{"id":42141180,"url":"https://github.com/cfengine/cf-remote","last_synced_at":"2026-04-06T15:02:46.221Z","repository":{"id":37451568,"uuid":"332749955","full_name":"cfengine/cf-remote","owner":"cfengine","description":"Deploy CFEngine to remote hosts","archived":false,"fork":false,"pushed_at":"2026-04-03T21:46:16.000Z","size":515,"stargazers_count":9,"open_issues_count":2,"forks_count":20,"subscribers_count":6,"default_branch":"master","last_synced_at":"2026-04-03T23:18:26.689Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cfengine.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2021-01-25T13:06:31.000Z","updated_at":"2026-04-03T21:46:20.000Z","dependencies_parsed_at":"2023-11-16T16:42:44.865Z","dependency_job_id":"65583fc2-f342-4328-a163-029dc1c58fa7","html_url":"https://github.com/cfengine/cf-remote","commit_stats":{"total_commits":98,"total_committers":12,"mean_commits":8.166666666666666,"dds":0.6020408163265306,"last_synced_commit":"83d35b35f3ca4e1f9f9080ce0ed91cfe3f8fb6e4"},"previous_names":[],"tags_count":82,"template":false,"template_full_name":null,"purl":"pkg:github/cfengine/cf-remote","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cfengine%2Fcf-remote","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cfengine%2Fcf-remote/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/G
itHub/repositories/cfengine%2Fcf-remote/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cfengine%2Fcf-remote/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cfengine","download_url":"https://codeload.github.com/cfengine/cf-remote/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cfengine%2Fcf-remote/sbom","scorecard":{"id":271884,"data":{"date":"2025-08-11","repo":{"name":"github.com/cfengine/cf-remote","commit":"6b1e0456f550365d15ea450b14cdb36fb3bd3eff"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":6.8,"checks":[{"name":"Maintained","score":10,"reason":"30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Code-Review","score":10,"reason":"all changesets reviewed","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source 
repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Token-Permissions","score":8,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: jobLevel 'contents' permission set to 'write': .github/workflows/black-format.yml:13","Info: jobLevel 'contents' permission set to 'read': .github/workflows/black.yml:16","Info: jobLevel 'contents' permission set to 'read': .github/workflows/python-publish.yml:14","Info: jobLevel 'contents' permission set to 'read': .github/workflows/tests.yml:16","Info: jobLevel 'contents' permission set to 'read': .github/workflows/tests.yml:61","Warn: no topLevel permission defined: .github/workflows/black-format.yml:1","Warn: no topLevel permission defined: .github/workflows/black.yml:1","Warn: no topLevel permission defined: .github/workflows/python-publish.yml:1","Warn: no topLevel permission defined: .github/workflows/tests.yml:1"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices 
Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: GNU General Public License v3.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"Pinned-Dependencies","score":1,"reason":"dependency not pinned by hash detected -- score normalized to 1","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/black-format.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/cfengine/cf-remote/black-format.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: 
.github/workflows/black-format.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/cfengine/cf-remote/black-format.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/black-format.yml:61: update your workflow using https://app.stepsecurity.io/secureworkflow/cfengine/cf-remote/black-format.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/black.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/cfengine/cf-remote/black.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/black.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/cfengine/cf-remote/black.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/python-publish.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/cfengine/cf-remote/python-publish.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/python-publish.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/cfengine/cf-remote/python-publish.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/tests.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/cfengine/cf-remote/tests.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/tests.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/cfengine/cf-remote/tests.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/tests.yml:70: update your workflow using https://app.stepsecurity.io/secureworkflow/cfengine/cf-remote/tests.yml/master?enable=pin","Warn: containerImage not pinned by hash: tests/docker/Dockerfile:1: pin your Docker image by updating debian:12-slim to 
