[Automated] Update syft CLI Options

[thomhurst]

Summary

This PR contains automatically generated updates to syft CLI options classes.

The generator scraped the latest CLI help output from the installed tool.

Changes

• Updated options classes to reflect latest CLI documentation
• Added new commands if any were detected
• Updated option types and descriptions

Verification

• Solution builds successfully

---

🤖 Generated with ModularPipelines.OptionsGenerator

[claude]

Code Review

This is an automated PR generated by ModularPipelines.OptionsGenerator that updates the syft CLI options.

Change Summary

The only change is a timestamp update in AssemblyInfo.Generated.cs:

• ModularPipelines.OptionsGenerator.GeneratedAt updated from 2026-03-01T03:12:23 to 2026-03-08T03:09:47

Assessment

This is a clean, minimal automated update. The change correctly reflects that the generator re-ran on 2026-03-08 and detected no substantive changes to the syft CLI options (no new commands, options, or type changes). The metadata-only diff confirms the generator is working correctly — it re-ran and found nothing to update beyond the timestamp itself.

Design note: The pattern of tracking GeneratedAt timestamps in assembly metadata is a sound approach — it provides an audit trail for when options classes were last verified against the actual CLI tool, making it easy to identify staleness without having to inspect the full diff history.

No issues found. ✅

[claude]

Code Review

This automated PR updates the syft CLI options for ModularPipelines.Syft.

Change Summary

The only change is a timestamp update in AssemblyInfo.Generated.cs:

• ModularPipelines.OptionsGenerator.GeneratedAt: 2026-03-01T03:12:23Z → 2026-03-15T03:13:23Z

Previous Review

A prior claude review (2026-03-08 run) was dismissed. The pattern is identical — the generator re-ran, found no substantive changes to the syft CLI surface area, and updated only the timestamp.

Assessment

Clean automated update — no issues. ✅

The metadata-only diff confirms the generator is functioning correctly: it re-ran against the latest syft CLI, verified options are still accurate, and recorded the new timestamp. The absence of option/command changes means syft's CLI interface is stable since the last generation on 2026-03-01.

The GeneratedAt tracking pattern remains a sound design choice — it creates an auditable trail of when CLI options were last verified without requiring manual inspection of diffs or git history.

[claude]

Code Review

This automated PR updates the syft CLI options for ModularPipelines.Syft.

Change Summary

The only change is a timestamp update in src/ModularPipelines.Syft/AssemblyInfo.Generated.cs:

• ModularPipelines.OptionsGenerator.GeneratedAt: 2026-03-01T03:12:23Z → 2026-03-22T03:30:49Z

Context

This is the third run of the generator against this PR (previous reviews from 2026-03-08 and 2026-03-15 are visible). Each run has produced only a timestamp bump, confirming that syft's CLI surface area has been stable for at least three weeks.

Assessment

The change is correct and the generator is behaving as designed. No options, commands, or types were added, removed, or altered — this is expected when the upstream syft CLI has not changed.

One observation worth flagging for long-term maintainability: since this PR is being auto-regenerated repeatedly with only timestamp changes, it raises the question of whether a "no-op" run (where the generator detects zero substantive changes) should skip opening/updating a PR altogether. Emitting a PR solely to advance a timestamp adds noise to the review queue without delivering any consumer-visible value. A possible improvement would be for the generator workflow to diff the generated content against what is already on main and abort the PR if the only delta is the GeneratedAt timestamp — this would reduce churn and keep the PR list meaningful.

That said, this is a process/workflow concern, not a correctness issue with the current change. The change itself is safe to merge.

[claude]

Code Review

This is the fourth automated run of the syft options generator against this PR (previous reviews: 2026-03-08, 2026-03-15, 2026-03-22, all as COMMENTED). The change is again a timestamp-only bump in AssemblyInfo.Generated.cs.

Change Summary

ModularPipelines.OptionsGenerator.GeneratedAt: 2026-03-22T03:30:49Z → 2026-03-29T03:14:36Z — no options, commands, or type changes.

Previously Raised Issue — Still Unaddressed

The review from 2026-03-22 raised a concrete workflow concern: when the generator detects zero substantive changes, it should skip creating/updating the PR rather than emitting a timestamp-only diff. That observation has now been validated four times in a row. The syft CLI has been stable for at least four weeks, yet this PR keeps re-appearing in the review queue each Sunday.

Looking at the workflow in .github/workflows/generate-cli-options.yml, the Check for changes step (line 527–542) already does a git diff --staged --quiet --ignore-all-space --ignore-blank-lines check and sets has_changes=false when there are no meaningful changes, which correctly gates the Create Pull Request step. However, this check fires after git add 'src/**/*.cs', meaning the GeneratedAt timestamp change in AssemblyInfo.Generated.cs is always treated as a meaningful change — even though it carries no consumer-visible value.

Root Cause

The GeneratedAt timestamp is always different after a re-run, so has_changes will always be true even when nothing else changed. The no-op guard never fires for timestamp-only runs.

