Fix: AI-only analysis now writes a report instead of pointing to nonexistent files#134
Merged
Merged
Conversation
Dependency Review✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.Scanned FilesNone |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Running an AI analysis with a Dockerfile but no image —
docksec Dockerfile --provider anthropic(no-i), or--ai-only— printed the AI findings on screen (truncated to the top few per section) and then said:But no report was ever written. In that mode
run_aiis true andrun_scanis false, and report generation only lived inside the scan block, sogenerate_all_reportsnever ran. The directory the message pointed at contained only stale files from earlier runs, and the full (untruncated) AI findings were effectively unreachable.Fix
Two parts:
docksec/utils.py— removed the unconditional "check the generated reports at: ..." line fromanalyze_security(). The CLI now owns that message and prints it only when a report is actually written.docksec/cli.py— added an AI-only report path after the scan block. When AI analysis succeeds but no scan ran, it builds a minimal results dict (scan_mode: ai_only, skipped dockerfile/image scans, emptyjson_data, plusai_findings) and callsgenerate_all_reports, honoring--format,--output-dir, and--sarif. The complete AI findings now land in the JSON/CSV/PDF/HTML (and SARIF) reports.Version bumped to
2026.7.3;docs/CHANGELOG.mdupdated.Test plan
pytest tests/— 157 passed--ai-onlyand Dockerfile-without-image now write reports to the configured results dir (verified with a mocked LLM response; the JSON report contains a fullai_analysisblock with all five finding categories, untruncated)--sarifworks in the AI-only path (all report formats written)Notes
README needed no change: it already documents that scanning a Dockerfile saves reports to
~/.docksec/results/, which this fix makes true.