[BUG] SkillSpector adapter fails without LLM API key -- needs --no-llm support

[sergio-sisternes-epam]

Describe the bug
The SkillSpector CLI adapter (src/apm_cli/security/external/skillspector.py) fails with "SkillSpector output is not valid JSON SARIF" when no LLM API key (e.g. OPENAI_API_KEY) is configured. The adapter builds the command without --no-llm, and SkillSpector writes its error to stdout (not stderr), which APM tries to parse as SARIF JSON.

To Reproduce

1. Install SkillSpector v2.0.0 (pip install -e . from github.com/NVIDIA/SkillSpector)
2. Enable the feature flag: apm experimental enable external-scanners
3. Unset all LLM keys: unset OPENAI_API_KEY NVIDIA_INFERENCE_KEY ANTHROPIC_API_KEY
4. Run: apm audit --external skillspector
5. See error: [x] External scanner 'skillspector' failed: SkillSpector output is not valid JSON SARIF

Expected behavior
The adapter should either pass --no-llm by default (for headless/CI use) or gracefully handle stdout containing non-JSON content by checking stderr and exit code first.

Environment (please complete the following information):

• OS: macOS (Darwin), also affects Linux
• Python Version: 3.12+
• APM Version: 0.16.1 (post PR feat(audit): vendor-agnostic external SARIF scanner ingestion (experimental) #1579 merge)
• SkillSpector Version: 2.0.0

Logs

[i] Running external scanner: skillspector
[x] External scanner 'skillspector' failed: SkillSpector output is not valid JSON SARIF: Expecting value: line 1 column 1 (char 0)

Additional context

• Root cause: skillspector.py line 61 builds [binary, "scan", "--format", "sarif", *targets] without --no-llm
• SkillSpector writing errors to stdout is arguably an upstream bug, but APM should be resilient
• Workaround: generate SARIF separately with skillspector scan --format sarif --no-llm . > report.sarif then apm audit --external sarif --external-sarif report.sarif
• Found during E2E testing of PR feat(audit): vendor-agnostic external SARIF scanner ingestion (experimental) #1579 (external scanners feature)

[github-actions]

Triage decision

accept

Proposed labels

theme/security
area/audit-policy
area/content-security
type/bug
status/accepted
priority/high

Milestone

null

Suggested next action

Add --no-llm to the SkillSpector command builder as the default for headless/CI use, and improve the error message to distinguish "no LLM key" from "invalid SARIF output."

Suggested issue comment

Thanks for the clear bug report and for identifying the root cause. This is accepted as a bug.

The SkillSpector adapter at `src/apm_cli/security/external/skillspector.py` builds its command without `--no-llm`, which causes SkillSpector to require an LLM API key and write its error to stdout. APM then tries to parse that error text as SARIF JSON, producing the unhelpful "SkillSpector output is not valid JSON SARIF" message.

The fix is straightforward: pass `--no-llm` by default in the command builder (line 61), so the adapter works in headless and CI environments without requiring an LLM key. Optionally, before attempting JSON parsing, the adapter should check the process exit code and stderr first so that any remaining non-JSON stdout produces a more actionable error (e.g., "SkillSpector exited with code N -- check stderr for details").

Note on the existing `area/security` label: the APM label taxonomy uses `area/audit-policy` and `area/content-security` for security-scanning surfaces. The `area/security` label is not in the current taxonomy; the correct taxonomy labels are being added in this triage. The existing label is preserved.

No milestone is assigned since the only open milestone (0.14.0) appears stale relative to the current 0.16.x version.

If you have a fix ready, a PR against `src/apm_cli/security/external/skillspector.py` would be welcome.

Per-lens notes (collapsed)

DevX UX Expert -- User-Need Reviewer

The bug prevents CI and headless use of the SkillSpector integration, which is a core use case for security scanning. The error message ("not valid JSON SARIF") is misleading -- the real error is "LLM API key not configured." The fix (default --no-llm) is low-risk and directly improves the headless developer experience. Maps to area/audit-policy (external scanners feature) and area/content-security.

Supply Chain Security Expert -- Risk-Surface Reviewer

This is in the security scanning surface. The bug does not introduce a vulnerability, but it silently disables security scanning in CI environments where no LLM key is configured -- which means teams may believe they are running security scans but are not. theme/security is required. area/audit-policy covers the external scanners feature; area/content-security covers the SARIF ingestion pipeline.

OSS Growth Hacker -- Contributor-Tone Reviewer

Not activated -- sergio-sisternes-epam is a collaborator with established context; standard technical tone is appropriate.

Python Architect -- Architecture Reviewer

Not activated -- this is a targeted one-line fix in the command builder plus optional error-handling improvement. No cross-cutting design decisions required.

Doc Writer -- Documentation Reviewer

Not activated -- no new doc pages needed. If any documentation references SkillSpector setup requirements, it should be updated to note that --no-llm is now the default for headless use.

APM CEO -- Triage Arbiter

Clear, targeted bug fix in the security scanning integration. Accepting with priority/high since it blocks CI use of a security feature. The existing area/security label is not in the APM taxonomy; area/audit-policy and area/content-security are the correct taxonomy labels and are added in this triage. Note this in the comment so the maintainer can decide whether to retire the non-taxonomy label.

{
  "decision": "accept",
  "decision_detail": "",
  "theme": "theme/security",
  "areas": ["area/audit-policy", "area/content-security"],
  "type": "type/bug",
  "status": "status/accepted",
  "priority": "priority/high",
  "preserved_labels": [],
  "milestone": null,
  "next_action": "Add --no-llm to the SkillSpector command builder as the default for headless/CI use, and improve the error message to distinguish no-LLM-key from invalid-SARIF.",
  "comment_markdown": "Thanks for the clear bug report and for identifying the root cause. This is accepted as a bug."
}

---

Triage status: agentic proposal pending human ratification.
Silence is approval. Maintainers can:

• Override any label or milestone above by editing it directly --
  human edits are authoritative and will not be reverted on
  subsequent runs.
• Re-trigger triage by applying the status/needs-triage label, or
  by removing status/triaged to enroll the issue in the next
  daily sweep.

Posted by the Triage Panel workflow. See .apm/skills/apm-triage-panel for the panel skill.

Generated by Triage Panel · sonnet46 3.8M · ◷