new-scanner
// Scaffold a new vulnerability scanner implementation with tests following the project's existing pattern. Use when adding support for a new scanner tool.
| field | value |
|---|---|
| name | new-scanner |
| description | Scaffold a new vulnerability scanner implementation with tests following the project's existing pattern. Use when adding support for a new scanner tool. |
| allowed-tools | Bash Read Write Edit |
| arguments | `["name","cli","example_image","example_sbom"]` |
| argument-hint | `<scanner-name> <cli-executable> "<image scan command>" "<sbom scan command>"` |
Scaffold a complete scanner implementation for $name using the $cli CLI tool.

Validate $name first: it must be a valid Python identifier (lowercase letters, numbers, underscores only). If it contains dashes, spaces, or other invalid characters, normalize it (e.g., my-scanner becomes my_scanner) and use the normalized form for file names, class names, and method names throughout.

Run `$cli --help` to learn the available subcommands and flags. Identify:

- how the tool reports its version (e.g. `--version`, `version`)

Run both example commands provided by the user:

Image scan:

    $example_image

SBOM scan:

    $example_sbom

Inspect the JSON output from each and identify:

Read these files to understand the conventions:

- `diffused/diffused/scanners/base.py` — abstract base class with 4 required methods
- `diffused/diffused/scanners/trivy.py` — reference implementation
- `diffused/tests/scanners/test_trivy.py` — reference test structure
- `diffused/tests/conftest.py` — shared fixtures (`test_image`, `test_sbom_path`)

Create `diffused/diffused/scanners/$name.py`:

- subclass `BaseScanner`
- `scan_sbom()` — run the scanner on `self.sbom`, parse the JSON into `self.raw_result`
- `scan_image()` — run the scanner on `self.image`, parse the JSON into `self.raw_result`
- `process_result()` — parse `self.raw_result` into `self.processed_result` (a `defaultdict[str, set[Package]]` mapping CVE IDs to sets of `Package` objects)
- `get_version()` — static method, return the scanner version string
- `_run_$name_command(self, cmd, operation)` helper with a 120s timeout
- on failure set `self.error`; do not raise from the scan/process methods
- use `logging` for all log messages

Create `diffused/tests/scanners/test_$name.py`:

- use `unittest.mock` (`patch`, `MagicMock`) for subprocess mocking
- use the shared fixtures from `conftest.py` (`test_image`, `test_sbom_path`)
- follow the structure of `test_trivy.py`

Edit `diffused/diffused/differ.py`:

- add `$name` to the `scanner_map` dict in `VulnerabilityDiffer._get_scanner_class()`

Edit `diffusedcli/diffusedcli/cli.py`:

- add `$name` to the `click.Choice` list in the `--scanner` option

Run `tox -e py39-pytest,py39-pytest-cli` and fix any failures until the tests pass with 100% code coverage on the new scanner file.

Present a summary:
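As an added example (not code from the diffused project or this skill), here is what a scanner written to the conventions above looks like. The `BaseScanner` and `Package` classes are stand-ins for the project's `base.py` and may differ from the real ones; the `acme-scan` CLI, its subcommands and its JSON layout are invented; `fake_cli_command` and `SAMPLE_RAW` are constructed test doubles so the subprocess path runs offline. Everything else follows the rules above: a 120s timeout, failures recorded in `self.error` rather than raised, `logging` for messages, and a `defaultdict` of `Package` sets keyed by vulnerability id.

```python
import json
import logging
import subprocess
import sys
from abc import ABC, abstractmethod
from collections import defaultdict
from dataclasses import dataclass

logger = logging.getLogger(__name__)


# Assumption: stand-ins for diffused/diffused/scanners/base.py, not the real classes.
@dataclass(frozen=True)  # frozen -> hashable, so a Package can live in a set
class Package:
    name: str
    version: str


class BaseScanner(ABC):
    def __init__(self, image=None, sbom=None):
        self.image = image
        self.sbom = sbom
        self.raw_result = None
        self.processed_result = defaultdict(set)
        self.error = None

    @abstractmethod
    def scan_sbom(self): ...
    @abstractmethod
    def scan_image(self): ...
    @abstractmethod
    def process_result(self): ...
    @staticmethod
    @abstractmethod
    def get_version(): ...


class AcmeScanner(BaseScanner):
    """Scanner for the hypothetical 'acme-scan' CLI (invented for this example)."""
    cli = "acme-scan"  # assumed executable name; tests override it per instance

    def _run_acme_command(self, cmd, operation):
        """Run cmd and store its parsed JSON in self.raw_result. Never raises."""
        try:
            proc = subprocess.run(cmd, capture_output=True, text=True,
                                  timeout=120, check=True)
            self.raw_result = json.loads(proc.stdout)
            self.error = None
            return True
        except FileNotFoundError:
            self.error = f"{operation}: {cmd[0]} not found on PATH"
        except subprocess.TimeoutExpired:
            self.error = f"{operation}: timed out after 120s"
        except subprocess.CalledProcessError as exc:
            self.error = f"{operation}: exit {exc.returncode}: {exc.stderr.strip()}"
        except json.JSONDecodeError as exc:
            self.error = f"{operation}: output is not valid JSON ({exc})"
        self.raw_result = None  # never let a stale result reach process_result()
        logger.error(self.error)
        return False

    def scan_image(self):  # assumed subcommand layout for acme-scan
        return self._run_acme_command(
            [self.cli, "image", "--format", "json", self.image], "image scan")

    def scan_sbom(self):
        return self._run_acme_command(
            [self.cli, "sbom", "--format", "json", self.sbom], "sbom scan")

    def process_result(self):
        """Map vulnerability id -> set[Package]; malformed findings are skipped, not fatal."""
        self.processed_result = defaultdict(set)
        if self.raw_result is None:
            self.error = "process_result: no raw result; run a scan first"
            logger.error(self.error)
            return self.processed_result
        # assumed layout: {"findings": [{"id": ..., "package": {"name": ..., "version": ...}}]}
        for finding in self.raw_result.get("findings", []):
            vuln_id = finding.get("id")
            pkg = finding.get("package") or {}
            if not vuln_id or not pkg.get("name"):
                logger.warning("skipping malformed finding: %r", finding)
                continue
            self.processed_result[vuln_id].add(
                Package(pkg["name"], str(pkg.get("version", ""))))
        return self.processed_result

    @staticmethod
    def get_version():
        try:
            proc = subprocess.run([AcmeScanner.cli, "--version"], capture_output=True,
                                  text=True, timeout=120, check=True)
            return proc.stdout.strip()
        except (OSError, subprocess.SubprocessError) as exc:
            logger.error("version check failed: %s", exc)
            return ""


def fake_cli_command(stdout_text):
    """Test double: a command that prints stdout_text, so the subprocess path runs offline."""
    return [sys.executable, "-c", f"import sys; sys.stdout.write({stdout_text!r})"]


# Constructed sample output in the assumed acme-scan layout; the CVE ids are placeholders.
SAMPLE_RAW = {"findings": [
    {"id": "CVE-0000-00001", "package": {"name": "libfoo", "version": "1.2.3"}},
    {"id": "CVE-0000-00001", "package": {"name": "libbar", "version": "0.9"}},
    {"id": "CVE-0000-00002", "package": {"name": "libfoo", "version": "1.2.3"}},
    {"id": "CVE-0000-00003", "package": {}},  # malformed: skipped with a warning
]}
```

Two design points worth carrying into a real scaffold: `Package` must be hashable (here a frozen dataclass) or `set[Package]` silently breaks, and a failed run clears `raw_result` so `process_result()` cannot operate on output from an earlier scan. The `fake_cli_command` helper is only a convenience for running this file offline; the project's tests mock `subprocess` with `unittest.mock` as the skill says.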