b4fbd6fe9f
Deploy Site / deploy-vercel (push) Has been skipped
Deploy Site / deploy-docs (push) Has been skipped
Build Skills Index / build-index (push) Has been skipped
CI / Deny unrelated histories (push) Has been skipped
CI / Detect affected areas (push) Successful in 27m35s
CI / OSV scan (push) Failing after 4s
CI / Build&Test Docker image (push) Successful in 9s
CI / Supply-chain scan (push) Has been skipped
CI / Lint Docker scripts (push) Failing after 5m13s
CI / Check contributors (push) Failing after 12m8s
CI / Docs Site (push) Failing after 12m8s
CI / TypeScript (push) Failing after 12m8s
CI / Python lints (push) Failing after 12m9s
CI / Python tests (push) Failing after 12m9s
CI / Check uv.lock (push) Failing after 23m22s
CI / CI timing report (push) Has been cancelled
Build Skills Index / trigger-deploy (push) Has been cancelled
CI / All required checks pass (push) Has been cancelled
63 lines
2.2 KiB
Python
63 lines
2.2 KiB
Python
"""``hermes security`` subcommand parser.
|
|
|
|
Extracted verbatim from ``hermes_cli/main.py:main()`` (god-file Phase 2).
|
|
Handler injected to avoid importing ``main``.
|
|
"""
|
|
|
|
from __future__ import annotations
|
|
|
|
from typing import Callable
|
|
|
|
|
|
def build_security_parser(subparsers, *, cmd_security: Callable) -> None:
|
|
"""Attach the ``security`` subcommand to ``subparsers``."""
|
|
# =========================================================================
|
|
security_parser = subparsers.add_parser(
|
|
"security",
|
|
help="Supply-chain audit (OSV.dev) for venv, plugins, and MCP servers",
|
|
description=(
|
|
"On-demand vulnerability scan against OSV.dev. Covers the Hermes "
|
|
"venv (installed PyPI dists), Python deps declared by plugins under "
|
|
"~/.hermes/plugins/, and pinned npx/uvx MCP servers in config.yaml. "
|
|
"Does NOT scan globally-installed packages or editor/browser extensions."
|
|
),
|
|
)
|
|
security_subparsers = security_parser.add_subparsers(
|
|
dest="security_command",
|
|
metavar="<subcommand>",
|
|
)
|
|
|
|
audit_parser = security_subparsers.add_parser(
|
|
"audit",
|
|
help="Run a one-shot supply-chain audit",
|
|
description="Query OSV.dev for known vulnerabilities in installed components.",
|
|
)
|
|
audit_parser.add_argument(
|
|
"--json",
|
|
action="store_true",
|
|
help="Emit machine-readable JSON instead of human-readable text",
|
|
)
|
|
audit_parser.add_argument(
|
|
"--fail-on",
|
|
default="critical",
|
|
choices=["low", "moderate", "high", "critical"],
|
|
help="Exit non-zero when any finding meets this severity (default: critical)",
|
|
)
|
|
audit_parser.add_argument(
|
|
"--skip-venv",
|
|
action="store_true",
|
|
help="Skip scanning the Hermes Python venv",
|
|
)
|
|
audit_parser.add_argument(
|
|
"--skip-plugins",
|
|
action="store_true",
|
|
help="Skip scanning plugin requirements files",
|
|
)
|
|
audit_parser.add_argument(
|
|
"--skip-mcp",
|
|
action="store_true",
|
|
help="Skip scanning pinned MCP servers in config.yaml",
|
|
)
|
|
audit_parser.set_defaults(func=cmd_security)
|
|
security_parser.set_defaults(func=cmd_security)
|