Outputs
Report
The analysis report is written to:
.harden/state/harden-report.json
It includes the inferred entry_command, risk score, dependency list, and vulnerability metadata when available.
Dockerfile
Generated at:
.harden/Dockerfile
Behavior:
- Prefers requirements.lock
- Falls back to requirements.txt
- Supports pyproject.toml-only projects (pip install .)
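The precedence above, written out as an added example (this is not harden's generator; the COPY/RUN lines, the --no-cache-dir flag and the function names are illustrative assumptions). It shows what the install layer looks like in each of the three cases and fails loudly when none of the files exists, rather than silently building an image with no dependencies:

```python
"""Pick the dependency source for a generated Dockerfile.

Added example, not harden's own code. Mirrors the documented order:
requirements.lock, then requirements.txt, then pyproject.toml.
"""

# (file to look for, pip command to run) in order of preference.
PRECEDENCE = (
    ("requirements.lock", "pip install --no-cache-dir -r requirements.lock"),
    ("requirements.txt", "pip install --no-cache-dir -r requirements.txt"),
    ("pyproject.toml", "pip install --no-cache-dir ."),
)


def choose_install(files: set[str]) -> tuple[str, str]:
    """Return (chosen file, pip command) for the first source present.

    `files` is the set of file names in the project root. Raises
    ValueError when none of the three exist so the caller cannot
    produce an image that quietly has no dependencies installed.
    """
    for name, cmd in PRECEDENCE:
        if name in files:
            return name, cmd
    raise ValueError(
        "no requirements.lock, requirements.txt or pyproject.toml found"
    )


def render_install_layer(files: set[str]) -> str:
    """Render the COPY/RUN pair for the chosen source (illustrative layout)."""
    name, cmd = choose_install(files)
    if name == "pyproject.toml":
        # `pip install .` needs the whole source tree in the build context.
        copy = "COPY . ."
    else:
        # Copy only the pin file first so the dependency layer stays cached
        # across unrelated source changes.
        copy = f"COPY {name} ."
    return f"{copy}\nRUN {cmd}"


if __name__ == "__main__":
    # Constructed sample: a project with both a lock file and a txt file.
    print(render_install_layer({"requirements.lock", "requirements.txt", "app.py"}))
```

When both requirements.lock and requirements.txt are present the lock file wins, which is the behaviour a reproducible build wants: the txt file may contain unpinned ranges.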
SBOM
Generated at:
.harden/sbom.json
Format:
- CycloneDX 1.5 JSON
- Includes OSV CVE metadata when present
- Derived from requirements.lock when available