conviso-ast 3.0.1rc1__py3-none-any.whl → 3.0.1rc2__py3-none-any.whl

{conviso_ast-3.0.1rc1.dist-info → conviso_ast-3.0.1rc2.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.2
 Name: conviso-ast
-Version: 3.0.1rc1
+Version: 3.0.1rc2
 Maintainer: Conviso
 Maintainer-email: development@convisoappsec.com
 Project-URL: Source, https://github.com/convisoappsec/convisocli/

{conviso_ast-3.0.1rc1.dist-info → conviso_ast-3.0.1rc2.dist-info}/RECORD

@@ -1,9 +1,9 @@
-conviso_ast-3.0.1rc1.data/scripts/flow_bash_completer.sh,sha256=9q3HPuXq_FCUUV3IFGcOefsOLhPWatUkLY7txiBM7Uo,624
-conviso_ast-3.0.1rc1.data/scripts/flow_fish_completer.fish,sha256=-wiuarawDJkms5N-rh99brIOzhy-ktsM1mi1ohQ3Mtg,147
-conviso_ast-3.0.1rc1.data/scripts/flow_zsh_completer.sh,sha256=cAtTDGUs5sY4NAA7AjscmLWj0dbNZ9iZhLP6BTz6dEQ,844
+conviso_ast-3.0.1rc2.data/scripts/flow_bash_completer.sh,sha256=9q3HPuXq_FCUUV3IFGcOefsOLhPWatUkLY7txiBM7Uo,624
+conviso_ast-3.0.1rc2.data/scripts/flow_fish_completer.fish,sha256=-wiuarawDJkms5N-rh99brIOzhy-ktsM1mi1ohQ3Mtg,147
+conviso_ast-3.0.1rc2.data/scripts/flow_zsh_completer.sh,sha256=cAtTDGUs5sY4NAA7AjscmLWj0dbNZ9iZhLP6BTz6dEQ,844
 convisoappsec/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 convisoappsec/logger.py,sha256=aTNebqOau9nEadBySMTXtnbGkOkJ_q2kyFlX1mzizeg,1132
-convisoappsec/version.py,sha256=Bb5rkX4OTT3aSW-flfnHp0ednpp-iyDmXsLJQoTfb98,27
+convisoappsec/version.py,sha256=Ar9UODgrsoORlQ5GGKFg77QgwYFX2i9wxLv9bnu4Srg,27
 convisoappsec/common/__init__.py,sha256=QN7tV2C_jhTiWUrJHv2jbeq6ae3MssgLUWpQZwe8O2s,105
 convisoappsec/common/box.py,sha256=WTtPF3YWxkcdblPmFTzrzQlPPPUwVsDt2zoi6xFMy1U,7561
 convisoappsec/common/cleaner.py,sha256=Iy8BWCXj_v51oovcYzI_uhaJzLL-fCUyDxrbBglfwEs,2680
@@ -66,7 +66,8 @@ convisoappsec/flowcli/assets/create.py,sha256=JDmxDH1WbyaQYLTxoi6dS_WosRm7kjvpJV
 convisoappsec/flowcli/assets/entrypoint.py,sha256=CEoev3d1ogclPNP3l31PBhGkoiZZ400kxsnnF02uxFk,310
 convisoappsec/flowcli/assets/ls.py,sha256=IYfKIca218BvZ5ecrtDgZ_T8xVg0XO3Eq1kK16BMBsc,1484
 convisoappsec/flowcli/ast/__init__.py,sha256=9SO9inH22PPm4jLlljVTJEeJKZujFKfwqTBbBo-TwFM,47
