[Automated] Update syft CLI Options

[thomhurst]

Summary

This PR contains automatically generated updates to syft CLI options classes.

The generator scraped the latest CLI help output from the installed tool.

Changes

• Updated options classes to reflect latest CLI documentation
• Added new commands if any were detected
• Updated option types and descriptions

Verification

• Solution builds successfully

---

🤖 Generated with ModularPipelines.OptionsGenerator

[claude]

Code Review

This is an automated PR generated by ModularPipelines.OptionsGenerator that updates the syft CLI options.

Change Summary

The only change is a timestamp update in AssemblyInfo.Generated.cs:

• ModularPipelines.OptionsGenerator.GeneratedAt updated from 2026-03-01T03:12:23 to 2026-03-08T03:09:47

Assessment

This is a clean, minimal automated update. The change correctly reflects that the generator re-ran on 2026-03-08 and detected no substantive changes to the syft CLI options (no new commands, options, or type changes). The metadata-only diff confirms the generator is working correctly — it re-ran and found nothing to update beyond the timestamp itself.

Design note: The pattern of tracking GeneratedAt timestamps in assembly metadata is a sound approach — it provides an audit trail for when options classes were last verified against the actual CLI tool, making it easy to identify staleness without having to inspect the full diff history.

No issues found. ✅

[claude]

Code Review

This automated PR updates the syft CLI options for ModularPipelines.Syft.

Change Summary

The only change is a timestamp update in AssemblyInfo.Generated.cs:

• ModularPipelines.OptionsGenerator.GeneratedAt: 2026-03-01T03:12:23Z → 2026-03-15T03:13:23Z

Previous Review

A prior claude review (2026-03-08 run) was dismissed. The pattern is identical — the generator re-ran, found no substantive changes to the syft CLI surface area, and updated only the timestamp.

Assessment

Clean automated update — no issues. ✅

The metadata-only diff confirms the generator is functioning correctly: it re-ran against the latest syft CLI, verified options are still accurate, and recorded the new timestamp. The absence of option/command changes means syft's CLI interface is stable since the last generation on 2026-03-01.

The GeneratedAt tracking pattern remains a sound design choice — it creates an auditable trail of when CLI options were last verified without requiring manual inspection of diffs or git history.

[claude]

Code Review

This automated PR updates the syft CLI options for ModularPipelines.Syft.

Change Summary

The only change is a timestamp update in src/ModularPipelines.Syft/AssemblyInfo.Generated.cs:

• ModularPipelines.OptionsGenerator.GeneratedAt: 2026-03-01T03:12:23Z → 2026-03-22T03:30:49Z

Context

This is the third run of the generator against this PR (previous reviews from 2026-03-08 and 2026-03-15 are visible). Each run has produced only a timestamp bump, confirming that syft's CLI surface area has been stable for at least three weeks.

Assessment

The change is correct and the generator is behaving as designed. No options, commands, or types were added, removed, or altered — this is expected when the upstream syft CLI has not changed.

One observation worth flagging for long-term maintainability: since this PR is being auto-regenerated repeatedly with only timestamp changes, it raises the question of whether a "no-op" run (where the generator detects zero substantive changes) should skip opening/updating a PR altogether. Emitting a PR solely to advance a timestamp adds noise to the review queue without delivering any consumer-visible value. A possible improvement would be for the generator workflow to diff the generated content against what is already on main and abort the PR if the only delta is the GeneratedAt timestamp — this would reduce churn and keep the PR list meaningful.

That said, this is a process/workflow concern, not a correctness issue with the current change. The change itself is safe to merge.

[claude]

Code Review

This is the fourth automated run of the syft options generator against this PR (previous reviews: 2026-03-08, 2026-03-15, 2026-03-22, all as COMMENTED). The change is again a timestamp-only bump in AssemblyInfo.Generated.cs.

Change Summary

ModularPipelines.OptionsGenerator.GeneratedAt: 2026-03-22T03:30:49Z → 2026-03-29T03:14:36Z — no options, commands, or type changes.

Previously Raised Issue — Still Unaddressed

The review from 2026-03-22 raised a concrete workflow concern: when the generator detects zero substantive changes, it should skip creating/updating the PR rather than emitting a timestamp-only diff. That observation has now been validated four times in a row. The syft CLI has been stable for at least four weeks, yet this PR keeps re-appearing in the review queue each Sunday.

Looking at the workflow in .github/workflows/generate-cli-options.yml, the Check for changes step (line 527–542) already does a git diff --staged --quiet --ignore-all-space --ignore-blank-lines check and sets has_changes=false when there are no meaningful changes, which correctly gates the Create Pull Request step. However, this check fires after git add 'src/**/*.cs', meaning the GeneratedAt timestamp change in AssemblyInfo.Generated.cs is always treated as a meaningful change — even though it carries no consumer-visible value.

Root Cause

The GeneratedAt timestamp is always different after a re-run, so has_changes will always be true even when nothing else changed. The no-op guard never fires for timestamp-only runs.

Suggested Fix

The Check for changes step should either:

1. Exclude the AssemblyInfo.Generated.cs file from the diff check — only treat structural option/command changes as "real" changes that warrant a PR. The timestamp would still be committed inside an already-open PR (if one was opened for a real change) but would not by itself trigger a new PR.

2. Alternatively, strip the GeneratedAt line from the diff before evaluating has_changes, e.g.:

   if git diff --staged -U0 | grep -v 'GeneratedAt' | grep -q '^[+-]'; then
     echo "has_changes=true" >> $GITHUB_OUTPUT
   else
     echo "has_changes=false" >> $GITHUB_OUTPUT
   fi

Either approach would prevent this PR from being regenerated weekly when syft's CLI surface area has not changed, reducing noise and keeping the automated PR list meaningful.

Assessment

The change itself is safe and correct. The generator is functioning as designed. No bugs or correctness issues. However, the workflow design means this PR will continue to recur indefinitely with no actionable content until the has_changes guard is updated to ignore timestamp-only deltas.