
Phase 2d: add --json flag for machine-readable stdout output#122

Merged
advaitpatel merged 1 commit into main from feat/json-stdout on Jul 2, 2026

Conversation

@advaitpatel advaitpatel (Collaborator) commented Jul 2, 2026

Summary

Adds --json so DockSec results can be piped into other tools and CI pipelines as
clean, parseable JSON. Fourth of the Phase 2 sequence.

Changes

  • --json: prints one JSON object to stdout (scan_info, vulnerabilities,
    severity_counts, ai_analysis when available, report_files when files were written).
  • All human-readable output moves to stderr in --json mode (banner, sections,
    info/warn/error, the result summary) so stdout is never polluted.
  • --json alone writes no report files; pair with --format to also write files, and
    their paths are included in the JSON payload under report_files.
  • The Docker Scout advanced scan is skipped under --json (not part of the payload).
  • --fail-on and exit codes are unchanged: the gate still evaluates the same findings
    regardless of --json.

Notes

  • No default behavior change: omitting --json behaves exactly as before.
  • The JSON shape mirrors what ReportGenerator.generate_json_report writes to disk,
    so --json and the JSON report file stay consistent.

Testing

  • ruff check . passes.
  • pytest: 126 passed (+7: JSON payload shape/contents, stdout purity, --format
    interaction, --fail-on exit code with --json).
  • Manual runs verified: pure JSON on stdout, zero files by default, --json + --format
    writes files and reports their paths, --fail-on still gates with exit 1, invalid
    --format still errors on stderr with exit 2 and empty stdout.

@advaitpatel advaitpatel merged commit dd7c84f into main Jul 2, 2026
8 checks passed
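The stdout/stderr contract and the `--fail-on` gate described in the PR above, as an added example that is not DockSec's own code: a small in-memory model of a `--json` run (one JSON object on stdout, every diagnostic on stderr, exit 1 when the gate trips, exit 2 with empty stdout on a bad `--format`) together with the CI-side consumer that depends on stdout staying pure. Only the top-level keys `scan_info`, `vulnerabilities`, `severity_counts` and `report_files` come from the PR; the sub-fields inside `scan_info`, the severity ordering, the set of valid formats, the report file name and the helper names (`run_cli`, `consume`, `stdout_is_pure`, `demo`) are this example's own assumptions.

```python
"""Added example, not DockSec's own code: a model of the --json contract
(JSON on stdout, diagnostics on stderr, --fail-on gating, exit 2 on a bad
--format) plus the CI-side consumer that relies on it.

Assumed, not taken from the PR: scan_info sub-fields, severity ordering,
valid --format values, the report file name and all function names."""
import json
import sys
from io import StringIO

SEVERITY_ORDER = ["critical", "high", "medium", "low"]   # assumed order
VALID_FORMATS = {"json", "html", "txt"}                   # assumed set

# Constructed sample findings; not output from a real scan.
SAMPLE_FINDINGS = [
    {"id": "F-1", "severity": "high",   "title": "container runs as root"},
    {"id": "F-2", "severity": "medium", "title": "no HEALTHCHECK instruction"},
    {"id": "F-3", "severity": "low",    "title": "apt cache left in layer"},
]


def severity_counts(findings):
    """Count findings per severity, always emitting every bucket."""
    counts = {s: 0 for s in SEVERITY_ORDER}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


def gate_exit_code(counts, fail_on):
    """1 if any finding is at or above fail_on, else 0 (the --fail-on gate)."""
    if fail_on is None:
        return 0
    threshold = SEVERITY_ORDER.index(fail_on)
    return 1 if any(counts[s] for s in SEVERITY_ORDER[: threshold + 1]) else 0


def run_cli(findings, target, fail_on=None, fmt=None, out=sys.stdout, err=sys.stderr):
    """Model of `docksec <target> --json [--fail-on X] [--format F]`.

    Everything human-readable goes to `err`; `out` receives exactly one
    JSON object, or nothing at all on a usage error (exit 2)."""
    print(f"[info] scanning {target}", file=err)
    if fmt is not None and fmt not in VALID_FORMATS:
        print(f"[error] invalid --format: {fmt}", file=err)
        return 2   # stdout deliberately left empty
    payload = {
        "scan_info": {"target": target, "finding_count": len(findings)},
        "vulnerabilities": findings,
        "severity_counts": severity_counts(findings),
    }
    if fmt is not None:
        # --json alone writes nothing; with --format the written paths are reported.
        payload["report_files"] = [f"docksec-report.{fmt}"]   # assumed file name
    print(f"[info] {len(findings)} findings", file=err)
    out.write(json.dumps(payload) + "\n")
    return gate_exit_code(payload["severity_counts"], fail_on)


def stdout_is_pure(text):
    """True only if the whole of stdout parses as a single JSON object."""
    try:
        return isinstance(json.loads(text), dict)
    except json.JSONDecodeError:
        return False


def consume(stdout_text):
    """CI side: parse stdout and check for the keys the PR promises."""
    if not stdout_is_pure(stdout_text):
        raise ValueError("stdout is not a single JSON object; was it polluted?")
    payload = json.loads(stdout_text)
    required = ("scan_info", "vulnerabilities", "severity_counts")
    missing = [k for k in required if k not in payload]
    if missing:
        raise ValueError(f"payload missing keys: {missing}")
    return payload


def demo(fail_on=None, fmt=None):
    """Run the model in memory; return (exit_code, payload or None, stderr text)."""
    out, err = StringIO(), StringIO()
    code = run_cli(SAMPLE_FINDINGS, "Dockerfile", fail_on=fail_on, fmt=fmt,
                   out=out, err=err)
    payload = consume(out.getvalue()) if out.getvalue() else None
    return code, payload, err.getvalue()


if __name__ == "__main__":
    code, payload, _ = demo(fail_on="high")
    print(json.dumps(payload["severity_counts"]), "exit", code)
```

In a real pipeline the consumer would read the subprocess's stdout only; anything that sneaks a banner or a warning onto stdout breaks `json.loads`, which is exactly the "stdout purity" property the PR's tests assert, and the gate's exit code is still what CI branches on.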
