You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: tools/sbom-diff-and-risk/docs/reviewer-brief.md
+2-1Lines changed: 2 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -15,7 +15,7 @@ Dependency review often needs evidence that is stable enough for code review, CI
15
15
| Area | What exists |
16
16
| --- | --- |
17
17
| Deterministic local analysis | Compares CycloneDX, SPDX, `requirements.txt`, and conservative `pyproject.toml` inputs without hidden network access by default. |
18
-
| Reviewer output | Produces JSON and Markdown reports for dependency diffs, heuristic risk buckets, and policy outcomes. |
18
+
| Reviewer output | Produces JSON and Markdown reports for dependency diffs, heuristic risk buckets, and policy outcomes. It can also write compact `summary.json` and policy-only `policy.json` sidecars for CI consumers. |
19
19
| Security tooling output | Emits a conservative SARIF subset for selected high-signal findings and explicit policy violations. |
20
20
| Provenance-aware reporting | Optionally records PyPI provenance and integrity evidence when `--enrich-pypi` is enabled. |
21
21
| Scorecard signals | Optionally records OpenSSF Scorecard evidence when `--enrich-scorecard` is enabled and a repository mapping is explicit enough. |
@@ -29,6 +29,7 @@ Dependency review often needs evidence that is stable enough for code review, CI
29
29
| How can a reviewer reproduce the core evidence? |[reviewer-evidence-pack.md](reviewer-evidence-pack.md) for demo, release, TestPyPI, and SARIF verification paths. |
30
30
| What is the stable JSON shape? |[report-schema.md](report-schema.md) documents the machine-readable report structure and `summary` contract. |
31
31
| How are policy findings explained? |[policy-decision-explainability.md](policy-decision-explainability.md) documents the policy decision metadata in JSON reports. |
32
+
| Can CI consume compact policy decisions? |[policy-decision-ci-cookbook.md](policy-decision-ci-cookbook.md), [examples/sample-policy.json](../examples/sample-policy.json), and [examples/github-actions-policy-consumer.yml](../examples/github-actions-policy-consumer.yml) show the policy sidecar path. |
32
33
| Are default runs offline? | CLI docs, tests for no-enrichment behavior, and explicit enrichment flags. |
33
34
| Can code scanning consume the output? |`docs/github-code-scanning.md` and `examples/sample-sarif.sarif`. |
34
35
| Can the tool's own artifacts be verified? |`docs/self-provenance.md` for workflow artifact attestations. |
0 commit comments