feat(sbom): add custodian ingest-sbom + fix help button target

custodian_cli.py:
- new ingest-sbom subcommand: auto-detects repo slug from local_path
  registration, runs ingest_sbom.py --scan from the repo root
- --dry-run flag passes through to the underlying script
- --slug override for repos where path lookup fails

repos.md:
- ? button on "⚠ not ingested" now opens /docs/sbom (not /docs/repos)

docs/sbom.md:
- Ingest commands section now leads with `custodian ingest-sbom` (repo-root)
- make ingest-sbom kept as low-level alternative
- Per-ecosystem and gap-type references updated to new command

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-02 13:31:08 +01:00
parent 944104307a
commit 62fbe884e3
3 changed files with 65 additions and 5 deletions


@@ -70,11 +70,12 @@ declaring `ansible` as a dependency. Fix: create the manifest.
**Type B — Manifest without lockfile**: a `pyproject.toml` or `package.json`
exists but no lockfile has been generated. Fix: run `uv lock` / `npm install`.
**Type C — Lockfile not ingested**: lockfile exists but `make ingest-sbom` has
not been run, so the State Hub has no record. Fix: run `make ingest-sbom`.
**Type C — Lockfile not ingested**: lockfile exists but `custodian ingest-sbom`
has not been run, so the State Hub has no record. Fix: run `custodian ingest-sbom`
from the repo root.
**Type D — Stale ingest**: lockfile exists and was ingested, but has since been
updated (new deps added) without a fresh ingest. Fix: re-run `make ingest-sbom`.
updated (new deps added) without a fresh ingest. Fix: re-run `custodian ingest-sbom`.
**Type E — Ecosystem not supported**: the repo uses an ecosystem the ingest
script doesn't yet parse (Go, Java, Ruby, Ansible Galaxy collections). The
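Review bot: the Type D fix text (`re-run \`custodian ingest-sbom\``) drops the "from the repo root" qualifier that the Type C rewrite adds two lines earlier; since the new command resolves the slug by matching the current path against the `local_path` registration, a reader who re-runs it from elsewhere gets a failed lookup. Suggest aligning the two fixes: `Fix: re-run \`custodian ingest-sbom\` from the repo root.`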
@@ -92,7 +93,7 @@ uv add ansible # adds dep + resolves transitive tree
uv lock # generates or updates uv.lock
git add pyproject.toml uv.lock && git commit
```
Then ingest: `make ingest-sbom REPO=<slug> SCAN=1 REPO_PATH=<path>`
Then ingest: `custodian ingest-sbom` (from the repo root)
### Node / npm
`package-lock.json` is generated automatically by `npm install`. Commit it.
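Review bot: the replacement `Then ingest: \`custodian ingest-sbom\` (from the repo root)` removes the explicit `REPO=<slug>` that the old `make` form required, so a reader whose checkout is not registered under a matching `local_path` hits a failed lookup with no hint here; the commit message says a `--slug` override exists for exactly that case. Consider `Then ingest: \`custodian ingest-sbom\` (from the repo root; add \`--slug <slug>\` if path lookup fails)`.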
@@ -168,6 +169,22 @@ See the full standard: [`/docs/inter-repo-communication`](/docs/inter-repo-commu
## Ingest commands
### From the repo root (recommended)
```bash
# Scan all lockfiles in the current repo and ingest
custodian ingest-sbom
# Dry run — parse and report without submitting
custodian ingest-sbom --dry-run
```
`custodian ingest-sbom` looks up the repo slug from the State Hub registration
(`local_path` match), then scans the whole tree for all supported lockfile
formats. The repo must be registered first — see `custodian register-project`.
### From the state-hub directory (low-level)
```bash
# Auto-detect lockfile at repo root
make ingest-sbom REPO=<slug> REPO_PATH=/path/to/repo
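Review bot: the "From the repo root (recommended)" block documents `--dry-run` but not `--slug`, which the commit message lists as the override for when the `local_path` lookup fails, and the prose "looks up the repo slug from the State Hub registration (`local_path` match)" does not say what happens when no registration or more than one matches the current path, which matters because an ambiguous match could file the SBOM under the wrong project. Suggest a third entry in the bash block, e.g. `# Force the slug when path lookup fails or is ambiguous` / `custodian ingest-sbom --slug <slug>`, plus one sentence stating how the command behaves on zero or multiple matches.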