
fix(gitlab-cyclonedx): emit minimal empty SBOM when no components found#343

Merged
rafaelpereyra merged 1 commit into main from fix/gitlab-cyclonedx-empty-sbom on May 13, 2026

Conversation

@rafaelpereyra
Contributor

Summary

Fixes #342

When ASH is run against a repository with no recognizable packages (e.g., infrastructure-only repos), Syft produces no components. The GitLab CycloneDX reporter previously returned None and wrote no file, which broke GitLab pipelines that require gl-dependency-scanning-report.cdx.json to exist for policy validation.

Changes

  • gitlab_cyclonedx_reporter.py: Added _build_minimal_empty_sbom() helper that returns a minimal valid CycloneDX document containing the envelope (bomFormat, specVersion, version), an empty components list, and the required gitlab:meta:schema_version metadata property. Both early-return paths (no model.cyclonedx and empty components) now emit this document instead of returning None. This matches the behavior of the generic CycloneDX reporter, which already emits a minimal valid document in this case.
  • test_gitlab_cyclonedx_reporter.py: Replaced test_returns_none_when_no_components with two new tests covering both empty paths (no CycloneDX model and empty components list), asserting the minimal SBOM structure and required schema version property.

Testing

  • All 120 reporter unit tests pass
  • Pre-commit hooks (ruff, ruff-format, ASH self-scan) pass

Impact

GitLab pipelines that require the gl-dependency-scanning-report.cdx.json artifact for policy validation will no longer fail on repos with no software dependencies (e.g., infrastructure-only repos).

When ASH is run against a repository with no recognizable packages
(e.g., infrastructure-only repos), Syft produces no components. The
GitLab CycloneDX reporter previously returned None and wrote no file,
which broke GitLab pipelines that require gl-dependency-scanning-report.cdx.json
to exist for policy validation.

The reporter now emits a minimal but valid CycloneDX document containing
the bomFormat/specVersion/version envelope and the gitlab:meta:schema_version
metadata property when no components are present, matching the behavior
of the generic CycloneDX reporter.

Fixes #342
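The two empty paths the PR describes, as an added example that is not ASH's own code: a stand-alone builder for the minimal CycloneDX document beside the check a GitLab pipeline policy step would apply to the written artifact (None standing in for the pre-fix case where no file was written). The property value "1", CycloneDX specVersion "1.5", the function names and the sample Syft model are assumptions.

```python
import json
from typing import Any, Optional

GITLAB_SCHEMA_PROP = "gitlab:meta:schema_version"
GITLAB_SCHEMA_VALUE = "1"   # assumed value for GitLab's schema_version property
SPEC_VERSION = "1.5"        # assumed CycloneDX spec version
REPORT_NAME = "gl-dependency-scanning-report.cdx.json"

def build_minimal_empty_sbom() -> dict[str, Any]:
    """Minimal valid CycloneDX JSON: envelope, GitLab schema property, no components."""
    return {
        "bomFormat": "CycloneDX", "specVersion": SPEC_VERSION, "version": 1,
        "metadata": {"properties": [{"name": GITLAB_SCHEMA_PROP, "value": GITLAB_SCHEMA_VALUE}]},
        "components": [],
    }

def build_gitlab_sbom(cyclonedx: Optional[dict[str, Any]]) -> dict[str, Any]:
    """Both early-return paths (no model, or no components) now yield the minimal document."""
    if cyclonedx is None or not cyclonedx.get("components"):
        return build_minimal_empty_sbom()
    sbom = json.loads(json.dumps(cyclonedx))  # deep copy; Syft's model stays untouched
    props = sbom.setdefault("metadata", {}).setdefault("properties", [])
    if not any(p.get("name") == GITLAB_SCHEMA_PROP for p in props):
        props.append({"name": GITLAB_SCHEMA_PROP, "value": GITLAB_SCHEMA_VALUE})
    return sbom

def emit_report(cyclonedx: Optional[dict[str, Any]]) -> str:
    """File content the reporter writes: always a string now, never None."""
    return json.dumps(build_gitlab_sbom(cyclonedx), indent=2)

def gitlab_policy_check(report_text: Optional[str]) -> list[str]:
    """Checks a pipeline policy step would apply to the artifact; [] means accepted."""
    if report_text is None:  # pre-fix behaviour: the reporter returned None and wrote nothing
        return [f"{REPORT_NAME} was not written"]
    doc = json.loads(report_text)
    problems = [f"envelope field {k} missing" for k in ("bomFormat", "specVersion", "version") if k not in doc]
    if doc.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat must be 'CycloneDX'")
    if not isinstance(doc.get("components"), list):
        problems.append("components must be a list (an empty list is valid)")
    props = doc.get("metadata", {}).get("properties", [])
    if not any(p.get("name") == GITLAB_SCHEMA_PROP for p in props):
        problems.append(f"missing metadata property {GITLAB_SCHEMA_PROP}")
    return problems

# Constructed sample shaped like a Syft CycloneDX model that found one package.
SYFT_MODEL_WITH_PKG = {"bomFormat": "CycloneDX", "specVersion": SPEC_VERSION, "version": 1,
                       "components": [{"type": "library", "name": "requests", "version": "2.31.0"}]}
```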
@rafaelpereyra rafaelpereyra requested a review from a team as a code owner May 13, 2026 12:25
@github-actions
Contributor

ASH Security Scan Report

  • Report generated: 2026-05-13T12:29:31+00:00
  • Time since scan: 2 minutes

Scan Metadata

  • Project: ASH
  • Scan executed: 2026-05-13T12:27:25+00:00
  • ASH version: 3.5.2

Summary

Scanner Results

The table below shows findings by scanner, with status based on severity thresholds and dependencies:

  • Severity levels:
    • Suppressed (S): Findings that have been explicitly suppressed and don't affect scanner status
    • Critical (C): Highest severity findings that require immediate attention
    • High (H): Serious findings that should be addressed soon
    • Medium (M): Moderate risk findings
    • Low (L): Lower risk findings
    • Info (I): Informational findings with minimal risk
  • Duration (Time): Time taken by the scanner to complete its execution
  • Actionable: Number of findings at or above the threshold severity level that require attention
  • Result:
    • PASSED = No findings at or above threshold
    • FAILED = Findings at or above threshold
    • MISSING = Required dependencies not available
    • SKIPPED = Scanner explicitly disabled
    • ERROR = Scanner execution error
  • Threshold: The minimum severity level that will cause a scanner to fail
    • Thresholds: ALL, LOW, MEDIUM, HIGH, CRITICAL
    • Source: Values in parentheses indicate where the threshold is set:
      • global (global_settings section in the ASH_CONFIG used)
      • config (scanner config section in the ASH_CONFIG used)
      • scanner (default configuration in the plugin, if explicitly set)
  • Statistics calculation:
    • All statistics are calculated from the final aggregated SARIF report
    • Suppressed findings are counted separately and do not contribute to actionable findings
    • Scanner status is determined by comparing actionable findings to the threshold

Scanner         Suppressed  Critical  High  Medium  Low  Info  Actionable  Result   Threshold
bandit          0           0         0     0       0    0     0           PASSED   MEDIUM (global)
cdk-nag         0           0         0     0       0    0     0           MISSING  MEDIUM (global)
cfn-nag         0           0         0     0       0    0     0           MISSING  MEDIUM (global)
checkov         3           0         0     0       0    0     0           PASSED   LOW (config)
detect-secrets  17          0         0     0       0    0     0           PASSED   MEDIUM (global)
grype           0           0         0     0       0    0     0           PASSED   MEDIUM (global)
npm-audit       0           0         0     0       0    0     0           PASSED   MEDIUM (global)
opengrep        7           0         0     0       0    0     0           PASSED   MEDIUM (global)
semgrep         7           0         0     0       0    0     0           PASSED   MEDIUM (global)
syft            0           0         0     0       0    0     0           PASSED   MEDIUM (global)

Report generated by Automated Security Helper (ASH) at 2026-05-13T12:29:31+00:00

@rafaelpereyra rafaelpereyra enabled auto-merge May 13, 2026 13:12
@rafaelpereyra rafaelpereyra disabled auto-merge May 13, 2026 13:12
@rafaelpereyra rafaelpereyra merged commit b5e118e into main May 13, 2026
235 checks passed
@rafaelpereyra rafaelpereyra deleted the fix/gitlab-cyclonedx-empty-sbom branch May 13, 2026 13:12

Development

Successfully merging this pull request may close these issues.

GitLab CycloneDX reporter should emit a minimal empty SBOM when no components are found