Update filelock and virtualenv

Add trivy-scan workflow
Merge pull request 'Make pip-audit run inside Poetry' (#7 ) from pip_audit_tweak into main
2026-01-15 17:05:08 +00:00 · 2026-01-15 16:50:25 +00:00 · 2025-12-25 10:30:06 +00:00 · 2025-12-25 10:28:46 +00:00 · 2025-12-21 08:44:09 +00:00 · 2025-12-15 15:45:42 +00:00
9 changed files with 208 additions and 29 deletions
--- a/.filedust.conf.example
+++ b/.filedust.conf.example
@@ -2,9 +2,12 @@
 # Place at: ~/.filedust.conf
 #
 # Use this file to customize cleanup behavior.
 # Only keys matter (no values). Paths are relative to $HOME.
 #
-# Patterns (globs) are allowed.
+# Patterns are matched against paths relative to $HOME
 # Supports:
 #   *   = one path segment
 #   **  = zero or more path segments (recursive)
 # Matching is case-sensitive
 [exclude]
 # Add directories or patterns you want filedust to ignore.
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
--- a/.github/workflows/lint-and-security.yml
+++ b/.github/workflows/lint-and-security.yml
@@ -20,10 +20,17 @@ jobs:
        run: pip install pre-commit
      - name: Run pre-commit hooks
-        uses: pre-commit/action@v3.0.1
+        run: pre-commit run --all-files --color always
      - name: Install Poetry
        run: |
          pip install poetry
          poetry self add poetry-plugin-export
      - name: Install pip-audit
        run: pip install pip-audit
-      - name: Run pip-audit
+      - name: Audit dependencies (Poetry lockfile)
-        run: pip-audit
+        run: |
          poetry export -f requirements.txt --without-hashes \
            | pip-audit -r /dev/stdin
--- a/.gitea/workflows/trivy-scan.yml
+++ b/.gitea/workflows/trivy-scan.yml
@@ -0,0 +1,61 @@
 ---
 name: Trivy Scan
 on:
  schedule:
    - cron: 17 8 * * *
  workflow_dispatch:
 jobs:
  security-scan:
    runs-on: running-man
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Trivy scan via Docker
        id: trivy
        continue-on-error: true
        run: |
          docker run --rm \
            --volumes-from "$HOSTNAME" \
            aquasec/trivy:latest \
            fs /workspace/guardutils/filedust \
              --scanners vuln \
              --pkg-types library \
              --include-dev-deps \
              --severity MEDIUM,HIGH,CRITICAL \
              --ignore-unfixed \
              --format json \
              --output /workspace/guardutils/filedust/trivy.json \
              --exit-code 1
      - name: Notify Node-RED on vulnerabilities
        if: steps.trivy.outcome == 'failure'
        run: |
          jq -r '
          {
            repo: "guardutils/filedust",
            summary: (
              "Total: " +
              ((.Results[].Vulnerabilities | length) | tostring)
            ),
            vulnerabilities: [
              .Results[].Vulnerabilities[] | {
                library: .PkgName,
                cve: .VulnerabilityID,
                severity: .Severity,
                installed: .InstalledVersion,
                fixed: .FixedVersion,
                title: .Title,
                url: .PrimaryURL
              }
            ]
          }
          ' trivy.json \
          | curl -s -X POST https://nodered.sysmd.uk/trivy-alert \
              -H "Content-Type: application/json" \
              --data-binary @-
      - name: Fail workflow if vulnerabilities found
        if: steps.trivy.outcome == 'failure'
        run: exit 1
--- a/README.md
+++ b/README.md
@@ -1,11 +1,13 @@
-[![License](https://img.shields.io/github/license/guardutils/filedust?style=flat)](LICENCE)
+[![Licence](https://img.shields.io/badge/GPL--3.0-orange?label=Licence)](https://git.sysmd.uk/guardutils/filedust/src/branch/main/LICENCE)
-[![Language](https://img.shields.io/github/languages/top/guardutils/filedust.svg)](https://github.com/guardutils/filedust/)
+[![Gitea Release](https://img.shields.io/gitea/v/release/guardutils/filedust?gitea_url=https%3A%2F%2Fgit.sysmd.uk%2F&style=flat&color=orange&logo=gitea)](https://git.sysmd.uk/guardutils/filedust/releases)
-[![GitHub Release](https://img.shields.io/github/v/release/guardutils/filedust?display_name=release&logo=github)](https://github.com/guardutils/filedust/releases)
+[![pre-commit](https://img.shields.io/badge/pre--commit-enabled-blue?logo=pre-commit&style=flat)](https://git.sysmd.uk/guardutils/filedust/src/branch/main/.pre-commit-config.yaml)
 [![PyPI - Version](https://img.shields.io/pypi/v/filedust?logo=pypi)](https://pypi.org/project/filedust/#history)
 [![PyPI downloads](https://img.shields.io/pypi/dm/filedust.svg)](https://pypi.org/project/filedust/)
 # filedust
 <div align="center">
  <img src="filedust.png" alt="filedust logo" width="256" />
 </div>
 **filedust** is a small, fast, and safe command-line tool that scans your filesystem for obvious junk — things like Python __pycache__ folders, build artifacts, editor backup files, and leftover temporary files — and cleans them up.
