Phase 2d: add --json flag for machine-readable stdout output#122
Merged
## Summary

Adds `--json` so DockSec results can be piped into other tools and CI pipelines as clean, parseable JSON. Fourth of the Phase 2 sequence.

## Changes

- `--json`: prints one JSON object to stdout (scan_info, vulnerabilities, severity_counts, ai_analysis when available, report_files when files were written).
- All human-readable output moves to stderr in `--json` mode (banner, sections, info/warn/error, the result summary) so stdout is never polluted.
- `--json` alone writes no report files; pair with `--format` to also write files - their paths are included in the JSON payload under `report_files`.
- The Docker Scout advanced scan is skipped under `--json` (not part of the payload).
- `--fail-on` and exit codes are unchanged: the gate still evaluates the same findings regardless of `--json`.

## Notes

- No default behavior change: omitting `--json` behaves exactly as before.
- The JSON shape mirrors what `ReportGenerator.generate_json_report` writes to disk, so `--json` and the JSON report file stay consistent.

## Testing

- `ruff check .` passes.
- `pytest`: 126 passed (+7: JSON payload shape/contents, stdout purity, `--format` interaction, `--fail-on` exit code with `--json`).
- Manual runs verified: pure JSON on stdout, zero files by default, `--json` + `--format` writes files and reports their paths, `--fail-on` still gates with exit 1, invalid `--format` still errors on stderr with exit 2 and empty stdout.
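The stdout/stderr split and the `--fail-on` gate described in this PR, as an added Python example that is not DockSec's own code; the severity scale in `SEVERITY_ORDER`, the finding dict shape, the `scan_info` contents and the sample findings are assumptions constructed for the example.

```python
import io
import json
SEVERITY_ORDER = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]  # assumed ordering for --fail-on

# Constructed sample findings standing in for a real scanner's output.
SAMPLE_FINDINGS = [
    {"id": "SAMPLE-1", "severity": "HIGH", "title": "constructed high finding"},
    {"id": "SAMPLE-2", "severity": "LOW", "title": "constructed low finding"},
]

def severity_counts(findings):
    counts = {s: 0 for s in SEVERITY_ORDER}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts

def build_payload(image, findings, ai_analysis=None, report_files=None):
    # Same top-level keys the PR lists; optional keys appear only when present.
    payload = {
        "scan_info": {"image": image, "finding_count": len(findings)},
        "vulnerabilities": findings,
        "severity_counts": severity_counts(findings),
    }
    if ai_analysis is not None:
        payload["ai_analysis"] = ai_analysis
    if report_files:
        payload["report_files"] = report_files
    return payload

def gate_exit_code(findings, fail_on):
    # --fail-on evaluates the findings themselves, independent of output mode.
    if fail_on is None:
        return 0
    threshold = SEVERITY_ORDER.index(fail_on)
    return int(any(SEVERITY_ORDER.index(f["severity"]) >= threshold for f in findings))

def run(image, findings, json_mode=False, fail_on=None, report_files=None):
    """Return (exit_code, stdout_text, stderr_text) for one simulated scan."""
    out, err = io.StringIO(), io.StringIO()
    human = err if json_mode else out  # human-readable text moves to stderr under --json
    print(f"Scanning {image} ...", file=human)
    if json_mode:
        payload = build_payload(image, findings, report_files=report_files)
        out.write(json.dumps(payload) + "\n")
    else:
        print(f"{len(findings)} findings; see the written report", file=out)
    return gate_exit_code(findings, fail_on), out.getvalue(), err.getvalue()

def parse_stdout(text):  # consumer's check: stdout must parse as exactly one JSON object
    return json.loads(text)
```

A CI consumer can call `parse_stdout` on the captured stdout and read the exit code separately, which is the contract the PR's "stdout purity" tests enforce.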