Merge pull request #241 from OWASP/docs/issue-240-readme-reposition

docs: reposition README as developer-first security platform

Author: sonukapoor

README.md

@@ -16,7 +16,7 @@
 
   **🏆 Officially recognized as an [OWASP Incubator Project](https://owasp.org/cve-lite-cli)**
 
-  <p>Fast, developer-friendly vulnerability scanning for JavaScript and TypeScript projects.<br/>Practical fix guidance. Offline support. Usage-aware reachability. Clear direct vs transitive visibility.</p>
+  <p>Vulnerability scanning that belongs in your terminal — not your CI pipeline.<br/>Scan your lockfile, get copy-and-run fix commands, and ship clean code.</p>
 
   <strong>Scan. Understand. Fix.</strong>
 
@@ -45,6 +45,24 @@
 
 ---
 
+## The problem with how security scanning works today
+
+Most security tooling is designed around pipelines, not people.
+
+Dependabot files PRs you'll get to eventually. CI scanners block merges hours after the fact. Security dashboards surface a list of CVE IDs with no clear path to resolving them. By the time a developer is looking at a scan result, the code has already been reviewed and is waiting to ship.
+
+The feedback loop is too slow to be useful, and too noisy to be trusted. Developers learn to ignore it.
+
+There is also a more fundamental problem: these tools tell you what is vulnerable. Very few tell you what to actually do about it. The result is a gap between detection and remediation that security teams paper over with manual triage, and developers experience as alert fatigue.
+
+## A different model
+
+CVE Lite CLI is built around a different idea: **vulnerability scanning belongs at the developer's terminal, not at the end of a pipeline.**
+
+It reads your lockfile locally, queries [OSV](https://osv.dev) for advisory data, and produces a concrete remediation plan — not a list of identifiers. You get copy-and-run `npm install`, `pnpm add`, `yarn add`, or `bun add` commands scoped to your package manager. You see exactly which packages are directly installed versus pulled in transitively. You can scan with no internet connection in restricted-network environments.
+
+The tool is designed for the moment right before you push: fast, honest, and actionable.
+
 ## Quick start
 
 ```bash
@@ -58,39 +76,18 @@ Or one-off with `npx`:
 npx cve-lite-cli /path/to/project
 ```
 
-## What is CVE Lite CLI
-
-CVE Lite CLI scans JavaScript and TypeScript projects for known dependency vulnerabilities and tells you what to fix first. It reads your lockfile locally, queries [OSV](https://osv.dev) for advisory data, and produces a practical remediation plan — not just a list of advisory IDs.
+No account. No configuration. No source code leaves your machine.
 
-It is built for the moment right before release: fast, local-first, and honest about what it does and does not do.
+## What it does
 
-**Key differentiators:**
-
-- **Copy-and-run fix commands** — turns findings into package-manager-aware `npm install`, `pnpm add`, `yarn add`, or `bun add` commands you can run immediately
-- **Usage-aware reachability scanning** — uses static analysis to detect if vulnerable packages are actually imported in your code, cutting alert fatigue with `--usage` and `--only-used`
-- **Direct vs transitive visibility** — shows whether the risk comes from something you installed directly or a nested dependency
-- **Offline advisory DB** — sync advisory data ahead of time and scan with zero runtime API calls, useful for enterprise and restricted-network environments
-- **No account required** — no sign-up, no cloud dashboard, no source code upload
-- **Small dependency footprint** — only four runtime dependencies, intentionally kept minimal for a security tool
-
-## How it compares
-
-| Capability | CVE Lite CLI | npm audit | OSV-Scanner | Snyk CLI | Socket CLI |
-|---|:---:|:---:|:---:|:---:|:---:|
-| JS/TS lockfile scanning | ✅ | ✅ | ✅ | ✅ | ✅ |
-| npm + pnpm + Yarn + Bun support | ✅ | ❌ | ✅ | ✅ | ✅ |
-| No account required | ✅ | ✅ | ✅ | ❌ | ❌ |
-| Free to use | ✅ | ✅ | ✅ | ❌ | ❌ |
-| Usage-aware reachability scanning | ✅ | ❌ | ❌ | ✅ | ⚠️ |
-| Direct vs transitive visibility | ✅ | ⚠️ | ✅ | ✅ | ✅ |
-| Copy-and-run fix commands | ✅ | ❌ | ❌ | ✅ | ⚠️ |
-| Suggested remediation plan | ✅ | ❌ | ⚠️ | ✅ | ⚠️ |
-| JSON output | ✅ | ✅ | ✅ | ✅ | ✅ |
-| Offline/local advisory DB | ✅ | ❌ | ⚠️ | ❌ | ❌ |
-
-<sub>✅ = built-in strength · ⚠️ = partial or workflow-dependent · ❌ = not a core strength</sub>
-
-For detailed per-tool analysis, see [Comparison with other tools](docs/comparison.md).
+- **Produces copy-and-run fix commands** — every finding comes with a package-manager-aware install command you can run immediately
+- **Distinguishes direct from transitive risk** — shows whether the vulnerability is in something you installed or buried three levels deep in a dependency chain
+- **Usage-aware reachability** — optionally uses static analysis to detect whether vulnerable packages are actually imported in your code, cutting noise with `--usage` and `--only-used`
+- **Offline advisory DB** — sync advisory data ahead of time and scan with zero runtime API calls, designed for enterprise and air-gapped environments
+- **Interactive HTML report** — generate a self-contained dashboard with severity cards, a searchable findings table, and copy-ready fix commands (`--report`)
+- **Auto-fix mode** — apply validated direct dependency fixes and rescan automatically (`--fix`)
+- **CI-ready** — `--fail-on high` exits non-zero on findings at or above a severity threshold; a first-party [GitHub Action](https://github.com/marketplace/actions/cve-lite-cli) is available on the Marketplace
+- **Minimal footprint** — four runtime dependencies, intentionally kept small for a security tool
 
