Add shell-deps subcommand to tw#218

Merged
aborrero merged 12 commits into chainguard-dev:main from smoser:feat/shell-deps on Jan 27, 2026

Conversation

@smoser smoser commented Oct 17, 2025

shell-deps parses shell scripts and determines dependencies.
See README.md for more info.

smoser commented Oct 17, 2025

This is untested other than what claude did.
I did not sanity check the output.

The idea is just to be able to identify dependencies of a shell script that are missing.

Ideally, I'd ultimately like to be able to point it at an image and have it spit out things that it thinks are missing.

$ tw  shell-deps scan-image cgr.dev/chainguard/my-image:latest

Right now it only handles local files or directory tree.

@smoser smoser requested review from kranurag7 and rawlingsj October 17, 2025 21:31
@kranurag7 kranurag7 left a comment

Sorry for coming late on this, great work Scott.

It would be awesome to have scan supported on both files and directories; then we can do things like fd -e sh -x tw shell-deps scan

smoser commented Jan 22, 2026

@Aditevil,
thanks for pushing on this a bit.

From our meet session, I think we came up with:

  • Your recent commit adds coreutils compatibility checks, which I think is super awesome. I'd like to make sure that the code is actually checking specific commands and arguments found in a script versus just regex-comparing lines (i.e., we want it to catch a call split across a newline, chmod \\\n --reference foo bar, but not believe that this line contains a call to chmod with --reference: chmod 644 foo && some-command --reference foo).

  • Our goal is to expose 2 different pipelines for melange testing:

    1. full package check: uses: test/tw/shell-deps-check-package
       This would commonly call tw shell-deps check -package ${{context.name}}

    2. check specific scripts or directories: uses: test/tw/shell-deps
       This one requires a files or other input to check.

       The files would be explicit paths to files to check. This has the potential of bit-rotting and missing newly added scripts, but allows us to not cast as wide a net and may avoid some false positives.

    Both of these can take a path argument, but would default to a path of /usr/local/bin:/usr/bin, and possibly with /opt/iamguarded in there. I'm not opposed to that. Then it would check that a given script uses only programs that are in the path provided.

  • I think that tw shell-deps show does much of 2 above, so I'm not convinced we should/would need a new command for that. I think that --missing should basically be --path, and it should not just look through an entire directory recursively, but expect a given path.

  • Automatic GNU/coreutils detection. The coreutils compatibility stuff is wonderful, but I'd like it to just do the right thing by default. Given a system, you can easily determine if chmod is provided by busybox or coreutils by looking at the target of the symlink. If a script needs chmod from coreutils due to --reference use, then it should look at the chmod that is found in --path, and if that is coreutils, then it looks good. If it is busybox, it should fail.

    The reason for this is the following workflow:

    • we add this package test
    • package test fails because coreutils is not installed and chmod --reference is used.
    • we add a dependency in the package on coreutils
    • package test runs and sees /usr/bin/chmod is now coreutils, so there is not a problem.
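The two requirements discussed in the comment above, checking the actual argv of each simple command (including a call split across a backslash-newline) rather than regex-matching lines, and deciding whether the chmod found on the given path is busybox or coreutils by resolving its symlink target, combined in one added Go example. This is illustrative code written for this page, not tw's shell-deps implementation; the coreutilsOnlyFlags table, the function names, the sample script and the "busybox" versus "coreutils" symlink layout are assumptions. The tokenizer is deliberately minimal (no quoting, subshell or variable handling); a real implementation would use a proper shell parser.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Hypothetical rule table for this example: command -> flags that only the
// GNU coreutils implementation accepts. Not the project's own data.
var coreutilsOnlyFlags = map[string][]string{
	"chmod": {"--reference"},
	"chown": {"--reference"},
}

// Need records one coreutils-only flag a script passes to a command.
type Need struct{ Cmd, Flag string }

// splitCommands joins backslash-newline continuations, then splits the script
// into simple commands on newlines, ';', '&&', '||' and '|', returning each
// command's whitespace-separated argv. Quoting is intentionally not handled.
func splitCommands(script string) [][]string {
	joined := strings.ReplaceAll(script, "\\\n", " ")
	var cmds [][]string
	for _, line := range strings.Split(joined, "\n") {
		// "||" is replaced before "|" so it is not left as a stray "|".
		for _, op := range []string{"&&", "||", "|", ";"} {
			line = strings.ReplaceAll(line, op, "\n")
		}
		for _, seg := range strings.Split(line, "\n") {
			if fields := strings.Fields(seg); len(fields) > 0 {
				cmds = append(cmds, fields)
			}
		}
	}
	return cmds
}

// FindCoreutilsNeeds returns the (command, flag) pairs in script that require
// GNU coreutils. Because it inspects argv per simple command, "chmod 644 foo &&
// some-command --reference foo" is not reported, while a chmod whose
// --reference sits on a continuation line is.
func FindCoreutilsNeeds(script string) []Need {
	var needs []Need
	for _, argv := range splitCommands(script) {
		name := filepath.Base(argv[0]) // "/usr/bin/chmod" and "chmod" alike
		flags, ok := coreutilsOnlyFlags[name]
		if !ok {
			continue
		}
		for _, arg := range argv[1:] {
			for _, f := range flags {
				if arg == f || strings.HasPrefix(arg, f+"=") {
					needs = append(needs, Need{name, f})
				}
			}
		}
	}
	return needs
}

// ResolveProvider finds cmd in the given path directories and returns the base
// name of the file its symlink chain ends at ("busybox", "coreutils", or the
// command's own name when it is a standalone binary).
func ResolveProvider(cmd string, pathDirs []string) (string, error) {
	for _, dir := range pathDirs {
		p := filepath.Join(dir, cmd)
		if _, err := os.Lstat(p); err != nil {
			continue
		}
		target, err := filepath.EvalSymlinks(p)
		if err != nil {
			return "", err
		}
		return filepath.Base(target), nil
	}
	return "", fmt.Errorf("%s not found in %v", cmd, pathDirs)
}

// CheckScript reports a problem for every coreutils-only use whose command is
// missing from the path or is provided by busybox. Assumption: anything else
// (the coreutils multi-call binary or a standalone binary) is full-featured.
func CheckScript(script string, pathDirs []string) []string {
	var problems []string
	for _, n := range FindCoreutilsNeeds(script) {
		prov, err := ResolveProvider(n.Cmd, pathDirs)
		switch {
		case err != nil:
			problems = append(problems, fmt.Sprintf("%s %s: %v", n.Cmd, n.Flag, err))
		case prov == "busybox":
			problems = append(problems, fmt.Sprintf("%s %s needs coreutils but %s is provided by busybox", n.Cmd, n.Flag, n.Cmd))
		}
	}
	return problems
}

func main() {
	// Constructed sample script: the first chmod is split across a continuation.
	script := "chmod \\\n  --reference foo bar\nchmod 644 foo && some-command --reference foo\n"
	for _, n := range FindCoreutilsNeeds(script) {
		fmt.Printf("%s uses coreutils-only flag %s\n", n.Cmd, n.Flag)
	}
	fmt.Println(CheckScript(script, strings.Split("/usr/local/bin:/usr/bin", ":")))
}
```

Running the block against a real path prints one need (chmod --reference) and then either nothing or a busybox complaint depending on what /usr/bin/chmod resolves to on that system, which is exactly the "add a coreutils dependency and the test goes green" workflow described above.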

smoser commented Jan 22, 2026

So I think basically what I'm saying we want in tw shell-deps is 3 sub-commands, all of which take a '--path' argument rather than --missing.

  • tw shell-deps check file [.....]
  • tw shell-deps check-package package-name

Maybe we still keep 'show' to just show fuller output and not check deps? We can ditch scan for now. That was to be pointed at a full image; we can maybe add it back later when it's needed.

smoser commented Jan 23, 2026

This doesn't seem right:

smoser@work:~/src/tw/tw$ apk info -v | grep vim
neovim-0.11.5-r0
vim-9.1.2103-r0
smoser@work:~/src/tw/tw$ ./bin/tw shell-deps check-package vim
Error: package vim not found in .
2026/01/23 12:46:57 ERROR failed to execute command: package vim not found in .

I have vim installed; I wanted it to check all the shell scripts installed by vim.

@Aditevil Aditevil force-pushed the feat/shell-deps branch 2 times, most recently from 18e5ec0 to fc9a287 on January 23, 2026 22:36
smoser and others added 12 commits on January 26, 2026 17:04

This is a pattern I often use to execute a function's parameters after logging them.
Signed-off-by: Aditya Tirmanwar <aditya.tirmanwar@chainguard.dev>
…dency validation

Signed-off-by: Aditya Tirmanwar <aditya.tirmanwar@chainguard.dev>
Invoking via symlink as seen below would show usage error after failure in parsing.

    ./bin/shell-deps check --path=/usr/local/bin /tmp/my-script
smoser commented Jan 26, 2026

@Aditevil I pushed one change that fixed the symlink usage. I think I'm pretty happy with this.
The one thing remaining is to add pipelines for test/tw/shell-deps-check-package and test/tw/shell-deps-check.

Then we need to get someone else's review and land this.

@Aditevil
The one thing remaining is to add pipelines for test/tw/shell-deps-check-package and test/tw/shell-deps-check.

Raised a draft PR for this: https://github.com/chainguard-dev/stereo/pull/13152

@aborrero aborrero left a comment

LGTM.

@aborrero aborrero merged commit 3ff64f6 into chainguard-dev:main Jan 27, 2026
5 checks passed