fix: ruff issues, modernize CLI, stabilize CI

Author: vazor-code

.secretscoutignore

@@ -9,3 +9,5 @@ build/**
 *.min.js
 *.map
 tests/**
+CONTRIBUTING.md
+README.md

pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "secretscout"
-version = "0.2.0"
+version = "0.2.1"
 description = "Defensive secret scanner for git repos and folders (pretty report + JSON/SARIF/HTML + pre-commit helper)."
 readme = "README.md"
 requires-python = ">=3.10"
@@ -23,9 +23,9 @@ dev = [
 ]
 
 [project.urls]
-Homepage = "https://github.com/vazor-code/secretscout"
-Repository = "https://github.com/vazor-code/secretscout"
-Issues = "https://github.com/vazor-code/secretscout/issues"
+Homepage = "https://github.com/vazor-code/SecretScout"
+Repository = "https://github.com/vazor-code/SecretScout"
+Issues = "https://github.com/vazor-code/SecretScout/issues"
 
 [project.scripts]
 secretscout = "secretscout.cli:app"

src/secretscout/__init__.py

@@ -1,2 +1,2 @@
 __all__ = ['__version__']
-__version__ = '0.2.0'
+__version__ = '0.2.1'

src/secretscout/cli.py

@@ -1,31 +1,94 @@
 from __future__ import annotations
 
 from pathlib import Path
-from typing import Optional
+from typing import Annotated
 
 import typer
 
 from .commands import cmd_baseline, cmd_init, cmd_scan, cmd_stats
 from .reporting import Format
 from .rules_cmd import list_rules, show_rule
 
-app = typer.Typer(add_completion=False, help="SecretScout: defensive secret scanner for repos and folders.")
+app = typer.Typer(
+    add_completion=False,
+    help="SecretScout: defensive secret scanner for repos and folders.",
+)
+
+# ---- Reusable annotations (Ruff B008-safe) ----
+
+PathArg = Annotated[
+    Path,
+    typer.Argument(exists=True, file_okay=False, dir_okay=True),
+]
+
+FormatOpt = Annotated[
+    Format,
+    typer.Option("--format", help="table|minimal|json|sarif|html"),
+]
+
+OutputOpt = Annotated[
+    Path | None,
+    typer.Option("--output", "-o", help="Write report to file (else stdout)."),
+]
+
+FailOnOpt = Annotated[
+    str,
+    typer.Option("--fail-on", help="Exit 1 if findings severity >= this."),
+]
+
+BaselineOpt = Annotated[
+    Path | None,
+    typer.Option("--baseline", help="Baseline JSON file to ignore known findings."),
+]
+
+StagedOpt = Annotated[
+    bool,
+    typer.Option("--staged", help="Scan staged changes (git index)."),
+]
+
+TrackedOpt = Annotated[
+    bool,
+    typer.Option("--tracked", help="Scan only git tracked files."),
+]
+
+AllFilesOpt = Annotated[
+    bool,
+    typer.Option("--all", help="Scan all files under PATH (ignores git)."),
+]
+
+ExcludeOpt = Annotated[
+    list[str] | None,
+    typer.Option("--exclude", help="Extra exclude glob patterns (repeatable)."),
+]
+
+NoCacheOpt = Annotated[
+    bool,
+    typer.Option("--no-cache", help="Disable cache."),
+]
+
+MaxFindingsOpt = Annotated[
+    int | None,
+    typer.Option("--max-findings", help="Limit output findings."),
+]
+
+# ---- Commands ----
 
