{"id":45695977,"url":"https://github.com/rebaze/scat","last_synced_at":"2026-05-13T10:01:04.820Z","repository":{"id":339466921,"uuid":"1161753921","full_name":"rebaze/scat","owner":"rebaze","description":"AI-native SBOM reporter","archived":false,"fork":false,"pushed_at":"2026-05-12T20:30:15.000Z","size":786,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-12T20:30:37.973Z","etag":null,"topics":["sbom","security","vulnerability"],"latest_commit_sha":null,"homepage":"https://www.rebaze.de","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rebaze.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-02-19T13:33:01.000Z","updated_at":"2026-05-12T20:28:07.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/rebaze/scat","commit_stats":null,"previous_names":["rebaze/scat"],"tags_count":8,"template":false,"template_full_name":null,"purl":"pkg:github/rebaze/scat","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rebaze%2Fscat","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rebaze%2Fscat/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rebaze%2Fscat/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rebaze%2Fscat/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rebaze","download_url":"https://codeload.github.com/rebaze/scat/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rebaze%2Fscat/sbom","scorecard":{"id":1246715,"data":{"date":"2026-04-29T11:55:37Z","repo":{"name":"github.com/rebaze/scat","commit":"3231e80a2662cab7c7dacaf233691c7f2d1851b2"},"scorecard":{"version":"v5.3.0","commit":"c22063e786c11f9dd714d777a687ff7c4599b600"},"score":6.5,"checks":[{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#security-policy"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#dependency-update-tool"}},{"name":"Code-Review","score":0,"reason":"Found 0/23 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#dangerous-workflow"}},{"name":"Maintained","score":0,"reason":"project was created within the last 90 days. Please review its contents carefully","details":["Warn: Repository was created within the last 90 days."],"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#maintained"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#binary-artifacts"}},{"name":"Token-Permissions","score":10,"reason":"GitHub workflow tokens follow principle of least privilege","details":["Info: topLevel 'contents' permission set to 'read': .github/workflows/ci.yaml:10","Info: topLevel permissions set to 'read-all': .github/workflows/codeql.yaml:11","Info: topLevel 'contents' permission set to 'read': .github/workflows/release.yaml:9","Info: topLevel permissions set to 'read-all': .github/workflows/scorecard.yaml:9","Info: topLevel 'contents' permission set to 'read': .github/workflows/verify-release-app.yaml:7","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#token-permissions"}},{"name":"Pinned-Dependencies","score":10,"reason":"all dependencies are pinned","details":["Info:  14 out of  14 GitHub-owned GitHubAction dependencies pinned","Info:   3 out of   3 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#cii-best-practices"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v0.6.0 not signed: https://api.github.com/repos/rebaze/scat/releases/315132617","Warn: release artifact v0.5.0 not signed: https://api.github.com/repos/rebaze/scat/releases/289758693","Warn: release artifact v0.4.0 not signed: https://api.github.com/repos/rebaze/scat/releases/289173856","Warn: release artifact v0.3.0 not signed: https://api.github.com/repos/rebaze/scat/releases/288996138","Warn: release artifact v0.2.1 not signed: https://api.github.com/repos/rebaze/scat/releases/288482625","Warn: release artifact v0.6.0 does not have provenance: https://api.github.com/repos/rebaze/scat/releases/315132617","Warn: release artifact v0.5.0 does not have provenance: https://api.github.com/repos/rebaze/scat/releases/289758693","Warn: release artifact v0.4.0 does not have provenance: https://api.github.com/repos/rebaze/scat/releases/289173856","Warn: release artifact v0.3.0 does not have provenance: https://api.github.com/repos/rebaze/scat/releases/288996138","Warn: release artifact v0.2.1 does not have provenance: https://api.github.com/repos/rebaze/scat/releases/288482625"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#signed-releases"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#vulnerabilities"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/ci.yaml:13"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#packaging"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#fuzzing"}},{"name":"SAST","score":9,"reason":"SAST tool detected but not run on all commits","details":["Info: SAST configuration detected: CodeQL","Warn: 8 commits out of 10 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#sast"}},{"name":"Branch-Protection","score":3,"reason":"branch protection is not maximal on development and all release branches","details":["Info: 