Suggested Fix

The Check for changes step should either:

1. Exclude the AssemblyInfo.Generated.cs file from the diff check — only treat structural option/command changes as "real" changes that warrant a PR. The timestamp would still be committed inside an already-open PR (if one was opened for a real change) but would not by itself trigger a new PR.

2. Alternatively, strip the GeneratedAt line from the diff before evaluating has_changes, e.g.:

   if git diff --staged -U0 | grep -v 'GeneratedAt' | grep -q '^[+-]'; then
     echo "has_changes=true" >> $GITHUB_OUTPUT
   else
     echo "has_changes=false" >> $GITHUB_OUTPUT
   fi

Either approach would prevent this PR from being regenerated weekly when syft's CLI surface area has not changed, reducing noise and keeping the automated PR list meaningful.

Assessment

The change itself is safe and correct. The generator is functioning as designed. No bugs or correctness issues. However, the workflow design means this PR will continue to recur indefinitely with no actionable content until the has_changes guard is updated to ignore timestamp-only deltas.

[claude]

Code Review — Fifth Automated Run

This is the fifth run of the syft options generator against this PR (previous reviews: 2026-03-08, 2026-03-15, 2026-03-22, 2026-03-29). The change is again a timestamp-only bump in AssemblyInfo.Generated.cs.

Change Summary

ModularPipelines.OptionsGenerator.GeneratedAt: 2026-03-29T03:14:36Z → 2026-04-05T03:14:57Z — no options, commands, or type changes.

Previously Raised Issue — Still Unaddressed (Fifth Week Running)

The review from 2026-03-22 identified a concrete workflow problem: when the generator detects zero substantive changes to a tool's CLI surface, it should not create or update the PR. That issue has now been validated five weeks in a row. The syft CLI has been stable for at least five weeks, yet this PR continues to reappear in the review queue every Saturday.

The root cause, identified in the 2026-03-29 review, is that the GeneratedAt timestamp in AssemblyInfo.Generated.cs is always different after a re-run, so the git diff --staged --quiet guard in the Check for changes step always sees a diff and sets has_changes=true — even when the generator detected no meaningful changes.

Recommended Fix (Unchanged from Previous Review)

In the Check for changes step of .github/workflows/generate-cli-options.yml, filter the GeneratedAt line out of the diff evaluation:

if git diff --staged -U0 | grep -v 'GeneratedAt' | grep -q '^[+-]'; then
  echo "has_changes=true" >> $GITHUB_OUTPUT
else
  echo "has_changes=false" >> $GITHUB_OUTPUT
fi

This single change would stop timestamp-only runs from creating or refreshing PRs, keeping the automated PR queue meaningful and reducing reviewer fatigue.

Assessment

The change is correct and safe to merge. The generator is functioning as designed. There are no bugs, no correctness issues, and no option/command regressions. However, until the has_changes guard is updated to ignore GeneratedAt-only deltas, this PR will continue to recur weekly with no actionable content.

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 complexity

Metric	Results
Complexity	✅ 0 (≤ 20 complexity)

View in Codacy

_{TIP This summary will be updated as you push new changes. Give us feedback}

[claude]

Code Review — Sixth Automated Run

This is the sixth run of the syft options generator against this PR (previous reviews: 2026-03-08, 2026-03-15, 2026-03-22, 2026-03-29, 2026-04-05). The change is again a timestamp-only bump in AssemblyInfo.Generated.cs.

Change Summary

ModularPipelines.OptionsGenerator.GeneratedAt: 2026-04-05T03:14:57Z → 2026-04-12T03:34:25Z — no options, commands, or type changes.

Previously Raised Issue — Still Unaddressed (Six Weeks Running)

The same workflow concern has been flagged in every review since 2026-03-22. The root cause is unchanged: the GeneratedAt timestamp in AssemblyInfo.Generated.cs always differs after a re-run, so the git diff --staged --quiet guard in the Check for changes CI step always evaluates has_changes=true — even when the generator found zero substantive changes to syft's CLI surface area.

Six weeks of consecutive timestamp-only PRs with no option/command changes is strong evidence that the upstream syft CLI is stable, and equally strong evidence that the guard is not working as intended.

Recommended Fix (Unchanged from Previous Reviews)

In the Check for changes step of .github/workflows/generate-cli-options.yml, exclude GeneratedAt from the meaningful-change evaluation:

if git diff --staged -U0 | grep -v 'GeneratedAt' | grep -q '^[+-]'; then
  echo "has_changes=true" >> $GITHUB_OUTPUT
else
  echo "has_changes=false" >> $GITHUB_OUTPUT
fi

This single-line fix would stop timestamp-only runs from opening or refreshing PRs, keeping the automated PR queue actionable and eliminating ongoing reviewer fatigue for PRs that carry no consumer-visible value.

Assessment

The change is correct and safe to merge. No bugs, no correctness issues, no regressions. Until the has_changes guard is updated to ignore GeneratedAt-only deltas, this PR will continue to recur weekly indefinitely.