devsecops-radar 0.3.10__tar.gz → 0.4.0__tar.gz

{devsecops_radar-0.3.10 → devsecops_radar-0.4.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: devsecops-radar
-Version: 0.3.10
+Version: 0.4.0
 Summary: Unified CI/CD Security Dashboard — Pipeline Sentinel
 Author-email: Mehrdoost <70381337+Mehrdoost@users.noreply.github.com>
 License-Expression: MIT
@@ -32,11 +32,6 @@ Requires-Dist: mypy>=1.9; extra == "dev"
 Requires-Dist: pre-commit>=3.5; extra == "dev"
 Dynamic: license-file
 
-Here is the fully fixed, standardized, and perfectly formatted English version of your comprehensive `README.md` file. I have corrected the Markdown syntax errors, repaired the broken code blocks, properly aligned the tables, and integrated the new features (such as OPA Rego policies, What-If simulation, Codecov, and VEX support).
-
-You can copy the entire block below using the **Copy** button and paste it directly into your file:
-
-```markdown
 <div align="center">
 
 # 🛡️ Pipeline Sentinel
@@ -129,8 +124,8 @@ Pipeline Sentinel is designed to be **flexible** — you decide where it fits be
 [Gitleaks scan] ┘
 ```
 
-> **📌 Diagram Placeholder:** Add your network flow diagram here as `docs/network_flow.png`.  
-> `![Network Flow Diagram](docs/network_flow.png)`
+> **📌 Diagram Placeholder:**  
+![Network Flow Diagram](docs/network_flow.png)
 
 ---
 
@@ -490,8 +485,8 @@ devsecops_radar/
     └── sentry/     # Live webhook agent for CI/CD
 ```
 
-> **📌 Diagram Placeholder:** Add your architecture diagram here as `docs/architecture.png`.  
-> `![Architecture Diagram](docs/architecture.png)`
+> **📌 Diagram Placeholder:**  
+![Network Flow Diagram](docs/network_flow.png)
 
 ---
 
@@ -573,7 +568,7 @@ This project adheres to the Contributor Covenant Code of Conduct. By participati
 
 [![GitHub](https://img.shields.io/badge/GitHub-ReverseForge-181717?logo=github)](https://github.com/ReverseForge) 
 [![GitHub](https://img.shields.io/badge/GitHub-Mehrdoost-181717?logo=github)](https://github.com/Mehrdoost) 
-[![GitHub](https://img.shields.io/badge/GitHub-miora-sora?logo=github)](https://github.com/miora-sora) 
+[![GitHub](https://img.shields.io/badge/GitHub-miora-soraزمس?logo=github)](https://github.com/miora-sora) 
 
 ---
 

{devsecops_radar-0.3.10 → devsecops_radar-0.4.0}/README.md

@@ -1,8 +1,3 @@
-Here is the fully fixed, standardized, and perfectly formatted English version of your comprehensive `README.md` file. I have corrected the Markdown syntax errors, repaired the broken code blocks, properly aligned the tables, and integrated the new features (such as OPA Rego policies, What-If simulation, Codecov, and VEX support).
-
-You can copy the entire block below using the **Copy** button and paste it directly into your file:
-
-```markdown
 <div align="center">
 
 # 🛡️ Pipeline Sentinel
@@ -95,8 +90,8 @@ Pipeline Sentinel is designed to be **flexible** — you decide where it fits be
 [Gitleaks scan] ┘
 ```
 
-> **📌 Diagram Placeholder:** Add your network flow diagram here as `docs/network_flow.png`.  
-> `![Network Flow Diagram](docs/network_flow.png)`
+> **📌 Diagram Placeholder:**  
+![Network Flow Diagram](docs/network_flow.png)
 
 ---
 
@@ -456,8 +451,8 @@ devsecops_radar/
     └── sentry/     # Live webhook agent for CI/CD
 ```
 
-> **📌 Diagram Placeholder:** Add your architecture diagram here as `docs/architecture.png`.  
-> `![Architecture Diagram](docs/architecture.png)`
+> **📌 Diagram Placeholder:**  
+![Network Flow Diagram](docs/network_flow.png)
 
 ---
 
@@ -539,7 +534,7 @@ This project adheres to the Contributor Covenant Code of Conduct. By participati
 
