You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: tools/sbom-diff-and-risk/README.md
+30-6Lines changed: 30 additions & 6 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,11 +1,18 @@
1
1
# sbom-diff-and-risk
2
2
3
-
v0.3.0 adds opt-in PyPI provenance enrichment, provenance-aware policy and reporting, optional advisory Scorecard signals, and self-provenance verification guidance for workflow-built artifacts.
3
+
v0.4 keeps dependency analysis local and deterministic by default while improving how consumers verify `sbom-diff-and-risk` itself through workflow-built artifacts and GitHub Release assets.
4
4
5
5
`sbom-diff-and-risk` is a local, deterministic CLI for comparing two SBOMs or dependency manifests and producing JSON plus Markdown reports.
6
6
7
7
It uses conservative heuristics for change intelligence. By default it does not resolve CVEs, does not act as a reputation oracle, and does not perform hidden network enrichment.
8
8
9
+
## Start Here
10
+
11
+
This project has two different provenance stories:
12
+
13
+
1. If you want to verify `sbom-diff-and-risk` itself, start with [docs/verification.md](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/docs/verification.md).
14
+
2. If you want to use `sbom-diff-and-risk` to analyze third-party dependency provenance, start with [Dependency provenance analysis](#dependency-provenance-analysis-opt-in) and [Dependency provenance reporting](#dependency-provenance-reporting).
15
+
9
16
## Scope
10
17
11
18
- Normalize two local inputs into a shared component schema.
@@ -163,7 +170,9 @@ sbom-diff-risk compare \
163
170
164
171
Offline mode remains the default. No network access occurs unless `--enrich-pypi` or `--enrich-scorecard` is set explicitly.
165
172
166
-
## Opt-in Provenance Enrichment
173
+
## Dependency Provenance Analysis (Opt-in)
174
+
175
+
This section is about analyzing third-party package provenance signals. It is not about verifying the `sbom-diff-and-risk` tool's own release artifacts.
167
176
168
177
PyPI provenance and integrity enrichment is explicit and additive in this PR:
169
178
@@ -186,7 +195,7 @@ sbom-diff-risk compare \
186
195
--out-json outputs/report-enriched.json
187
196
```
188
197
189
-
## Provenance-Aware Reporting
198
+
## Dependency Provenance Reporting
190
199
191
200
When provenance enrichment is enabled, the reports surface trust signals directly instead of burying them in component evidence:
192
201
@@ -221,17 +230,26 @@ If you want policy gating, make it explicit with a v3 policy such as [policy-sco
221
230
222
231
Setting `minimum_scorecard_score` alone is advisory metadata for review. It only affects policy outcomes when `scorecard_below_threshold` is configured explicitly in `block_on`, `warn_on`, or `ignore_rules`.
223
232
224
-
## Self-provenance
233
+
## Tool Provenance And Verification
234
+
235
+
This section is about verifying `sbom-diff-and-risk` itself. If you want the shortest path to the right verification instructions, start with [docs/verification.md](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/docs/verification.md).
225
236
226
237
This repository also records provenance for `sbom-diff-and-risk` itself by generating GitHub artifact attestations for the wheel and source distribution produced by the `sbom-diff-and-risk-ci` workflow.
227
238
228
239
- the attested files are the wheel and source distribution built by `python -m build` from `tools/sbom-diff-and-risk`
229
240
- the build files are uploaded together as the `sbom-diff-and-risk-dist` workflow artifact
241
+
- version-tag runs also publish those same built files as GitHub Release assets for the matching tag
230
242
- only trusted non-PR runs publish the attestation
231
-
- consumers can verify provenance with GitHub's attestation tooling after downloading one of those artifacts
243
+
- consumers can verify workflow-built artifacts with `gh attestation verify`
244
+
- consumers can verify immutable releases and downloaded release assets with `gh release verify` and `gh release verify-asset`
232
245
- this complements the tool's analysis of third-party supply-chain inputs, but it does not replace that analysis
233
246
234
-
See [docs/self-provenance.md](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/docs/self-provenance.md) for the exact attested filenames, where the evidence appears in GitHub, and a run-by-run verification flow for consumers.