 Think of it as “`autoremove` for files.”
@@ -42,6 +44,63 @@ Shows how much disk space can be freed.
 ## Installation
 ### From GuardUtils package repo
 This is the preferred method of installation.
 ### Debian/Ubuntu
 #### 1) Import the GPG key
 ```bash
 sudo mkdir -p /usr/share/keyrings
 curl -fsSL https://repo.sysmd.uk/guardutils/guardutils.gpg | sudo gpg --dearmor -o /usr/share/keyrings/guardutils.gpg
 ```
 The GPG fingerprint is `0032C71FA6A11EF9567D4434C5C06BD4603C28B1`.
 #### 2) Add the APT source
 ```bash
 echo "deb [arch=amd64 signed-by=/usr/share/keyrings/guardutils.gpg] https://repo.sysmd.uk/guardutils/debian stable main" | sudo tee /etc/apt/sources.list.d/guardutils.list
 ```
 #### 3) Update and install
 ```
 sudo apt update
 sudo apt install filedust
 ```
 ### Fedora/RHEL
 #### 1) Import the GPG key
 ```
 sudo rpm --import https://repo.sysmd.uk/guardutils/guardutils.gpg
 ```
 #### 2) Add the repository configuration
 ```
 sudo tee /etc/yum.repos.d/guardutils.repo > /dev/null << 'EOF'
 [guardutils]
 name=GuardUtils Repository
 baseurl=https://repo.sysmd.uk/guardutils/rpm/$basearch
 enabled=1
 gpgcheck=1
 repo_gpgcheck=1
 gpgkey=https://repo.sysmd.uk/guardutils/guardutils.gpg
 EOF
 ```
 #### 4) Update and install
 ```
 sudo dnf upgrade --refresh
 sudo dnf install filedust
 ```
 ### From PyPI
 ```
 pip install filedust
@@ -49,7 +108,7 @@ pip install filedust
 ### From this repository
 ```
-git clone https://github.com/guardutils/filedust.git
+git clone https://git.sysmd.uk/guardutils/filedust.git
 cd filedust/
 poetry install
 ```
@@ -57,7 +116,7 @@ poetry install
 ### Custom config
 You can download the example and add your custom rule
 ```
-wget -O ~/.filedust.conf https://raw.githubusercontent.com/guardutils/filedust/main/.filedust.conf.example
+wget -O ~/.filedust.conf https://git.sysmd.uk/guardutils/filedust/raw/branch/main/.filedust.conf.example
 ```
 ### TAB completion
@@ -69,3 +128,13 @@ And then
 ```
 source ~/.bashrc
 ```
 ## pre-commit
 This project uses [**pre-commit**](https://pre-commit.com/) to run automatic formatting and security checks before each commit (Black, Bandit, and various safety checks).
 To enable it:
 ```
 poetry install
 poetry run pre-commit install
 ```
 This ensures consistent formatting, catches common issues early, and keeps the codebase clean.