-convisoappsec/flowcli/ast/entrypoint.py,sha256=pwkXn9R1FNuUlTGrwUIMCacpklYSFR9BFDB59a_ivcU,15946
+convisoappsec/flowcli/ast/dry_run.py,sha256=pb0eM-jXE83UpWTBcw3ulVSgY0WhWvWbcb-58j2YjC4,3588
+convisoappsec/flowcli/ast/entrypoint.py,sha256=HI02I6r8v2cBYwCeOfQZLtFjGhTl3dF_83Tu2FXCM8Y,15999
 convisoappsec/flowcli/companies/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 convisoappsec/flowcli/companies/ls.py,sha256=0287VTXOkKnuXTaJh392crYjx0qank0pBvmESq3P_Bw,892
 convisoappsec/flowcli/container/__init__.py,sha256=Z666kQa4qVfbcuyLaW_hvORdAPtZ9dTQFcQb2H2Nkfg,59
@@ -96,16 +97,19 @@ convisoappsec/flowcli/findings/create/with_/version_tracker.py,sha256=NrnYx6OMQW
 convisoappsec/flowcli/findings/import_sarif/__init__.py,sha256=3iR7f9V9NdoIQTrD25EVu6OAYPPJ4RZEaM4P34BS0js,66
 convisoappsec/flowcli/findings/import_sarif/entrypoint.py,sha256=MIHi9ZWU2Jn2o7o5mDLp81xfb14gsa33aGnqh1YR7n8,13740
 convisoappsec/flowcli/iac/__init__.py,sha256=a3IZzSKpm987fMEliTECDeXO_Eduk7eg-aQzmaWvUXQ,47
-convisoappsec/flowcli/iac/entrypoint.py,sha256=vGsHdIss3KEWartTZkKl7k5w1qxhYIVqHGOJdklc3b8,241
-convisoappsec/flowcli/iac/run.py,sha256=_yNmw4L7tka6x7NnO_s56GRXrGv93RYCp0I2M22X7_M,11074
+convisoappsec/flowcli/iac/dry_run.py,sha256=xvC0Wb2Sxl37yEjFaFMGcRvLJ4Q8evrNQoUXuahHtCg,2990
+convisoappsec/flowcli/iac/entrypoint.py,sha256=WMlSwHd7cLxhUfy643OquQhUHEy4yNf7s0K5bkrXYno,295
+convisoappsec/flowcli/iac/run.py,sha256=bpE3GF-ls-kUJhcxNinxY2eNBWEamZpSj-7nreRJYIQ,11202
 convisoappsec/flowcli/sast/__init__.py,sha256=S4O78eZGhgpT2lZY3GSUIUTQJB5a62uAVirEqbf4EQY,49
-convisoappsec/flowcli/sast/entrypoint.py,sha256=7bvQ6mVLWvykGfjD-o0xbu7ybm8Hj2DTqvCv5CstIas,245
+convisoappsec/flowcli/sast/dry_run.py,sha256=lUi9LCfBlBjcAYm4v_Etl3raPZcTHVr5fVxGnB1eVSM,5787
+convisoappsec/flowcli/sast/entrypoint.py,sha256=XMu8WpZNwSujWOwbHUThk3JK_WtRWHau9kYD2ttjULY,300
 convisoappsec/flowcli/sast/run.py,sha256=7uX6K1VLASU8RnoCKNYIIqXSsNkF4JQ8OKhAG2CKjuI,16353
 convisoappsec/flowcli/sbom/__init__.py,sha256=qzwiPWniK41Y41XvJJhxtRZguHrSSenb57lhy64KnSc,49
 convisoappsec/flowcli/sbom/entrypoint.py,sha256=ax2WL5BtCu24NeZYe6zzCVZ2ujlviXkvtY7PZihlz3s,263
