
Commands

analyze

harden analyze <path>

What it does:

  • Detects the framework and the application's entry command
  • Scans for secrets (regex patterns plus entropy analysis)
  • Discovers dependencies and enriches them with known CVEs from the OSV database

Primary output:

  • .harden/state/harden-report.json
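How a regex-plus-entropy secret scan works, as an added example that is not harden's own scanner: the rules, thresholds, finding format and sample input are assumptions chosen for the demonstration. Pattern rules catch credentials with a fixed shape (the AKIA prefix of AWS access key IDs, a `password = "..."` style assignment); the entropy pass catches opaque high-entropy tokens that no pattern knows about, with a lower threshold for hex strings since hex can carry at most 4 bits per character.

```python
"""Regex + entropy secret scan over source text.

Added illustrative example, not harden's own scanner: the rules, thresholds and
sample input below are assumptions chosen for the demonstration.
"""
import math
import re
from collections import Counter

# Fixed-shape rules. The AKIA prefix of AWS access key IDs is documented publicly;
# the keyword rule catches `password = "..."`-style assignments regardless of value.
PATTERN_RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "keyword-assignment": re.compile(
        r"(?i)(?:password|passwd|secret|token|api[_-]?key)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# Entropy candidates: long runs of hex/base64-ish characters (20+ chars).
CANDIDATE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
HEX_ONLY = re.compile(r"[0-9a-fA-F]+")
# Bits-per-character thresholds (assumed; hex carries at most 4 bits, base64 at most 6).
HEX_THRESHOLD = 3.0
B64_THRESHOLD = 4.5


def shannon_entropy(s: str) -> float:
    """Entropy in bits per character of s's empirical symbol distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(token: str) -> str:
    """Reports must not echo the secret back: keep a short prefix and the length."""
    return f"{token[:4]}...({len(token)} chars)"


def scan_text(text: str) -> list[dict]:
    """Return one finding per (line, rule) hit: pattern rules first, then entropy."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        reported = set()
        for rule, rx in PATTERN_RULES.items():
            for m in rx.finditer(line):
                token = m.group(m.lastindex or 0)
                reported.add(token)
                findings.append({"line": lineno, "rule": rule, "match": redact(token)})
        for m in CANDIDATE.finditer(line):
            token = m.group(0)
            if token in reported:  # already reported by a pattern rule
                continue
            is_hex = HEX_ONLY.fullmatch(token) is not None
            ent = shannon_entropy(token)
            if ent >= (HEX_THRESHOLD if is_hex else B64_THRESHOLD):
                findings.append({
                    "line": lineno,
                    "rule": "high-entropy-hex" if is_hex else "high-entropy-base64",
                    "match": redact(token),
                    "entropy": round(ent, 2),
                })
    return findings


# Constructed sample input (the AKIA value is AWS's publicly documented example key ID).
SAMPLE = """\
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
db_password = "hunter2-changeme"
DATABASE_URL = "postgres://app:9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c3b2a1f0e@db.internal/app"
placeholder = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
timeout_seconds = 30
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE):
        print(finding)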

lock

harden lock <path> [--strategy auto|uv|pip-compile|pip-freeze] [--python-version 3.12]

What it does:

  • Pins all dependencies to exact versions
  • Infers dependencies from bare imports when no manifest exists

Outputs:

  • requirements.lock
  • build_report.json
  • .harden/state/requirements.inferred.txt (only if inferred)

generate

harden generate <path> [--fail-on-critical]

What it does:

  • Writes .harden/Dockerfile (lockfile-aware)
  • Writes .harden/sbom.json (CycloneDX)
  • Writes .dockerignore in project root if missing

Optional behavior:

  • --fail-on-critical exits non-zero if critical CVEs are detected.