**Free, open-source vulnerability scanning and reporting for GitHub repositories.**
## What is VISaR?
VISaR (Vulnerability Identification, Scanning and Reporting) is a free, open-source Python tool that automatically scans GitHub repositories for known vulnerabilities and generates detailed, actionable reports. Output is available in CSV, JSON, or as a self-contained interactive HTML dashboard, making it easy to review, share, and act on findings.
VISaR uses best-in-class open-source components: the [OSSF Scorecard](https://github.com/ossf/scorecard) for vulnerability identification and the [OSV Database](https://osv.dev/) for vulnerability enrichment (severity, description, and aliases).
**Who is VISaR for?**
- **Data Engineers:** Evaluate open-source libraries and frameworks before integrating them into your data platform.
- **Software Engineers:** Assess your codebase for known vulnerabilities before a release or production deployment.
- **Independent Developers and Hobbyists:** Verify code generated by AI assistants or sourced from the community.
## 1. Using VISaR
**Prerequisites**
To use VISaR, ensure you have the following installed and configured:
- [uv](https://docs.astral.sh/uv/) — Python package and environment manager. uv will automatically download Python 3.12+ if needed.
- [Docker Desktop](https://www.docker.com/products/docker-desktop/) — required to run the OSSF Scorecard container.
- The OSSF Scorecard Docker image, pulled locally:

```
docker pull gcr.io/openssf/scorecard:stable
```

- A classic GitHub personal access token _(Settings > Developer Settings > Personal access tokens > Tokens (classic))_ with the `public_repo` scope. This is stored in a `.env` file at the project root (never committed to version control).
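
For reference, a `.env` file is a plain key-value text file. The sketch below is illustrative only (the variable name is an assumption; check `.env.example` at the project root for the exact key the project expects):

```
# .env (project root, never committed to version control)
# NOTE: the variable name here is illustrative; see .env.example for the exact key
GITHUB_TOKEN=ghp_your_classic_token_here
```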
**System Requirements**
- Python 3.12+ (managed automatically by uv)
- Docker Desktop with at least 2 GB of available memory
- Network access to the GitHub API (`api.github.com`) and the OSV API (`api.osv.dev`)
- Approximately 1 GB of free disk space for the OSSF Scorecard Docker image
A `.env.example` template is included at the project root for reference.

3. From the root directory, install dependencies. This creates `.venv` and installs everything from `pyproject.toml` in one step:
```
uv sync
```

4. From the root directory, run the test suite to verify everything is working:
```
uv run python -m unittest discover -s tests
```

All tests should pass. If any fail, check the error message and ensure Docker Desktop is running and the OSSF Scorecard image has been pulled.
5. Move into the `src/` folder and run the application:
**Single repository scan (default CSV output):**
```
cd src/
uv run python main.py <full-github-repo-url>
```

**Single repository scan with JSON output:**
```
uv run python main.py <full-github-repo-url> --output-format json
```

**Batch scan — scan multiple repositories from a text file:**
```
uv run python main.py --batch ../repos.txt
uv run python main.py --batch ../repos.txt --output-format json
```

The batch file should contain one GitHub repository URL per line. Lines starting with `#` and blank lines are ignored. A `repos.txt.example` file is provided as a template — copy it to `repos.txt` and replace the contents with your own repos (`repos.txt` is gitignored).
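
Following those rules, a minimal batch file might look like this (the repository URLs are placeholders):

```
# repos.txt: one GitHub repository URL per line
https://github.com/owner/repo-one

# blank lines and lines starting with '#' are skipped
https://github.com/owner/repo-two
```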
**Generate an HTML dashboard from all scan outputs in a directory:**
```
uv run python dashboard.py
```

Or point to a specific data directory:
```
uv run python dashboard.py <path-to-data-dir>
```

The dashboard is an ad-hoc step — run scans as many times as needed first, then generate the HTML report when you are ready to review. A single self-contained `dashboard.html` is written to the `data/` directory, embedding all scan datasets. Use the dropdown to switch between scans, the date filter to narrow by scan date, and the severity pills to focus on the most critical findings. Rows can be expanded to read the full vulnerability detail.
**CLI Reference**
| Argument | Type | Default | Description |
|---|---|---|---|
| `repo_url` | positional | — | Full GitHub repository URL. Required unless `--batch` is used. |
| `--batch FILE` | optional | — | Path to a text file containing one URL per line. Use instead of `repo_url`. |
| `--output-format {csv,json}` | optional | `csv` | Output format for the scan report. |
| `-h` / `--help` | flag | — | Display help message and exit. |
**Exit codes:** `0` — completed successfully (including when no vulnerabilities are found). `1` — scan failed; see the `logs/` directory for details.
<br>
The output file generated by a successful run is placed in the `data/` directory. The default CSV format is ready to open in Microsoft Excel or any spreadsheet tool — see Figure 1. The key columns for decision-making are **Severity** and **Details**, which together describe each finding.
<br>
<br>
<p><strong>Figure 1:</strong> Example VISaR Output</p>
</div>
Example logs for a successful run and a failed run are provided in the [logs directory](./logs/). Example scan output files (CSV and JSON) are provided in the [data directory](./data/); these show the format a real scan produces and can be used to generate a dashboard without running a full scan.
81
145
82
146
## 2. Technical Overview
83
-
The user provides a GitHub code repository URL to VISaR which then automatically performs a code scan, sends requests to the OSV API and enriches the data before writing vulnerability information to a CSV file.
147
+
The user provides a GitHub repository URL to VISaR, which automatically performs a vulnerability scan, queries the OSV API to enrich findings, and writes a structured report in the chosen format.
84
148
85
149
**How VISaR works:**
86
150
87
-
The workflow below aligns with the architecture diagram shown Figure 2.
151
+
The workflow below aligns with the architecture diagram shown in Figure 2.
88
152
89
153
1. OSSF Scorecard scans the repository and generates a summary file.
2. A second OSSF Scorecard scan generates a file of known vulnerabilities (saved temporarily).
3. A list of vulnerability IDs is extracted from the temporary file.
4. Vulnerability IDs are sent to the OSV API to retrieve severity ratings and plain-text descriptions.
5. Key vulnerability information is extracted from the API response.
6. The vulnerability IDs, severity, and descriptions are compiled into a structured report (CSV or JSON, depending on the `--output-format` flag).
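
Steps 4 and 5 can be sketched in a few lines of Python. This is not VISaR's actual implementation; it only illustrates reducing an OSV record (as returned by `GET https://api.osv.dev/v1/vulns/<id>`) to the fields a report row needs, assuming the public OSV schema (`id`, `summary`, and a `severity` list of `{type, score}` entries):

```python
# Sketch only: reduce a raw OSV API record to the id/severity/details
# fields a report row needs. Field names follow the public OSV schema;
# this is not VISaR's actual code.
def summarize_osv_record(record: dict) -> dict:
    severities = record.get("severity", [])
    # Prefer a CVSS v3 score when present, otherwise fall back gracefully.
    score = next(
        (s.get("score", "") for s in severities if s.get("type") == "CVSS_V3"),
        severities[0].get("score", "unknown") if severities else "unknown",
    )
    return {
        "id": record.get("id", ""),
        "severity": score,
        "details": record.get("summary", ""),
    }

# Example payload shaped like an OSV response (values are made up):
sample = {
    "id": "GHSA-xxxx-xxxx-xxxx",
    "summary": "Example: path traversal in archive extraction",
    "severity": [{"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],
}
print(summarize_osv_record(sample)["severity"])
```

In the real pipeline one such record is fetched per harvested vulnerability ID before the rows are written out.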
<br>
<p><strong>Figure 2:</strong> VISaR Architecture Diagram</p>
</div>
**Overview of the Project Structure**

The VISaR codebase follows a standard `src/` layout.

- The application code is in `src/`. `main.py` is the scan entry point and `dashboard.py` is the HTML report entry point.

- The `helpers/` package is a collection of modules, each containing a logical grouping of functions used in the main pipeline. `dashboard_funcs.py` handles all HTML generation and is intentionally separate from the scan pipeline.
- Each module in `helpers/` has an associated test file in `tests/`. Within each test script, all tests for a given function are grouped into their own class. We aim for close to 100% test coverage.
- Run details are captured in a `.log` file in the `logs/` directory. If a run fails, this is the first place to look.
- The `data/` directory contains scan output files, named by date and repository (e.g. `20260320-owner-repo_vulnids.csv`). The suffix depends on the chosen format: `_vulnids.csv` (default) or `_vulnids.json`. Running `dashboard.py` writes a single `dashboard.html` to this directory, embedding all scan datasets.
- Project dependencies are declared in `pyproject.toml` at the root. Running `uv sync` creates `.venv` and installs everything. The `scripts/` directory contains `setup.ps1` (Windows) and `setup.sh` (Mac/Linux) as convenience wrappers around `uv sync`.
## 3. Roadmap
See [docs/ROADMAP.md](./docs/ROADMAP.md) for planned features and future direction.
## 4. Contribute
Thank you for wanting to contribute to VISaR! We welcome contributions from the community.
Before contributing, please read our guidelines covering code style, linting, and testing: [docs/Contributing.md](./docs/Contributing.md).
By contributing to this project, you agree that your contributions will be licensed under the [Apache-2.0 License](LICENSE.txt).
## 5. License
VISaR is completely free, open-source, and licensed under the [Apache-2.0 License](LICENSE.txt).