 ## What it looks like
 
@@ -126,16 +123,97 @@ For detailed per-tool analysis, see [Comparison with other tools](docs/compariso
 </p>
 </details>
 
-## HTML vulnerability report (`--report`)
+## Workflow integration
 
-Generate a self-contained HTML dashboard from any scan — severity cards, an interactive findings table, and copy-ready fix commands, all written to a local directory and opened automatically in your browser.
+CVE Lite CLI fits at every stage of the development workflow, not just CI.
 
-```bash
-cve-lite /path/to/project --report
-cve-lite /path/to/project --report ./my-report --no-open
+**Local development** — run a scan before opening a PR. The default output is fast and minimal. `--verbose` adds the full fix plan with dependency paths and prioritized remediation commands. `--report` opens an interactive HTML dashboard.
+
+**CI pipelines** — use `--fail-on high` to gate builds on severity. JSON output (`--json`) integrates with SIEM, dashboards, and custom automation. SARIF output is on the roadmap for direct integration with GitHub Security.
+
+**Restricted and enterprise environments** — sync the advisory database ahead of time with `cve-lite advisories sync`, then scan offline with `--offline`. No runtime outbound calls during the scan. Syncing ~217,065 advisory records completes in under 9 seconds.
+
+**GitHub Actions** — a first-party action is available on the Marketplace:
+
+```yaml
+- uses: OWASP/cve-lite-cli@v1
+  with:
+    verbose: "true"
+    fail-on: high
 ```
 
-See the [HTML Report guide](docs/html-report.md) for the full option reference and output details.
+CVE Lite CLI scans its own dependencies in CI. See [`self-scan.yml`](https://github.com/OWASP/cve-lite-cli/blob/main/.github/workflows/self-scan.yml).
+
+For full CI patterns including offline workflows, git hooks, and scripted automation, see the [CI and Workflow Integration guide](docs/ci-integration.md).
+
+## How it compares
+
+| Capability | CVE Lite CLI | npm audit | OSV-Scanner | Snyk CLI | Socket CLI |
+|---|:---:|:---:|:---:|:---:|:---:|
+| JS/TS lockfile scanning | ✅ | ✅ | ✅ | ✅ | ✅ |
+| npm + pnpm + Yarn + Bun support | ✅ | ❌ | ✅ | ✅ | ✅ |
+| No account required | ✅ | ✅ | ✅ | ❌ | ❌ |
+| Free to use | ✅ | ✅ | ✅ | ❌ | ❌ |
+| Usage-aware reachability scanning | ✅ | ❌ | ❌ | ✅ | ⚠️ |
+| Direct vs transitive visibility | ✅ | ⚠️ | ✅ | ✅ | ✅ |
+| Copy-and-run fix commands | ✅ | ❌ | ❌ | ✅ | ⚠️ |
+| Suggested remediation plan | ✅ | ❌ | ⚠️ | ✅ | ⚠️ |
+| JSON output | ✅ | ✅ | ✅ | ✅ | ✅ |
+| Offline/local advisory DB | ✅ | ❌ | ⚠️ | ❌ | ❌ |
+
+<sub>✅ = built-in strength · ⚠️ = partial or workflow-dependent · ❌ = not a core strength</sub>
+
+For detailed per-tool analysis, see [Comparison with other tools](docs/comparison.md).
+
+## Real-world validation
+
+CVE Lite CLI has been evaluated against real open-source projects to verify that it surfaces meaningful issues — including non-obvious transitive vulnerabilities and complex upgrade paths — not just low-signal advisory matches.
+
+- [OWASP Juice Shop](docs/case-studies/owasp-juice-shop.md) — scanning a deliberately vulnerable application with known dependency issues
+- [NestJS](docs/case-studies/nestjs.md) — working through a real transitive dependency remediation sequence across a widely-used Node.js framework
+- [Analog](docs/case-studies/analog.md) — scanning a modern pnpm v9 Angular monorepo (3,367 packages) with unexpected toolchain vulnerabilities
+
+These are not demos. They are documented scans against real codebases with real findings, recorded before and after applying fix commands.
+
+If you maintain an open-source JavaScript or TypeScript project and want CVE Lite CLI evaluated on it, open an issue and share the repository. Strong candidates may be turned into future public case studies.
+
+## Recognized by OWASP