 [![GitHub](https://img.shields.io/badge/GitHub-ReverseForge-181717?logo=github)](https://github.com/ReverseForge) 
 [![GitHub](https://img.shields.io/badge/GitHub-Mehrdoost-181717?logo=github)](https://github.com/Mehrdoost) 
-[![GitHub](https://img.shields.io/badge/GitHub-miora-sora?logo=github)](https://github.com/miora-sora) 
+[![GitHub](https://img.shields.io/badge/GitHub-miora-soraزمس?logo=github)](https://github.com/miora-sora) 
 
 ---
 

{devsecops_radar-0.3.10 → devsecops_radar-0.4.0}/devsecops_radar/cli/scanner.py

@@ -4,14 +4,17 @@ import json
 import os
 import sys
 from importlib.metadata import entry_points
+
 from loguru import logger
-from devsecops_radar.scanners.adapter import ScannerAdapter
+
 from devsecops_radar.core.analyzer import get_analyzer
 from devsecops_radar.core.database import save_scan
-from devsecops_radar.core.rule_fusion import RuleFusion
 from devsecops_radar.core.remediation import auto_fix, generate_pr
 from devsecops_radar.core.reporting import generate_pdf_report
+from devsecops_radar.core.rule_fusion import RuleFusion
 from devsecops_radar.core.valuation import compute_dynamic_risk_score
+from devsecops_radar.scanners.adapter import ScannerAdapter
+
 
 def discover_plugins():
     plugins = {}
@@ -20,6 +23,7 @@ def discover_plugins():
         plugins[cls.name] = cls()
     return plugins
 
+
 def parse_args():
     parser = argparse.ArgumentParser(description='Pipeline Sentinel - Unified CI/CD Security Dashboard')
     parser.add_argument('--trivy', type=str)
@@ -42,6 +46,7 @@ def parse_args():
     parser.add_argument('--wizard', action='store_true', help='Interactive first-time setup wizard')
     return parser.parse_args()
 
+
 async def run_scanner_async(name, target, adapter):
     try:
         if os.path.isfile(target):
@@ -55,6 +60,7 @@ async def run_scanner_async(name, target, adapter):
         logger.error(f"{name} failed: {e}")
         return []
 
+
 async def run_scans(args, plugins):
     scanner_targets = {
         'trivy': args.trivy,
@@ -79,6 +85,7 @@ async def run_scans(args, plugins):
             logger.error(f"Scan task failed with exception: {res}")
     return all_findings
 
+
 def load_custom_rules(args):
     if args.rules:
         try:
@@ -90,6 +97,7 @@ def load_custom_rules(args):
             logger.error(f"Failed to load rules: {e}")
     return []
 
+
 def run_policy_check(args, findings):
     if args.policy:
         passed, msg = RuleFusion.evaluate_policy(findings, args.policy)
@@ -104,6 +112,7 @@ def run_policy_check(args, findings):
             logger.error("Rego policy check failed.")
             sys.exit(1)
 
+
 def save_results(args, findings):
     with open(args.output, 'w') as f:
         json.dump(findings, f, indent=2)
@@ -113,6 +122,7 @@ def save_results(args, findings):
     except Exception as e:
         logger.warning(f"Could not save scan history: {e}")
 
+
 def run_analysis(args, findings, topology=None):
     if not args.analyze:
         return {}
@@ -125,6 +135,7 @@ def run_analysis(args, findings, topology=None):
     logger.success(f"AI summary saved to {summary_file}")
     return analysis
 
+
 def wizard():
     print("🛡️  Welcome to Pipeline Sentinel – Quick Setup Wizard")
     print("This will install necessary components.\n")
@@ -152,6 +163,7 @@ def wizard():
     print("   devsecops-radar-web")
     print("\nThen open http://localhost:8080 in your browser.")
 
+
 def main():
     args = parse_args()
     if args.wizard:
@@ -198,5 +210,6 @@ def main():
     if args.report:
         generate_pdf_report(findings, ai_summary, args.report)
 
+
 if __name__ == '__main__':
-    main()
+    main()

{devsecops_radar-0.3.10 → devsecops_radar-0.4.0}/devsecops_radar/core/analyzer.py

@@ -1,12 +1,16 @@
 import json
 import os
 import re
+from typing import Any
+
 import requests
 from requests.adapters import HTTPAdapter
 from urllib3.util.retry import Retry
-from typing import List, Dict, Any
 
-def _session_with_retries(total=3, backoff_factor=0.5, status_forcelist=[429, 500, 502, 503, 504]):
+
+def _session_with_retries(total=3, backoff_factor=0.5, status_forcelist=None):
+    if status_forcelist is None:
+        status_forcelist = [429, 500, 502, 503, 504]
     session = requests.Session()
     retries = Retry(
         total=total,
@@ -19,15 +23,24 @@ def _session_with_retries(total=3, backoff_factor=0.5, status_forcelist=[429, 50
     session.mount('https://', adapter)
     return session
 
