Skip to content

Expose SRI analysis as an importable library API (#18)#22

Merged
CallMarcus merged 1 commit into
mainfrom
claude/issues-status-review-ll7hil
Jun 25, 2026
Merged

Expose SRI analysis as an importable library API (#18)#22
CallMarcus merged 1 commit into
mainfrom
claude/issues-status-review-ll7hil

Conversation

@CallMarcus

Copy link
Copy Markdown
Owner

Summary

Closes the in-repo portion of #18: lift the SRI scanning logic out of the standalone scripts/sri_parser.py and into the published package as domain_security_analyzer.sri, so consumers (e.g. tpcrm-findings-scanner) can pip install domain-security-analyzer and reuse it instead of reimplementing Subresource Integrity parsing.

Changes

  • New module domain_security_analyzer/sri.pySRIParser, the UnsafeResource dataclass, and the convenience function named in the issue:
    from domain_security_analyzer.sri import scan_url
    report = scan_url("https://example.com")          # single page
    report = scan_url("https://example.com", crawl=True)  # follow same-origin links
    The report captures everything the findings-scanner needs for evidence: per-resource integrity/crossorigin values, machine-readable reasons (missing-integrity, invalid-integrity-hash, mixed-invalid-hashes, non-https-resource, missing-crossorigin), observed Content-Security-Policy headers, and whether a restrictive one is present as a compensating control.
  • scripts/sri_parser.py → thin CLI wrapper that imports the core logic from the package. python scripts/sri_parser.py <url> and all its flags are unchanged (verified --help).
  • Package re-exports SRIParser / UnsafeResource / scan_url from domain_security_analyzer.
  • tests/test_sri.py — 14 network-free tests covering each reason code, the CSP compensating-control logic, scheme normalization, and the public API surface.
  • README — new "Use as a library" subsection under the SRI Parser docs.

Verification

  • Full suite: 37 passed (14 new).
  • Built the wheel and confirmed domain_security_analyzer/sri.py ships inside it.
  • from domain_security_analyzer.sri import scan_url and the package-level re-export resolve to the same object.
  • Backward-compat CLI shim runs and re-exports SRIParser from the new module.

Out of scope (stays tracked on #18)

The remaining checkboxes need the other repo, which isn't in this session's scope:

  • Have tpcrm-findings-scanner depend on this package.
  • Document the detect-vs-dispute boundary in both READMEs.

So #18 stays open for that cross-repo wiring; this PR delivers the importable API it depends on.

🤖 Generated with Claude Code


Generated by Claude Code

Lift the SRI scanning logic out of the standalone scripts/sri_parser.py
script and into the published package as domain_security_analyzer.sri,
so consumers (e.g. tpcrm-findings-scanner) can reuse it instead of
reimplementing Subresource Integrity parsing.

- Add domain_security_analyzer/sri.py with SRIParser, UnsafeResource, and
  a scan_url() convenience function returning the structured report
  (per-resource integrity/crossorigin values, machine-readable reason
  codes, observed CSP headers, and compensating-control detection).
- Re-export SRIParser/UnsafeResource/scan_url from the package __init__.
- Reduce scripts/sri_parser.py to a thin CLI wrapper that imports the
  core logic, preserving `python scripts/sri_parser.py <url>`.
- Add tests/test_sri.py (network-free) covering each reason code, CSP
  compensating-control logic, and the public API surface.
- Document the importable API in the README SRI section.

Closes the in-repo portion of #18; cross-repo wiring (having
tpcrm-findings-scanner depend on this package and documenting the
detect-vs-dispute boundary in both READMEs) remains tracked there.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01XYvSCw1sjoG2AHbLPCsX7S
@CallMarcus
CallMarcus merged commit 73b9462 into main Jun 25, 2026
17 checks passed
@CallMarcus
CallMarcus deleted the claude/issues-status-review-ll7hil branch June 25, 2026 17:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants