https://github.com/rebaze/scat
AI-native SBOM reporter
https://github.com/rebaze/scat
sbom security vulnerability
Last synced: about 2 months ago
JSON representation
AI-native SBOM reporter
- Host: GitHub
- URL: https://github.com/rebaze/scat
- Owner: rebaze
- License: apache-2.0
- Created: 2026-02-19T13:33:01.000Z (5 months ago)
- Default Branch: main
- Last Pushed: 2026-05-12T20:30:15.000Z (about 2 months ago)
- Last Synced: 2026-05-12T20:30:37.973Z (about 2 months ago)
- Topics: sbom, security, vulnerability
- Language: Go
- Homepage: https://www.rebaze.de
- Size: 768 KB
- Stars: 1
- Watchers: 0
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
- Security: SECURITY.md
Awesome Lists containing this project
README
# scat
[](https://github.com/rebaze/scat/actions/workflows/ci.yaml)
[](https://github.com/rebaze/scat/actions/workflows/release.yaml)
[](https://github.com/rebaze/scat/releases/latest)
[](LICENSE)
[](go.mod)
[](https://scorecard.dev/viewer/?uri=github.com/rebaze/scat)
**Software Composition Analysis Tool** — that's what scat stands for.
One command that answers three questions: what's in your software, what's vulnerable, and what are the license obligations? Built for two audiences — AI agents that need structured data on stdout, and humans who want a visual dashboard. Both are first-class.
## For machines
AI agent? Run this:
scat --quiet -f markdown
Full SCA report — SBOM, vulnerabilities, licenses — as structured Markdown on stdout. No files written, no TUI, just data. Pipe it, parse it, feed it to your next step.
## For humans
scat
Opens an HTML dashboard with severity bars, risk heatmap, and license overview. One file, ready to share.


## For AI agents
Install the [Claude Code](https://claude.ai/code) skill to let AI agents use scat:
```bash
mkdir -p ~/.claude/skills/scat
curl -fsSL https://raw.githubusercontent.com/rebaze/scat/main/skill/SKILL.md \
-o ~/.claude/skills/scat/SKILL.md
```
Once installed, Claude knows when and how to run scat on your projects.
## Features
- **CycloneDX SBOM** — industry-standard software bill of materials
- **Vulnerability scanning** — matches packages against known CVEs with severity scoring, enriched with EPSS exploit probability and CISA KEV (Known Exploited Vulnerabilities) data
- **License compliance** — detects and evaluates open-source licenses
- **HTML dashboard** — beautiful out-of-the-box light and dark mode report ready to share, with severity bars, risk heatmap, and print-friendly layout
- **Single binary** — no external tools required on PATH; Syft, Grype, and license checking are embedded as Go libraries
## Installation
### Homebrew (recommended)
```bash
brew install rebaze/tap/scat
```
### Go install
```bash
go install github.com/rebaze/scat@latest
```
### From source
```bash
git clone https://github.com/rebaze/scat.git
cd scat
make build # injects version, commit, and build date via ldflags
```
## Verifying releases
Every published release is signed via [Sigstore](https://www.sigstore.dev/) and ships with a [SLSA v1.0 Build Level 3](https://slsa.dev/spec/v1.0/levels#build-l3) provenance attestation plus a CycloneDX SBOM attestation, both produced by the [release workflow](.github/workflows/release.yaml) using GitHub Artifact Attestations.
Verify a downloaded archive came from this repository's release pipeline:
```bash
# With the GitHub CLI (recommended — no extra tools to install)
gh attestation verify scat___.tar.gz --repo rebaze/scat
# With cosign (download the attestation bundle first; archives are blobs,
# not OCI images, so use verify-blob-attestation)
gh attestation download scat___.tar.gz --repo rebaze/scat
# The downloaded .jsonl holds both attestations (provenance + SBOM) — one
# per line. Split them by inspecting each bundle's predicate type.
jq -c 'select((.dsseEnvelope.payload | @base64d | fromjson | .predicateType) | startswith("https://slsa.dev/provenance"))' \
sha256:*.jsonl > bundle.provenance.json
jq -c 'select((.dsseEnvelope.payload | @base64d | fromjson | .predicateType) == "https://cyclonedx.org/bom")' \
sha256:*.jsonl > bundle.sbom.json
cosign verify-blob-attestation \
--bundle bundle.provenance.json \
--new-bundle-format \
--type slsaprovenance1 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity-regexp "^https://github\.com/rebaze/scat/\.github/workflows/release\.yaml@refs/tags/" \
scat___.tar.gz
```
The CycloneDX SBOM (`scat-v-source.cdx.json`) is attested against the release archives as subjects (not against the SBOM file itself). To verify the SBOM attestation, point the verifier at a release **archive** with the CycloneDX predicate type:
```bash
# With the GitHub CLI
gh attestation verify scat___.tar.gz \
--repo rebaze/scat \
--predicate-type https://cyclonedx.org/bom
# With cosign (reuses bundle.sbom.json extracted above)
cosign verify-blob-attestation \
--bundle bundle.sbom.json \
--new-bundle-format \
--type cyclonedx \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity-regexp "^https://github\.com/rebaze/scat/\.github/workflows/release\.yaml@refs/tags/" \
scat___.tar.gz
```
## CLI Reference
```
scat
```
There are no subcommands. Just point `scat` at a directory or PURL file.
### Flags
| Flag | Short | Default | Description |
|------|-------|---------|-------------|
| `--output-dir` | `-o` | `.` | Directory for output files |
| `--format` | `-f` | `html` | Output format: `html` (file), `markdown` (stdout) |
| `--verbose` | `-v` | `false` | Verbose output |
| `--quiet` | `-q` | `false` | Suppress non-error output |
| `--clear-cache` | | `false` | Delete the cached Grype vulnerability database before scanning |
| `--version` | | | Print version information |
## Output
Each invocation produces **one output** — the format flag determines both the shape and the destination:
| Format | Destination | TUI progress | Files created |
|--------|-------------|--------------|---------------|
| `html` (default) | `-summary.html` in `--output-dir` | stdout | `-summary.html` |
| `markdown` | stdout | stderr | none |
The `` is the basename of the scanned folder (e.g. `my-project` for `/path/to/my-project`).
`--output-dir` only applies to HTML output. For Markdown, use shell redirection (`> file.md`) to write to a file — this is simpler and more composable than a dedicated flag.
When using `-f markdown`, the TUI progress bar is routed to stderr so it stays visible in the terminal while stdout carries clean Markdown suitable for piping.
### Examples
```bash
# Default: HTML dashboard
scat myproject
# → writes ./myproject-summary.html, TUI progress on terminal
# HTML to a specific directory
scat -o /tmp myproject
# → writes /tmp/myproject-summary.html
# Markdown to terminal
scat -f markdown myproject
# → TUI on stderr, Markdown on stdout
# Pipe to an LLM
scat -f markdown myproject | llm "summarize critical vulnerabilities"
# Save Markdown to a file
scat -f markdown myproject > report.md
# Quiet mode (no TUI)
scat -q myproject
scat -f markdown -q myproject
# Re-download vulnerability database
scat --clear-cache myproject
# Print version
scat --version
```
## Pipeline
```
source folder
│
▼
scat → -summary.html (default)
scat -f markdown → stdout (pipe-friendly)
```
## License
[Apache-2.0](LICENSE)