-convisoappsec/flowcli/sbom/generate.py,sha256=Oke4JX4vARqpsMlGC2cPye_LMapIMRDyZv2W14hoD8g,7170
+convisoappsec/flowcli/sbom/generate.py,sha256=YEhl4fVRXRscSApTMkTynyka3ygsVgJD7vhUHipUp18,7190
 convisoappsec/flowcli/sca/__init__.py,sha256=xnVoxwbpe4LrEemmWJ6svr3zdpo9S4kEIvM4HVRsLX8,47
-convisoappsec/flowcli/sca/entrypoint.py,sha256=LpFoiZ3iljhAyKzfMJ7pdBdHIUhnjh3ZguPgvWJZ-XA,241
+convisoappsec/flowcli/sca/dry_run.py,sha256=fZ_tgc1k8Mn1JMznFWyi_CExR-gpLHLHwQ2erNldnHY,3438
+convisoappsec/flowcli/sca/entrypoint.py,sha256=yEAANSG2fcD3HctUWebhx_win3CW-1Q2CO1i-ZIBUCk,295
 convisoappsec/flowcli/sca/run.py,sha256=FWnTHgMgnIRvJSpMIkFcb6YMtvWEjEpKJyXEkjAZpA4,16725
 convisoappsec/flowcli/vulnerability/__init__.py,sha256=c18E0J1KfZBBqpv8XGxF5dv7dxCDquFkjGkdnvFDSYI,67
 convisoappsec/flowcli/vulnerability/assert_security_rules.py,sha256=j7VcondMeZSRxWz118aWS9qUSGdvsq4Mg-_9UXp8Dyw,6075
@@ -116,8 +120,8 @@ convisoappsec/flowcli/vulnerability/run.py,sha256=6flmvr55cKxj-duX3w4PAFwJgC5AJ0
 convisoappsec/sast/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 convisoappsec/sast/decision.py,sha256=d7dcNr9yZMzyccpFS_peAmDo0ZtfsE1qXDdYrvCux2U,1025
 convisoappsec/sast/sastbox.py,sha256=hXZLiYh_F3f6yd1ydPYVOMKg-tNOQOZiBvKmWyedagI,11031
-conviso_ast-3.0.1rc1.dist-info/METADATA,sha256=pWFwacLO6PwSQbd1OcCihNv7HRUCyoYlr_OcqONtYA4,1078
-conviso_ast-3.0.1rc1.dist-info/WHEEL,sha256=In9FTNxeP60KnTkGw7wk6mJPYd_dQSjEZmXdBdMCI-8,91
-conviso_ast-3.0.1rc1.dist-info/entry_points.txt,sha256=0IvamweR_V0uG4O5Fo9NpVHTHfpZRwUE9kn7KEVZ668,109
-conviso_ast-3.0.1rc1.dist-info/top_level.txt,sha256=ju5r0RSCF1HA7m9JOG10jrQS4SnqQEJzl6-YMCxbSl4,14
-conviso_ast-3.0.1rc1.dist-info/RECORD,,
+conviso_ast-3.0.1rc2.dist-info/METADATA,sha256=4FhXjj2DrA123b7c8QnscWGxgzgBRdDDO_gfpLkjBZs,1078
+conviso_ast-3.0.1rc2.dist-info/WHEEL,sha256=In9FTNxeP60KnTkGw7wk6mJPYd_dQSjEZmXdBdMCI-8,91
+conviso_ast-3.0.1rc2.dist-info/entry_points.txt,sha256=0IvamweR_V0uG4O5Fo9NpVHTHfpZRwUE9kn7KEVZ668,109
+conviso_ast-3.0.1rc2.dist-info/top_level.txt,sha256=ju5r0RSCF1HA7m9JOG10jrQS4SnqQEJzl6-YMCxbSl4,14
+conviso_ast-3.0.1rc2.dist-info/RECORD,,

convisoappsec/flowcli/ast/dry_run.py

@@ -0,0 +1,99 @@
+import click
+import json
+import traceback
+import sys
+from convisoappsec.flowcli import help_option
+from convisoappsec.flowcli.context import pass_flow_context
+from convisoappsec.logger import LOGGER
+from convisoappsec.flowcli.common import on_http_error
+from convisoappsec.common.cleaner import Cleaner
+from convisoappsec.sast.sastbox import SASTBox
+from convisoappsec.flowcli.sast.dry_run import execute_dry_run as execute_sast_dry_run
+from convisoappsec.flowcli.sca.dry_run import execute_dry_run as execute_sca_dry_run
+from convisoappsec.flowcli.iac.dry_run import execute_dry_run as execute_iac_dry_run
+
+@click.command(name='dry-run')
+@click.option(
+    "-s", "--start-commit", required=False,
+    help="If no value is set so the empty tree hash commit is used."
+)
+@click.option(
+    "-e", "--end-commit", required=False,
+    help="If no value is set so the HEAD commit from the current branch is used"
+)
+@click.option(
+    "-r", "--repository-dir", default=".", show_default=True,
+    type=click.Path(exists=True, resolve_path=True), required=False,
+    help="The source code repository directory."
+)
+@click.option(
+    "--sastbox-registry", default="", required=False, hidden=True,
+    envvar=("CONVISO_SASTBOX_REGISTRY", "FLOW_SASTBOX_REGISTRY"),
+)
+@click.option(
+    "--sastbox-repository-name", default="", required=False, hidden=True,
+    envvar=("CONVISO_SASTBOX_REPOSITORY_NAME", "FLOW_SASTBOX_REPOSITORY_NAME"),
+)
+@click.option(
+    "--sastbox-tag", default=SASTBox.DEFAULT_TAG, required=False, hidden=True,
+    envvar=("CONVISO_SASTBOX_TAG", "FLOW_SASTBOX_TAG"),
+)
+@click.option(
+    "--sastbox-skip-login/--sastbox-no-skip-login", default=False, required=False, hidden=True,
+    envvar=("CONVISO_SASTBOX_SKIP_LOGIN", "FLOW_SASTBOX_SKIP_LOGIN"),
+)
+@click.option(
+    "--custom-sca-tags", hidden=True, required=False, multiple=True, type=(str, str),
+    help="It should be passed as <repository_name> <image_tag>."
+)
+@click.option(
+    "--scanner-timeout", hidden=True, required=False, default=7200, type=int,
+    help="Set timeout for each scanner"
+)
+@click.option(
+    '--cleanup', default=False, is_flag=True, show_default=True,
+    help="Clean up system resources."
+)
+@help_option
+@pass_flow_context
+def dry_run(flow_context, end_commit, start_commit, repository_dir,
+            sastbox_registry, sastbox_repository_name, sastbox_tag, sastbox_skip_login,
+            custom_sca_tags, scanner_timeout, cleanup):
+    """
+    Perform a dry-run AST analysis (SAST, SCA, IaC).
+    Checks API Key, runs the scans, and outputs the results in JSON format to stdout.
+    Does NOT create assets or deploys on Conviso Platform.
+    """
+    try:
+        results = {}
+
+        # Run SAST
+        sast_results = execute_sast_dry_run(
+            flow_context, end_commit, start_commit, repository_dir,
+            sastbox_registry, sastbox_repository_name, sastbox_tag, sastbox_skip_login
+        )
+        results['sast'] = sast_results
+
+        # Run SCA
+        sca_results = execute_sca_dry_run(
+            flow_context, repository_dir, custom_sca_tags, scanner_timeout
+        )
+        results['sca'] = sca_results
+
+        # Run IaC
+        iac_results = execute_iac_dry_run(
+            flow_context, repository_dir, scanner_timeout
+        )
+        results['iac'] = iac_results
+
+        print(json.dumps(results, indent=2))
+
+        if cleanup:
+            LOGGER.info("🧹 Cleaning up ...")
+            cleaner = Cleaner()
+            cleaner.cleanup()
+
+    except Exception as e:
+        traceback.print_exc(file=sys.stderr)
+        on_http_error(e)
+        sys.exit(1)

convisoappsec/flowcli/ast/entrypoint.py

@@ -15,7 +15,7 @@ from convisoappsec.flow import GitAdapter
 from convisoappsec.flowcli.context import pass_flow_context
 from convisoappsec.logger import LOGGER, log_and_notify_ast_event
 from convisoappsec.common.cleaner import Cleaner
-
+from .dry_run import dry_run
 
 def get_default_params_values(cmd_params):
     """ Further information in https://click.palletsprojects.com/en/8.1.x/api/?highlight=params#click.Command.params
@@ -425,3 +425,4 @@ def ast():
 
 
 ast.add_command(run)
+ast.add_command(dry_run)

