[Bug]: dependency-confusion pre-commit path ignores shell scripts with pip install commands

[DhineshPonnarasan]

Package

Other

Description

Summary

In pre-commit mode (no explicit file list), scripts/check_dependency_confusion.py only scans staged files with these extensions:

• .md, .py, .ts, .txt, .yaml, .yml, .ipynb, .svg

So staged shell scripts (.sh) are excluded, even when they contain executable pip install commands.

Affected file

• scripts/check_dependency_confusion.py (staged-file filter in main())

Repository evidence

The repo contains shell scripts with real install commands, e.g.:

• agent-governance-python/agent-os/modules/control-plane/build_and_publish.sh
• agent-governance-python/agent-os/modules/scak/build_and_publish.sh

Why this matters

This creates a coverage gap in dependency-confusion checks for contributor tooling and release scripts.

Proposed fix

Extend staged-file scanning coverage to shell scripts and ensure parser logic distinguishes real command lines from echoed documentation strings.

Suggested tests

Add tests to verify:

1. Real shell command lines like pip install ... are scanned.
2. echo "pip install ..." instructional lines do not create false positives.
3. Existing behavior for currently scanned file types remains unchanged.

Acceptance criteria

• Pre-commit mode includes .sh files in dependency-confusion scanning.
• False positives for echoed command examples are avoided.
• Regression tests cover shell-script scanning behavior.

Code of Conduct

• I agree to follow the Microsoft Open Source Code of Conduct

[github-actions]

🟡 Contributor Check: MEDIUM

Check	Result
Profile	MEDIUM
Credential	NONE
Overall	MEDIUM

Automated check by AGT Contributor Check.

[github-actions]

🤖 AI Agent: contributor-guide

Welcome to the microsoft/agent-governance-toolkit community! 🎉

Your issue is relevant to the scripts/check_dependency_confusion.py package, as it handles the staged-file scanning. We appreciate your detailed insights and proposed fixes!

For contributing guidelines, please check out our CONTRIBUTING.md.

[Ricky-G]

Thank you for raising this, it is completely valid issue, PR will follow to fix

[DhineshPonnarasan]

Thank you for raising this, it is completely valid issue, PR will follow to fix
@Ricky-G, Thanks for confirming the issue and taking this up!