Prove what is exploitable. Ignore the rest.
Reachability-aware vulnerability triage from SBOM to SARIF—built for CI.
Most scanners flood you with every CVE that touches a dependency. NoiseCutter narrows the signal: it ties advisories to what your application can actually reach from real entry points, then outputs SARIF so you can enforce policy in GitHub and other tools—without pretending unreachable code is an imminent production risk.
| Aspect | Details |
|---|---|
| Inputs | CycloneDX SBOM, OSV-backed vulns, language-native reach data (Go today) |
| Outputs | SARIF, policy pass/fail, reproducible JSON for golden tests |
| Where it runs | Developer machines, CI, containers—beside Syft, govulncheck, and the OSV API |
```mermaid
flowchart LR
  subgraph ingest [Ingest]
    S[SBOM]
    V[Vulns]
    R[Reach]
  end
  subgraph out [Output]
    F[Fuse SARIF]
    P[Policy]
  end
  S --> F
  V --> F
  R --> F
  F --> P
```
From PyPI:

```bash
pip install noisecutter
```

From this repository (locked deps, matches CI):

```bash
uv sync --extra dev
uv run noisecutter --help
```

Container:

```bash
docker run --rm ghcr.io/noisecutter/noisecutter:latest --help
```

The following assumes Syft is available (on PATH, or via `SYFT_EXE` on Windows). Adjust paths if you run from a different working directory.
```bash
noisecutter sbom --source . --out sbom.cdx.json
noisecutter audit --sbom sbom.cdx.json --out vulns.json
noisecutter reach --lang go --entry ./examples/go-mod-sample/cmd/server \
  --vulns vulns.json --out reach.json
noisecutter fuse --sbom sbom.cdx.json --vulns vulns.json --reach reach.json --out report.sarif
noisecutter policy --sarif report.sarif --level high --fail-on reachable
```

Quick check:

```bash
noisecutter --help
```

| Topic | What you need |
|---|---|
| Go reachability | Go toolchain; govulncheck pinned per `tool-versions.json`, e.g. `go install golang.org/x/vuln/cmd/govulncheck@v1.2.0`; in samples run `go mod tidy` where a `go.mod` exists |
| SBOM | Syft on PATH, or checksum-based install: `scripts/install-syft.sh` / `scripts/install-syft.ps1` |
| Windows | If the console entry point misbehaves, use `python -m noisecutter`; for encoding issues, `PYTHONIOENCODING=utf-8` and the UTF-8 code page (`chcp 65001`) help |
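The last step of the pipeline above turns a SARIF report into a pass/fail decision. The following is an added illustration of that gate, not NoiseCutter's own code: it assumes each SARIF result carries `properties.severity` (low/medium/high/critical) and `properties.reachable` (bool), which are assumed field names, and runs over a constructed sample report.

```python
"""Minimal SARIF policy gate modelled on `noisecutter policy --level high --fail-on reachable`.
Assumed schema (not verified against NoiseCutter): each SARIF result carries
properties.severity (low|medium|high|critical) and properties.reachable (bool)."""
import json

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample SARIF 2.1.0 document; rule ids are placeholders and the
# "properties" field names are assumptions, not NoiseCutter's documented schema.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{"tool": {"driver": {"name": "noisecutter"}}, "results": [
        {"ruleId": "EXAMPLE-0001", "level": "error",
         "message": {"text": "reachable from cmd/server"},
         "properties": {"severity": "high", "reachable": True}},
        {"ruleId": "EXAMPLE-0002", "level": "error",
         "message": {"text": "no call path from any entry point"},
         "properties": {"severity": "critical", "reachable": False}},
        {"ruleId": "EXAMPLE-0003", "level": "note",
         "message": {"text": "reachable, low severity"},
         "properties": {"severity": "low", "reachable": True}},
    ]}],
})


def evaluate_policy(sarif_text, level="high", fail_on="reachable"):
    """Return (passed, failing_rule_ids).

    fail_on="reachable": only results the reach step marked reachable can fail the gate.
    fail_on="any": every result at or above `level` fails the gate, reachable or not.
    """
    threshold = SEVERITY_RANK[level]
    failing = []
    for run in json.loads(sarif_text).get("runs", []):
        for result in run.get("results", []):
            props = result.get("properties", {})
            severity = SEVERITY_RANK.get(str(props.get("severity", "low")).lower(), 0)
            if severity < threshold:
                continue
            # Missing reachability data is treated as reachable, so a skipped
            # reach step cannot silently turn a real finding into a pass.
            reachable = props.get("reachable", True)
            if fail_on == "any" or reachable:
                failing.append(result.get("ruleId", "<no ruleId>"))
    return (not failing, failing)


if __name__ == "__main__":
    passed, ids = evaluate_policy(SAMPLE_SARIF)
    print("PASS" if passed else "FAIL", ids)
```

With the sample report, `--level high --fail-on reachable` fails on the reachable high-severity finding only; the unreachable critical one is reported but does not block the build.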
Stable, diff-friendly outputs:
- Export `NOISECUTTER_STRICT_REPRO=1` (optional: `SOURCE_DATE_EPOCH`)
- Pin Syft / govulncheck versions in `tool-versions.json` and in CI
| Sample | Purpose |
|---|---|
| `examples/go-mod-sample` | Single entry point—minimal walkthrough |
| `examples/go-multi-entry` | Two entries, golden verification (`make all_artifacts`, `make verify-golden`) |
- CLI: `--log-level`, `--repo`, `--strict-repro`
- File: optional `.noisecutter.yaml` at the repo root (fields in `noisecutter/config.py`)
- Env: `NOISECUTTER_LOGGING_CONFIG`, `NOISECUTTER_LOG_FILE`, `NOISECUTTER_LOG_JSON`
Workflows under `.github/workflows/`:
| Workflow | Role |
|---|---|
| `ci.yml` | Lint, types, tests, spell check, pip-audit (Python 3.9–3.13) |
| `pr.yml` | Go multi-entry goldens; Windows test smoke |
| `release.yml` | Build, attest, PyPI (OIDC), GHCR, GitHub Release |
| `codeql.yml` | CodeQL (Python) |
| `dependency-review.yml` | Dependency review on PRs |
Dependabot maintains `uv.lock` and GitHub Actions bumps. Workflow details are in `CONTRIBUTING.md`.
| Guide | What you will find |
|---|---|
| Quickstart | First-time setup and commands |
| Integrations | GitHub Actions, GitLab, Jenkins |
| Why reachability? | Concepts |
| Threat model | Risks and mitigations |
| Exceptions | Policy exceptions |
| Troubleshooting | Syft, govulncheck, OSV, Windows |
| RFC template | Design proposals |
| Contributing | Dev setup and tests |
| Releases | Version history and notes |
Report vulnerabilities privately: see `SECURITY.md`. Published packages include a Security project URL when built from this repository.