convisoappsec/flowcli/iac/dry_run.py

@@ -0,0 +1,94 @@
+import click
+import click_log
+import json
+import traceback
+import sys
+from convisoappsec.common.box import ContainerWrapper
+from convisoappsec.flowcli import help_option
+from convisoappsec.flowcli.context import pass_flow_context
+from convisoappsec.logger import LOGGER
+from convisoappsec.flowcli.common import on_http_error
+from convisoappsec.common.cleaner import Cleaner
+
+def execute_dry_run(flow_context, repository_dir, scanner_timeout):
+    REQUIRED_CODEBASE_PATH = '/code'
+    IAC_IMAGE_NAME = 'iac_scanner_checkov'
+    IAC_SCAN_FILENAME = '/{}.json'.format(IAC_IMAGE_NAME)
+    containers_map = {
+        IAC_IMAGE_NAME: {
+            'repository_dir': repository_dir,
+            'repository_name': IAC_IMAGE_NAME,
+            'tag': 'unstable',
+            'command': [
+                '-c', REQUIRED_CODEBASE_PATH,
+                '-o', IAC_SCAN_FILENAME,
+            ],
+        },
+    }
+
+    conviso_rest_api = flow_context.create_conviso_rest_api_client()
+    token = conviso_rest_api.docker_registry.get_sast_token()
+    
+    LOGGER.info('💬 Preparing Environment...')
+    scanners_wrapper = ContainerWrapper(
+        token=token,
+        containers_map=containers_map,
+        logger=LOGGER,
+        timeout=scanner_timeout
+    )
+
+    LOGGER.info('💬 Starting IaC...')
+    scanners_wrapper.run()
+
+    results_list = []
+    for r in scanners_wrapper.scanners:
+        report_filepath = r.results
+        if report_filepath:
+             try:
+                with open(report_filepath, 'r') as f:
+                    results_list.append(json.load(f))
+             except Exception as e:
+                click.echo(f"Error reading result file {report_filepath}: {e}", file=sys.stderr)
+
+    if len(results_list) == 1:
+        return results_list[0]
+    return results_list
+
+@click.command(name='dry-run')
+@click.option(
+    '-r', '--repository-dir', default=".", show_default=True,
+    type=click.Path(exists=True, resolve_path=True), required=False,
+    help="The source code repository directory."
+)
+@click.option(
+    "--scanner-timeout", hidden=True, required=False, default=7200, type=int,
+    help="Set timeout for each scanner"
+)
+@click.option(
+    '--cleanup', default=False, is_flag=True, show_default=True,
+    help="Clean up system resources."
+)
+@help_option
+@pass_flow_context
+def dry_run(flow_context, repository_dir, scanner_timeout, cleanup):
+    """
+    Perform a dry-run IAC analysis.
+    Checks API Key, runs the scan, and outputs the results in JSON format to stdout.
+    Does NOT create assets or deploys on Conviso Platform.
+    """
+    try:
+        results = execute_dry_run(flow_context, repository_dir, scanner_timeout)
+
+        if results:
+            print(json.dumps(results, indent=2))
+        else:
+            print(json.dumps({}, indent=2))
+
+        if cleanup:
+            LOGGER.info("🧹 Cleaning up ...")
+            cleaner = Cleaner()
+            cleaner.cleanup()
+
+    except Exception as e:
+        on_http_error(e)
+        sys.exit(1)

convisoappsec/flowcli/iac/entrypoint.py

@@ -2,6 +2,7 @@ import click
 
 from convisoappsec.flowcli import help_option
 from .run import run
+from .dry_run import dry_run
 
 
 @click.group()
@@ -11,6 +12,7 @@ def iac():
 
 
 iac.add_command(run)
+iac.add_command(dry_run)
 
 iac.epilog = '''
   Run flow iac COMMAND --help for more information on a command.