 
 @app.command()
 def scan(
-    path: Path = typer.Argument(Path("."), exists=True, file_okay=False, dir_okay=True),
-    format: Format = typer.Option("table", "--format", help="table|minimal|json|sarif|html"),
-    output: Optional[Path] = typer.Option(None, "--output", "-o", help="Write report to file (else stdout)."),
-    fail_on: str = typer.Option("high", "--fail-on", help="Exit 1 if findings severity >= this."),
-    baseline: Optional[Path] = typer.Option(None, "--baseline", help="Baseline JSON file to ignore known findings."),
-    staged: bool = typer.Option(False, "--staged", help="Scan staged changes (git index)."),
-    tracked: bool = typer.Option(False, "--tracked", help="Scan only git tracked files."),
-    all_files: bool = typer.Option(False, "--all", help="Scan all files under PATH (ignores git)."),
-    exclude: list[str] = typer.Option(None, "--exclude", help="Extra exclude glob patterns (repeatable)."),
-    no_cache: bool = typer.Option(False, "--no-cache", help="Disable cache."),
-    max_findings: Optional[int] = typer.Option(None, "--max-findings", help="Limit output findings."),
+    path: PathArg = Path("."),
+    format: FormatOpt = "table",
+    output: OutputOpt = None,
+    fail_on: FailOnOpt = "high",
+    baseline: BaselineOpt = None,
+    staged: StagedOpt = False,
+    tracked: TrackedOpt = False,
+    all_files: AllFilesOpt = False,
+    exclude: ExcludeOpt = None,
+    no_cache: NoCacheOpt = False,
+    max_findings: MaxFindingsOpt = None,
 ) -> None:
+    """Scan a path for potential secrets."""
     code = cmd_scan(
         path=path,
         fmt=format,
@@ -43,44 +106,68 @@ def scan(
 
 
 @app.command()
-def init(path: Path = typer.Argument(Path("."), exists=True, file_okay=False, dir_okay=True)) -> None:
+def init(path: PathArg = Path(".")) -> None:
+    """Generate default config and ignore files."""
     raise typer.Exit(code=cmd_init(path))
 
 
 @app.command()
-def fix(path: Path = typer.Argument(Path("."), exists=True, file_okay=False, dir_okay=True)) -> None:
+def fix(path: PathArg = Path(".")) -> None:
+    """Alias for init (kept for convenience)."""
     raise typer.Exit(code=cmd_init(path))
 
 
 @app.command()
 def baseline(
-    path: Path = typer.Argument(Path("."), exists=True, file_okay=False, dir_okay=True),
-    output: Path = typer.Option(Path(".secretscout.baseline.json"), "--output", "-o", help="Baseline output file."),
-    tracked: bool = typer.Option(True, "--tracked/--all", help="By default, baseline git-tracked files."),
+    path: PathArg = Path("."),
+    output: Annotated[
+        Path,
+        typer.Option("--output", "-o", help="Baseline output file."),
+    ] = Path(".secretscout.baseline.json"),
+    tracked: Annotated[
+        bool,
+        typer.Option("--tracked/--all", help="By default, baseline git-tracked files."),
+    ] = True,
 ) -> None:
+    """Create a baseline file to ignore known findings."""
     raise typer.Exit(code=cmd_baseline(path, output, tracked))
 
 
 @app.command()
 def stats(
-    path: Path = typer.Argument(Path("."), exists=True, file_okay=False, dir_okay=True),
-    staged: bool = typer.Option(False, "--staged"),
-    tracked: bool = typer.Option(False, "--tracked"),
-    all_files: bool = typer.Option(False, "--all"),
-    baseline: Optional[Path] = typer.Option(None, "--baseline"),
+    path: PathArg = Path("."),
+    staged: StagedOpt = False,
+    tracked: TrackedOpt = False,
+    all_files: AllFilesOpt = False,
+    baseline: BaselineOpt = None,
 ) -> None:
-    raise typer.Exit(code=cmd_stats(path, staged=staged, tracked=tracked, all_files=all_files, baseline=baseline))
+    """Show a summary of findings."""
+    raise typer.Exit(
+        code=cmd_stats(
+            path,
+            staged=staged,
+            tracked=tracked,
+            all_files=all_files,
+            baseline=baseline,
+        )
+    )
 
