Replace streamlit with cli

.github/workflows/test.yml

@@ -0,0 +1,20 @@
+name: Tests
+
+on:
+  pull_request:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Install dependencies
+        run: pip install -r requirements.txt pytest
+
+      - name: Run tests
+        run: python -m pytest tests/ -q

.gitignore

@@ -175,5 +175,9 @@ cython_debug/
 # PyPI configuration file
 .pypirc
 
+# macOS
+.DS_Store
+
 # Ignore any findings.db files
-findings.db
+findings.db
+working/

CLAUDE.md

@@ -0,0 +1,68 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Overview
+
+A security findings tracker that manages POA&M (Plan of Action and Milestones) lifecycle for compliance purposes. The CLI (`cli/cli.py`) is the sole entry point.
+
+## Commands
+
+### Setup
+```bash
+python -m venv venv
+source venv/bin/activate
+pip install -r requirements.txt
+```
+
+### CLI Usage
+```bash
+./cli/cli.py --help
+./cli/cli.py poams weekly-update          # Interactive guided weekly update
+./cli/cli.py poams apply-diff <poam.xlsx> <diff.json> [<diff2.json> ...]
+./cli/cli.py poams merge-diffs <diff1.json> <diff2.json> -o merged.json
+./cli/cli.py trivy download-alerts [-d <dest>]
+./cli/cli.py trivy convert-alerts <alerts.json> [-o <output.csv>]
+./cli/cli.py trivy alerts-diff <poam.xlsx> <alerts.csv>
+./cli/cli.py zap alerts-to-findings <report.csv> [-o <output.json>]
+./cli/cli.py zap alerts-diff <poam.xlsx> <findings.json>
+./cli/cli.py cis split-connected-sheet <file.xlsx> [-o <output_dir>]
+./cli/cli.py cis csv-to-findings <file.csv> [-o <output.json>]
+./cli/cli.py cis alerts-diff <poam.xlsx> <findings.json>
+```
+
+### Tests
+```bash
+python -m pytest                          # Run all tests
+python -m pytest tests/test_diff.py      # Run a single test file
+python -m pytest tests/test_diff.py::test_name  # Run a single test
+```
+
+## Architecture
+
+### Data Flow (weekly update)
+1. **Download/collect** raw scan data: Trivy alerts from GitHub API, CIS Excel sheet, ZAP CSV report
+2. **Convert** to normalized intermediate formats: `.findings.csv` (Trivy) or `.findings.json` (CIS, ZAP)
+3. **Diff** each findings file against the existing POAM Excel → produces `.diff.json` files
+4. **Apply** one or more diff JSONs to create an updated POAM Excel file
+
+### Core Data Structures (`tools/`)
+- `tools/findings.py` — `Finding` dataclass: source-agnostic normalized security finding
+- `tools/poam.py` — `PoamEntry` dataclass + `PoamFile` class: reads POAM Excel files (headers on row 5 of "Open POA&M Items" / "Closed POA&M Items" sheets)
+- `tools/diff.py` — `compare_findings_to_poams()` and `PoamFileDiff`: matches findings to POAMs by exact `weakness_name` + asset coverage; produces lists of new/existing/closed/reopened
+- `tools/diff_apply.py` — `apply_diff()`: writes changes back to Excel using openpyxl
+
+### Source-Specific Modules
+Each scanner type (`trivy/`, `zap/`, `cis/`) has:
+- `alerts.py` or `converter.py` — converts raw scanner output to `Finding` objects
+- `diff.py` — calls `compare_findings_to_poams()` with the right POAM filter and generator
+- `poam_generator.py` — generates `PoamEntry` objects with appropriate POAM IDs
+
+POAM ID formats: Trivy → `YYYY-TRIVYXXXX`, CIS → `YYYY-CISXXXX`
+
+### Working Directory Convention
+By default, files are saved to `working/YYYY-MM-DD/`. The `WORKING` environment variable can override the base path.
+
+### Authentication
+- GitHub (for Trivy downloads): `gh auth login` or `GITHUB_TOKEN` env var
+- Google services: `gcloud auth application-default login` or `GOOGLE_APPLICATION_CREDENTIALS` env var

README.md

@@ -1,6 +1,6 @@
 # Security Findings Tracker
 
-A Streamlit-based application for tracking and managing security findings from weekly CSV uploads. The application provides an interface for analyzing security findings, tracking their status, and managing their lifecycle.
+A CLI tool for tracking and managing POA&M (Plan of Action and Milestones) lifecycle for compliance purposes. Processes weekly security findings from Trivy, ZAP, and CIS scans and applies them to a POAM Excel file.
 