convisoappsec/flowcli/iac/run.py

@@ -181,6 +181,8 @@ def deploy_results_to_conviso(
                 except ResponseError as error:
                     if error.code == 'RECORD_NOT_UNIQUE':
                         continue
+                    elif error.code == "Record not found" or "Record not found" in str(error):
+                        continue
                     else:
                         retry_handler = RetryHandler(
                             flow_context=flow_context, company_id=company_id, asset_id=asset_id

convisoappsec/flowcli/sast/dry_run.py

@@ -0,0 +1,159 @@
+import sys
+import click
+import traceback
+import json
+from convisoappsec.sast.sastbox import SASTBox
+from docker.errors import APIError
+import time
+from convisoappsec.flow import GitAdapter
+from convisoappsec.flowcli import help_option
+from convisoappsec.flowcli.context import pass_flow_context
+from convisoappsec.logger import LOGGER
+from convisoappsec.common.cleaner import Cleaner
+from convisoappsec.flowcli.common import on_http_error
+
+class DryRunSASTBox(SASTBox):
+    def recovery_technologies_file(self):
+        # Skip technology recovery and update for dry-run
+        pass
+
+def perform_dry_run_sastbox_scan(
+    conviso_rest_api, sastbox_registry, sastbox_repository_name, sastbox_tag, sastbox_skip_login, repository_dir, end_commit, start_commit, logger
+):
+    max_retries = 5
+    retries = 0
+    sastbox = DryRunSASTBox(registry=sastbox_registry, repository_name=sastbox_repository_name, tag=sastbox_tag)
+    pull_progress_bar = click.progressbar(length=sastbox.size, label="Performing SAST download...")
+
+    while retries < max_retries:
+        try:
+            if not sastbox_skip_login:
+                logger("Checking SASTBox authorization...")
+                token = conviso_rest_api.docker_registry.get_sast_token()
+                sastbox.login(token)
+
+            with pull_progress_bar as progressbar:
+                for downloaded_chunk in sastbox.pull():
+                    progressbar.update(downloaded_chunk)
+            break
+        except APIError as e:
+            retries += 1
+            logger(f"Retrying {retries}/{max_retries}...")
+            time.sleep(1)
+
+            if retries == max_retries:
+                logger("Max retries reached. Failed to perform SAST download.")
+                raise Exception(f"Max retries reached. Could not complete the SAST download. Error: {str(e)}")
+
+    logger("Starting SAST scan diff...")
+
+    reports = sastbox.run_scan_diff(repository_dir, end_commit, start_commit, log=logger)
+
+    logger("SAST scan diff done.")
+
+    results_filepaths = []
+    for r in reports:
+        try:
+            file_path = str(r)
+            results_filepaths.append(file_path)
+        except Exception as e:
+            click.echo(f"Error decoding file path: {r} with error {e}.", file=sys.stderr)
+
+    return results_filepaths
+
+def log_func(msg, new_line=True):
+    click.echo(msg, nl=new_line, err=True)
+
+def execute_dry_run(flow_context, end_commit, start_commit, repository_dir,
+                    sastbox_registry, sastbox_repository_name, sastbox_tag, sastbox_skip_login):
+    git_adapter = GitAdapter(repository_dir)
