12 changes: 7 additions & 5 deletions .github/workflows/sbom.yml
@@ -38,12 +38,14 @@ jobs:
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Install Syft
run: |
curl -sSfL -o "$RUNNER_TEMP/syft.tar.gz" "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_linux_amd64.tar.gz"
tar -xzf "$RUNNER_TEMP/syft.tar.gz" -C "$RUNNER_TEMP" syft
Comment on lines +41 to +44
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

Syft v1.20.0 release checksum sha256

💡 Result:

Anchore Syft v1.20.0 publishes per-artifact SHA256 sums in the GitHub release asset syft_1.20.0_checksums.txt on the v1.20.0 release page. [1]

To get the SHA256 for the specific binary you downloaded (linux/windows/darwin + arch), download that checksums file and match the filename:

curl -sSfL -O https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_checksums.txt
grep 'syft_1.20.0_' syft_1.20.0_checksums.txt
# then verify, e.g.:
sha256sum -c syft_1.20.0_checksums.txt --ignore-missing

(Anchore’s install docs also point to downloading artifacts from the GitHub releases page.) [2]

If you tell me which exact asset filename you need (e.g., syft_1.20.0_linux_amd64.tar.gz vs syft_1.20.0_windows_amd64.zip), I can help you extract the right line format to look for.

References: [1] (github.com) [2] (oss.anchore.com)

🌐 Web query:

Syft latest version 2024 2025 current release

💡 Result:

  • Current/latest Syft release (as of Mar 12, 2026): v1.42.2 (released Mar 9, 2026) [1]
  • Latest release in 2025: v1.39.0 (released Dec 22, 2025) [2][3]
  • Latest release in 2024: v1.18.0 (released Dec 9, 2024) [4]

Sources: [1] anchore/syft GitHub repo (latest release badge), [2] anchore/syft GitHub release v1.39.0 page, [3] Chocolatey bot test log showing syft 1.39.0 on 2025-12-23, [4] Anchore Community announcement for v1.18.0.


🌐 Web query:

Syft v1.20.0 security vulnerability CVE

💡 Result:

Syft v1.20.0 does not appear to have any Syft-specific CVEs affecting that release line; the only CVE currently listed in the anchore/syft GitHub Security Advisories is:

  • CVE-2023-24827 (GHSA-jp7v-3587-2956): credential/password disclosure when SYFT_ATTEST_PASSWORD is set; affected: >= v0.69.0 and < v0.70.0; patched in: v0.70.0—so Syft v1.20.0 is not in the affected range. [1][2][3]

Sources: [1] GitHub advisory, [2] GitHub security overview, [3] NVD entry.


🏁 Script executed:

# Let me also check if there's any way to retrieve the actual checksum from the GitHub release
# by constructing the URL to the checksums file
curl -s "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_checksums.txt" | head -20

Repository: seonghobae/bandscope

Length of output: 2064


Security risk: missing checksum verification for the downloaded binary

When an external binary is downloaded and executed directly, its SHA-256 checksum must be verified. The current implementation is vulnerable to a supply-chain attack in which malicious code runs in CI if the download is tampered with.

Syft provides the SHA256 checksum of each artifact in the syft_1.20.0_checksums.txt file on the GitHub release page. Add verification as follows:

🛡️ Add checksum verification
       - name: Install Syft
         run: |
           curl -sSfL -o "$RUNNER_TEMP/syft.tar.gz" "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_linux_amd64.tar.gz"
+          curl -sSfL -o "$RUNNER_TEMP/syft_checksums.txt" "https://github.com/anchore/syft/releases/download/v1.20.0/syft_1.20.0_checksums.txt"
+          grep "syft_1.20.0_linux_amd64.tar.gz" "$RUNNER_TEMP/syft_checksums.txt" | sha256sum -c -
           tar -xzf "$RUNNER_TEMP/syft.tar.gz" -C "$RUNNER_TEMP" syft
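Review bot: The verification line in this suggestion does not pass as written: `sha256sum -c -` checks the file named in the checksum line, `syft_1.20.0_linux_amd64.tar.gz`, but the archive was saved as `$RUNNER_TEMP/syft.tar.gz` on the line above, so the check fails with a missing-file error (or, if a stale file of that name happens to exist in the working directory, checks the wrong file). Either download the archive under its release filename and run the check from `$RUNNER_TEMP`, for example `curl -sSfL -o "$RUNNER_TEMP/syft_1.20.0_linux_amd64.tar.gz" ...` followed by `(cd "$RUNNER_TEMP" && grep "syft_1.20.0_linux_amd64.tar.gz" syft_checksums.txt | sha256sum -c -)`, or compute `sha256sum "$RUNNER_TEMP/syft.tar.gz"` yourself and compare the digest to the value extracted from the checksums file, failing the step on mismatch.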

Additionally, Syft v1.20.0 is a 2024 release and lags well behind the current (March 2026) latest version, v1.42.2. Consider upgrading to the latest version as well.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/sbom.yml around lines 41 - 44, The "Install Syft" workflow
step currently downloads syft_1.20.0_linux_amd64.tar.gz without verifying
integrity; update the step to also download syft_1.20.0_checksums.txt (from the
same GitHub release), compute the SHA-256 of "$RUNNER_TEMP/syft.tar.gz" (e.g.,
via sha256sum) and compare it against the expected value from the checksums
file, and exit non‑zero / fail the job if the checksum does not match; ensure
references in the step to "$RUNNER_TEMP/syft.tar.gz" and the downloaded
checksums file are used for the verification, and consider updating the version
string (syft_1.20.0_... and syft_1.20.0_checksums.txt) to a newer release when
changing the URLs.


- name: Generate CycloneDX SBOM
uses: anchore/sbom-action@57aae528053a48a3f6235f2d9461b05fbcb7366d # v0.23.1
with:
path: .
format: cyclonedx-json
output-file: bandscope-sbom.cdx.json
run: |
"$RUNNER_TEMP/syft" dir:. -o cyclonedx-json=bandscope-sbom.cdx.json

- name: Upload SBOM artifact
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
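Review bot: Missing integrity check: replacing the full-SHA-pinned `anchore/sbom-action@57aae528...` with a bare `curl` download of `syft_1.20.0_linux_amd64.tar.gz` moves the workflow from a content-pinned dependency to one that trusts whatever the release URL serves at run time. A checksums file fetched from the same release at run time only catches a corrupted download, not a replaced asset, so pin the expected SHA-256 of the tarball inline in the workflow (a placeholder such as `EXPECTED_SHA256=<digest taken from syft_1.20.0_checksums.txt>`) and fail the step when `sha256sum "$RUNNER_TEMP/syft.tar.gz"` does not match, before the `tar -xzf` line runs. An inline digest is reviewable in the PR diff and gives back the immutability the SHA-pinned action provided; bumping the Syft version then means updating both the URL and the digest in one reviewed change.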
1 change: 1 addition & 0 deletions ARCHITECTURE.md
@@ -95,6 +95,7 @@ Last updated: 2026-03-11
- Shared contracts live in `packages/shared-types` so the UI can evolve without importing Python internals.
- Shared contracts should ultimately model section, role, cue, confidence, and export artifacts explicitly enough that desktop UI and analysis outputs do not invent their own parallel schemas.
- The current shared-types baseline includes a rehearsal-domain fixture that exercises section, role, cue, confidence, provenance, and export-summary fields in the desktop shell before the full analysis pipeline lands.
- Local analysis orchestration uses typed Tauri IPC commands and a Python subprocess over stdin/stdout rather than a loopback HTTP listener.
- Product and UX decisions should prefer rehearsal-first simplicity while still maintaining high analytical accuracy.
- Security decisions should prefer allowlisted narrow capabilities over generic convenience APIs.
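Review bot: The new bullet names the IPC transport (typed Tauri commands plus a Python subprocess over stdin/stdout) but not where the trust boundary is enforced; since the next bullet says security decisions should prefer allowlisted narrow capabilities, add a sentence stating how the subprocess is launched (an explicit argument list rather than a shell string) and which side validates job parameters before they cross the stdin boundary, so readers of this document can tell the narrow-capability claim applies to the subprocess as well as to the window.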

1 change: 1 addition & 0 deletions apps/desktop/package.json
@@ -11,6 +11,7 @@
"test": "node -e \"require('node:fs').mkdirSync('coverage/.tmp', { recursive: true })\" && vitest run --coverage"
},
"dependencies": {
"@tauri-apps/api": "^2.8.0",
"@bandscope/shared-types": "0.1.0",
"react": "^19.2.4",
"react-dom": "^19.2.4"
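Review bot: Ordering: `"@tauri-apps/api": "^2.8.0"` is inserted above `"@bandscope/shared-types"`, which breaks the alphabetical order of the `dependencies` block; move it below `@bandscope/shared-types`. Also confirm the lockfile was regenerated in the same change so the caret range resolves to a reviewed version rather than the newest `2.x` at install time.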
3 changes: 3 additions & 0 deletions apps/desktop/src-tauri/Cargo.lock

Some generated files are not rendered by default.

3 changes: 3 additions & 0 deletions apps/desktop/src-tauri/Cargo.toml
@@ -7,7 +7,10 @@ edition = "2021"
tauri-build = { version = "2" }

[dependencies]
serde = { version = "1", features = ["derive"] }
serde_json = "1"
tauri = { version = "2.3.1" }
time = { version = "0.3", features = ["formatting", "macros"] }

[features]
default = []
8 changes: 7 additions & 1 deletion apps/desktop/src-tauri/build.rs
@@ -1,3 +1,9 @@
fn main() {
tauri_build::build()
tauri_build::try_build(
tauri_build::Attributes::new().app_manifest(
tauri_build::AppManifest::new()
.commands(&["start_analysis_job", "get_analysis_job_status"]),
),
)
.expect("failed to build tauri application manifest");
}
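Review bot: The list in `.commands(&["start_analysis_job", "get_analysis_job_status"])` is a second copy of the command names that also appear as `allow-…` permissions in `capabilities/main.json` and must match the command handlers the app registers; a typo in one place produces no compile error, just a command the window cannot invoke (or a permission that guards nothing). Add a comment here pointing at the other locations that must change together, or derive the list from a single constant shared with the handler registration. Failing the build via `.expect(...)` when the manifest cannot be built is the right choice for a build script.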
11 changes: 11 additions & 0 deletions apps/desktop/src-tauri/capabilities/main.json
@@ -0,0 +1,11 @@
{
"$schema": "../gen/schemas/desktop-schema.json",
"identifier": "main-capability",
"description": "Capability for the main BandScope window to use the analysis orchestration commands.",
"windows": ["main"],
"permissions": [
"core:default",
"allow-start-analysis-job",
"allow-get-analysis-job-status"
]
}
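Review bot: Scope: `allow-start-analysis-job` and `allow-get-analysis-job-status` are granted to the `main` window with no scope (the generated permission files describe both as enabling the command "without any pre-configured scope"), so any restriction on what a job may touch, such as which paths it may read or how many jobs may run, has to be enforced inside the command implementations rather than by this capability. State that in the `description` (or in ARCHITECTURE.md) so the allowlist is not mistaken for a full restriction, and keep the permission list limited to these two commands plus `core:default` as it is now.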
1 change: 1 addition & 0 deletions apps/desktop/src-tauri/gen/schemas/acl-manifests.json

Large diffs are not rendered by default.

1 change: 1 addition & 0 deletions apps/desktop/src-tauri/gen/schemas/capabilities.json
@@ -0,0 +1 @@
{"main-capability":{"identifier":"main-capability","description":"Capability for the main BandScope window to use the analysis orchestration commands.","local":true,"windows":["main"],"permissions":["core:default","allow-start-analysis-job","allow-get-analysis-job-status"]}}
2,268 changes: 2,268 additions & 0 deletions apps/desktop/src-tauri/gen/schemas/desktop-schema.json

Large diffs are not rendered by default.

2,268 changes: 2,268 additions & 0 deletions apps/desktop/src-tauri/gen/schemas/macOS-schema.json

Large diffs are not rendered by default.

Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
# Automatically generated - DO NOT EDIT!

[[permission]]
identifier = "allow-get-analysis-job-status"
description = "Enables the get_analysis_job_status command without any pre-configured scope."
commands.allow = ["get_analysis_job_status"]

[[permission]]
identifier = "deny-get-analysis-job-status"
description = "Denies the get_analysis_job_status command without any pre-configured scope."
commands.deny = ["get_analysis_job_status"]
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
# Automatically generated - DO NOT EDIT!

[[permission]]
identifier = "allow-start-analysis-job"
description = "Enables the start_analysis_job command without any pre-configured scope."
commands.allow = ["start_analysis_job"]

[[permission]]
identifier = "deny-start-analysis-job"
description = "Denies the start_analysis_job command without any pre-configured scope."
commands.deny = ["start_analysis_job"]