 ## Requirements
 
@@ -9,12 +9,10 @@ A Streamlit-based application for tracking and managing security findings from w
 
 ## Features
 
-- Upload and process weekly CSV security findings
-- Track new, existing, and resolved findings
+- Download and process Trivy, ZAP, and CIS findings
+- Diff findings against existing POAMs to identify new, closed, and reopened items
 - Automatic due date assignment based on severity
-- Interactive data visualization
-- Export capabilities for active and resolved findings
-- Modern, responsive UI inspired by hail.is
+- Apply diffs to update the POAM Excel file
 
 ## Installation
 
@@ -40,33 +38,62 @@ source venv/bin/activate  # On Windows: venv\Scripts\activate
 pip install -r requirements.txt
 ```
 
-## Usage
+## Command Line Tools
+
+The application includes command line tools for automation and data management. These tools are available through the `cli.py` script in the `cli` directory.
+
+### Command Groups
+
+The CLI is organized into the following command groups:
+
+1. `poams` - Commands for working with POAMs:
+   ```bash
+   # Interactive weekly update process
+   ./cli/cli.py poams weekly-update
+
+   # Preview Trivy POAMs from an Excel file
+   ./cli/cli.py poams preview-trivy <file_path> [--limit <n>]
+
+   # Apply diff changes to a POAM Excel file
+   ./cli/cli.py poams apply-diff <poam_file> <diff_file>
+   ```
+
+2. `trivy` - Commands for working with Trivy:
+   ```bash
+   # Download Trivy alerts from GitHub code scanning API
+   ./cli/cli.py trivy download-alerts [--destination <file_path>]
+
+   # Convert GitHub Trivy alerts JSON to POAM CSV format
+   ./cli/cli.py trivy convert-alerts <alerts_file> [--output <file_path>]
+
+   # Compare Trivy alerts against existing POAMs
+   ./cli/cli.py trivy alerts-diff <poam_file> <alerts_csv>
+   ```
+
+To see all available commands and their options:
+```bash
+./cli/cli.py --help
+```
 
-1. Start the Streamlit application (make sure you're in the repository root directory):
+For help on a specific command group:
 ```bash
-# On Unix/macOS:
-PYTHONPATH=$PYTHONPATH:. streamlit run app/main.py
+./cli/cli.py poams --help
+./cli/cli.py trivy --help
+```
 
-# On Windows (PowerShell):
-$env:PYTHONPATH = "$env:PYTHONPATH;."
-streamlit run app/main.py
+### Authentication
 
-# On Windows (Command Prompt):
-set PYTHONPATH=%PYTHONPATH%;.
-streamlit run app/main.py
-```
+The tools that interact with Google services use Application Default Credentials (ADC). To set up authentication:
 
-2. Open your web browser and navigate to the URL shown in the terminal (typically http://localhost:8501)
+1. Using gcloud (recommended for development):
+```bash
+gcloud auth application-default login
+```
 
-3. Use the application:
-   - Upload your weekly CSV file using the file uploader
-   - Set the analysis date
-   - View the summary statistics and visualizations
-   - Track recurrances and resolutions through additional scans and uploads.
-   - Export findings as needed
+2. Or using a service account (recommended for production):
+```bash
+export GOOGLE_APPLICATION_CREDENTIALS="/path/to/service-account-key.json"
+```
 
-## Database
+### Available Commands
 
-The application uses SQLite for data storage. The database file is created at `app/database/findings.db` and includes tables for:
-- Findings tracking
-- Upload history