Shift-left Scanning (SBOM + CI gate)

Catch vulnerable dependencies before they ship. Nexus reads your lockfiles, builds a CycloneDX-lite SBOM, surfaces dependency-risk findings, and gates your pipeline — all offline-first, with a GitHub Action and pre-commit hook ready to drop in.

Category: Supply-chain / DevSecOps
Module: python -m nexus_tools sbom · scan
Mode: Offline-first
Ships: GitHub Action · pre-commit hook

What it does

Two commands cover the workflow. sbom inventories your dependencies and writes a CycloneDX-lite SBOM alongside dependency-risk findings; scan is the CI gate — it runs the same analysis and exits non-zero when it finds a high or critical issue, failing the build.

commands
# Emit an SBOM + dependency-risk findings
python -m nexus_tools sbom --path . --emit-sbom

# CI gate: exits non-zero on high/critical findings
python -m nexus_tools scan --path .

What it parses

It understands the lockfiles and manifests of the major ecosystems:

  • Python: requirements.txt, pyproject.toml
  • Node: package.json + package-lock.json
  • Go: go.mod
  • Rust: Cargo.lock
  • Java: pom.xml

Offline-first. The scanner works without reaching out to the internet — so it runs in air-gapped CI and on a laptop on a plane just the same.
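The workflow described above (parse a lockfile offline, emit a CycloneDX-style SBOM, gate the build on finding severity) as a small added example in Python; this is not nexus_tools' own code, and the package names, advisory ids, severity ranking and "high" threshold are constructed assumptions.

```python
# Added example (not nexus_tools' own code): lockfile -> SBOM -> severity gate.
# Package names and advisory ids below are constructed placeholders.
import re

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed, offline advisory table standing in for a vendored feed.
LOCAL_ADVISORIES = {
    ("examplelib", "1.2.0"): {"id": "ADV-EXAMPLE-1", "severity": "high"},
    ("leftpad-py", "0.9.1"): {"id": "ADV-EXAMPLE-2", "severity": "low"},
}
PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)")

def parse_requirements(text):
    """Return [(name, version)] for exact '==' pins; comments, blank lines,
    option lines and unpinned ranges (not recordable in an SBOM) are skipped."""
    pins = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = PIN_RE.match(line)
        if m:
            pins.append((m.group(1).lower().replace("_", "-"), m.group(2)))
    return pins

def build_sbom(pins):
    """Minimal CycloneDX-shaped document: one component per pin with a purl."""
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"type": "library", "name": n, "version": v, "purl": f"pkg:pypi/{n}@{v}"}
        for n, v in pins]}

def find_risks(pins):
    """Look every pinned component up in the local advisory table."""
    return [dict(package=n, version=v, **LOCAL_ADVISORIES[(n, v)])
            for n, v in pins if (n, v) in LOCAL_ADVISORIES]

def gate_exit_code(findings, fail_at="high"):
    """Gate rule from the page: non-zero iff any finding is at/above fail_at."""
    worst = max((SEVERITY_RANK[f["severity"]] for f in findings), default=0)
    return 1 if worst >= SEVERITY_RANK[fail_at] else 0

SAMPLE_REQUIREMENTS = """# constructed lockfile
examplelib[extra]==1.2.0
leftpad-py==0.9.1 ; python_version < "3.12"
requests>=2.0  # unpinned range: skipped
--index-url https://example.invalid/simple
"""
if __name__ == "__main__":
    pins = parse_requirements(SAMPLE_REQUIREMENTS)
    raise SystemExit(gate_exit_code(find_risks(pins)))
```

Run as a script it exits 1 because the constructed sample carries a high-severity finding; raising the threshold to "critical" lets it pass.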

Wire it into CI

1. GitHub Actions

A ready-made action lives at .github/actions/nexus-scan. Run the gate on every push and pull request:
.github/workflows/nexus-scan.yml
name: Nexus Scan
on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Nexus dependency scan
        uses: ./.github/actions/nexus-scan

2. pre-commit hook

Stop risky dependencies from ever being committed. Add the nexus-sbom hook:
.pre-commit-config.yaml
repos:
  - repo: local
    hooks:
      - id: nexus-sbom
        name: Nexus SBOM + dependency scan
        entry: python -m nexus_tools scan --path .
        language: system
        pass_filenames: false

What you get

A CycloneDX-lite SBOM that documents exactly what your project depends on, plus a prioritized list of dependency-risk findings. In CI, the scan gate turns those findings into a pass/fail signal so high and critical issues block the merge instead of reaching production.

Tips

  • Commit the generated SBOM — it is your point-in-time record of what shipped.
  • Run scan in CI and sbom --emit-sbom on release builds.
  • Because it is offline-first, no secrets or registry tokens are needed to run the gate.

Shift the cost left. The cheapest vulnerability to fix is the one you never merge. This gate moves dependency risk to the start of the pipeline, where it is fast and quiet to resolve.