VULN-456                   │
+│ --version                           Show the application's version                   │
+│ --install-completion                Install completion for the current shell.        │
+│ --show-completion                   Show completion for the current shell, to copy   │
+│                                     it or customize the installation.                │
+│ --help                              Show this message and exit.                      │
+╰──────────────────────────────────────────────────────────────────────────────────────╯
+```
+
+By default if run with no options uv-secure will look for a uv.lock file in the current
+working directory and scan that for known vulnerabilities. E.g.
+
+```text
+>> uv-secure
+Checking dependencies for vulnerabilities...
+╭──────────────────────────────────╮
+│ No vulnerabilities detected!     │
+│ Checked: 160 dependencies        │
+│ All dependencies appear safe! 🎉 │
+╰──────────────────────────────────╯
+```
+
 ## Related Work and Motivation
 
 I created this package as I wanted a dependency vulnerability scanner but I wasn't

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "uv-secure"
-version = "0.2.0"
+dynamic = ["version"]
 description = "Scan your uv.lock file for dependencies with known vulnerabilities"
 readme = "README.md"
 authors = [
@@ -29,7 +29,7 @@ jupyter = [
 ]
 
 [project.scripts]
-uv-secure = "uv_secure:main"
+uv-secure = "uv_secure.run:app"
 
 [build-system]
 requires = ["hatchling"]
@@ -38,6 +38,9 @@ build-backend = "hatchling.build"
 [tool.bandit]
 exclude_dirs = ["tests"]
 
+[tool.hatch.version]
+path = "src/uv_secure/__version__.py"
+
 [tool.mypy]
 plugins = [
   "pydantic.mypy"

src/uv_secure/__version__.py

@@ -0,0 +1 @@
+__version__ = "0.1.0"

src/uv_secure/run.py

@@ -13,6 +13,8 @@
 from rich.text import Text
 import typer
 
+from uv_secure.__version__ import __version__
+
 
 app = typer.Typer()
 
@@ -115,6 +117,7 @@ def check_dependencies(uv_lock_path: Path, ignore_ids: list[str]) -> int:
             vulnerable_count += 1
             vulnerabilities_found.append((dep, filtered_vulnerabilities))
 
+    inf = inflect.engine()
     total_plural = inf.plural("dependency", total_dependencies)
     vulnerable_plural = inf.plural("dependency", vulnerable_count)
 
@@ -159,16 +162,39 @@ def check_dependencies(uv_lock_path: Path, ignore_ids: list[str]) -> int:
     return 0  # Exit successfully
 
 
+def version_callback(value: bool) -> None:
+    if value:
+        typer.echo(f"uv-secure {__version__}")
+        raise typer.Exit()
+
+
+_uv_lock_path_option = typer.Option(
+    Path("./uv.lock"), "--uv-lock-path", "-p", help="Path to the uv.lock file"
+)
+
+
 _ignore_option = typer.Option(
     "",
     "--ignore",
     "-i",
     help="Comma-separated list of vulnerability IDs to ignore, e.g. VULN-123,VULN-456",
 )
 
+_version_option = typer.Option(
+    None,
+    "--version",
+    callback=version_callback,
+    is_eager=True,
+    help="Show the application's version",
+)
+
 
 @app.command()
-def main(uv_lock_path: Path, ignore: str = _ignore_option) -> int:
+def main(
+    uv_lock_path: Path = _uv_lock_path_option,
+    ignore: str = _ignore_option,
+    version: bool = _version_option,
+) -> int:
     """Parse a uv.lock file, check vulnerabilities, and display summary."""
     ignore_ids = [vuln_id.strip() for vuln_id in ignore.split(",") if vuln_id.strip()]
     return check_dependencies(uv_lock_path, ignore_ids)

tests/uv_secure/test_run.py

@@ -28,11 +28,17 @@ def temp_uv_lock_file(tmp_path: Path) -> Path:
 
 def test_app(mocker: MockFixture) -> None:
     mock_check_dependencies = mocker.patch("uv_secure.run.check_dependencies")
-    result = runner.invoke(app, "uv.lock")
+    result = runner.invoke(app, ("--uv-lock-path", "uv.lock"))
     mock_check_dependencies.assert_called_once_with(Path("uv.lock"), [])
     assert result.exit_code == 0
 
 
+def test_app_version() -> None:
+    result = runner.invoke(app, "--version")
+    assert result.exit_code == 0
+    assert "uv-secure " in result.output
+
+
 def test_check_dependencies_no_vulnerabilities(
     temp_uv_lock_file: Path, httpx_mock: HTTPXMock, capsys: CaptureFixture[str]
 ) -> None: