Skip to content

Fix: AI-only analysis now writes a report instead of pointing to nonexistent files#134

Merged
advaitpatel merged 1 commit into
mainfrom
fix/ai-only-report-generation
Jul 3, 2026
Merged

Fix: AI-only analysis now writes a report instead of pointing to nonexistent files#134
advaitpatel merged 1 commit into
mainfrom
fix/ai-only-report-generation

Conversation

@advaitpatel

Copy link
Copy Markdown
Collaborator

Summary

Running an AI analysis with a Dockerfile but no image — docksec Dockerfile --provider anthropic (no -i), or --ai-only — printed the AI findings on screen (truncated to the top few per section) and then said:

For detailed AI analysis, check the generated reports at: ~/.docksec/results

But no report was ever written. In that mode run_ai is true and run_scan is false, and report generation only lived inside the scan block, so generate_all_reports never ran. The directory the message pointed at contained only stale files from earlier runs, and the full (untruncated) AI findings were effectively unreachable.

Fix

Two parts:

  1. docksec/utils.py — removed the unconditional "check the generated reports at: ..." line from analyze_security(). The CLI now owns that message and prints it only when a report is actually written.
  2. docksec/cli.py — added an AI-only report path after the scan block. When AI analysis succeeds but no scan ran, it builds a minimal results dict (scan_mode: ai_only, skipped dockerfile/image scans, empty json_data, plus ai_findings) and calls generate_all_reports, honoring --format, --output-dir, and --sarif. The complete AI findings now land in the JSON/CSV/PDF/HTML (and SARIF) reports.

Version bumped to 2026.7.3; docs/CHANGELOG.md updated.

Test plan

  • pytest tests/ — 157 passed
  • --ai-only and Dockerfile-without-image now write reports to the configured results dir (verified with a mocked LLM response; the JSON report contains a full ai_analysis block with all five finding categories, untruncated)
  • --sarif works in the AI-only path (all report formats written)
  • The old misleading "check the generated reports" message no longer prints; the "Reports ... -> " line prints only when files are actually written
  • Manual run against a live LLM provider (could not verify in-repo — the test API key from earlier is expired; needs a valid key)

Notes

README needed no change: it already documents that scanning a Dockerfile saves reports to ~/.docksec/results/, which this fix makes true.

@github-actions github-actions Bot added documentation Improvements or additions to documentation cli Changes to the CLI entry point core Changes to core scanning logic labels Jul 3, 2026
@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@advaitpatel
advaitpatel merged commit 3beff9e into main Jul 3, 2026
13 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

cli Changes to the CLI entry point core Changes to core scanning logic documentation Improvements or additions to documentation

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant