{"id":45933605,"url":"https://github.com/huntridge-labs/argus","last_synced_at":"2026-04-01T23:43:34.600Z","repository":{"id":339776982,"uuid":"1156655511","full_name":"huntridge-labs/argus","owner":"huntridge-labs","description":"Argus brings “a hundred eyes” to your project, combining leading open source security tools into a scalable, automated, continuous security pipeline.","archived":false,"fork":false,"pushed_at":"2026-03-30T15:06:36.000Z","size":5710,"stargazers_count":9,"open_issues_count":8,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-03-30T15:11:34.181Z","etag":null,"topics":["container-security","dast","devsecops","fedramp","hardening","iac-security","malware-detection","sast","secret-detection","security-automation","security-scanning","security-tools","vulnerability-scanning"],"latest_commit_sha":null,"homepage":"https://huntridge-labs.github.io/argus/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/huntridge-labs.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.md","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2026-02-12T22:34:52.000Z","updated_at":"2026-03-30T15:04:50.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/huntridge-labs/argus","commit_stats":null,"previous_names":["huntridge-labs/argus"],"tags_count":17,"template":false,"template_full_name":null,"purl":"pkg:github/huntridge-labs/argus","repositor
y_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/huntridge-labs%2Fargus","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/huntridge-labs%2Fargus/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/huntridge-labs%2Fargus/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/huntridge-labs%2Fargus/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/huntridge-labs","download_url":"https://codeload.github.com/huntridge-labs/argus/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/huntridge-labs%2Fargus/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31293062,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-01T21:15:39.731Z","status":"ssl_error","status_checked_at":"2026-04-01T21:15:34.046Z","response_time":53,"last_error":"SSL_read: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["container-security","dast","devsecops","fedramp","hardening","iac-security","malware-detection","sast","secret-detection","security-automation","security-scanning","security-tools","vulnerability-scanning"],"created_at":"2026-02-28T09:43:54.890Z","updated_at":"2026-04-01T23:43:34.593Z","avatar_url":"https://github.com/huntridge-labs.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n\n\u003cimg src=\"img/argus-no-bg.png\" alt=\"Argus - Perception is Protection\" width=\"250\"\u003e\n\n\u003cbr\u003e\n\n![GitHub Release](https://img.shields.io/github/v/release/huntridge-labs/argus?style=flat-square)\n![Unit Tests](https://img.shields.io/github/actions/workflow/status/huntridge-labs/argus/test-unit.yml?label=unit%20tests\u0026style=flat-square)\n![Integration Tests](https://img.shields.io/github/actions/workflow/status/huntridge-labs/argus/test-actions.yml?label=integration%20tests\u0026style=flat-square)\n[![codecov](https://img.shields.io/codecov/c/github/huntridge-labs/argus?token=SZDF9J8UGX\u0026style=flat-square)](https://codecov.io/gh/huntridge-labs/argus)\n\n[![License: AGPL v3](https://img.shields.io/badge/License-AGPL_v3-blue.svg?style=flat-square)](https://www.gnu.org/licenses/agpl-3.0)\n[![AICaC](https://img.shields.io/badge/AICaC-Comprehensive-success.svg)](https://github.com/eFAILution/AICaC)\n\n\u003cbr\u003e\n\nUnified security scanning for GitHub Actions — SAST, containers, IaC, secrets, and DAST in a 
single workflow.\n\n\u003c/div\u003e\n\n---\n\n## Table of Contents\n\n- [Quick Start](#quick-start)\n- [Supported Scanners](#supported-scanners)\n- [Features](#features)\n- [GitHub Enterprise Server (GHES)](#github-enterprise-server-ghes)\n- [Documentation](#documentation)\n- [Usage Examples](#usage-examples)\n- [Configuration](#configuration)\n- [Contributing](#contributing)\n\n## Quick Start\n\nCreate `.github/workflows/security.yml`:\n\n```yaml\nname: Security Scan\non: [pull_request, push]\n\njobs:\n  security:\n    uses: huntridge-labs/argus/.github/workflows/reusable-security-hardening.yml@0.6.7\n    with:\n      scanners: all\n      enable_code_security: true\n      post_pr_comment: true\n      fail_on_severity: high\n    secrets: inherit\n```\n\n## Supported Scanners\n\n| Category | Scanner | Description |\n|----------|---------|-------------|\n| **SAST** | CodeQL | GitHub semantic code analysis |\n| | Gitleaks | Secret detection in git history |\n| | Bandit | Python security linter |\n| | OpenGrep | Fast multi-language static analysis |\n| **Container** | Trivy Container | Comprehensive vulnerability scanner |\n| | Grype | Fast, accurate CVE detection |\n| | Syft | Software Bill of Materials (SBOM) |\n| **Infrastructure** | Trivy IaC | Infrastructure as Code scanner |\n| | Checkov | Policy as Code for cloud configs |\n| **Malware** | ClamAV | Open-source antivirus engine |\n| **DAST** | ZAP | Dynamic testing of running web/API endpoints (opt-in) |\n\nFor detailed scanner configuration, see [Scanner Reference](docs/scanners.md).\n\n## Features\n\n- **Unified interface** - One workflow for all scanners\n- **Flexible scanner selection** - Use `all`, scanner groups, or specific scanners\n- **GitHub Security tab integration** - Upload SARIF results to Code Scanning\n- **PR comments** - Inline feedback on pull requests\n- **Severity-based failure control** - Set thresholds for workflow failures\n- **Container configuration** - Scan multiple containers from a 
single config file\n- **Matrix execution** - Parallel scanning for multiple targets\n- **Private registry support** - Authenticate to container registries\n- **Environment variable expansion** - Dynamic configuration values\n\n## GitHub Enterprise Server (GHES)\n\nGHES users can use our composite actions directly from github.com - no mirroring required.\n\n**Architecture**: This project uses an actions-first architecture where all scanner logic lives in composite actions. The reusable workflows are thin wrappers for backwards compatibility on github.com.\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eGHES Quick Start\u003c/strong\u003e\u003c/summary\u003e\n\n```yaml\nname: Security Scan (GHES)\n\non: [pull_request, push]\n\npermissions:\n  contents: read\n  security-events: write\n  pull-requests: write\n\njobs:\n  sast:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v6\n\n      # Use composite actions directly from github.com\n      - uses: huntridge-labs/argus/.github/actions/scanner-gitleaks@0.6.7\n        with:\n          enable_code_security: true\n          fail_on_severity: high\n        env:\n          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}\n\n      - uses: huntridge-labs/argus/.github/actions/scanner-bandit@0.6.7\n        with:\n          enable_code_security: true\n          fail_on_severity: high\n```\n\n\u003c/details\u003e\n\nSee [examples/github-enterprise/](examples/github-enterprise/) for complete GHES workflow templates:\n- [SAST Scanning](examples/github-enterprise/sast-only.yml)\n- [Container Scanning](examples/github-enterprise/container-scanning.yml)\n- [Infrastructure Scanning](examples/github-enterprise/infrastructure-scanning.yml)\n- [DAST Scanning](examples/github-enterprise/dast-scanning.yml)\n\n## Documentation\n\n**Full documentation:** [huntridge-labs.github.io/argus](https://huntridge-labs.github.io/argus/)\n\n### User Guides\n\n- 
[Scanner Reference](docs/scanners.md) - Complete configuration for all scanners\n- [Container Scanning](docs/container-scanning.md) - Config-driven matrix container scanning\n- [Failure Control](docs/failure-control.md) - Severity-based workflow failure configuration\n\n### Developer Docs\n\n- [Contributing Guide](CONTRIBUTING.md) - How to add scanners and actions\n- [Testing Guide](tests/CONTRIBUTING.md) - How to add and run tests\n- [Release Management](docs/developer/release-management.md) - Release process and versioning\n- [Enhanced PR Comments](docs/developer/enhanced-pr-comments.md) - PR comment implementation\n\n## Usage Examples\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eAll Scanners with GitHub Security\u003c/strong\u003e\u003c/summary\u003e\n\n```yaml\nname: Complete Security Scan\n\non:\n  push:\n    branches: [main]\n  pull_request:\n    branches: [main]\n  schedule:\n    - cron: '0 2 * * 1'  # Weekly Monday at 2 AM\n\npermissions:\n  contents: read\n  security-events: write\n  pull-requests: write\n\njobs:\n  security:\n    uses: huntridge-labs/argus/.github/workflows/reusable-security-hardening.yml@0.6.7\n    with:\n      scanners: all\n      enable_code_security: true\n      post_pr_comment: true\n      fail_on_severity: high\n    secrets: inherit\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eSAST Scanners Only\u003c/strong\u003e\u003c/summary\u003e\n\n```yaml\nname: SAST Security Scan\n\non: [pull_request]\n\njobs:\n  sast:\n    uses: huntridge-labs/argus/.github/workflows/reusable-security-hardening.yml@0.6.7\n    with:\n      scanners: codeql,bandit,opengrep,gitleaks\n      codeql_languages: 'python,javascript'\n      enable_code_security: true\n      fail_on_severity: medium\n    secrets:\n      GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eContainer 
Scanning\u003c/strong\u003e\u003c/summary\u003e\n\n```yaml\nname: Container Security\n\non:\n  push:\n    tags: ['v*']\n\njobs:\n  scan-image:\n    uses: huntridge-labs/argus/.github/workflows/reusable-security-hardening.yml@0.6.7\n    with:\n      scanners: trivy-container,grype,sbom\n      image_ref: 'ghcr.io/myorg/myapp:${{ github.ref_name }}'\n      enable_code_security: true\n      fail_on_severity: critical\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eConfig-Driven Multiple Containers\u003c/strong\u003e\u003c/summary\u003e\n\n```yaml\nname: Multi-Container Scan\n\non:\n  push:\n    paths: ['container-config.yml']\n\njobs:\n  scan:\n    uses: huntridge-labs/argus/.github/workflows/container-scan-from-config.yml@0.6.7\n    with:\n      config_file: container-config.yml\n      enable_code_security: true\n      fail_on_severity: high\n    secrets: inherit\n```\n\n**container-config.yml:**\n\n```yaml\ncontainers:\n  - name: frontend\n    registry:\n      host: ghcr.io\n      username: ${GITHUB_TRIGGERING_ACTOR}\n      auth_secret: GITHUB_TOKEN\n    image:\n      repository: myorg\n      name: frontend\n      tag: latest\n    scanners:\n      - trivy-container\n      - grype\n\n  - name: backend\n    image: myorg/backend:latest\n    scanners:\n      - trivy-container\n      - sbom\n```\n\nSee [Container Scanning Guide](docs/container-scanning.md) for complete documentation.\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eInfrastructure as Code\u003c/strong\u003e\u003c/summary\u003e\n\n```yaml\nname: Infrastructure Security\n\non:\n  pull_request:\n    paths:\n      - 'terraform/**'\n      - 'infrastructure/**'\n\njobs:\n  iac:\n    uses: huntridge-labs/argus/.github/workflows/reusable-security-hardening.yml@0.6.7\n    with:\n      scanners: trivy-iac,checkov\n      iac_path: 'terraform/'\n      enable_code_security: true\n      fail_on_severity: 
high\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eBranch-Specific Thresholds\u003c/strong\u003e\u003c/summary\u003e\n\n```yaml\nname: Security with Branch Rules\n\non:\n  pull_request:\n    branches: ['**']\n\njobs:\n  security:\n    uses: huntridge-labs/argus/.github/workflows/reusable-security-hardening.yml@0.6.7\n    with:\n      scanners: all\n      enable_code_security: true\n      post_pr_comment: true\n      fail_on_severity: ${{ github.base_ref == 'main' \u0026\u0026 'high' || 'critical' }}\n    secrets: inherit\n```\n\n\u003c/details\u003e\n\n## Configuration\n\n### Scanner Selection\n\n- **All scanners:** `scanners: all`\n- **By category:** `scanners: sast`, `scanners: container`, `scanners: infrastructure`\n- **Specific scanners:** `scanners: codeql,trivy-container,gitleaks`\n- **Multiple categories:** `scanners: sast,container`\n\n### Common Inputs\n\n| Input | Description | Default |\n|-------|-------------|---------|\n| `scanners` | Scanners to run (comma-separated or category) | Required |\n| `enable_code_security` | Upload SARIF to GitHub Security tab | `false` |\n| `post_pr_comment` | Post findings as PR comments | `true` |\n| `fail_on_severity` | Fail workflow on severity threshold | `none` |\n\n**Severity levels:** `none`, `low`, `medium`, `high`, `critical`\n\nSee [Failure Control Guide](docs/failure-control.md) for detailed threshold configuration.\n\n### Permissions Required\n\n```yaml\npermissions:\n  contents: read           # Read repository content\n  security-events: write   # Upload to GitHub Security tab\n  pull-requests: write     # Post PR comments\n  actions: read           # Read Actions artifacts\n```\n\n### Secrets\n\nMost secrets are optional and inherited via `secrets: inherit`. 
Scanner-specific secrets:\n\n| Secret | Required For | Description |\n|--------|-------------|-------------|\n| `GITLEAKS_LICENSE` | Gitleaks (organizations) | License from [gitleaks.io](https://gitleaks.io) |\n| `GITHUB_TOKEN` | PR comments, Security tab | Automatically provided |\n| Registry secrets | Private containers | Token for authentication |\n\n## Contributing\n\nContributions welcome! See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.\n\n### Development Setup\n\n**Quick Start with Dev Container (Recommended):**\n\n[![Open in Dev Containers](https://img.shields.io/static/v1?label=Dev%20Containers\u0026message=Open\u0026color=blue\u0026logo=visualstudiocode)](https://vscode.dev/redirect?url=vscode://ms-vscode-remote.remote-containers/cloneInVolume?url=https://github.com/huntridge-labs/argus)\n\n1. Install [VS Code](https://code.visualstudio.com/) + [Dev Containers extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.remote-containers)\n2. Open repository → \"Reopen in Container\"\n3. All dependencies ready! 
Run `npm test`\n\nSee [.devcontainer/README.md](.devcontainer/README.md) for details.\n\n- Code of Conduct\n- Development setup\n- Pull request process\n- Commit message format\n\n### Development Setup\n\n```bash\n# Install dependencies\nnpm install\npip install -r .devcontainer/requirements.txt\n\n# Run tests\nnpm test\n\n# See tests/CONTRIBUTING.md for detailed testing guide\n```\n\n## License\n\nAGPL v3 License - see [LICENSE.md](LICENSE.md) for details.\n\n## Support\n\n- **Documentation:** [huntridge-labs.github.io/argus](https://huntridge-labs.github.io/argus/)\n- **Issues:** [GitHub Issues](https://github.com/huntridge-labs/argus/issues)\n- **Discussions:** [GitHub Discussions](https://github.com/huntridge-labs/argus/discussions)\n- **Security:** See [SECURITY.md](SECURITY.md) for vulnerability reporting\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhuntridge-labs%2Fargus","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhuntridge-labs%2Fargus","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhuntridge-labs%2Fargus/lists"}