 
+# ---- Rules subcommands ----
+
 rules_app = typer.Typer(help="Manage and inspect rules.")
 app.add_typer(rules_app, name="rules")
 
 
 @rules_app.command("list")
 def rules_list() -> None:
+    """List available rules."""
     list_rules()
 
 
 @rules_app.command("show")
-def rules_show(rule_id: str) -> None:
+def rules_show(
+    rule_id: Annotated[str, typer.Argument(help="Rule id (e.g. github-token).")],
+) -> None:
+    """Show details for a single rule."""
     show_rule(rule_id)

src/secretscout/commands.py

@@ -2,7 +2,6 @@
 
 import json
 from pathlib import Path
-from typing import Optional
 
 import typer
 from rich.console import Console
@@ -17,22 +16,25 @@
 def to_severity(value: str) -> Severity:
     try:
         return Severity(value.lower())
-    except Exception:
-        raise typer.BadParameter("Severity must be one of: low, medium, high, critical")
+    except Exception as err:
+        raise typer.BadParameter(
+            "Severity must be one of: low, medium, high, critical"
+        ) from err
+
 
 
 def cmd_scan(
     path: Path,
     fmt: Format,
-    output: Optional[Path],
+    output: Path | None,
     fail_on: str,
-    baseline: Optional[Path],
+    baseline: Path | None,
     staged: bool,
     tracked: bool,
     all_files: bool,
     exclude: list[str],
     no_cache: bool,
-    max_findings: Optional[int],
+    max_findings: int | None,
 ) -> int:
     root = path.resolve()
 
@@ -86,7 +88,7 @@ def cmd_init(path: Path) -> int:
     return 0
 
 
-def cmd_stats(path: Path, staged: bool, tracked: bool, all_files: bool, baseline: Optional[Path]) -> int:
+def cmd_stats(path: Path, staged: bool, tracked: bool, all_files: bool, baseline: Path | None) -> int:
     root = path.resolve()
     mode = "tracked"
     if staged:

src/secretscout/git.py

@@ -8,13 +8,13 @@ def _run_git(args: list[str], cwd: Path) -> subprocess.CompletedProcess:
     return subprocess.run(
         ["git", *args],
         cwd=str(cwd),
-        stdout=subprocess.PIPE,
-        stderr=subprocess.PIPE,
+        capture_output=True,
         text=False,
         check=False,
     )
 
 
+
 def is_git_repo(root: Path) -> bool:
     p = _run_git(["rev-parse", "--is-inside-work-tree"], cwd=root)
     return p.returncode == 0 and p.stdout.strip() == b"true"

src/secretscout/models.py

@@ -12,10 +12,10 @@ class Severity(str, Enum):
     critical = "critical"
 
     @classmethod
-    def order(cls) -> dict["Severity", int]:
+    def order(cls) -> dict[Severity, int]:
         return {cls.low: 0, cls.medium: 1, cls.high: 2, cls.critical: 3}
 
-    def ge(self, other: "Severity") -> bool:
+    def ge(self, other: Severity) -> bool:
         return self.order()[self] >= self.order()[other]
 
 

src/secretscout/reporting.py

@@ -3,8 +3,9 @@
 import html
 import json
 from collections import Counter
+from collections.abc import Iterable
 from datetime import datetime
-from typing import Iterable, Literal
+from typing import Literal
 
 from rich.console import Console
 from rich.table import Table

src/secretscout/scanner.py

@@ -2,9 +2,9 @@
 
 import json
 import re
+from collections.abc import Iterable
 from concurrent.futures import ThreadPoolExecutor, as_completed
 from pathlib import Path
-from typing import Iterable
 
 from .cache import Cache
 from .config import is_excluded, load_config, load_ignore_file

src/secretscout/util.py

@@ -3,7 +3,7 @@
 import hashlib
 import math
 import re
-from typing import Iterable
+from collections.abc import Iterable
 
 
 def shannon_entropy(s: str) -> float: