Add dev dependency tracking and --exclude-dev flag

Dev dependencies from uv.lock are now tracked separately. Findings
in dev-only dependency chains are labeled with (dev) in the report.
New --exclude-dev CLI flag and action input to skip dev deps entirely.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: nevoodoo

action.yml

@@ -29,6 +29,10 @@ inputs:
     description: "Comma-separated package names to skip"
     required: false
     default: ""
+  exclude-dev:
+    description: "Exclude dev dependencies from the scan"
+    required: false
+    default: "false"
 
 outputs:
   vuln-count:
@@ -54,6 +58,7 @@ runs:
         INPUT_PATH: ${{ inputs.path }}
         INPUT_IGNORE_IDS: ${{ inputs.ignore-ids }}
         INPUT_IGNORE_PACKAGES: ${{ inputs.ignore-packages }}
+        INPUT_EXCLUDE_DEV: ${{ inputs.exclude-dev }}
       run: |
         SCANNER_DIR="${{ github.action_path }}"
         export PYTHONPATH="$SCANNER_DIR:${PYTHONPATH:-}"
@@ -65,6 +70,9 @@ runs:
         if [ -n "$INPUT_IGNORE_PACKAGES" ]; then
           ARGS+=(--ignore-packages "$INPUT_IGNORE_PACKAGES")
         fi
+        if [ "$INPUT_EXCLUDE_DEV" = "true" ]; then
+          ARGS+=(--exclude-dev)
+        fi
 
         set +e
         REPORT=$(python -m scanner.cli "${ARGS[@]}" 2>"$RUNNER_TEMP/scanner_stderr.txt")

scanner/cli.py

@@ -46,6 +46,12 @@ def main(argv: list[str] | None = None) -> int:
         dest="output_format",
         help="Output format (default: markdown)",
     )
+    parser.add_argument(
+        "--exclude-dev",
+        action="store_true",
+        default=False,
+        help="Exclude dev dependencies from the scan",
+    )
 
     args = parser.parse_args(argv)
     project_path = Path(args.path)
@@ -82,6 +88,7 @@ def main(argv: list[str] | None = None) -> int:
     packages_to_query = {
         name: (info.name, info.version)
         for name, info in graph.packages.items()
+        if not (args.exclude_dev and graph.is_dev_only(name))
     }
     osv_results = query_osv(
         packages_to_query,

scanner/graph.py

@@ -16,6 +16,7 @@ class PackageInfo:
     version: str
     dependencies: list[str] = field(default_factory=list)
     is_direct: bool = False
+    is_dev: bool = False
 
 
 @dataclass
@@ -24,16 +25,19 @@ class DependencyGraph:
 
     packages: dict[str, PackageInfo]  # normalized name -> PackageInfo
     reverse_map: dict[str, list[str]]  # package -> list of parents
-    direct_deps: set[str]  # normalized names of direct dependencies
+    direct_deps: set[str]  # normalized names of direct runtime dependencies
+    dev_deps: set[str] = field(default_factory=set)  # direct dev dependencies
 
     def trace_chain(self, package: str) -> list[str]:
         """Find shortest path from a direct dependency to the given package.
 
-        Returns a list like ["flask", "werkzeug", "markupsafe"] meaning
-        flask -> werkzeug -> markupsafe.
+        Searches runtime deps first, then dev deps. Returns a list like
+        ["flask", "werkzeug", "markupsafe"] meaning flask -> werkzeug -> markupsafe.
         """
         package = normalize(package)
-        if package in self.direct_deps:
+        all_direct = self.direct_deps | self.dev_deps
+
+        if package in all_direct:
             return [package]
 
         # BFS from package upward through reverse_map to find a direct dep
@@ -49,15 +53,28 @@ def trace_chain(self, package: str) -> list[str]:
                     continue
                 visited.add(parent)
                 new_path = path + [parent]
-                if parent in self.direct_deps:
-                    # Return in top-down order: direct dep -> ... -> target
+                if parent in all_direct:
                     new_path.reverse()
                     return new_path
                 queue.append(new_path)
 
         # No path found to a direct dep — return just the package
         return [package]
 
+    def is_dev_only(self, package: str) -> bool:
+        """Check if a package is only reachable through dev dependencies."""
+        package = normalize(package)
+        if package in self.direct_deps:
+            return False
+        if package in self.dev_deps:
+            return True
+
+        chain = self.trace_chain(package)
+        if not chain:
+            return False
+        root = chain[0]
+        return root in self.dev_deps and root not in self.direct_deps
+
 
 def normalize(name: str) -> str:
     """Normalize a Python package name per PEP 503."""
@@ -98,16 +115,32 @@ def parse_uv_lock(lock_path: Path | str) -> DependencyGraph:
             dependencies=deps,
         )
 
-    # Direct deps are the runtime dependencies of root packages
+    # Direct runtime deps from root packages
     direct_deps: set[str] = set()
     for root in root_names:
         if root in packages:
             direct_deps.update(packages[root].dependencies)
 