'allow deletion' disabled on branch 'main'","Info: 'force pushes' disabled on branch 'main'","Info: 'branch protection settings apply to administrators' is required to merge on branch 'main'","Warn: could not determine whether codeowners review is allowed","Warn: no status checks found to merge onto branch 'main'","Warn: PRs are not required to make changes on branch 'main'; or we don't have data to detect it.If you think it might be the latter, make sure to run Scorecard with a PAT or use Repo Rules (that are always public) instead of Branch Protection settings"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#branch-protection"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#license"}},{"name":"Contributors","score":6,"reason":"project has 2 contributing companies or organizations -- score normalized to 6","details":["Info: found contributions from: ops4j, rebaze"],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#contributors"}},{"name":"CI-Tests","score":10,"reason":"9 out of 9 merged PRs checked by a CI test -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#ci-tests"}}]},"last_synced_at":"2026-04-29T12:28:59.668Z","repository_id":339466921,"created_at":"2026-04-29T12:28:59.668Z","updated_at":"2026-04-29T12:28:59.668Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32977273,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-13T06:31:55.726Z","status":"ssl_error","status_checked_at":"2026-05-13T06:31:51.336Z","response_time":115,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["sbom","security","vulnerability"],"created_at":"2026-02-24T20:46:23.007Z","updated_at":"2026-05-13T10:01:04.813Z","avatar_url":"https://github.com/rebaze.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# scat\n\n[![CI](https://github.com/rebaze/scat/actions/workflows/ci.yaml/badge.svg)](https://github.com/rebaze/scat/actions/workflows/ci.yaml)\n[![Release](https://github.com/rebaze/scat/actions/workflows/release.yaml/badge.svg)](https://github.com/rebaze/scat/actions/workflows/release.yaml)\n[![GitHub Release](https://img.shields.io/github/v/release/rebaze/scat)](https://github.com/rebaze/scat/releases/latest)\n[![License: Apache-2.0](https://img.shields.io/badge/License-Apache--2.0-blue.svg)](LICENSE)\n[![Go](https://img.shields.io/github/go-mod/go-version/rebaze/scat)](go.mod)\n[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/rebaze/scat/badge)](https://scorecard.dev/viewer/?uri=github.com/rebaze/scat)\n\n**Software Composition Analysis Tool** — that's what scat stands for.\n\nOne command that answers three questions: what's in your software, what's vulnerable, and what are the license obligations? Built for two audiences — AI agents that need structured data on stdout, and humans who want a visual dashboard. Both are first-class.\n\n## For machines\n\nAI agent? Run this:\n\n    scat \u003ctarget\u003e --quiet -f markdown\n\nFull SCA report — SBOM, vulnerabilities, licenses — as structured Markdown on stdout. No files written, no TUI, just data. Pipe it, parse it, feed it to your next step.\n\n## For humans\n\n    scat \u003ctarget\u003e\n\nOpens an HTML dashboard with severity bars, risk heatmap, and license overview. One file, ready to share.\n\n![Dark mode](assets/screen1_dark.png)\n![Light mode](assets/screen2_light.png)\n\n## For AI agents\n\nInstall the [Claude Code](https://claude.ai/code) skill to let AI agents use scat:\n\n```bash\nmkdir -p ~/.claude/skills/scat\ncurl -fsSL https://raw.githubusercontent.com/rebaze/scat/main/skill/SKILL.md \\\n  -o ~/.claude/skills/scat/SKILL.md\n```\n\nOnce installed, Claude knows when and how to run scat on your projects.\n\n## Features\n\n- **CycloneDX SBOM** — industry-standard software bill of materials\n- **Vulnerability scanning** — matches packages against known CVEs with severity scoring, enriched with EPSS exploit probability and CISA KEV (Known Exploited Vulnerabilities) data\n- **License compliance** — detects and evaluates open-source licenses\n- **HTML dashboard** — beautiful out-of-the-box light and dark mode report ready to share, with severity bars, risk heatmap, and print-friendly layout\n- **Single binary** — no external tools required on PATH; Syft, Grype, and license checking are embedded as Go libraries\n\n## Installation\n\n### Homebrew (recommended)\n\n```bash\nbrew install rebaze/tap/scat\n```\n\n### Go install\n\n```bash\ngo install github.com/rebaze/scat@latest\n```\n\n### From source\n\n```bash\ngit clone https://github.com/rebaze/scat.git\ncd scat\nmake build    # injects version, commit, and build date via ldflags\n```\n\n## Verifying releases\n\nEvery published release is signed via [Sigstore](https://www.sigstore.dev/) and ships with a [SLSA v1.0 Build Level 3](https://slsa.dev/spec/v1.0/levels#build-l3) provenance attestation plus a CycloneDX SBOM attestation, both produced by the [release workflow](.github/workflows/release.yaml) using GitHub Artifact Attestations.