Skip to content

Commit b556aca

Browse files
authored
[codex] Sync policy JSON reviewer docs
1 parent 8908971 commit b556aca

2 files changed

Lines changed: 34 additions & 5 deletions

File tree

tools/sbom-diff-and-risk/docs/reviewer-brief.md

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -15,7 +15,7 @@ Dependency review often needs evidence that is stable enough for code review, CI
1515
| Area | What exists |
1616
| --- | --- |
1717
| Deterministic local analysis | Compares CycloneDX, SPDX, `requirements.txt`, and conservative `pyproject.toml` inputs without hidden network access by default. |
18-
| Reviewer output | Produces JSON and Markdown reports for dependency diffs, heuristic risk buckets, and policy outcomes. |
18+
| Reviewer output | Produces JSON and Markdown reports for dependency diffs, heuristic risk buckets, and policy outcomes. It can also write compact `summary.json` and policy-only `policy.json` sidecars for CI consumers. |
1919
| Security tooling output | Emits a conservative SARIF subset for selected high-signal findings and explicit policy violations. |
2020
| Provenance-aware reporting | Optionally records PyPI provenance and integrity evidence when `--enrich-pypi` is enabled. |
2121
| Scorecard signals | Optionally records OpenSSF Scorecard evidence when `--enrich-scorecard` is enabled and a repository mapping is explicit enough. |
@@ -29,6 +29,7 @@ Dependency review often needs evidence that is stable enough for code review, CI
2929
| How can a reviewer reproduce the core evidence? | [reviewer-evidence-pack.md](reviewer-evidence-pack.md) for demo, release, TestPyPI, and SARIF verification paths. |
3030
| What is the stable JSON shape? | [report-schema.md](report-schema.md) documents the machine-readable report structure and `summary` contract. |
3131
| How are policy findings explained? | [policy-decision-explainability.md](policy-decision-explainability.md) documents the policy decision metadata in JSON reports. |
32+
| Can CI consume compact policy decisions? | [policy-decision-ci-cookbook.md](policy-decision-ci-cookbook.md), [examples/sample-policy.json](../examples/sample-policy.json), and [examples/github-actions-policy-consumer.yml](../examples/github-actions-policy-consumer.yml) show the policy sidecar path. |
3233
| Are default runs offline? | CLI docs, tests for no-enrichment behavior, and explicit enrichment flags. |
3334
| Can code scanning consume the output? | `docs/github-code-scanning.md` and `examples/sample-sarif.sarif`. |
3435
| Can the tool's own artifacts be verified? | `docs/self-provenance.md` for workflow artifact attestations. |

tools/sbom-diff-and-risk/docs/reviewer-evidence-pack.md

Lines changed: 32 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -37,8 +37,8 @@ sbom-diff-risk compare `
3737
--out-md outputs/report.md
3838
```
3939

40-
Expected output files:
41-
40+
Expected output files:
41+
4242
- `outputs/report.json`
4343
- `outputs/summary.json`
4444
- `outputs/report.md`
@@ -55,8 +55,33 @@ No differences means the sample path reproduced the committed example output.
5555

5656
`examples/sample-summary.json` is the summary-only artifact for the same run
5757
and is expected to match `examples/sample-report.json`'s `summary` object.
58-
59-
Generate the strict-policy SARIF sample:
58+
59+
Generate the strict-policy JSON sidecar:
60+
61+
```powershell
62+
sbom-diff-risk compare `
63+
--before examples/cdx_before.json `
64+
--after examples/cdx_after.json `
65+
--policy examples/policy-strict.yml `
66+
--out-json outputs/policy-report.json `
67+
--policy-json outputs/policy.json
68+
```
69+
70+
The strict policy example returns exit code `1` because it intentionally
71+
produces blocking local policy findings. The JSON artifacts are still written.
72+
73+
Compare the sidecar output against the checked-in sample:
74+
75+
```powershell
76+
Compare-Object (Get-Content examples/sample-policy.json) (Get-Content outputs/policy.json)
77+
```
78+
79+
`examples/sample-policy.json` is expected to match the policy-related sections
80+
from `outputs/policy-report.json`, including `summary.policy`, policy finding
81+
lists, and `rule_catalog`. It intentionally omits full report `components` and
82+
`risks`.
83+
84+
Generate the strict-policy SARIF sample:
6085

6186
```powershell
6287
sbom-diff-risk compare `
@@ -86,6 +111,9 @@ and suppressions.
86111
For CI job-summary examples that consume policy decision metadata, see
87112
[policy-decision-ci-cookbook.md](policy-decision-ci-cookbook.md).
88113

114+
For a copyable GitHub Actions example that captures `outputs/policy.json`, see
115+
[../examples/github-actions-policy-consumer.yml](../examples/github-actions-policy-consumer.yml).
116+
89117
For CI dashboard, job-summary, and local-threshold examples that consume
90118
`outputs/summary.json`, see
91119
[summary-json-ci-cookbook.md](summary-json-ci-cookbook.md).

0 commit comments

Comments
 (0)