debian:12-slim@sha256:b1a741487078b369e78119849663d7f1a5341ef2768798f7b7406c4240f86aef","Warn: pipCommand not pinned by hash: .github/workflows/black-format.yml:24","Warn: pipCommand not pinned by hash: .github/workflows/black-format.yml:25","Warn: pipCommand not pinned by hash: .github/workflows/black.yml:29","Warn: pipCommand not pinned by hash: .github/workflows/black.yml:30","Warn: pipCommand not pinned by hash: .github/workflows/black.yml:31","Warn: pipCommand not pinned by hash: .github/workflows/python-publish.yml:23","Warn: pipCommand not pinned by hash: .github/workflows/python-publish.yml:24","Warn: pipCommand not pinned by hash: .github/workflows/tests.yml:31","Warn: pipCommand not pinned by hash: .github/workflows/tests.yml:32","Warn: pipCommand not pinned by hash: .github/workflows/tests.yml:33","Info:   0 out of   9 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   1 third-party GitHubAction dependencies pinned","Info:   0 out of   1 containerImage dependencies pinned","Info:   2 out of  12 pipCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection 
settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-17T13:36:20.826Z","repository_id":37451568,"created_at":"2025-08-17T13:36:20.826Z","updated_at":"2025-08-17T13:36:20.826Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31477013,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-06T14:34:32.243Z","status":"ssl_error","status_checked_at":"2026-04-06T14:34:31.723Z","response_time":112,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-01-26T17:08:02.932Z","updated_at":"2026-04-06T15:02:46.214Z","avatar_url":"https://github.com/cfengine.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# cf-remote\n\n`cf-remote` is a tool to deploy CFEngine.\nIt works by contacting remote hosts with SSH and using `ssh` / `scp` to copy files and run commands.\nCommands for provisioning hosts in the cloud (AWS or GCP) are also available.\n\n## Requirements\n\n- 
cf-remote requires Python 3.6 or greater.\n- SSH must be configured in such a way that cf-remote can log in without a password.\n- An SFTP server for transferring files on UNIX hosts, e.g. openssh-sftp-server for Debian-based distributions.\n\n## Installation\n\nInstall with [pipx](https://pipx.pypa.io/):\n\n```bash\npipx install cf-remote\n```\n\nOr pip3:\n\n```bash\npip3 install cf-remote\n```\n\nOr pip:\n\n```bash\npip install cf-remote\n```\n\n## Examples\n\n### See information about remote host\n\nThe `info` command can be used to check basic information about a system.\nThe --hosts/-H option accepts [user@]hostname[:port] for the hostname.\nIf the hostname is an IPv6 address, use literal square brackets as described in RFC 3986 (https://www.ietf.org/rfc/rfc3986.txt).\n\ne.g. user@[FEDC:BA98:7654:3210:FEDC:BA98:7654:3210]:8022\n\n```\n$ cf-remote info -H 34.241.203.218\n\nubuntu@34.241.203.218\nOS            : ubuntu (debian)\nArchitecture  : x86_64\nCFEngine      : 3.12.1\nPolicy server : 172.31.42.192\nBinaries      : dpkg, apt\n```\n\n(You must have SSH access.)\n\n### Installing and bootstrapping CFEngine Enterprise Hub\n\nThe `install` command can automatically download and install packages as well as bootstrap both hubs and clients.\n\n```\n$ cf-remote install --hub 34.247.181.100 --bootstrap 172.31.44.146 --demo\n\nubuntu@34.247.181.100\nOS            : ubuntu (debian)\nArchitecture  : x86_64\nCFEngine      : Not installed\nPolicy server : None\nBinaries      : dpkg, apt\n\nPackage already downloaded: '/Users/olehermanse/.cfengine/cf-remote/packages/cfengine-nova-hub_3.12.1-1_amd64.deb'\nCopying: '/Users/olehermanse/.cfengine/cf-remote/packages/cfengine-nova-hub_3.12.1-1_amd64.deb' to '34.247.181.100'\nInstalling: 'cfengine-nova-hub_3.12.1-1_amd64.deb' on '34.247.181.100'\nCFEngine 3.12.1 was successfully installed on '34.247.181.100'\nBootstrapping: '34.247.181.100' -\u003e '172.31.44.146'\nBootstrap successful: '34.247.181.100' -\u003e 
'172.31.44.146'\nTransferring def.json to hub: '34.247.181.100'\nCopying: '/Users/olehermanse/.cfengine/cf-remote/json/def.json' to '34.247.181.100'\nTriggering an agent run on: '34.247.181.100'\nDisabling password change on hub: '34.247.181.100'\nTriggering an agent run on: '34.247.181.100'\nYour demo hub is ready: https://34.247.181.100/ (Username: admin, Password: password)\n```\n\nNote that this demo setup (`--demo`) is notoriously insecure.\nIt has default passwords and open access controls.\nDon't use it in a production environment.\n\n### Spawning instances in AWS EC2\n\n`cf-remote spawn` can create cloud instances on demand, for example in AWS EC2, but you'll have to add some credentials and settings:\n\n```\n$ cf-remote spawn --init-config\nConfig file /home/olehermanse/.cfengine/cf-remote/cloud_config.json created, please complete the configuration in it.\n$ cat /home/olehermanse/.cfengine/cf-remote/cloud_config.json\n{\n  \"aws\": {\n    \"key\": \"TBD\",\n    \"secret\": \"TBD\",\n    \"key_pair\": \"TBD\",\n    \"security_groups\": [\n      \"TBD\"\n    ],\n    \"region\": \"OPTIONAL (DEFAULT: eu-west-1)\"\n  },\n  \"gcp\": {\n    \"project_id\": \"TBD\",\n    \"service_account_id\": \"TBD\",\n    \"key_path\": \"TBD\",\n    \"region\": \"OPTIONAL (DEFAULT: europe-west1-b)\"\n  }\n}\n```\n\nYou can skip the `gcp` values if you will only be using AWS. 