\n\nVerify a downloaded archive came from this repository's release pipeline:\n\n```bash\n# With the GitHub CLI (recommended — no extra tools to install)\ngh attestation verify scat_\u003cversion\u003e_\u003cos\u003e_\u003carch\u003e.tar.gz --repo rebaze/scat\n\n# With cosign (download the attestation bundle first; archives are blobs,\n# not OCI images, so use verify-blob-attestation)\ngh attestation download scat_\u003cversion\u003e_\u003cos\u003e_\u003carch\u003e.tar.gz --repo rebaze/scat\n# The downloaded .jsonl holds both attestations (provenance + SBOM) — one\n# per line. Split them by inspecting each bundle's predicate type.\njq -c 'select((.dsseEnvelope.payload | @base64d | fromjson | .predicateType) | startswith(\"https://slsa.dev/provenance\"))' \\\n  sha256:*.jsonl \u003e bundle.provenance.json\njq -c 'select((.dsseEnvelope.payload | @base64d | fromjson | .predicateType) == \"https://cyclonedx.org/bom\")' \\\n  sha256:*.jsonl \u003e bundle.sbom.json\ncosign verify-blob-attestation \\\n  --bundle bundle.provenance.json \\\n  --new-bundle-format \\\n  --type slsaprovenance1 \\\n  --certificate-oidc-issuer https://token.actions.githubusercontent.com \\\n  --certificate-identity-regexp \"^https://github\\.com/rebaze/scat/\\.github/workflows/release\\.yaml@refs/tags/\" \\\n  scat_\u003cversion\u003e_\u003cos\u003e_\u003carch\u003e.tar.gz\n```\n\nThe CycloneDX SBOM (`scat-v\u003cversion\u003e-source.cdx.json`) is attested against the release archives as subjects (not against the SBOM file itself). To verify the SBOM attestation, point the verifier at a release **archive** with the CycloneDX predicate type:\n\n```bash\n# With the GitHub CLI\ngh attestation verify scat_\u003cversion\u003e_\u003cos\u003e_\u003carch\u003e.tar.gz \\\n  --repo rebaze/scat \\\n  --predicate-type https://cyclonedx.org/bom\n\n# With cosign (reuses bundle.sbom.json extracted above)\ncosign verify-blob-attestation \\\n  --bundle bundle.sbom.json \\\n  --new-bundle-format \\\n  --type cyclonedx \\\n  --certificate-oidc-issuer https://token.actions.githubusercontent.com \\\n  --certificate-identity-regexp \"^https://github\\.com/rebaze/scat/\\.github/workflows/release\\.yaml@refs/tags/\" \\\n  scat_\u003cversion\u003e_\u003cos\u003e_\u003carch\u003e.tar.gz\n```\n\n## CLI Reference\n\n```\nscat \u003cpath\u003e\n```\n\nThere are no subcommands. Just point `scat` at a directory or PURL file.\n\n### Flags\n\n| Flag | Short | Default | Description |\n|------|-------|---------|-------------|\n| `--output-dir` | `-o` | `.` | Directory for output files |\n| `--format` | `-f` | `html` | Output format: `html` (file), `markdown` (stdout) |\n| `--verbose` | `-v` | `false` | Verbose output |\n| `--quiet` | `-q` | `false` | Suppress non-error output |\n| `--clear-cache` | | `false` | Delete the cached Grype vulnerability database before scanning |\n| `--version` | | | Print version information |\n\n## Output\n\nEach invocation produces **one output** — the format flag determines both the shape and the destination:\n\n| Format | Destination | TUI progress | Files created |\n|--------|-------------|--------------|---------------|\n| `html` (default) | `\u003cprefix\u003e-summary.html` in `--output-dir` | stdout | `\u003cprefix\u003e-summary.html` |\n| `markdown` | stdout | stderr | none |\n\nThe `\u003cprefix\u003e` is the basename of the scanned folder (e.g. `my-project` for `/path/to/my-project`).\n\n`--output-dir` only applies to HTML output. For Markdown, use shell redirection (`\u003e file.md`) to write to a file — this is simpler and more composable than a dedicated flag.\n\nWhen using `-f markdown`, the TUI progress bar is routed to stderr so it stays visible in the terminal while stdout carries clean Markdown suitable for piping.\n\n### Examples\n\n```bash\n# Default: HTML dashboard\nscat myproject\n# → writes ./myproject-summary.html, TUI progress on terminal\n\n# HTML to a specific directory\nscat -o /tmp myproject\n# → writes /tmp/myproject-summary.html\n\n# Markdown to terminal\nscat -f markdown myproject\n# → TUI on stderr, Markdown on stdout\n\n# Pipe to an LLM\nscat -f markdown myproject | llm \"summarize critical vulnerabilities\"\n\n# Save Markdown to a file\nscat -f markdown myproject \u003e report.md\n\n# Quiet mode (no TUI)\nscat -q myproject\nscat -f markdown -q myproject\n\n# Re-download vulnerability database\nscat --clear-cache myproject\n\n# Print version\nscat --version\n```\n\n## Pipeline\n\n```\n  source folder\n       │\n       ▼\n  scat \u003cfolder\u003e              → \u003cprefix\u003e-summary.html   (default)\n  scat -f markdown \u003cfolder\u003e  → stdout                   (pipe-friendly)\n```\n\n## License\n\n[Apache-2.0](LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frebaze%2Fscat","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frebaze%2Fscat","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frebaze%2Fscat/lists"}