This page documents how to regenerate the checked-in no-network example
artifacts for sbom-diff-and-risk.
Use this when an example input changes, such as
examples/requirements_before.txt or examples/requirements_after.txt.
The generated sample reports are intentionally committed so reviewers can
compare deterministic output without running enrichment services.
From tools/sbom-diff-and-risk:
python scripts/regenerate-example-artifacts.pyThe script regenerates these local, deterministic artifacts:
examples/sample-report.jsonexamples/sample-summary.jsonexamples/sample-report.mdexamples/sample-policy-warn-report.jsonexamples/sample-policy-warn-report.mdexamples/sample-policy-fail-report.jsonexamples/sample-policy.jsonexamples/sample-policy-fail-report.mdexamples/sample-requirements-report.jsonexamples/sample-requirements-report.mdexamples/sample-sarif.sarif
The strict-policy example intentionally exits with code 1 because it produces
blocking local policy findings. The script treats that as expected while still
capturing the generated reports.
The examples/policy-decisions/ fixtures are hand-authored consumer examples
for pass, warn, fail, and needs-review review outcomes. They are
validated by tests, but they are not regenerated by this script because
needs-review is a consumer interpretation rather than a runtime
summary.policy.status value.
Use --check to verify that generated output matches the checked-in artifacts
without modifying the repository:
python scripts/regenerate-example-artifacts.py --checkThe test suite runs this check mode so stale local JSON, Markdown, summary, or policy-sidecar examples fail predictably.
Use --list to see the available artifact set slugs:
python scripts/regenerate-example-artifacts.py --listUse --only SLUG to regenerate or check a focused subset:
python scripts/regenerate-example-artifacts.py --check --only requirements--only can be repeated when a change affects more than one artifact set.
The regeneration script covers no-network JSON, Markdown, summary, policy sidecar, policy-warning SARIF, and strict-policy SARIF examples produced through the public CLI.
It does not perform PyPI or Scorecard enrichment, does not call external services, and does not make dependency safety claims. Provenance-aware, Scorecard-aware, and enriched SARIF sample artifacts remain covered by their focused golden tests because those examples include mocked evidence.
For reviewer-facing interpretation of each checked-in example artifact, see reviewer-path.md#artifact-evidence-map.
For examples/sample-sarif.sarif, the script normalizes the generated
originalUriBaseIds.%SRCROOT%.uri value to file:///__PROJECT_ROOT__/ so
checked-in output does not depend on a maintainer's local checkout path.