# Security Features

> SBOM generation, signing, auditing, and PII redaction

# Security Features CLI

Security features for recipes including SBOM generation, bundle signing, dependency auditing, and PII redaction.

## Quick Start

```bash theme={"theme":{"light":"vitesse-light","dark":"vitesse-dark"}}
# Generate SBOM
praisonai recipe sbom ./my-recipe -o sbom.json

# Audit dependencies
praisonai recipe audit ./my-recipe

# Sign a bundle
praisonai recipe sign my-recipe.praison --key private.pem

# Verify signature
praisonai recipe verify my-recipe.praison --key public.pem
```

## Commands

### sbom

Generate a Software Bill of Materials (SBOM) listing the recipe's dependencies and their pinned versions.

```bash theme={"theme":{"light":"vitesse-light","dark":"vitesse-dark"}}
praisonai recipe sbom <recipe> [options]
```

**Options:**

| Option                | Description                                         |
| --------------------- | --------------------------------------------------- |
| `--format <type>`     | Output format: cyclonedx, spdx (default: cyclonedx) |
| `-o, --output <path>` | Output file path                                    |
| `--json`              | Output JSON to stdout                               |

**Examples:**

```bash theme={"theme":{"light":"vitesse-light","dark":"vitesse-dark"}}
# Generate CycloneDX SBOM
praisonai recipe sbom ./my-recipe --format cyclonedx -o sbom.json

# Generate SPDX SBOM
praisonai recipe sbom ./my-recipe --format spdx -o sbom.spdx.json

# Output to stdout
praisonai recipe sbom ./my-recipe --json
```

### audit

Audit the recipe's pinned dependencies, as recorded in its lockfile, for known vulnerabilities and outdated packages.

```bash theme={"theme":{"light":"vitesse-light","dark":"vitesse-dark"}}
praisonai recipe audit <recipe> [options]
```

**Options:**

| Option     | Description        |
| ---------- | ------------------ |
| `--strict` | Fail on any issue, warnings included, not only on vulnerabilities |
| `--json`   | Output JSON format |

**Examples:**

```bash theme={"theme":{"light":"vitesse-light","dark":"vitesse-dark"}}
# Basic audit
praisonai recipe audit ./my-recipe

# Strict mode (fail on issues)
praisonai recipe audit ./my-recipe --strict

# JSON output
praisonai recipe audit ./my-recipe --json
```

**Output:**

```
Audit Report: my-recipe
  Lockfile: lock/requirements.lock
  Dependencies: 15
  Vulnerabilities: 0
  Warnings: 1
    - Outdated: requests (2.28.0 -> 2.31.0)
✓ Audit passed
```

### sign

Sign a recipe bundle with a private key. The signature is written to a separate file (detached), so ship it alongside the bundle; keep the private key out of the bundle and out of version control.

```bash theme={"theme":{"light":"vitesse-light","dark":"vitesse-dark"}}
praisonai recipe sign <bundle> --key <private.pem> [options]
```

**Options:**

| Option                | Description                      |
| --------------------- | -------------------------------- |
| `--key <path>`        | Path to private key (PEM format) |
| `-o, --output <path>` | Output signature path            |
| `--json`              | Output JSON format               |

**Examples:**

```bash theme={"theme":{"light":"vitesse-light","dark":"vitesse-dark"}}
# Sign a bundle
praisonai recipe sign my-recipe.praison --key private.pem

# Custom signature output
praisonai recipe sign my-recipe.praison --key private.pem -o my-recipe.sig
```

### verify

Verify a bundle against its detached signature using the signer's public key. Obtain that public key through a channel you already trust (for example, pinned in your CI configuration) rather than from the same location as the bundle; a key fetched next to the bundle proves nothing about who produced it.

```bash theme={"theme":{"light":"vitesse-light","dark":"vitesse-dark"}}
praisonai recipe verify <bundle> --key <public.pem> [options]
```

**Options:**

| Option               | Description                     |
| -------------------- | ------------------------------- |
| `--key <path>`       | Path to public key (PEM format) |
| `--signature <path>` | Path to signature file          |
| `--json`             | Output JSON format              |

**Examples:**

```bash theme={"theme":{"light":"vitesse-light","dark":"vitesse-dark"}}
# Verify signature
praisonai recipe verify my-recipe.praison --key public.pem

# Custom signature path
praisonai recipe verify my-recipe.praison --key public.pem --signature my-recipe.sig
```

## SBOM Format

### CycloneDX

```json theme={"theme":{"light":"vitesse-light","dark":"vitesse-dark"}}
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {
    "component": {
      "name": "my-recipe",
      "version": "1.0.0"
    }
  },
  "components": [
    {
      "type": "library",
      "name": "openai",
      "version": "1.0.0",
      "purl": "pkg:pypi/openai@1.0.0"
    }
  ]
}
```

## Lockfile Validation

Check that a recipe ships a lockfile, so that `audit` and `sbom` work from pinned versions rather than loose version ranges:

```bash theme={"theme":{"light":"vitesse-light","dark":"vitesse-dark"}}
# Validate with lockfile requirement
praisonai recipe validate ./my-recipe --require-lockfile
```

Supported lockfile formats:

* `lock/requirements.lock` (pip-compile)
* `lock/uv.lock` (uv)
* `lock/poetry.lock` (poetry)
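
The SBOM above and the lockfile the audit reads should describe the same packages at the same versions; if they drift apart, the SBOM attests to something other than what gets installed. The following cross-check is an added example, not part of praisonai: it parses a CycloneDX document shaped like the one shown above and a pip-compile `requirements.lock`, and reports every package that is missing from the SBOM, pinned to a different version, or present in the SBOM without a pin. The sample SBOM and lockfile are constructed; the parser assumes `==` pins with optional `--hash` continuation lines, compares names after PEP 503 normalisation, and only considers `pkg:pypi` components.

```python
"""Cross-check a CycloneDX SBOM against the recipe's pip-compile lockfile.

Added example; praisonai's own SBOM generator and audit are not shown here.
"""
import json
import re
import sys

# Constructed sample SBOM, shaped like the CycloneDX document on this page.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"name": "my-recipe", "version": "1.0.0"}},
    "components": [
        {"type": "library", "name": "openai", "version": "1.0.0",
         "purl": "pkg:pypi/openai@1.0.0"},
        {"type": "library", "name": "requests", "version": "2.28.0",
         "purl": "pkg:pypi/requests@2.28.0"},
    ],
})

# Constructed sample lock/requirements.lock in pip-compile format (hash is made up).
SAMPLE_LOCK = """\
# This file is autogenerated by pip-compile
openai==1.0.0 \\
    --hash=sha256:0123abcd
requests==2.31.0
urllib3==2.2.1
"""

# name[extras]==version ; anything after whitespace, ';' or a backslash is ignored
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([^\s;\\]+)")


def normalize(name: str) -> str:
    """PEP 503 name normalisation, so 'Requests' and 'requests' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_lockfile(text: str) -> dict:
    """Return {normalised_name: pinned_version}; reject anything not pinned with ==."""
    pins = {}
    for line in text.replace("\\\n", " ").splitlines():   # join continuation lines
        line = line.split("#", 1)[0].strip()               # drop comments
        if not line or line.startswith("-"):               # skip bare option lines
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        pins[normalize(m.group(1))] = m.group(2)
    return pins


def parse_sbom(text: str) -> dict:
    """Return {normalised_name: version} for every pkg:pypi component in the SBOM."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    comps = {}
    for c in doc.get("components", []):
        purl = c.get("purl", "")
        if not purl.startswith("pkg:pypi/"):
            continue  # only Python packages can be compared with a pip lockfile
        name, _, version = purl[len("pkg:pypi/"):].split("?", 1)[0].partition("@")
        comps[normalize(name)] = version
    return comps


def cross_check(sbom_text: str, lock_text: str) -> list:
    """List every disagreement between SBOM and lockfile; empty means consistent."""
    sbom, lock = parse_sbom(sbom_text), parse_lockfile(lock_text)
    findings = []
    for name, pinned in sorted(lock.items()):
        if name not in sbom:
            findings.append(f"missing from SBOM: {name}=={pinned}")
        elif sbom[name] != pinned:
            findings.append(f"version mismatch: {name} SBOM={sbom[name]} lock={pinned}")
    for name in sorted(set(sbom) - set(lock)):
        findings.append(f"in SBOM but not pinned in lockfile: {name}=={sbom[name]}")
    return findings


if __name__ == "__main__":
    # Real use: cross_check(open("sbom.json").read(), open("lock/requirements.lock").read())
    findings = cross_check(SAMPLE_SBOM, SAMPLE_LOCK)
    print("\n".join(findings) or "SBOM and lockfile agree")
    sys.exit(1 if findings else 0)
```

Run it against `sbom.json` and `lock/requirements.lock` as a gate after `praisonai recipe sbom`; a non-empty findings list means the SBOM was generated from a different dependency set than the lockfile will install and should block the release. Unpinned requirements are rejected outright, since an SBOM cannot attest to a version range.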

## PII Redaction

Configure PII handling in `TEMPLATE.yaml`. The `mode` applies to the listed `fields`: `redact` masks matching values, `deny` rejects data that contains them, and `allow` passes them through unchanged:

```yaml theme={"theme":{"light":"vitesse-light","dark":"vitesse-dark"}}
data_policy:
  pii:
    mode: redact  # allow, deny, redact
    fields:
      - email
      - phone
      - ssn
      - credit_card
```
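
To make the three modes concrete, here is an added example, not praisonai's implementation, that enforces a policy of exactly the shape above over a nested record. The detector patterns for `email`, `phone`, `ssn` and `credit_card` are my own assumptions (the page does not show how the project detects each field), as is the Luhn check that stops a random 16-digit run from being treated as a card number; the sample record is constructed, and includes one number that fails Luhn and must be left alone.

```python
"""Illustrative enforcement of the data_policy.pii block: allow, deny or redact.

Added example; the detector patterns and the exact behaviour of each mode
are assumptions, not praisonai's implementation.
"""
import re

# Assumed detectors for the four field names used in the page's TEMPLATE.yaml.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone": re.compile(r"(?<!\d)(?:\+?1[-. ]?)?(?:\(\d{3}\)|\d{3})[-. ]?\d{3}[-. ]?\d{4}(?!\d)"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "credit_card": re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)"),
}


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum: filters out 13-19 digit runs that are not card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Secondary validators a regex match must also pass before it counts as a hit.
VALIDATORS = {"credit_card": luhn_ok}


class PIIPolicyViolation(Exception):
    """Raised in deny mode when any listed PII type is present."""


def _is_hit(field: str, text: str) -> bool:
    return VALIDATORS.get(field, lambda _: True)(text)


def _walk(value, fn):
    """Apply fn to every string inside nested dicts/lists; never mutate the input."""
    if isinstance(value, dict):
        return {k: _walk(v, fn) for k, v in value.items()}
    if isinstance(value, list):
        return [_walk(v, fn) for v in value]
    if isinstance(value, str):
        return fn(value)
    return value


def find_pii(data, fields=None):
    """Return [(field, matched_text), ...] for every hit, in document order."""
    hits = []
    wanted = list(fields) if fields else list(PATTERNS)

    def scan(text):
        for field in wanted:
            for m in PATTERNS[field].finditer(text):
                if _is_hit(field, m.group()):
                    hits.append((field, m.group()))
        return text

    _walk(data, scan)
    return hits


def enforce_pii_policy(data, policy):
    """Apply a policy of the page's shape: {"pii": {"mode": ..., "fields": [...]}}."""
    cfg = policy["pii"]
    mode = cfg.get("mode", "allow")
    fields = list(cfg.get("fields") or PATTERNS)   # no fields listed: check all
    unknown = set(fields) - set(PATTERNS)
    if unknown:
        raise ValueError(f"no detector for PII field(s): {sorted(unknown)}")
    if mode == "allow":
        return data
    if mode == "deny":
        hits = find_pii(data, fields)
        if hits:
            raise PIIPolicyViolation(
                f"{len(hits)} PII value(s) present: {sorted({f for f, _ in hits})}")
        return data
    if mode == "redact":
        def mask(text):
            for field in fields:
                text = PATTERNS[field].sub(
                    lambda m, f=field: f"[REDACTED:{f}]" if _is_hit(f, m.group()) else m.group(),
                    text)
            return text
        return _walk(data, mask)
    raise ValueError(f"unknown pii mode: {mode!r}")


# Constructed sample record; the number ending in 1112 fails Luhn and must be kept.
SAMPLE_RECORD = {
    "user": {"email": "test@example.com", "phone": "(555) 123-4567"},
    "notes": ["SSN 123-45-6789 on file", "card 4111 1111 1111 1111", "ref 4111 1111 1111 1112"],
    "count": 3,
}

if __name__ == "__main__":
    print(find_pii(SAMPLE_RECORD))
    print(enforce_pii_policy(SAMPLE_RECORD, {"pii": {"mode": "redact", "fields": ["email", "ssn"]}}))
```

Two design points carry over to any real deployment: `redact` must return a new structure rather than editing the caller's data in place, so the unredacted original cannot leak through a shared reference; and regex alone over-matches, so a structural check such as Luhn belongs in the detector to keep false positives from redacting legitimate identifiers.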

## Python API

```python theme={"theme":{"light":"vitesse-light","dark":"vitesse-dark"}}
from praisonai.recipe.security import (
    generate_sbom,
    audit_dependencies,
    sign_bundle,
    verify_bundle,
    validate_lockfile,
    redact_pii,
    detect_pii,
)

# Generate SBOM (format matches the CLI --format option: cyclonedx or spdx)
sbom = generate_sbom("./my-recipe", format="cyclonedx")

# Audit dependencies; the report carries a "passed" flag and the findings
report = audit_dependencies("./my-recipe")
if not report["passed"]:
    print(f"Vulnerabilities: {report['vulnerabilities']}")

# Validate lockfile (strict mode)
result = validate_lockfile("./my-recipe", strict=True)

# Sign bundle with the private key; returns the path of the detached signature
sig_path = sign_bundle("my-recipe.praison", "private.pem")

# Verify bundle with the public key; returns (valid, message), so act on the result
valid, message = verify_bundle("my-recipe.praison", "public.pem")
if not valid:
    raise SystemExit(f"Signature verification failed: {message}")

# Redact PII using a policy with the same shape as data_policy in TEMPLATE.yaml
data = {"email": "test@example.com"}
policy = {"pii": {"mode": "redact", "fields": ["email"]}}
redacted = redact_pii(data, policy)

# Detect PII and return the findings
detections = detect_pii(data)
```

## Key Generation

Generate an RSA key pair for signing. Use at least 2048 bits (3072 for a key you intend to keep for years). The private key is the signing secret: restrict its file permissions, keep it out of the recipe directory and version control, and distribute only `public.pem` to whoever runs `verify`:

```bash theme={"theme":{"light":"vitesse-light","dark":"vitesse-dark"}}
# Generate private key and make it readable by the owner only
openssl genrsa -out private.pem 2048
chmod 600 private.pem

# Extract public key (this is the only file verifiers need)
openssl rsa -in private.pem -pubout -out public.pem
```

## Exit Codes

| Code | Meaning                             |
| ---- | ----------------------------------- |
| 0    | Success                             |
| 2    | Validation error                    |
| 6    | The `cryptography` Python package is not installed (needed for `sign` and `verify`) |
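
Putting the Quick Start commands and these exit codes together, the following release gate is an added example, not part of praisonai: it runs the documented commands in an order where nothing gets signed until the lockfile check and the strict audit have passed, hands `verify` only the public key, and stops at the first non-zero exit, reporting code 2 and code 6 by their meaning from the table above. The command lines are exactly the ones documented on this page; the ordering, the log messages and the `run` parameter (which lets a test substitute a fake command runner for `subprocess`) are mine.

```python
"""Release gate chaining the page's recipe security commands in a safe order.

Added example; it shells out to the praisonai CLI exactly as documented on
this page, while the ordering and exit-code handling are this script's own.
"""
import subprocess

# Exit codes from the page's table.
EXIT_OK, EXIT_VALIDATION, EXIT_MISSING_DEPS = 0, 2, 6


def default_runner(argv):
    """Run a command and return its exit status; its output goes to the console."""
    return subprocess.run(argv).returncode


def release_gate(recipe_dir, bundle, private_key, public_key,
                 sbom_out="sbom.json", run=default_runner):
    """Return (ok, log). Stops at the first failing step.

    Validation and the strict audit run before signing, so a signature is never
    produced for a recipe with a missing lockfile or known-bad dependencies.
    Verification receives only the public key, never the signing key.
    """
    steps = [
        ("validate", ["praisonai", "recipe", "validate", recipe_dir, "--require-lockfile"]),
        ("audit", ["praisonai", "recipe", "audit", recipe_dir, "--strict"]),
        ("sbom", ["praisonai", "recipe", "sbom", recipe_dir,
                  "--format", "cyclonedx", "-o", sbom_out]),
        ("sign", ["praisonai", "recipe", "sign", bundle, "--key", private_key]),
        ("verify", ["praisonai", "recipe", "verify", bundle, "--key", public_key]),
    ]
    log = []
    for name, argv in steps:
        code = run(argv)
        if code == EXIT_OK:
            log.append(f"{name}: ok")
            continue
        if code == EXIT_MISSING_DEPS:
            log.append(f"{name}: exit {code}, the cryptography package is not installed")
        elif code == EXIT_VALIDATION:
            log.append(f"{name}: exit {code}, validation error")
        else:
            log.append(f"{name}: exit {code}")
        return False, log   # fail fast: later steps must not run after a failure
    return True, log


if __name__ == "__main__":
    ok, log = release_gate("./my-recipe", "my-recipe.praison", "private.pem", "public.pem")
    print("\n".join(log))
    raise SystemExit(0 if ok else 1)
```

In CI, load `private.pem` from the pipeline's secret store into a temporary file for the `sign` step only, and commit `public.pem` (or pin its fingerprint) so the `verify` step checks against a key the pipeline already trusts.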

## Next Steps

* [Recipe Registry](/docs/cli/recipe-registry) - Publish and pull recipes
* [Run History](/docs/cli/recipe-runs) - Store and export runs
* [Policy Packs](/docs/cli/recipe-policy) - Manage tool permissions