+    end_commit = end_commit or git_adapter.head_commit
+    start_commit = start_commit or git_adapter.empty_repository_tree_commit
+
+    if start_commit == end_commit:
+        return {}
+
+    conviso_rest_api = flow_context.create_conviso_rest_api_client()
+
+    results_filepaths = perform_dry_run_sastbox_scan(
+        conviso_rest_api, sastbox_registry, sastbox_repository_name, sastbox_tag,
+        sastbox_skip_login, repository_dir, end_commit, start_commit, log_func
+    )
+    
+    results_list = []
+    for path in results_filepaths:
+        try:
+            with open(path, 'r') as f:
+                results_list.append(json.load(f))
+        except Exception as e:
+            click.echo(f"Error reading result file {path}: {e}", file=sys.stderr)
+
+    if len(results_list) == 1:
+        return results_list[0]
+    return results_list
+
+@click.command(name='dry-run')
+@click.option(
+    "-s", "--start-commit", required=False,
+    help="If no value is set so the empty tree hash commit is used."
+)
+@click.option(
+    "-e", "--end-commit", required=False,
+    help="If no value is set so the HEAD commit from the current branch is used"
+)
+@click.option(
+    "-r", "--repository-dir", default=".", show_default=True,
+    type=click.Path(exists=True, resolve_path=True), required=False,
+    help="The source code repository directory."
+)
+@click.option(
+    "--sastbox-registry", default="", required=False, hidden=True,
+    envvar=("CONVISO_SASTBOX_REGISTRY", "FLOW_SASTBOX_REGISTRY"),
+)
+@click.option(
+    "--sastbox-repository-name", default="", required=False, hidden=True,
+    envvar=("CONVISO_SASTBOX_REPOSITORY_NAME", "FLOW_SASTBOX_REPOSITORY_NAME"),
+)
+@click.option(
+    "--sastbox-tag", default=SASTBox.DEFAULT_TAG, required=False, hidden=True,
+    envvar=("CONVISO_SASTBOX_TAG", "FLOW_SASTBOX_TAG"),
+)
+@click.option(
+    "--sastbox-skip-login/--sastbox-no-skip-login", default=False, required=False, hidden=True,
+    envvar=("CONVISO_SASTBOX_SKIP_LOGIN", "FLOW_SASTBOX_SKIP_LOGIN"),
+)
+@click.option(
+    '--cleanup', default=False, is_flag=True, show_default=True,
+    help="Clean up system resources."
+)
+@click.option(
+    "-o", "--output", required=False, help="Output the results to a JSON file."
+)
+@help_option
+@pass_flow_context
+def dry_run(flow_context, end_commit, start_commit, repository_dir,
+            sastbox_registry, sastbox_repository_name, sastbox_tag, sastbox_skip_login, cleanup, output):
+    try:
+        results = execute_dry_run(
+            flow_context, end_commit, start_commit, repository_dir,
+            sastbox_registry, sastbox_repository_name, sastbox_tag, sastbox_skip_login
+        )
+
+        if output:
+            with open(output, "w") as f:
+                json.dump(results if results else {}, f, indent=2)
+            LOGGER.info(f"Results saved to {output}")
+        elif results:
+            print(json.dumps(results, indent=2))
+        else:
+            print(json.dumps({}, indent=2))
+            
+        if cleanup:
+            LOGGER.info("🧹 Cleaning up ...")
+            cleaner = Cleaner()
+            cleaner.cleanup()
+
+    except Exception as e:
+        traceback.print_exc(file=sys.stderr)
+        on_http_error(e)
+        sys.exit(1)