+
 MAX_ANALYZER_FINDINGS = int(os.environ.get("ANALYZER_MAX_FINDINGS", "100"))
 
 FEW_SHOT_EXAMPLE = {
-    "executive_summary": "A leaked CI/CD credential combined with an unpatched container image creates a critical supply chain attack path. Immediate action is required.",
+    "executive_summary": (
+        "A leaked CI/CD credential combined with an unpatched container image "
+        "creates a critical supply chain attack path. Immediate action is required."
+    ),
     "risk_score": 92,
     "attack_paths": [
         {
             "name": "Supply Chain Compromise via Credential Leak",
-            "description": "An exposed GitHub Actions secret (ID: SECRET-001) allows an attacker to push malicious images to the container registry. Combined with a known RCE vulnerability in the web server (CVE-2026-1234), this chain grants full control over the production environment.",
+            "description": (
+                "An exposed GitHub Actions secret (ID: SECRET-001) allows an attacker "
+                "to push malicious images to the container registry. Combined with a known "
+                "RCE vulnerability in the web server (CVE-2026-1234), this chain grants "
+                "full control over the production environment."
+            ),
             "involved_findings": ["SECRET-001", "CVE-2026-1234"],
             "mitre_tactics": ["TA0001", "TA0042"],
             "mitre_techniques": ["T1078", "T1578"],
@@ -39,18 +52,28 @@ FEW_SHOT_EXAMPLE = {
         {
             "priority": 1,
             "finding_id": "SECRET-001",
-            "action": "Rotate the exposed secret and remove it from the workflow log. Use GitHub's masked variables.",
-            "fix_diff": "--- a/.github/workflows/deploy.yml\n+++ b/.github/workflows/deploy.yml\n- run: echo ${{ secrets.DEPLOY_KEY }}\n+ run: echo '**redacted**'"
+            "action": (
+                "Rotate the exposed secret and remove it from the workflow log. "
+                "Use GitHub's masked variables."
+            ),
+            "fix_diff": (
+                "--- a/.github/workflows/deploy.yml\n"
+                "+++ b/.github/workflows/deploy.yml\n"
+                "- run: echo ${{ secrets.DEPLOY_KEY }}\n"
+                "+ run: echo '**redacted**'"
+            )
         }
     ],
     "false_positives_likely": []
 }
 
+
 class BaseAnalyzer:
-    def analyze(self, findings: List[Dict[str, Any]], topology: Dict[str, Any] = None) -> Dict[str, Any]:
+    def analyze(self, findings: list[dict[str, Any]], topology: dict[str, Any] | None = None) -> dict[str, Any]:
         raise NotImplementedError
 
-def extract_json(text: str) -> Dict[str, Any]:
+
+def extract_json(text: str) -> dict[str, Any]:
     try:
         return json.loads(text)
     except json.JSONDecodeError:
@@ -62,7 +85,8 @@ def extract_json(text: str) -> Dict[str, Any]:
                 pass
     return {"executive_summary": text, "attack_paths": [], "top_remediations": []}
 
-def select_findings_for_llm(findings: List[Dict], max_items: int = MAX_ANALYZER_FINDINGS) -> List[Dict]:
+
+def select_findings_for_llm(findings: list[dict], max_items: int = MAX_ANALYZER_FINDINGS) -> list[dict]:
     if len(findings) <= max_items:
         return findings
     critical_high = [f for f in findings if f.get('severity') in ('CRITICAL', 'HIGH')]
@@ -73,13 +97,14 @@ def select_findings_for_llm(findings: List[Dict], max_items: int = MAX_ANALYZER_
         selected.extend(others[:remaining])
     return selected
 
+
 class OllamaAnalyzer(BaseAnalyzer):
-    def __init__(self, model: str = None, endpoint: str = None):
+    def __init__(self, model: str | None = None, endpoint: str | None = None):
         self.model = model or os.environ.get("PIPELINE_LLM_MODEL", "llama3.2:latest")
         self.endpoint = endpoint or os.environ.get("OPENAI_API_BASE", "http://localhost:11434/api/generate")
         self.session = _session_with_retries()
 
-    def analyze(self, findings: List[Dict[str, Any]], topology: Dict[str, Any] = None) -> Dict[str, Any]:
+    def analyze(self, findings: list[dict[str, Any]], topology: dict[str, Any] | None = None) -> dict[str, Any]:
         if not findings:
             return {"executive_summary": "No findings.", "attack_paths": [], "top_remediations": []}
 
@@ -112,16 +137,17 @@ Respond ONLY with valid JSON in the same format as the example."""
         except Exception as e:
             return {"executive_summary": f"AI failed: {str(e)}", "attack_paths": [], "top_remediations": []}
 
+
 class LiteLLMAnalyzer(BaseAnalyzer):
-    def __init__(self, model: str = None):
+    def __init__(self, model: str | None = None):
         try:
             import litellm
             self.litellm = litellm
-        except ImportError:
-            raise ImportError("Install litellm: pip install litellm")
+        except ImportError as err:
+            raise ImportError("Install litellm: pip install litellm") from err
         self.model = model or os.environ.get("PIPELINE_LLM_MODEL", "gpt-4o-mini")
 
-    def analyze(self, findings: List[Dict[str, Any]], topology: Dict[str, Any] = None) -> Dict[str, Any]:
+    def analyze(self, findings: list[dict[str, Any]], topology: dict[str, Any] | None = None) -> dict[str, Any]:
         if not findings:
             return {"executive_summary": "No findings.", "attack_paths": [], "top_remediations": []}
 
@@ -150,7 +176,8 @@ Respond ONLY with JSON like the example."""
         except Exception as e:
             return {"executive_summary": f"AI failed: {str(e)}", "attack_paths": [], "top_remediations": []}
 
-def get_analyzer(backend: str = "ollama", model: str = None) -> BaseAnalyzer:
+
+def get_analyzer(backend: str = "ollama", model: str | None = None) -> BaseAnalyzer:
     if backend == "litellm":
         return LiteLLMAnalyzer(model=model)
-    return OllamaAnalyzer(model=model)
+    return OllamaAnalyzer(model=model)

{devsecops_radar-0.3.10 → devsecops_radar-0.4.0}/devsecops_radar/core/attack_simulation.py

@@ -1,6 +1,7 @@
+import os
 import subprocess
 import tempfile
-import os
+
 
 def simulate_attack(finding: dict) -> str:
     script = f"#!/bin/bash\n# PoC for {finding.get('id')}\necho 'Simulating {finding.get('title')}'"
@@ -19,4 +20,4 @@ def run_sandboxed_poc(script_path: str) -> str:
         )
         return result.stdout
     except Exception as e:
-        return f"Sandbox execution failed: {e}"
+        return f"Sandbox execution failed: {e}"

{devsecops_radar-0.3.10 → devsecops_radar-0.4.0}/devsecops_radar/core/auth.py

@@ -1,10 +1,13 @@
-import os
-import jwt
 import datetime
+import os
 from functools import wraps
-from flask import request, jsonify
+
+import jwt
+from flask import jsonify, request
+
 from devsecops_radar.core.settings import settings
 
+
 def create_token(user: str = "admin") -> str:
     payload = {
         "user": user,
@@ -26,4 +29,4 @@ def login_required(f):
             if key != api_key:
                 return jsonify({"error": "API key required"}), 401
         return f(*args, **kwargs)
-    return decorated
+    return decorated

{devsecops_radar-0.3.10 → devsecops_radar-0.4.0}/devsecops_radar/core/database.py

@@ -1,8 +1,8 @@
 from contextlib import contextmanager
-from devsecops_radar.core.models import (
-    init_db, SessionLocal, Scan, Finding
-)
-from typing import List, Dict, Any, Optional
+from typing import Any
+
+from devsecops_radar.core.models import Finding, Scan, SessionLocal, init_db
+
 
 @contextmanager
 def get_session():
@@ -16,11 +16,11 @@ def get_session():
     finally:
         session.close()
 
-def save_scan(findings: List[Dict[str, Any]]):
+def save_scan(findings: list[dict[str, Any]]):
     from devsecops_radar.core.models import save_scan_to_db
     save_scan_to_db(findings)
 
-def get_all_scans() -> List[Dict[str, Any]]:
+def get_all_scans() -> list[dict[str, Any]]:
     init_db()
     with get_session() as session:
         scans = []
@@ -41,7 +41,7 @@ def get_all_scans() -> List[Dict[str, Any]]:
             })
     return scans
 
-def get_scan_by_id(scan_id: int) -> Optional[Dict[str, Any]]:
+def get_scan_by_id(scan_id: int) -> dict[str, Any] | None:
     with get_session() as session:
         scan = session.query(Scan).filter(Scan.id == scan_id).first()
         if not scan:
@@ -65,7 +65,7 @@ def get_scan_by_id(scan_id: int) -> Optional[Dict[str, Any]]:
             "total": len(findings_list)
         }
 
-def compare_scans(scan_id_1: int, scan_id_2: int) -> Dict[str, Any]:
+def compare_scans(scan_id_1: int, scan_id_2: int) -> dict[str, Any]:
     scan1 = get_scan_by_id(scan_id_1)
     scan2 = get_scan_by_id(scan_id_2)
     if not scan1 or not scan2:
@@ -84,7 +84,7 @@ def compare_scans(scan_id_1: int, scan_id_2: int) -> Dict[str, Any]:
         "removed_findings": removed,
     }
 
-def get_findings_paginated(page: int = 1, per_page: int = 50) -> Dict[str, Any]:
+def get_findings_paginated(page: int = 1, per_page: int = 50) -> dict[str, Any]:
     with get_session() as session:
         total = session.query(Finding).count()
         findings = session.query(Finding).order_by(Finding.id.desc()).offset(
@@ -101,4 +101,4 @@ def get_findings_paginated(page: int = 1, per_page: int = 50) -> Dict[str, Any]:
                 "description": f.description,
                 "line": f.line
             })
-        return {"items": items, "total": total, "page": page, "per_page": per_page}
+        return {"items": items, "total": total, "page": page, "per_page": per_page}

{devsecops_radar-0.3.10 → devsecops_radar-0.4.0}/devsecops_radar/core/models.py

@@ -1,10 +1,10 @@
-from sqlalchemy import create_engine, Column, Integer, String, DateTime, JSON, ForeignKey
-from sqlalchemy.orm import declarative_base, sessionmaker, relationship
-from pydantic import BaseModel, field_validator
-from typing import Optional
 import datetime
 import os
 
+from pydantic import BaseModel, field_validator
+from sqlalchemy import JSON, Column, DateTime, ForeignKey, Integer, String, create_engine
+from sqlalchemy.orm import declarative_base, relationship, sessionmaker
+
 Base = declarative_base()
 
 class FindingSchema(BaseModel):
@@ -13,8 +13,8 @@ class FindingSchema(BaseModel):
     severity: str
     target: str
     title: str
-    description: Optional[str] = ""
-    line: Optional[int] = None
+    description: str | None = ""
+    line: int | None = None
 
     @field_validator('severity')
     @classmethod
@@ -70,4 +70,4 @@ def save_scan_to_db(findings: list):
         session.rollback()
         raise
     finally:
-        session.close()
+        session.close()

{devsecops_radar-0.3.10 → devsecops_radar-0.4.0}/devsecops_radar/core/parser.py

@@ -1,6 +1,6 @@
 import json
 import warnings
-from typing import List, Dict, Any
+from typing import Any
 
 warnings.warn(
     "devsecops_radar.core.parser is deprecated and will be removed in v0.3.0. "
@@ -9,7 +9,7 @@ warnings.warn(
     stacklevel=2,
 )
 
-def parse_trivy_json(file_path: str) -> List[Dict[str, Any]]:
+def parse_trivy_json(file_path: str) -> list[dict[str, Any]]:
     with open(file_path) as f:
         data = json.load(f)
     findings = []
@@ -32,7 +32,7 @@ def parse_trivy_json(file_path: str) -> List[Dict[str, Any]]:
     return findings
 
 
-def parse_semgrep_json(file_path: str) -> List[Dict[str, Any]]:
+def parse_semgrep_json(file_path: str) -> list[dict[str, Any]]:
     with open(file_path) as f:
         data = json.load(f)
     findings = []
@@ -53,8 +53,8 @@ def parse_semgrep_json(file_path: str) -> List[Dict[str, Any]]:
     return findings
 
 
-def merge_findings(*finding_lists) -> List[Dict[str, Any]]:
+def merge_findings(*finding_lists) -> list[dict[str, Any]]:
     merged = []
     for lst in finding_lists:
         merged.extend(lst)
-    return merged
+    return merged

{devsecops_radar-0.3.10 → devsecops_radar-0.4.0}/devsecops_radar/core/rag.py

@@ -1,7 +1,9 @@
-from devsecops_radar.core.models import SessionLocal, Finding
-from typing import List, Dict, Any
+from typing import Any
 
