[codex] Add optional policy JSON output #50

Merged
stacknil merged 1 commit into main from codex/add-policy-json-output
May 10, 2026

Conversation

@stacknil (Owner)

Brief Design Summary

This PR adds optional --policy-json PATH support to sbom-diff-risk compare.

When provided, the command writes a policy-only JSON sidecar using the same policy-related sections already present in the full report.json. The sidecar includes policy_evaluation, policy finding lists, rule_catalog, summary.policy when policy evaluation is applied, and provenance policy sections when those sections are relevant.

The implementation reuses the existing report rendering helpers and does not create a second policy finding schema. Existing --out-json, --summary-json, Markdown, and SARIF behavior remains unchanged.

Files Changed

  • tools/sbom-diff-and-risk/src/sbom_diff_risk/cli.py
  • tools/sbom-diff-and-risk/src/sbom_diff_risk/report_json.py
  • tools/sbom-diff-and-risk/tests/test_cli_policy_json.py
  • tools/sbom-diff-and-risk/tests/test_cli_exit_codes.py
  • tools/sbom-diff-and-risk/README.md
  • tools/sbom-diff-and-risk/docs/report-schema.md
  • tools/sbom-diff-and-risk/docs/policy-decision-ci-cookbook.md

Tests Added/Updated

Added CLI coverage for:

  • policy-only JSON sidecar output
  • sidecar equality with the policy sections in full report.json
  • no-policy behavior with policy_evaluation.applied: false
  • omitted-output behavior
  • help text exposure

Validation

cd tools/sbom-diff-and-risk
python -m pytest
python -m build
$files = Get-ChildItem dist -File | ForEach-Object { $_.FullName }
python -m twine check $files
git diff --check

Results:

  • python -m pytest: 161 passed
  • python -m build: produced sbom_diff_and_risk-0.8.0.tar.gz and sbom_diff_and_risk-0.8.0-py3-none-any.whl
  • python -m twine check: passed for wheel and sdist
  • git diff --check: passed
  • smoke command confirmed outputs/policy.json matches full report.json policy sections and has no components or risks
  • checked changed files for Unicode Cf/Cc control or format characters; no non-tab/newline matches found
  • package version remains 0.8.0
  • no workflow files changed

Out of Scope

  • No package version bump
  • No workflow changes
  • No release tag or GitHub Release
  • No PyPI/TestPyPI publishing
  • No production PyPI workflow
  • No CVE lookup or hidden network behavior
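A worked version of the sidecar relationship the description lays out, added here as an example and not taken from the sbom-diff-risk code: it projects the policy sections out of a full report dict and checks the resulting sidecar against the report the way the added tests do (equality with the policy sections, no components or risks, `policy_evaluation.applied: false` when no policy ran). The exact report layout is assumed: `policy_evaluation`, `rule_catalog` and `summary.policy` are the names the PR gives, while `policy_findings` and `provenance.policy` are guessed key names, and the sample reports are constructed.

```python
from typing import Any

# Keys copied verbatim into the sidecar. "policy_findings" is an assumed name for the
# PR's "policy finding lists"; "policy_evaluation" and "rule_catalog" are named in the PR.
POLICY_TOP_LEVEL_KEYS = ("policy_evaluation", "policy_findings", "rule_catalog")
# Sections that must never appear in a policy-only sidecar.
NON_POLICY_KEYS = ("components", "risks")

def build_policy_sidecar(report: dict[str, Any]) -> dict[str, Any]:
    """Project the policy-related sections of a full report into a sidecar dict."""
    sidecar: dict[str, Any] = {k: report[k] for k in POLICY_TOP_LEVEL_KEYS if k in report}
    evaluation = sidecar.setdefault("policy_evaluation", {"applied": False})
    # summary.policy only exists when policy evaluation was actually applied.
    if evaluation.get("applied") and "policy" in report.get("summary", {}):
        sidecar["summary"] = {"policy": report["summary"]["policy"]}
    # Assumed layout: provenance policy results live under provenance.policy.
    prov_policy = report.get("provenance", {}).get("policy")
    if prov_policy is not None:
        sidecar["provenance"] = {"policy": prov_policy}
    return sidecar

def sidecar_problems(sidecar: dict[str, Any], report: dict[str, Any]) -> list[str]:
    """Return mismatches between sidecar and full report; an empty list means consistent."""
    problems = [f"sidecar leaks non-policy section {k!r}" for k in NON_POLICY_KEYS if k in sidecar]
    for key, value in sidecar.items():
        if key in ("summary", "provenance"):
            if value.get("policy") != report.get(key, {}).get("policy"):
                problems.append(f"{key}.policy differs from full report")
        elif value != report.get(key):
            problems.append(f"{key} differs from full report")
    return problems

# Constructed sample reports (not real tool output) used to exercise the functions.
FULL_REPORT = {
    "components": [{"name": "left-pad", "version": "1.3.0"}],
    "risks": [{"component": "left-pad", "score": 7}],
    "summary": {"components": 1, "policy": {"fail": 1, "warn": 0}},
    "policy_evaluation": {"applied": True, "policy_file": "policy.yaml"},
    "policy_findings": [{"rule": "no-new-critical", "level": "fail"}],
    "rule_catalog": [{"id": "no-new-critical", "level": "fail"}],
    "provenance": {"attested": True, "policy": {"require_slsa": "pass"}},
}
NO_POLICY_REPORT = {"components": [], "risks": [], "summary": {"components": 0},
                    "policy_evaluation": {"applied": False}}

if __name__ == "__main__":
    sidecar = build_policy_sidecar(FULL_REPORT)
    print(sorted(sidecar), sidecar_problems(sidecar, FULL_REPORT))
    print(build_policy_sidecar(NO_POLICY_REPORT))
```

In a pipeline, `sidecar_problems` is the check to run over the written `policy.json` and `report.json` before trusting the sidecar for a gate decision.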

@stacknil stacknil merged commit fe6eb2d into main May 10, 2026
9 checks passed
@stacknil stacknil deleted the codex/add-policy-json-output branch May 10, 2026 00:55