+
+CVE Lite CLI is an [OWASP Incubator Project](https://owasp.org/cve-lite-cli), peer-reviewed and maintained under the Open Web Application Security Project Foundation. Being part of OWASP means:
+
+- **Peer-reviewed** by security professionals
+- **Community-driven** development and governance
+- **Vendor-neutral** with no commercial platform required
+- **Open source** with transparent security practices and a minimal dependency footprint
+
+**Where it fits in the OWASP ecosystem:**
+
+CVE Lite CLI fills a specific gap — fast, local-first JS/TS dependency scanning close to release time — that broader OWASP tools are not optimized for:
+
+| Tool | Focus |
+|---|---|
+| CVE Lite CLI | Lockfile-first, local developer CLI, remediation-focused, JS/TS |
+| OWASP Dependency-Check | Multi-language, SAST-style, broader ecosystem |
+| OWASP dep-scan | Multi-language and environment, SBOM and cloud-native |
+| OWASP Dependency-Track | Platform and SBOM management, not a local CLI |
+
+CVE Lite CLI complements these tools. It is not a replacement for continuous monitoring or full SBOM management — it is the fast local check you run before pushing.
+
+## Philosophy
+
+Security tooling has optimized heavily for breadth of detection and compliance reporting. That is useful at the platform level. It is the wrong model for the individual developer trying to ship clean code before end of day.
+
+Detection without remediation creates work without resolution. A vulnerability report that ends with a list of CVE IDs shifts the burden entirely onto the developer: look up each advisory, figure out which version is safe, work out whether it is a direct or transitive dependency, and construct the right install command by hand. That friction is why security findings go unresolved.
+
+CVE Lite CLI is built on the premise that **the closer a security tool is to the developer's natural workflow, the more likely it is to be used** — and that a tool that surfaces a problem alongside the fix is more valuable than one that only surfaces the problem.
+
+## What's next
+
+The CLI is the foundation. The model — local-first, actionable, developer-native — extends naturally beyond the terminal.
+
+JSON and SARIF outputs make findings consumable by editors, dashboards, and automated workflows today. The next phase of the project is oriented around tighter developer integration: surfacing vulnerabilities at the point of dependency installation, not just at scan time; deeper IDE integration; and team-level visibility without requiring a cloud platform.
+
+See [roadmap.md](docs/roadmap.md) for the current plan.
 
 ## Usage
 
@@ -192,7 +270,7 @@ cve-lite --version
 
 ### Why is `--usage` an opt-in flag?
 
-CVE Lite CLI is designed to be blazing fast. Scanning a lockfile is nearly instantaneous, whereas running static reachability analysis across thousands of source files takes significantly more time. Furthermore, static analysis can occasionally produce false negatives (e.g., if a package is used in a build script or dynamically imported at runtime). Making `--usage` opt-in ensures the default lockfile scan remains instant and strictly reflects your dependency graph, while giving you the option to aggressively filter out unreachable noise when triaging findings.
+CVE Lite CLI is designed to be fast. Scanning a lockfile is nearly instantaneous, whereas running static reachability analysis across thousands of source files takes significantly more time. Static analysis can also produce false negatives when packages are used in build scripts or dynamically imported at runtime. Making `--usage` opt-in ensures the default lockfile scan remains instant and strictly reflects your dependency graph, while giving you the option to aggressively filter out unreachable noise when triaging findings.
 