After filling out those 4, it should just work:\n\n```\n$ cf-remote spawn --count 1 --platform ubuntu-20-04-x64 --role hub --name hub\nSpawning VMs....DONE\nWaiting for VMs to get IP addresses..........DONE\nDetails about the spawned VMs can be found in /home/olehermanse/.cfengine/cf-remote/cloud_state.json\n```\n\nYou can now install nightlies, and use the `--demo` option to make testing easier (**Not** secure for production use).\nReferring to the group names set by spawn makes the commands a lot shorter and easier to script:\n\n```\n$ cf-remote --version master install --hub hub --bootstrap hub --demo\n\nubuntu@52.214.209.170\nOS            : ubuntu (debian)\nArchitecture  : x86_64\nCFEngine      : Not installed\nPolicy server : None\nBinaries      : dpkg, apt\n\nDownloading package: '/home/olehermanse/.cfengine/cf-remote/packages/cfengine-nova-hub_3.18.0a.a24173342~12762.ubuntu18_amd64.deb'\nCopying: '/home/olehermanse/.cfengine/cf-remote/packages/cfengine-nova-hub_3.18.0a.a24173342~12762.ubuntu18_amd64.deb' to 'ubuntu@52.214.209.170'\nInstalling: 'cfengine-nova-hub_3.18.0a.a24173342~12762.ubuntu18_amd64.deb' on 'ubuntu@52.214.209.170'\nCFEngine 3.18.0a.a24173342 (Enterprise) was successfully installed on 'ubuntu@52.214.209.170'\nBootstrapping: '52.214.209.170' -\u003e '172.31.5.84'\nBootstrap successful: '52.214.209.170' -\u003e '172.31.5.84'\nTransferring def.json to hub: 'ubuntu@52.214.209.170'\nCopying: '/home/olehermanse/.cfengine/cf-remote/json/def.json' to 'ubuntu@52.214.209.170'\nTriggering an agent run on: '52.214.209.170'\nDisabling password change on hub: 'ubuntu@52.214.209.170'\nTriggering an agent run on: '52.214.209.170'\nYour demo hub is ready: https://52.214.209.170/ (Username: admin, Password: password)\n```\n\nMission Portal will be available at that IP, using the username and password from the last log message.\n\nWhen you are done, you can decommission your spawned instance(s) using:\n\n```\n$ cf-remote destroy --all\nDestroying all 
hosts\n```\n\n### Deploying a version of masterfiles you're working on locally\n\nThe `deploy` command allows you to deploy your local checkout of masterfiles, to test policy while working on it:\n\n```\n$ cf-remote deploy --hub hub ~/code/northern.tech/cfengine/masterfiles\n\nubuntu@18.202.238.128\nOS            : ubuntu (debian)\nArchitecture  : x86_64\nCFEngine      : 3.18.0a.a24173342 (Enterprise)\nPolicy server : None\nBinaries      : dpkg, apt\n\nCopying: '/home/olehermanse/.cfengine/cf-remote/masterfiles.tgz' to 'ubuntu@18.202.238.128'\nRunning: 'systemctl stop cfengine3 \u0026\u0026 rm -rf /var/cfengine/masterfiles \u0026\u0026 mv masterfiles /var/cfengine/masterfiles \u0026\u0026 systemctl start cfengine3 \u0026\u0026 cf-agent -Kf update.cf \u0026\u0026 cf-agent -K'\n$\n```\n\n### Specify an SSH key\n\nIf you have more than one key in `~/.ssh` you may need to specify which key `cf-remote` is to use.\n\n```\n$ export CF_REMOTE_SSH_KEY=\"~/.ssh/id_rsa.pub\"\n```\n\n### Working on the local host\n\n`cf-remote` can work on the local host when the target host is `localhost`. 
In this case, it executes commands locally without connecting over SSH.\n\n```\n$ cf-remote info -H localhost\n\nubuntu@localhost\nOS            : ubuntu (debian)\nArchitecture  : x86_64\nCFEngine      : 3.12.1\nPolicy server : 172.31.42.192\nBinaries      : dpkg, apt\n```\n\nWhen performing actions locally, `cf-remote` may require your password to run commands with `sudo`:\n\n```\n$ cf-remote install --clients localhost\nubuntu@localhost\nOS            : debian\nArchitecture  : x86_64\nCFEngine      : Not installed\nPolicy server :\nBinaries      : dpkg, apt\nInstalling: '/home/ubuntu/.cfengine/cf-remote/packages/cfengine-nova_3.15.3-1.debian10_amd64.deb' on 'localhost'\n[sudo] password for ubuntu:\nCFEngine 3.15.3 (Enterprise) was successfully installed on 'localhost'\n```\n\n## Contribute\n\nFeel free to open pull requests to expand this documentation, add features or fix problems.\nYou can also pick up an existing task or file an issue in [our bug tracker](https://northerntech.atlassian.net/issues/?filter=10068).\n\n## Development\n\nTo install `cf-remote` so that it reflects any changes in this source directory, use:\n\n```\n$ pip install --editable .\n```\n\n## cloud_data.py tips\n\nTo find AWS images for a particular owner when working on the cloud_data.py name_pattern, list the names for that owner with the following `aws` command:\n\n```\n$ aws ec2 describe-images --region us-east-2 --owners 801119661308 --query 'Images[*].[Name]' --output text\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcfengine%2Fcf-remote","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcfengine%2Fcf-remote","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcfengine%2Fcf-remote/lists"}