-def rag_search(query: str, limit: int = 5) -> List[Dict[str, Any]]:
+from devsecops_radar.core.models import Finding, SessionLocal
+
+
+def rag_search(query: str, limit: int = 5) -> list[dict[str, Any]]:
     session = SessionLocal()
     results = session.query(Finding).filter(
         Finding.title.ilike(f'%{query}%') | Finding.description.ilike(f'%{query}%')
@@ -18,4 +20,4 @@ def rag_search(query: str, limit: int = 5) -> List[Dict[str, Any]]:
             "line": f.line
         })
     session.close()
-    return findings
+    return findings

{devsecops_radar-0.3.10 → devsecops_radar-0.4.0}/devsecops_radar/core/remediation.py

@@ -2,23 +2,24 @@ import os
 import shutil
 import subprocess
 from pathlib import Path
-from typing import List, Dict, Any
+from typing import Any
 
 BACKUP_DIR = Path.home() / ".devsecops-radar" / "backups"
 
+
 def _backup_file(target_file: str):
-    """Create a backup of the file before modifying it."""
     backup_path = BACKUP_DIR / (Path(target_file).name + ".bak")
     BACKUP_DIR.mkdir(parents=True, exist_ok=True)
     shutil.copy2(target_file, backup_path)
 
-def apply_remediation(finding: Dict[str, Any], ai_fix: str) -> bool:
+
+def apply_remediation(finding: dict[str, Any], ai_fix: str) -> bool:
     print(f"[FIX] Applying fix for {finding['id']}...")
     target_file = finding.get('target', '')
     line = finding.get('line')
     if target_file and line and os.path.exists(target_file):
         _backup_file(target_file)
-        with open(target_file, 'r') as f:
+        with open(target_file) as f:
             lines = f.readlines()
         line_index = line - 1
         if 0 <= line_index < len(lines):
@@ -28,7 +29,8 @@ def apply_remediation(finding: Dict[str, Any], ai_fix: str) -> bool:
             return True
     return False
 
-def auto_fix(findings: List[Dict[str, Any]], ai_summary: Dict[str, Any]) -> List[str]:
+
+def auto_fix(findings: list[dict[str, Any]], ai_summary: dict[str, Any]) -> list[str]:
     fixed = []
     remediations = ai_summary.get('top_remediations', [])
     for rem in remediations:
@@ -41,7 +43,8 @@ def auto_fix(findings: List[Dict[str, Any]], ai_summary: Dict[str, Any]) -> List
                 fixed.append(fid)
     return fixed
 
-def generate_fix_commands(findings: List[Dict[str, Any]], ai_summary: Dict[str, Any]) -> str:
+
+def generate_fix_commands(findings: list[dict[str, Any]], ai_summary: dict[str, Any]) -> str:
     commands = []
     for rem in ai_summary.get('top_remediations', []):
         fid = rem.get('finding_id')
@@ -50,15 +53,23 @@ def generate_fix_commands(findings: List[Dict[str, Any]], ai_summary: Dict[str,
         if finding:
             target = finding.get('target', '')
             if 'requirements.txt' in target:
-                commands.append(f"# Update {target}\npip install --upgrade {finding.get('package', '')}")
+                commands.append(
+                    f"# Update {target}\npip install --upgrade {finding.get('package', '')}"
+                )
             elif 'package.json' in target:
-                commands.append(f"# Update {target}\nnpm update {finding.get('package', '')}")
+                commands.append(
+                    f"# Update {target}\nnpm update {finding.get('package', '')}"
+                )
             elif 'dockerfile' in target.lower():
-                commands.append(f"# Fix {target}\nsed -i 's/{finding.get('installed_version')}/{finding.get('fixed_version')}/' {target}")
+                commands.append(
+                    f"# Fix {target}\nsed -i "
+                    f"'s/{finding.get('installed_version')}/{finding.get('fixed_version')}/' {target}"
+                )
             else:
                 commands.append(f"# Manual fix for {fid}: {action}")
     return '\n'.join(commands)
 
+
 def generate_pr(findings_file: str, branch: str = "auto-fix"):
     try:
         subprocess.run(['git', 'checkout', '-b', branch], check=True)
@@ -67,4 +78,4 @@ def generate_pr(findings_file: str, branch: str = "auto-fix"):
         subprocess.run(['git', 'push', 'origin', branch], check=True)
         print(f"[FIX] Branch '{branch}' pushed. Create a PR manually or via GitHub CLI.")
     except Exception as e:
-        print(f"[FIX] Failed to create PR: {e}")
+        print(f"[FIX] Failed to create PR: {e}")