pre-commit hook performs should performs a scan by default

[pcastellazzi]

When osv-scanner is running from a pre-commit hook without args it does not fail.

Steps to reproduce:

1. Create a .pre-commit-config.yaml with the following content:

repos:
  - repo: https://github.com/google/osv-scanner/
    rev: "v2.2.3"
    hooks:
      - id: osv-scanner

2. Run

pre-commit run --all-files --verbose osv-scanner

I understand the documentation clearly states it should be used with args, but i would argue that, when that's not the case, the hook should fail.

The same behavior is observed when osv-scanner is run from the command line. 0 (zero) is returned as an exit code instead of non zero value.

This behavior hides mistakes like incorrect indentation on the pre-commit hook configuration or the all too common misspelled variable name in a bash script.

[another-rex]

I'm not sure about scanning by default, but I agree just running osv-scanner by itself should return a non 0 exit code. (probably 129 (we should move all invalid flag errors to 129, as 127 could mean a lot of different errors)).

[pcastellazzi]

I'm not sure about scanning by default, but I agree just running osv-scanner by itself should return a non 0 exit code. (probably 129 (we should move all invalid flag errors to 129, as 127 could mean a lot of different errors)).

I meant scanning by default on the pre-commit hook, the program should definitely fail.

Also the numbers used as exit codes are a problem. They are reserved, in a way.
127+N, is interpreted as the program failed because of a signal, N, being the signal number.

I am not sure if this behaviour is observed on all Unix like operating systems or shells, but based on what i have to test, Linux (Fedora, Ubuntu, Debian) and macOS (Tahoe), zsh, fish, and of course bash, do respect this.

[another-rex]

I meant scanning by default on the pre-commit hook, the program should definitely fail.

Ah I see, I'm not familiar with the precommit hook config, but happy to receive the a PR updating https://github.com/google/osv-scanner/blob/main/.pre-commit-hooks.yaml to run recursive scans by default if no args are passed in.

Also the numbers used as exit codes are a problem. ...

Hmm I'm not sure it applies beyond shell scripts, though I agree ideally we'll be following that. However, I think making a breaking change on exit codes now will cause more problems than if we kept following our current exit codes.