247
+
Verification docs:
248
+
249
+
-[docs/verification.md](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/docs/verification.md) for the quick decision guide
250
+
-[docs/self-provenance.md](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/docs/self-provenance.md) for workflow-artifact attestation
251
+
-[docs/release-provenance.md](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/docs/release-provenance.md) for release-asset verification and immutable release guidance
252
+
-[docs/pypi-trusted-publishing-readiness.md](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/docs/pypi-trusted-publishing-readiness.md) for PyPI publishing prerequisites and sequencing
235
253
236
254
## Examples
237
255
@@ -306,8 +324,14 @@ sbom-diff-risk compare \
306
324
307
325
For GitHub code scanning integration guidance and a minimal upload workflow, see [docs/github-code-scanning.md](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/docs/github-code-scanning.md).
308
326
327
+
For the shortest path to the tool-verification docs, start with [docs/verification.md](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/docs/verification.md).
328
+
309
329
For details on how this repository attests the tool's own wheel and source distribution artifacts, see [docs/self-provenance.md](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/docs/self-provenance.md).
310
330
331
+
For details on how version-tag releases publish those same build outputs as release assets, and how consumers can verify immutable releases with GitHub CLI, see [docs/release-provenance.md](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/docs/release-provenance.md).
332
+
333
+
For PyPI Trusted Publishing readiness, prerequisites, and the reasons this repository does not enable PyPI upload yet, see [docs/pypi-trusted-publishing-readiness.md](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/docs/pypi-trusted-publishing-readiness.md).
334
+
311
335
## Parser Boundaries
312
336
313
337
Deterministic local mode intentionally supports a conservative subset of packaging syntax. The detailed matrix lives in [docs/parser-boundaries.md](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/docs/parser-boundaries.md).
Copy file name to clipboardExpand all lines: tools/sbom-diff-and-risk/docs/github-code-scanning.md
+13Lines changed: 13 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -11,6 +11,7 @@ The example workflow in `.github/workflows/sbom-diff-and-risk-code-scanning.yml`
11
11
- checks out the repository
12
12
- installs Python and the local tool
13
13
- runs `sbom-diff-risk compare ... --out-sarif`
14
+
- uploads the generated SARIF file as the workflow artifact `sbom-diff-and-risk-sarif`
14
15
- uploads the generated SARIF file with `github/codeql-action/upload-sarif`
15
16
16
17
The example intentionally uses local example inputs and does not depend on secrets or network enrichment.
@@ -51,6 +52,18 @@ Set a SARIF category when you upload more than one analysis for the same commit
51
52
52
53
If you upload multiple SARIF files for the same tool and commit without distinct categories, later uploads replace earlier ones. In GitHub Actions, set the `category:` input on `github/codeql-action/upload-sarif`. Outside Actions, use `runAutomationDetails.id` in the SARIF file.
53
54
55
+
## Manual verification for one workflow run
56
+
57
+
After merging a change that touches `tools/sbom-diff-and-risk` or the workflow file itself:
58
+
59
+
1. Open the repository's **Actions** tab.
60
+
2. Open a successful `sbom-diff-and-risk-code-scanning` run for the pull request, or trigger it manually with `workflow_dispatch`.
61
+
- the visible run name starts with `sbom-diff-and-risk code scanning / <event> / <ref>`
62
+
3. Confirm that the `upload-sarif` job completed successfully.
63
+
4. Download the `sbom-diff-and-risk-sarif` artifact and confirm it contains `report.sarif`.
64
+
5. Open the repository's **Security** tab, then **Code scanning**.
65
+
6. Confirm the uploaded analysis appears under the category `sbom-diff-risk/example`.
66
+
54
67
## What this integration does not cover
55
68
56
69
- It does not add CVE lookup or advisory enrichment.
0 commit comments