Spectra CLI is a Rust command-line tool that automates container image security scanning and software bill of materials generation in a single pass. Point it at any OCI-compliant image — local or remote — and it produces a vulnerability report alongside a machine-readable SBOM in SPDX or CycloneDX format, ready for compliance pipelines.
Motivation
Most teams bolt Trivy or Grype into their CI as an afterthought — a script that runs, dumps a JSON blob, and gets ignored until audit season. I wanted a single binary that combines SBOM generation (what’s in the image) with vulnerability matching (what’s wrong with it) and outputs both in formats that procurement and legal teams can actually ingest.
Rust was the obvious choice: zero-dependency static binaries that run anywhere, fast enough to scan a 2GB image in under 8 seconds, and memory-safe enough that I’m comfortable running it in production pipelines without sandboxing.
Pipeline Integration
Spectra ships as a single static binary — drop it into any CI runner image. GitHub Actions, GitLab CI, and Jenkins examples are included in the repo. Exit codes map directly to severity thresholds: 0 for clean, 1 for medium+, 2 for critical, so your pipeline gates work without parsing JSON.
SBOM output supports SPDX 2.3 and CycloneDX 1.5. Vulnerability data pulls from the same feeds Grype uses (NVD, GitHub Advisories, Alpine SecDB, etc.) with a local cache that refreshes on a configurable interval — no network call per scan in air-gapped environments.
Features
- Single-binary, zero-dependency — compiles to a 12MB static ELF
- Scans OCI images from registries, tarballs, or local Docker daemon
- Dual output: vulnerability report + SBOM in one invocation
- Severity-gated exit codes for CI pipeline integration
- Offline mode with pre-cached vulnerability databases
- JSON, table, and SARIF output formats
Security scanning that takes longer than the build it’s scanning isn’t security — it’s a checkbox.
Spectra CLI is released under the MIT license. Pre-built binaries for Linux (amd64, arm64) and macOS are published on every tagged release. Windows support is experimental but functional under WSL2.