--- a/filedust.png
+++ b/filedust.png
--- a/poetry.lock
+++ b/poetry.lock
@@ -173,13 +173,13 @@ test = ["pytest (>=6)"]
 [[package]]
 name = "filelock"
-version = "3.20.0"
+version = "3.20.3"
 description = "A platform independent file lock."
 optional = false
 python-versions = ">=3.10"
 files = [
-    {file = "filelock-3.20.0-py3-none-any.whl", hash = "sha256:339b4732ffda5cd79b13f4e2711a31b0365ce445d95d243bb996273d072546a2"},
+    {file = "filelock-3.20.3-py3-none-any.whl", hash = "sha256:4b0dda527ee31078689fc205ec4f1c1bf7d56cf88b6dc9426c4f230e46c2dce1"},
-    {file = "filelock-3.20.0.tar.gz", hash = "sha256:711e943b4ec6be42e1d4e6690b48dc175c822967466bb31c0c293f34334c13f4"},
+    {file = "filelock-3.20.3.tar.gz", hash = "sha256:18c57ee915c7ec61cff0ecf7f0f869936c7c30191bb0cf406f1341778d0834e1"},
 ]
 [[package]]
@@ -533,18 +533,18 @@ files = [
 [[package]]
 name = "virtualenv"
-version = "20.35.4"
+version = "20.36.1"
 description = "Virtual Python Environment builder"
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "virtualenv-20.35.4-py3-none-any.whl", hash = "sha256:c21c9cede36c9753eeade68ba7d523529f228a403463376cf821eaae2b650f1b"},
+    {file = "virtualenv-20.36.1-py3-none-any.whl", hash = "sha256:575a8d6b124ef88f6f51d56d656132389f961062a9177016a50e4f507bbcc19f"},
-    {file = "virtualenv-20.35.4.tar.gz", hash = "sha256:643d3914d73d3eeb0c552cbb12d7e82adf0e504dbf86a3182f8771a153a1971c"},
+    {file = "virtualenv-20.36.1.tar.gz", hash = "sha256:8befb5c81842c641f8ee658481e42641c68b5eab3521d8e092d18320902466ba"},
 ]
 [package.dependencies]
 distlib = ">=0.3.7,<1"
-filelock = ">=3.12.2,<4"
+filelock = {version = ">=3.20.1,<4", markers = "python_version >= \"3.10\""}
 platformdirs = ">=3.9.1,<5"
 typing-extensions = {version = ">=4.13.2", markers = "python_version < \"3.11\""}
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,12 +1,12 @@
 [tool.poetry]
 name = "filedust"
-version = "0.3.1"
+version = "0.4.1"
 description = "Opinionated junk cleaner for dev machines (caches, build artifacts, editor backups)."
 authors = ["Marco D'Aleo <marco@marcodaleo.com>"]
 license = "GPL-3.0-or-later"
 readme = "README.md"
-homepage = "https://github.com/guardutils/filedust"
+homepage = "https://git.sysmd.uk/guardutils/filedust"
-repository = "https://github.com/guardutils/filedust"
+repository = "https://git.sysmd.uk/guardutils/filedust"
 packages = [{ include = "filedust", from = "src" }]
 [tool.poetry.dependencies]
--- a/src/filedust/junk.py
+++ b/src/filedust/junk.py
@@ -20,6 +20,7 @@ def load_user_rules() -> UserRules:
    if cfg_path.exists():
        parser = configparser.ConfigParser(allow_no_value=True)
        parser.optionxform = str
        parser.read(cfg_path)
        if parser.has_section("include"):
@@ -32,8 +33,46 @@ def load_user_rules() -> UserRules:
 def matches_any(patterns: list[str], relpath: Path) -> bool:
-    posix = relpath.as_posix()
+    """
-    return any(fnmatch(posix, p) for p in patterns)
+    True globstar matcher.
