@@ -34,13 +34,13 @@ Token needs scopes: `repo`, `read:org`, and `security_events` (for dependency gr
3434Collect SBOMs for all repositories in an organization (writes JSON files into ` sboms/ ` ) then perform a PURL search:
3535
3636``` bash
37- node dist/cli.js --sync-sboms --org my-org --sbom-cache sboms --purl pkg:npm/
[email protected] 37+ npm run start -- --sync-sboms --org my-org --sbom-cache sboms --purl pkg:npm/
[email protected] 3838```
3939
4040Search multiple PURLs (exact, wildcard, and a semver range). The ` pkg: ` prefix is optional; it will be auto-added:
4141
4242``` bash
43- node dist/cli.js --sbom-cache sboms \
43+ npm run start -- --sbom-cache sboms \
44444545 --purl ' npm/express/*' \
4646 --purl ' npm/chalk@>=5.0.0 <6.0.0'
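Review bot: the first example in this hunk (line 37+) should say whether `npm run start` builds `dist/` itself or whether `npm run build` must be run once beforehand, because a reader following the README top to bottom has not reached the Build section yet and `npm run start --` only works once the compiled CLI exists. It is also worth stating in the surrounding prose that the `--` separator is mandatory: without it npm treats `--org` and `--purl` as its own options instead of forwarding them to the CLI.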
@@ -49,51 +49,47 @@ node dist/cli.js --sbom-cache sboms \
4949Using GitHub Enterprise Server:
5050
5151``` bash
52- node dist/cli.js --sync-sboms --enterprise ent \
53- --base-url https://github.internal/api/v3 \
54- --sbom-cache sboms --token $GHES_TOKEN
52+ npm run start -- --sync-sboms --enterprise ent --base-url https://github.internal/api/v3 --sbom-cache sboms --token $GHES_TOKEN
5553```
5654
5755### SBOM Caching Workflow
5856
59571 . First collection (populates cache progressively as it runs):
6058
6159``` bash
62- node dist/cli.js --sync-sboms --org my-org --sbom-cache sboms
60+ npm run start -- --sync-sboms --org my-org --sbom-cache sboms
6361```
6462
65631 . Later offline search (no API calls; uses previously written per‑repo JSON):
6664
6765``` bash
68- node dist/cli.js --sbom-cache sboms --purl pkg:npm/
[email protected] 66+ npm run start -- --sbom-cache sboms --purl pkg:npm/
[email protected] 6967```
7068
7169### Malware Advisory Sync & Matching
7270
7371Sync malware advisories and then match against SBOM packages in one run:
7472
7573``` bash
76- node dist/cli.js \
77- --sync-sboms --org my-org --sbom-cache sboms \
78- --sync-malware --malware-cache malware-cache --match-malware
74+ npm run start -- --sync-sboms --org my-org --sbom-cache sboms --sync-malware --malware-cache malware-cache --match-malware
7975```
8076
8177Use already cached SBOMs (offline) while updating advisories:
8278
8379``` bash
84- node dist/cli.js --sbom-cache sboms --sync-malware --malware-cache malware-cache --match-malware
80+ npm run start -- --sbom-cache sboms --sync-malware --malware-cache malware-cache --match-malware
8581```
8682
8783Offline match with already-cached malware advisories (no network calls):
8884
8985``` bash
90- node dist/cli.js --sbom-cache sboms --malware-cache malware-cache --match-malware
86+ npm run start -- --sbom-cache sboms --malware-cache malware-cache --match-malware
9187```
9288
9389Write malware matches (and optionally search results later) to a JSON file using ` --output-file ` :
9490
9591``` bash
96- node dist/cli.js --sbom-cache sboms --malware-cache malware-cache --match-malware --output-file report.json
92+ npm run start -- --sbom-cache sboms --malware-cache malware-cache --match-malware --output-file report.json
9793```
9894
9995If you also perform a search in the same invocation (add ` --purl ` or ` --purl-file ` ), the JSON file will contain both ` malwareMatches ` and ` search ` top-level keys.
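Review bot: lines 52+ and 74+ collapse commands that were split over three lines into single long lines, while line 110+ in the SARIF hunk keeps the `\` continuations; keep the continuations here as well so the GitHub Enterprise and combined sync-and-match examples stay readable and copy-pasteable in a narrow README render. Separately, `--token $GHES_TOKEN` on line 52+ puts the token on the command line, where it ends up in shell history and process listings; if the CLI also accepts the token from an environment variable, document that route here instead of the flag.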
@@ -103,15 +99,15 @@ If you also perform a search in the same invocation (add `--purl` or `--purl-fil
10399Generate SARIF 2.1.0 files (one per repository with matches) for malware findings:
104100
105101``` bash
106- node dist/cli.js --sbom-cache sboms --malware-cache malware-cache --match-malware --sarif-dir sarif-out
102+ npm run start -- --sbom-cache sboms --malware-cache malware-cache --match-malware --sarif-dir sarif-out
107103```
108104
109105Each file is named ` <owner>_<repo>.sarif ` and contains rules (one per advisory GHSA) and results (one per matched package).
110106
111107Upload those SARIF files to GitHub Code Scanning (creates alerts in each affected repository):
112108
113109``` bash
114- node dist/cli.js --sbom-cache sboms --malware-cache malware-cache \
110+ npm run start -- --sbom-cache sboms --malware-cache malware-cache \
115111 --match-malware --sarif-dir sarif-out --upload-sarif --token $GITHUB_TOKEN
116112```
117113
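Review bot: the `--upload-sarif` example on lines 110+ and 115111 passes `--token $GITHUB_TOKEN` without saying what that token needs; a sentence next to it pointing back to the `security_events` scope listed at the top of this section would help, since uploading to Code Scanning is a write operation and a token lacking that scope fails only at the upload step, after the match has already run.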
@@ -127,13 +123,13 @@ Notes:
127123When collecting a large number of SBOMs you can enable a lightweight progress bar:
128124
129125``` bash
130- node dist/cli.js --sync-sboms --org my-org --sbom-cache sboms --progress
126+ npm run start -- --sync-sboms --org my-org --sbom-cache sboms --progress
131127```
132128
133129If you routinely encounter secondary rate limit warnings (which can visually disrupt the bar) you can silence those specific warnings:
134130
135131``` bash
136- node dist/cli.js --sync-sboms --org my-org --sbom-cache sboms --progress --suppress-secondary-rate-limit-logs
132+ npm run start -- --sync-sboms --org my-org --sbom-cache sboms --progress --suppress-secondary-rate-limit-logs
137133```
138134
139135Behaviour details:
@@ -148,13 +144,13 @@ Behaviour details:
148144JSON only to stdout:
149145
150146``` bash
151- node dist/cli.js --sbom-cache sboms --purl pkg:npm/
[email protected] --json
147+ npm run start -- --sbom-cache sboms --purl pkg:npm/
[email protected] --json
152148```
153149
154150Human + JSON (JSON written to file; stdout remains readable):
155151
156152``` bash
157- node dist/cli.js --sbom-cache sboms --purl pkg:npm/
[email protected] \
153+ npm run start -- --sbom-cache sboms --purl pkg:npm/
[email protected] \
158154 --json --cli --output-file search-results.json
159155```
160156
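Review bot: the "JSON only to stdout" example on line 147+ is the one place where switching to `npm run start --` can change behaviour: `npm run` prints its own script banner before the script starts, and depending on the npm version that banner can land on stdout, so a pipeline consuming this output as JSON may receive non-JSON leading lines. Either document `npm run -s start --` (silent mode) for this example, or keep `node dist/cli.js` wherever clean stdout matters, as the `--cli --json` note below already cares about stdout hygiene.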
@@ -165,7 +161,7 @@ If you specify `--cli --json`, you must also supply `--output-file` to avoid cor
165161Enter an interactive prompt (arrow key history, Ctrl+C handling) after initial collection/load:
166162
167163``` bash
168- node dist/cli.js --sbom-cache sboms --interactive
164+ npm run start -- --sbom-cache sboms --interactive
169165```
170166
171167Then type one PURL query per line. Entering a blank line or using Ctrl+C on a blank line exits. Ctrl+C on a non-blank line clears the line.
@@ -197,10 +193,9 @@ chalk-org/chalk-repo => pkg:npm/
[email protected] matched advisory GHSA-test-chalk-561
197193Alternatively, you can exercise the CLI purely offline using the fixtures (no token required):
198194
199195``` bash
200- node dist/cli.js --sbom-cache fixtures/sboms --malware-cache fixtures/malware-cache --match-malware
196+ npm run start -- --sbom-cache fixtures/sboms --malware-cache fixtures/malware-cache --match-malware
201197```
202198
203-
204199## Build
205200
206201``` bash
@@ -231,13 +226,13 @@ pkg:npm/chalk@>=5.0.0 <6.0.0
231226Run with (offline):
232227
233228``` bash
234- node dist/cli.js --sbom-cache sboms --purl-file queries.txt
229+ npm run start -- --sbom-cache sboms --purl-file queries.txt
235230```
236231
237232Or (fresh sync + file-based queries):
238233
239234``` bash
240- node dist/cli.js --sync-sboms --org my-org --sbom-cache sboms --purl-file queries.txt
235+ npm run start -- --sync-sboms --org my-org --sbom-cache sboms --purl-file queries.txt
241236```
242237
243238### Argument Reference
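Review bot: the `--purl-file` examples on lines 229+ and 235+ match the rest of the change, but the `### Argument Reference` heading that closes this hunk suggests a flag table or usage synopsis follows; confirm any `Usage:` line there (and any remaining `node dist/cli.js` mention outside these hunks, including the Build section) was updated too, since that reference is what readers will copy.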