 ## Auto-fix mode (`--fix`)
 
@@ -210,6 +288,17 @@ npx cve-lite-cli /path/to/project --fix
 
 See the [Fix mode guide](docs/fix-mode.md) for output details and interpretation.
 
+## HTML vulnerability report (`--report`)
+
+Generate a self-contained HTML dashboard from any scan — severity cards, an interactive findings table with search, copy-ready fix commands, and breaking-change indicators on upgrades — all written to a local directory and opened automatically in your browser.
+
+```bash
+cve-lite /path/to/project --report
+cve-lite /path/to/project --report ./my-report --no-open
+```
+
+See the [HTML Report guide](docs/html-report.md) for the full option reference and output details.
+
 ## Offline support
 
 For teams in enterprise, restricted-network, or air-gapped environments:
@@ -226,51 +315,6 @@ Syncing ~217,065 advisory records runs in under 9 seconds after bulk SQLite inge
 
 See the [Offline Advisory DB guide](docs/offline-advisory-db.md) for the full workflow including CI, scheduled refresh, and controlled-network patterns.
 
-## CI integration
-
-The project ships a first-party [GitHub Action on the Marketplace](https://github.com/marketplace/actions/cve-lite-cli):
-
-```yaml
-- uses: OWASP/cve-lite-cli@v1
-  with:
-    verbose: "true"
-    fail-on: high
-```
-
-CVE Lite CLI also uses itself in CI to scan its own dependencies. See [`self-scan.yml`](https://github.com/OWASP/cve-lite-cli/blob/main/.github/workflows/self-scan.yml).
-
-For full CI patterns including offline workflows, git hooks, and scripted automation, see the [CI and Workflow Integration guide](docs/ci-integration.md).
-
-## Recognized by OWASP
-
-CVE Lite CLI is an [OWASP Incubator Project](https://owasp.org/cve-lite-cli), peer-reviewed and maintained under the Open Web Application Security Project Foundation. Being part of OWASP means:
-
-- **Peer-reviewed** by security professionals
-- **Community-driven** development and governance
-- **Vendor-neutral** with no commercial platform required
-- **Open source** with transparent security practices and a minimal dependency footprint
-
-**Where it fits in the OWASP ecosystem:**
-
-CVE Lite CLI fills a specific gap — fast, local-first JS/TS dependency scanning close to release time — that broader OWASP tools are not optimized for:
-
-| Tool | Focus |
-|---|---|
-| CVE Lite CLI | Lockfile-first, local developer CLI, remediation-focused, JS/TS |
-| OWASP Dependency-Check | Multi-language, SAST-style, broader ecosystem |
-| OWASP dep-scan | Multi-language and environment, SBOM and cloud-native |
-| OWASP Dependency-Track | Platform and SBOM management, not a local CLI |
-
-CVE Lite CLI complements these tools. It is not a replacement for continuous monitoring or full SBOM management — it is the fast local check you run before pushing.
-
-## Real-world case studies
-
-- [OWASP Juice Shop](docs/case-studies/owasp-juice-shop.md) — scanning a deliberately vulnerable application with known dependency issues
-- [NestJS](docs/case-studies/nestjs.md) — working through a real transitive dependency remediation sequence
-- [Analog](docs/case-studies/analog.md) — scanning a modern pnpm v9 Angular monorepo (3,367 packages) with unexpected toolchain vulnerabilities
-
-If you maintain an open-source JavaScript or TypeScript project and want CVE Lite CLI evaluated on it, open an issue and share the repository. Strong candidates may be turned into future public case studies.
-
 ## Who uses it
 
 CVE Lite CLI is a good fit for:
@@ -339,6 +383,10 @@ For security-related reporting: [SECURITY.md](https://github.com/OWASP/cve-lite-
 
 If CVE Lite CLI helps your release workflow, a [GitHub star](https://github.com/OWASP/cve-lite-cli) helps more developers find it.
 
+---
+
+*Most tools tell you what's wrong. CVE Lite CLI tells you what to run.*
+
 ## License
 
 MIT