    Rules:
    - *  matches exactly one path segment
    - ** matches zero or more segments
    - Patterns are relative to $HOME
    """
    path_parts = relpath.parts
    for pat in patterns:
        pat = pat.strip("/")
        pat_parts = tuple(pat.split("/"))
        if _match_parts(pat_parts, path_parts):
            return True
    return False
 def _match_parts(pat: tuple[str, ...], path: tuple[str, ...]) -> bool:
    """Recursive glob matcher with ** support."""
    if not pat:
        return not path
    if pat[0] == "**":
        # ** matches zero or more segments
        return _match_parts(pat[1:], path) or (
            bool(path) and _match_parts(pat, path[1:])
        )
    if not path:
        return False
    if fnmatch(path[0], pat[0]):
        return _match_parts(pat[1:], path[1:])
    return False
@dataclass
@@ -148,11 +187,11 @@ def iter_junk(root: Path, rules: UserRules | None = None) -> Iterable[Finding]:
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        dirpath_p = Path(dirpath)
-        # Fast relative path computation
+        try:
-        if dirpath == root_str:
+            rel_dir = dirpath_p.resolve().relative_to(HOME)
-            rel_dir = Path(".")
+        except ValueError:
-        else:
+            # Should never happen due to earlier checks
-            rel_dir = Path(dirpath[len(root_str) :].lstrip("/"))
+            continue
        # USER EXCLUDE → skip entire subtree
        if matches_any(rules.exclude, rel_dir):
Author	SHA1	Message	Date
Marco D'Aleo	c090320e47	Update filelock and virtualenv All checks were successful Trivy Scan / security-scan (push) Successful in 27s Details	2026-01-15 17:05:08 +00:00
Marco D'Aleo	c7a07f8327	Add trivy-scan workflow	2026-01-15 16:50:25 +00:00
Marco D'Aleo	31f91fcd28	Merge pull request 'Make pip-audit run inside Poetry' (#7 ) from pip_audit_tweak into main Reviewed-on: #7	2025-12-25 10:30:06 +00:00
Marco D'Aleo	5268e5834b	Make pip-audit run inside Poetry All checks were successful Lint & Security / precommit-and-security (pull_request) Successful in 59s Details	2025-12-25 10:28:46 +00:00
Marco D'Aleo	532cc68fb3	Add logo file, update README	2025-12-21 08:44:09 +00:00
Marco D'Aleo	e36228c308	Merge remote-tracking branch 'refs/remotes/origin/main'	2025-12-15 15:45:42 +00:00
Marco D'Aleo	c016a45b82	Version bump 0.4.0	2025-12-15 15:43:48 +00:00
Marco D'Aleo	860e8a668f	Merge pull request 'Add globstar filtering' (#6 ) from add_globstar into main Reviewed-on: #6	2025-12-15 15:42:15 +00:00
Marco D'Aleo	5e9a55dcc6	Add globstar filtering All checks were successful Lint & Security / precommit-and-security (pull_request) Successful in 1m28s Details	2025-12-15 15:39:14 +00:00
Marco D'Aleo	7daa2175e8	Fix repository's URL to point ad Gitea	2025-12-14 16:42:43 +00:00
Marco D'Aleo	67a6af2ddb	Fix installation instructions	2025-12-09 16:11:49 +00:00
Marco D'Aleo	25ea1fec63	Merge pull request 'Update README and pyproject.toml' (#5 ) from update_filedust_20251209 into main Reviewed-on: #5	2025-12-09 15:27:51 +00:00
Marco D'Aleo	dc66700f1e	Edit badges, update installation instructions, swap github.com entries to git.sysmd.uk All checks were successful Lint & Security / precommit-and-security (pull_request) Successful in 48s Details	2025-12-09 15:26:16 +00:00
Marco D'Aleo	1eb082fc52	Merge pull request 'Rename .github folder to .gitea' (#4 ) from rename_github_folder into main Reviewed-on: #4	2025-12-09 13:10:37 +00:00
Marco D'Aleo	c2f52b8049	Use pre-commit directly instead of action All checks were successful Lint & Security / precommit-and-security (pull_request) Successful in 1m3s Details	2025-12-09 13:08:10 +00:00
Marco D'Aleo	6ebef8e058	Rename .github folder to .gitea Some checks failed Lint & Security / precommit-and-security (pull_request) Has been cancelled Details	2025-12-09 12:56:06 +00:00