-    # Mark direct deps
+    # Dev deps from root packages
+    dev_deps: set[str] = set()
+    for pkg in data.get("package", []):
+        name = normalize(pkg["name"])
+        if name not in root_names:
+            continue
+        for _group, deps in pkg.get("dev-dependencies", {}).items():
+            for d in deps:
+                dev_deps.add(normalize(d["name"]))
+
+    # Remove overlap — if a package is both runtime and dev, treat as runtime
+    dev_deps -= direct_deps
+
+    # Mark flags
     for dep_name in direct_deps:
         if dep_name in packages:
             packages[dep_name].is_direct = True
+    for dep_name in dev_deps:
+        if dep_name in packages:
+            packages[dep_name].is_dev = True
 
     # Build reverse map (who depends on whom)
     reverse_map: dict[str, list[str]] = {}
@@ -123,6 +156,7 @@ def parse_uv_lock(lock_path: Path | str) -> DependencyGraph:
         packages=packages,
         reverse_map=reverse_map,
         direct_deps=direct_deps,
+        dev_deps=dev_deps,
     )
 
 

scanner/report.py

@@ -20,6 +20,7 @@ class Finding:
     fixed_versions: list[str]
     chain: list[str]
     status: str  # "fixable", "blocked", "ignored"
+    is_dev: bool = False
 
 
 def build_findings(
@@ -51,6 +52,7 @@ def build_findings(
             status = "blocked"
 
         chain = graph.trace_chain(vuln.package)
+        is_dev = graph.is_dev_only(vuln.package)
 
         findings.append(
             Finding(
@@ -62,6 +64,7 @@ def build_findings(
                 fixed_versions=vuln.fixed_versions,
                 chain=chain,
                 status=status,
+                is_dev=is_dev,
             )
         )
 
@@ -109,7 +112,7 @@ def generate_markdown(findings: list[Finding]) -> str:
 
         fix_display = ", ".join(f.fixed_versions) if f.fixed_versions else "None"
 
-        chain_display = _format_chain(f.chain, f.status)
+        chain_display = _format_chain(f.chain, f.status, f.is_dev)
 
         lines.append(
             f"| {f.package} | {f.version} | {vuln_display} | {fix_display} | {chain_display} |"
@@ -118,25 +121,30 @@ def generate_markdown(findings: list[Finding]) -> str:
     # Summary
     fixable = sum(1 for f in active if f.status == "fixable")
     blocked = sum(1 for f in active if f.status == "blocked")
+    dev_count = sum(1 for f in active if f.is_dev)
 
     lines.append("")
     lines.append("### Summary")
     if fixable:
         lines.append(f"- {fixable} fixable via dependency upgrade")
     if blocked:
         lines.append(f"- {blocked} blocked by upstream constraints")
+    if dev_count:
+        lines.append(f"- {dev_count} in dev dependencies only")
     if ignored:
         lines.append(f"- {len(ignored)} ignored")
 
     return "\n".join(lines)
 
 
-def _format_chain(chain: list[str], status: str) -> str:
+def _format_chain(chain: list[str], status: str, is_dev: bool = False) -> str:
     """Format a dependency chain for display."""
+    dev_suffix = " (dev)" if is_dev else ""
+
     if len(chain) <= 1:
         pkg = chain[0] if chain else "unknown"
         if status == "blocked":
-            return f"**{pkg}** (pinned, blocked)"
-        return pkg
+            return f"**{pkg}** (pinned, blocked){dev_suffix}"
+        return f"{pkg}{dev_suffix}"
 
-    return " > ".join(chain)
+    return " > ".join(chain) + dev_suffix

tests/test_graph.py

@@ -92,10 +92,23 @@ def test_trace_chain_two_levels(self, graph: DependencyGraph):
         chain = graph.trace_chain("urllib3")
         assert chain == ["requests", "urllib3"]
 
-    def test_dev_deps_included(self, graph: DependencyGraph):
-        # pytest is a dev dep — it should be in packages but NOT a direct dep
-        # (dev-dependencies are on the root package, not in its dependencies list)
+    def test_dev_deps_tracked(self, graph: DependencyGraph):
         assert "pytest" in graph.packages
+        assert "pytest" in graph.dev_deps
+        assert "pytest" not in graph.direct_deps
+
+    def test_dev_dep_is_dev_only(self, graph: DependencyGraph):
+        assert graph.is_dev_only("pytest") is True
+        assert graph.is_dev_only("iniconfig") is True  # transitive dev dep
+
+    def test_runtime_dep_not_dev(self, graph: DependencyGraph):
+        assert graph.is_dev_only("flask") is False
+        assert graph.is_dev_only("werkzeug") is False
+
+    def test_trace_chain_through_dev(self, graph: DependencyGraph):
+        chain = graph.trace_chain("iniconfig")
+        assert chain[0] == "pytest"
+        assert chain[-1] == "iniconfig"
 
     def test_unknown_package(self, graph: DependencyGraph):
         chain = graph.trace_chain("nonexistent")