convisoappsec/flowcli/sast/entrypoint.py

@@ -2,6 +2,7 @@ import click
 
 from convisoappsec.flowcli import help_option
 from .run import run
+from .dry_run import dry_run
 
 
 @click.group()
@@ -11,6 +12,7 @@ def sast():
 
 
 sast.add_command(run)
+sast.add_command(dry_run)
 
 sast.epilog = '''
   Run flow sast COMMAND --help for more information on a command.

convisoappsec/flowcli/sbom/generate.py

@@ -182,7 +182,7 @@ def generate(context, flow_context, asset_id, company_id, repository_dir, send_t
                 stderr=subprocess.DEVNULL
             )
             command = [f"./conviso/syft scan {repository_dir} -o cyclonedx-json={file_name} "
-                       f"--select-catalogers '{','.join(catalogers)}'"]
+                       f"--select-catalogers '{','.join(catalogers)}' --exclude ./conviso"]
 
             subprocess.run(command, shell=True, check=True, capture_output=True)
 

convisoappsec/flowcli/sca/dry_run.py

@@ -0,0 +1,108 @@
+import click
+import click_log
+import traceback
+import json
+import sys
+from convisoappsec.common.box import ContainerWrapper
+from convisoappsec.flowcli import help_option
+from convisoappsec.flowcli.context import pass_flow_context
+from convisoappsec.logger import LOGGER
+from convisoappsec.flowcli.common import on_http_error
+from convisoappsec.common.cleaner import Cleaner
+
+def log_func(msg, new_line=True):
+    click.echo(msg, nl=new_line, err=True)
+
+def execute_dry_run(flow_context, repository_dir, custom_sca_tags, scanner_timeout):
+    REQUIRED_CODEBASE_PATH = '/code'
+    OSV_SCANNER_IMAGE_NAME = 'osv_scanner'
+
+    scanners = {
+        OSV_SCANNER_IMAGE_NAME: {
+            'repository_name': OSV_SCANNER_IMAGE_NAME,
+            'tag': 'latest',
+            'command': [
+                '-c', REQUIRED_CODEBASE_PATH,
+                '-f', 'json',
+                '-o', '/{}.json'.format(OSV_SCANNER_IMAGE_NAME)
+            ],
+            'repository_dir': repository_dir
+        },
+    }
+
+    if custom_sca_tags:
+        for custom_tag in custom_sca_tags:
+            scan_name, tag = custom_tag
+            if scan_name in scanners.keys():
+                scanners[scan_name]['tag'] = tag
+
+    conviso_rest_api = flow_context.create_conviso_rest_api_client()
+    token = conviso_rest_api.docker_registry.get_sast_token()
+    
+    LOGGER.info('💬 Preparing Environment...')
+    scabox = ContainerWrapper(
+        token=token,
+        containers_map=scanners,
+        logger=LOGGER,
+        timeout=scanner_timeout
+    )
+    LOGGER.info('💬 Starting SCA...')
+    scabox.run()
+
+    results_list = []
+    for unit in scabox.scanners:
+        file_path = unit.results
+        if file_path:
+            try:
+                with open(file_path, 'r') as f:
+                    results_list.append(json.load(f))
+            except Exception as e:
+                click.echo(f"Error reading result file {file_path}: {e}", file=sys.stderr)
+
+    if len(results_list) == 1:
+        return results_list[0]
+    return results_list
+
+
+@click.command(name='dry-run')
+@click.option(
+    '-r', '--repository-dir', default=".", show_default=True,
+    type=click.Path(exists=True, resolve_path=True), required=False,
+    help="The source code repository directory."
+)
+@click.option(
+    "--custom-sca-tags", hidden=True, required=False, multiple=True, type=(str, str),
+    help="It should be passed as <repository_name> <image_tag>."
+)
+@click.option(
+    "--scanner-timeout", hidden=True, required=False, default=7200, type=int,
+    help="Set timeout for each scanner"
+)
+@click.option(
+    '--cleanup', default=False, is_flag=True, show_default=True,
+    help="Clean up system resources."
+)
+@help_option
+@pass_flow_context
+def dry_run(flow_context, repository_dir, custom_sca_tags, scanner_timeout, cleanup):
+    """
+    Perform a dry-run SCA analysis.
+    Checks API Key, runs the scan, and outputs the results in JSON format to stdout.
+    Does NOT create assets or deploys on Conviso Platform.
+    """
+    try:
+        results = execute_dry_run(flow_context, repository_dir, custom_sca_tags, scanner_timeout)
+
+        if results:
+             print(json.dumps(results, indent=2))
+        else:
+             print(json.dumps({}, indent=2))
+
+        if cleanup:
+            LOGGER.info("🧹 Cleaning up ...")
+            cleaner = Cleaner()
+            cleaner.cleanup()
+
+    except Exception as e:
+        on_http_error(e)
+        sys.exit(1)

convisoappsec/flowcli/sca/entrypoint.py

@@ -2,6 +2,7 @@ import click
 
 from convisoappsec.flowcli import help_option
 from .run import run
+from .dry_run import dry_run
 
 
 @click.group()
@@ -11,6 +12,7 @@ def sca():
 
 
 sca.add_command(run)
+sca.add_command(dry_run)
 
 sca.epilog = '''
   Run flow sca COMMAND --help for more information on a command.

convisoappsec/version.py

@@ -1 +1 @@
-__version__ = '3.0.1-rc.1'
+__version__ = '3.0.1-rc.2'