Skip to content

Fix CycloneDX CLI syntax and add critical-only vulnerability checks#2

Merged
atulionet merged 5 commits intomainfrom
fix/cyclonedx-cli-syntax
Jan 23, 2026
Merged

Fix CycloneDX CLI syntax and add critical-only vulnerability checks#2
atulionet merged 5 commits intomainfrom
fix/cyclonedx-cli-syntax

Conversation

@atulionet
Copy link
Collaborator

@atulionet atulionet commented Jan 23, 2026

Summary

  • Fix cyclonedx-py CLI syntax using the environment command instead of deprecated requirements command
  • Enable SLSA provenance generation for private repositories with private-repository: true
  • Add vulnerability scanning with grype that fails only on critical severity vulnerabilities
  • Update deploy/verify.sh to check for critical vulnerabilities only (not high)

Test plan

  • Verified workflow runs successfully via workflow_dispatch
  • Verify SBOM generation produces valid CycloneDX JSON
  • Verify provenance attestation is generated correctly
  • Confirm build fails only when critical vulnerabilities are present

🤖 Generated with Claude Code

atulionet and others added 5 commits January 23, 2026 15:11
@atulionet @claude
Fix cyclonedx-py CLI syntax for SBOM generation
a4326dc 
Use 'cyclonedx-py environment' with '--of json' flag instead of
deprecated 'requirements' subcommand with '--format' flag.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@atulionet @claude
Fix SLSA provenance for private repository
7cb7597 
Add 'private-repository: true' to allow provenance generation
without exposing repository name in public transparency log.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@atulionet @claude
Fail build on dependency vulnerabilities
bd6ec59 
Remove '|| true' from pip-audit step so the build fails if any
vulnerabilities are detected. Uses --strict flag to fail on any
vulnerability regardless of severity.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@atulionet @claude
Fail build only on high/critical vulnerabilities
671b801 
- pip-audit runs for informational purposes (all severities)
- grype scans SBOM and fails only on high/critical severity
- Low/medium vulnerabilities are reported but don't block the build

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@atulionet @claude
Change vulnerability threshold to critical only
346c378 
NVIDIA SDK pins vulnerable versions of ecdsa, cryptography, and signxml
that cannot be easily updated. Changed threshold from high to critical
to allow builds to pass while still catching the most severe issues.

Updated both CI workflow and verify.sh deployment script.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@atulionet atulionet merged commit d838ece into main Jan 23, 2026
7 checks passed
@atulionet atulionet deleted the fix/cyclonedx-cli-syntax branch January 23, 2026 10:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@atulionet