Security Features CLI

Security features for recipes including SBOM generation, bundle signing, dependency auditing, and PII redaction.

Quick Start

# Generate SBOM
praisonai recipe sbom ./my-recipe -o sbom.json

# Audit dependencies
praisonai recipe audit ./my-recipe

# Sign a bundle
praisonai recipe sign my-recipe.praison --key private.pem

# Verify signature
praisonai recipe verify my-recipe.praison --key public.pem

Commands

sbom

Generate a Software Bill of Materials (SBOM) for a recipe.
praisonai recipe sbom <recipe> [options]
Options:

Option | Description
--- | ---
--format <type> | Output format: cyclonedx, spdx (default: cyclonedx)
-o, --output <path> | Output file path
--json | Output JSON to stdout
Examples:
# Generate CycloneDX SBOM
praisonai recipe sbom ./my-recipe --format cyclonedx -o sbom.json

# Generate SPDX SBOM
praisonai recipe sbom ./my-recipe --format spdx -o sbom.spdx.json

# Output to stdout
praisonai recipe sbom ./my-recipe --json

audit

Audit recipe dependencies for vulnerabilities.
praisonai recipe audit <recipe> [options]
Options:
Option | Description
--- | ---
--strict | Fail on any issues
--json | Output JSON format
Examples:
# Basic audit
praisonai recipe audit ./my-recipe

# Strict mode (fail on issues)
praisonai recipe audit ./my-recipe --strict

# JSON output
praisonai recipe audit ./my-recipe --json
Output:
Audit Report: my-recipe
  Lockfile: lock/requirements.lock
  Dependencies: 15
  Vulnerabilities: 0
  Warnings: 1
    - Outdated: requests (2.28.0 -> 2.31.0)
✓ Audit passed

sign

Sign a recipe bundle with a private key.
praisonai recipe sign <bundle> --key <private.pem> [options]
Options:
Option | Description
--- | ---
--key <path> | Path to private key (PEM format)
-o, --output <path> | Output signature path
--json | Output JSON format
Examples:
# Sign a bundle
praisonai recipe sign my-recipe.praison --key private.pem

# Custom signature output
praisonai recipe sign my-recipe.praison --key private.pem -o my-recipe.sig

verify

Verify a signed bundle.
praisonai recipe verify <bundle> --key <public.pem> [options]
Options:
Option | Description
--- | ---
--key <path> | Path to public key (PEM format)
--signature <path> | Path to signature file
--json | Output JSON format
Examples:
# Verify signature
praisonai recipe verify my-recipe.praison --key public.pem

# Custom signature path
praisonai recipe verify my-recipe.praison --key public.pem --signature my-recipe.sig

SBOM Format

CycloneDX

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {
    "component": {
      "name": "my-recipe",
      "version": "1.0.0"
    }
  },
  "components": [
    {
      "type": "library",
      "name": "openai",
      "version": "1.0.0",
      "purl": "pkg:pypi/openai@1.0.0"
    }
  ]
}

Lockfile Validation

Validate that a recipe ships a lockfile so that its dependencies are pinned:
# Validate with lockfile requirement
praisonai recipe validate ./my-recipe --require-lockfile
Supported lockfile formats:
  • lock/requirements.lock (pip-compile)
  • lock/uv.lock (uv)
  • lock/poetry.lock (poetry)
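As an added illustration (not PraisonAI's own implementation of praisonai recipe sbom or validate), the following Python reads a pip-compile style lock/requirements.lock, rejects entries that are not pinned with ==, and emits a CycloneDX document in the shape shown under SBOM Format. The sample lockfile text, recipe name and version are constructed for the example.

```python
import json
import re

# Constructed sample in pip-compile format (not from the page); the
# continuation lines carry the --hash options pip-compile emits with
# --generate-hashes, and the last entry is deliberately left unpinned.
SAMPLE_LOCK = """\
#
# This file is autogenerated by pip-compile
#
openai==1.0.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
requests==2.28.0
# a comment line
httpx>=0.24  # not pinned
"""

# name==version, stopping at whitespace, an environment marker or a continuation
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([^\s;\\]+)")


def parse_requirements_lock(text):
    """Return ([(name, version), ...], [unpinned lines]) for a pip-compile lockfile."""
    pinned, unpinned = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "--")):
            continue  # comments and --hash / --index-url continuation lines
        m = PIN_RE.match(line)
        if m:
            pinned.append((m.group(1).lower(), m.group(2)))
        else:
            unpinned.append(line)  # anything not pinned with == is a validation error
    return pinned, unpinned


def build_cyclonedx(recipe_name, recipe_version, pinned):
    """Build a CycloneDX 1.4 document with one pypi purl per pinned dependency."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "metadata": {"component": {"name": recipe_name, "version": recipe_version}},
        "components": [
            {"type": "library", "name": n, "version": v, "purl": f"pkg:pypi/{n}@{v}"}
            for n, v in pinned
        ],
    }


if __name__ == "__main__":
    pins, bad = parse_requirements_lock(SAMPLE_LOCK)
    print(json.dumps(build_cyclonedx("my-recipe", "1.0.0", pins), indent=2))
    if bad:  # mirror the CLI's exit code 2 for a validation error
        raise SystemExit(f"unpinned entries in lockfile: {bad}") from None
```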

PII Redaction

Configure PII redaction in TEMPLATE.yaml:
data_policy:
  pii:
    mode: redact  # allow, deny, redact
    fields:
      - email
      - phone
      - ssn
      - credit_card

Python API

from praisonai.recipe.security import (
    generate_sbom,
    audit_dependencies,
    sign_bundle,
    verify_bundle,
    validate_lockfile,
    redact_pii,
    detect_pii,
)

# Generate SBOM
sbom = generate_sbom("./my-recipe", format="cyclonedx")

# Audit dependencies
report = audit_dependencies("./my-recipe")
if not report["passed"]:
    print(f"Vulnerabilities: {report['vulnerabilities']}")

# Validate lockfile
result = validate_lockfile("./my-recipe", strict=True)

# Sign bundle
sig_path = sign_bundle("my-recipe.praison", "private.pem")

# Verify bundle
valid, message = verify_bundle("my-recipe.praison", "public.pem")

# Redact PII
data = {"email": "test@example.com"}
policy = {"pii": {"mode": "redact", "fields": ["email"]}}
redacted = redact_pii(data, policy)

# Detect PII
detections = detect_pii(data)

Key Generation

Generate RSA keys for signing:
# Generate private key
openssl genrsa -out private.pem 2048

# Extract public key
openssl rsa -in private.pem -pubout -out public.pem

Exit Codes

Code | Meaning
--- | ---
0 | Success
2 | Validation error
6 | Missing dependency (the cryptography package is not installed)
