Skip to content

Add SBOM export, offline mode, install-skill, and fix-command output#138

Merged
advaitpatel merged 2 commits into
mainfrom
feat/sbom-offline-skill-polish
Jul 3, 2026
Merged

Add SBOM export, offline mode, install-skill, and fix-command output#138
advaitpatel merged 2 commits into
mainfrom
feat/sbom-offline-skill-polish

Conversation

@advaitpatel

Copy link
Copy Markdown
Collaborator

Summary

Adds four features adapted from the sibling OWASP project cve-lite-cli, closing
the remaining comparison-table gaps and the CLAUDE.md "still open" parity items,
plus a fix for a --json output-purity bug found along the way.

Features

  • CycloneDX SBOM export (--sbom) — writes a spec-compliant CycloneDX BOM
    (<image>.cdx.json) of the scanned image via Trivy's native exporter, with
    DockSec stamped into the tool metadata. Opt-in and independent of --format;
    needs a single image (-i), so it is skipped for compose runs. Surfaced in the
    report summary and in --json under report_files.
  • Offline mode (--offline) — scans with no network: Trivy runs with
    --offline-scan --skip-db-update (uses the local vuln DB) and the AI pass and
    Docker Scout are skipped. Makes air-gapped scanning a single flag.
  • install-skill subcommanddocksec install-skill writes DockSec usage
    instructions into AI-assistant context files (Claude Code, Cursor, Codex
    AGENTS.md, Gemini GEMINI.md, GitHub Copilot). Idempotent (updates the
    DockSec section in place). Added via backward-compatible subcommand dispatch:
    all existing flag-based usage is unchanged.
  • Fixable-count and suggested-fix output — the result summary now reports how
    many findings have an upstream fixed version and prints a "Suggested fixes"
    block of severity-ranked, deduplicated upgrade PKG old -> new hints. Trivy's
    FixedVersion is threaded into every finding (also present in JSON/CSV/SARIF).

Fixed

  • --json stdout was polluted by the Rich progress spinner, breaking the
    machine-readable contract for CI consumers. The spinner now routes through the
    shared output console (stderr in --json mode), so stdout is pure JSON.

Docs

  • README: SBOM comparison row flipped to supported, new install-skill row,
    usage examples, and dedicated sections for SBOM / offline / install-skill.
  • CHANGELOG: [Unreleased] Added/Changed/Fixed entries.
  • CLAUDE.md: the three cve-lite parity items moved to resolved; new flags,
    subcommand, and install_skill.py module documented.

Testing

  • pytest: 175 passed (was 157; +18 new tests covering the CycloneDX writer,
    install-skill idempotency/append/in-place-replace, the fix-command helper, and
    --sbom / --offline / install-skill CLI wiring).
  • End-to-end verified against python:3.9-slim and alpine:3.18: SBOM validity
    (CycloneDX 1.6), --json purity, offline scanning, and the fix-command output.

Notes / not included

  • CycloneDX only (no SPDX yet); --offline relies on the local Trivy DB rather
    than a bundled advisory DB. Both noted as future work in CLAUDE.md.
  • setup.py version is unchanged (2026.7.2); a release bump for these features
    is deliberately left out of this PR.

@github-actions github-actions Bot added documentation Improvements or additions to documentation cli Changes to the CLI entry point core Changes to core scanning logic reports Changes to report generation tests Changes to the test suite labels Jul 3, 2026
@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

Comment thread tests/test_report_generator.py Outdated
path = rg.generate_cyclonedx_report(trivy_bom, tool_version="9.9.9")
assert os.path.exists(path)
assert path.endswith(".cdx.json")
written = json.loads(open(path).read())
Comment thread tests/test_report_generator.py Outdated
"components": [],
})
path = rg.generate_cyclonedx_report(trivy_bom, tool_version="1.0")
written = json.loads(open(path).read())
Comment thread tests/test_cli.py
with patch('builtins.print'):
try:
main()
except SystemExit:
Comment thread tests/test_report_generator.py Fixed
Comment thread tests/test_report_generator.py Fixed
Comment thread tests/test_cli.py Fixed
…code-quality bot findings on the SBOM/offline/skill PR: - Use a context manager for the two CycloneDX report reads in test_report_generator.py so the file is always closed. - Add an explanatory comment to the empty `except SystemExit` in the --offline CLI test.
@advaitpatel advaitpatel merged commit 85d2c2d into main Jul 3, 2026
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

cli Changes to the CLI entry point core Changes to core scanning logic documentation Improvements or additions to documentation reports Changes to report generation tests Changes to the test suite

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants