{"id":35731709,"url":"https://github.com/kopexa-grc/kspec","last_synced_at":"2026-02-11T21:07:13.079Z","repository":{"id":332043062,"uuid":"1128242779","full_name":"kopexa-grc/kspec","owner":"kopexa-grc","description":"A modern, extensible framework for defining and enforcing security policies across your digital infrastructure.","archived":false,"fork":false,"pushed_at":"2026-02-09T05:36:40.000Z","size":4568,"stargazers_count":39,"open_issues_count":1,"forks_count":2,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-02-09T11:35:39.417Z","etag":null,"topics":["audit-automation","automation","cloud-security","compliance","grc","grc-engineering","identity-security","iso27001","nis2","policy-as-code","security-as-code","security-audit"],"latest_commit_sha":null,"homepage":"https://kopexa.com","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kopexa-grc.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":".github/CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":".github/SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-01-05T10:52:24.000Z","updated_at":"2026-02-09T05:36:38.000Z","dependencies_parsed_at":"2026-01-18T16:00:59.351Z","dependency_job_id":null,"html_url":"https://github.com/kopexa-grc/kspec","commit_stats":null,"previous_names":["kopexa-grc/kspec"],"tags_count":9,"template":false,"template_full_name":null,"purl":"pkg:github/kopexa-grc/kspec","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kopexa-grc%2Fkspec","tags_url":"https://re
pos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kopexa-grc%2Fkspec/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kopexa-grc%2Fkspec/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kopexa-grc%2Fkspec/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kopexa-grc","download_url":"https://codeload.github.com/kopexa-grc/kspec/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kopexa-grc%2Fkspec/sbom","scorecard":{"id":1241332,"data":{"date":"2026-01-12T17:55:18Z","repo":{"name":"github.com/kopexa-grc/kspec","commit":"86c4502c52ffb03c78bbc0d78503271fdcbb903d"},"scorecard":{"version":"v5.3.0","commit":"c22063e786c11f9dd714d777a687ff7c4599b600"},"score":5.9,"checks":[{"name":"Maintained","score":0,"reason":"project was created within the last 90 days. Please review its contents carefully","details":["Warn: Repository was created within the last 90 days."],"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#dangerous-workflow"}},{"name":"Code-Review","score":0,"reason":"Found 0/8 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#code-review"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the 
repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#binary-artifacts"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#dependency-update-tool"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: jobLevel 'actions' permission set to 'read': .github/workflows/release-please.yml:210","Info: jobLevel 'contents' permission set to 'read': .github/workflows/scorecard.yml:23","Info: jobLevel 'actions' permission set to 'read': .github/workflows/scorecard.yml:24","Info: topLevel 'contents' permission set to 'read': .github/workflows/ci.yml:15","Info: topLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:16","Warn: topLevel 'security-events' permission set to 'write': .github/workflows/codeql.yml:17","Info: topLevel 'actions' permission set to 'read': .github/workflows/codeql.yml:18","Warn: topLevel 'contents' permission set to 'write': .github/workflows/dependabot-automerge.yml:12","Warn: topLevel 'contents' permission set to 'write': .github/workflows/release-please.yml:13","Info: topLevel permissions set to 'read-all': .github/workflows/scorecard.yml:14","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#token-permissions"}},{"name":"Security-Policy","score":10,"reason":"security policy file 
detected","details":["Info: security policy file detected: .github/SECURITY.md:1","Info: Found linked content: .github/SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: .github/SECURITY.md:1","Info: Found text in security policy: .github/SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#security-policy"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/kopexa-grc/kspec/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/kopexa-grc/kspec/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:51: update your workflow using https://app.stepsecurity.io/secureworkflow/kopexa-grc/kspec/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:65: update your workflow using https://app.stepsecurity.io/secureworkflow/kopexa-grc/kspec/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:77: update your workflow using https://app.stepsecurity.io/secureworkflow/kopexa-grc/kspec/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:80: update your workflow using https://app.stepsecurity.io/secureworkflow/kopexa-grc/kspec/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:86: update your workflow using https://app.stepsecurity.io/secureworkflow/kopexa-grc/kspec/ci.yml/main?enable=pin","Warn: GitHub-owned 
GitHubAction not pinned by hash: .github/workflows/ci.yml:108: update your workflow using https://app.stepsecurity.io/secureworkflow/kopexa-grc/kspec/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:111: update your workflow using https://app.stepsecurity.io/secureworkflow/kopexa-grc/kspec/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:117: update your workflow using https://app.stepsecurity.io/secureworkflow/kopexa-grc/kspec/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:138: update your workflow using https://app.stepsecurity.io/secureworkflow/kopexa-grc/kspec/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:143: update your workflow using https://app.stepsecurity.io/secureworkflow/kopexa-grc/kspec/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:149: update your workflow using https://app.stepsecurity.io/secureworkflow/kopexa-grc/kspec/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/kopexa-grc/kspec/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/kopexa-grc/kspec/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/kopexa-grc/kspec/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/kopexa-grc/kspec/codeql.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: 
.github/workflows/codeql.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/kopexa-grc/kspec/codeql.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/kopexa-grc/kspec/codeql.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/kopexa-grc/kspec/codeql.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/dependabot-automerge.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/kopexa-grc/kspec/dependabot-automerge.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/labels.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/kopexa-grc/kspec/labels.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/labels.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/kopexa-grc/kspec/labels.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-please.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/kopexa-grc/kspec/release-please.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-please.yml:58: update your workflow using https://app.stepsecurity.io/secureworkflow/kopexa-grc/kspec/release-please.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-please.yml:63: update your workflow using https://app.stepsecurity.io/secureworkflow/kopexa-grc/kspec/release-please.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-please.yml:69: update your workflow using 
https://app.stepsecurity.io/secureworkflow/kopexa-grc/kspec/release-please.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-please.yml:133: update your workflow using https://app.stepsecurity.io/secureworkflow/kopexa-grc/kspec/release-please.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-please.yml:152: update your workflow using https://app.stepsecurity.io/secureworkflow/kopexa-grc/kspec/release-please.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-please.yml:155: update your workflow using https://app.stepsecurity.io/secureworkflow/kopexa-grc/kspec/release-please.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-please.yml:178: update your workflow using https://app.stepsecurity.io/secureworkflow/kopexa-grc/kspec/release-please.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-please.yml:184: update your workflow using https://app.stepsecurity.io/secureworkflow/kopexa-grc/kspec/release-please.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-please.yml:213: update your workflow using https://app.stepsecurity.io/secureworkflow/kopexa-grc/kspec/release-please.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scorecard.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/kopexa-grc/kspec/scorecard.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/scorecard.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/kopexa-grc/kspec/scorecard.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scorecard.yml:40: update your workflow using 
https://app.stepsecurity.io/secureworkflow/kopexa-grc/kspec/scorecard.yml/main?enable=pin","Info:   0 out of  26 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of  10 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#pinned-dependencies"}},{"name":"Signed-Releases","score":6,"reason":"3 out of the last 4 releases have a total of 3 signed artifacts.","details":["Info: signed release artifact: checksums.txt.sig: https://github.com/kopexa-grc/kspec/releases/tag/v0.1.6","Info: signed release artifact: checksums.txt.sig: https://github.com/kopexa-grc/kspec/releases/tag/v0.1.5","Info: signed release artifact: checksums.txt.sig: https://github.com/kopexa-grc/kspec/releases/tag/v0.1.4","Warn: release artifact v0.1.3 not signed: https://api.github.com/repos/kopexa-grc/kspec/releases/274497547","Warn: release artifact v0.1.6 does not have provenance: https://api.github.com/repos/kopexa-grc/kspec/releases/275427071","Warn: release artifact v0.1.5 does not have provenance: https://api.github.com/repos/kopexa-grc/kspec/releases/274754772","Warn: release artifact v0.1.4 does not have provenance: https://api.github.com/repos/kopexa-grc/kspec/releases/274579925","Warn: release artifact v0.1.3 does not have provenance: https://api.github.com/repos/kopexa-grc/kspec/releases/274497547"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#signed-releases"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices 
Badge.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#cii-best-practices"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":9,"reason":"SAST tool detected but not run on all commits","details":["Info: SAST configuration detected: CodeQL","Warn: 21 commits out of 22 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#sast"}},{"name":"Fuzzing","score":10,"reason":"project is fuzzed","details":["Info: GoBuiltInFuzzer integration found: core/credential_test.go:347","Info: GoBuiltInFuzzer integration found: core/credential_test.go:390","Info: GoBuiltInFuzzer integration found: core/credential_test.go:433","Info: GoBuiltInFuzzer integration found: core/evaluator_test.go:460","Info: GoBuiltInFuzzer integration found: core/evaluator_test.go:519","Info: GoBuiltInFuzzer integration found: core/marshal_test.go:314","Info: GoBuiltInFuzzer integration found: pkg/ptr/ptr_test.go:238","Info: GoBuiltInFuzzer integration found: pkg/ptr/ptr_test.go:260","Info: GoBuiltInFuzzer integration found: pkg/ptr/ptr_test.go:282","Info: GoBuiltInFuzzer integration found: provider/network/dns_test.go:166","Info: GoBuiltInFuzzer integration found: provider/sbom/provider_test.go:261","Info: GoBuiltInFuzzer integration found: provider/sbom/provider_test.go:298","Info: GoBuiltInFuzzer integration found: provider/scanner/policy_test.go:625","Info: GoBuiltInFuzzer integration found: provider/scanner/policy_test.go:660"],"documentation":{"short":"Determines if the project uses 
fuzzing.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#fuzzing"}},{"name":"License","score":9,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Warn: project license file does not contain an FSF or OSI license."],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#license"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/ci.yml:133"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#packaging"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#branch-protection"}},{"name":"Contributors","score":3,"reason":"project has 1 contributing companies or organizations -- score normalized to 3","details":["Info: found contributions from: kopexa-grc"],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#contributors"}},{"name":"CI-Tests","score":9,"reason":"21 out of 22 merged PRs checked by a CI test -- score normalized to 9","details":null,"documentation":{"short":"Determines if the project runs tests before pull 
requests are merged.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#ci-tests"}}]},"last_synced_at":"2026-01-12T20:23:18.992Z","repository_id":332043062,"created_at":"2026-01-12T20:23:18.992Z","updated_at":"2026-01-12T20:23:18.992Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29345433,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-11T20:11:40.865Z","status":"ssl_error","status_checked_at":"2026-02-11T20:10:41.637Z","response_time":97,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["audit-automation","automation","cloud-security","compliance","grc","grc-engineering","identity-security","iso27001","nis2","policy-as-code","security-as-code","security-audit"],"created_at":"2026-01-06T11:20:03.311Z","updated_at":"2026-02-11T21:07:13.073Z","avatar_url":"https://github.com/kopexa-grc.png","language":"Go","readme":"\u003cdiv align=\"center\"\u003e\n  \u003cimg src=\"docs/banner.png\" alt=\"kspec banner\" width=\"100%\" /\u003e\n\n  # kspec\n\n  **The Enterprise-Grade Policy-as-Code Engine.**\n\n  [![CI](https://github.com/kopexa-grc/kspec/actions/workflows/ci.yml/badge.svg)](https://github.com/kopexa-grc/kspec/actions/workflows/ci.yml)\n  
[![CodeQL](https://github.com/kopexa-grc/kspec/actions/workflows/codeql.yml/badge.svg)](https://github.com/kopexa-grc/kspec/actions/workflows/codeql.yml)\n  [![Go Report Card](https://goreportcard.com/badge/github.com/kopexa-grc/kspec)](https://goreportcard.com/report/github.com/kopexa-grc/kspec)\n  [![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/kopexa-grc/kspec/badge)](https://scorecard.dev/viewer/?uri=github.com/kopexa-grc/kspec)\n  [![License](https://img.shields.io/badge/License-Elastic%202.0-blue.svg)](LICENSE)\n\n  \u003cp align=\"center\"\u003e\n    \u003cb\u003eValidate. Secure. Comply.\u003c/b\u003e\u003cbr /\u003e\n    A modern, extensible framework for defining and enforcing security policies across your digital infrastructure.\n  \u003c/p\u003e\n\n  \u003cimg src=\"docs/demo.gif\" alt=\"kspec demo\" width=\"100%\" /\u003e\n\u003c/div\u003e\n\n---\n\n## Overview\n\n**kspec** is a powerful policy engine designed to bridge the gap between complex security requirements and automated validation. 
Built for cloud-native environments, it allows organizations to define security posture as code, ensuring consistent enforcement across cloud platforms, SaaS applications, networks, and infrastructure.\n\nWhether you are auditing cloud configurations, verifying GitHub repository security, enforcing Microsoft 365 compliance, or validating TLS settings, **kspec** provides the primitives to build, test, and run policies at scale.\n\n## Key Features\n\n- **Multi-Cloud Support**: Scan AWS accounts, Azure subscriptions, Microsoft 365 tenants, and GitHub organizations from a single tool\n- **Policy-as-Code**: Define your security expectations in clear, version-controlled YAML with CEL expressions\n- **Extensible Provider Architecture**: Modular design with providers for Azure, MS365, GitHub, Network, and more\n- **Resource Discovery**: Inventory resources across providers without policy evaluation using `kspec discover`\n- **Interactive TUI**: Beautiful terminal UI showing real-time scan progress and results\n- **High Performance**: Built in Go for speed, portability, and minimal overhead\n- **CI/CD Ready**: Non-interactive mode with structured logging (`--no-ui`) and multiple export formats\n- **Export Reports**: Generate compliance reports in CSV, XLSX, JSON, or interactive HTML format\n\n## Supported Providers\n\n| Provider | Description | Documentation |\n|----------|-------------|---------------|\n| **AWS** | Scan AWS accounts for security compliance (IAM, S3, EC2, RDS, Lambda, EKS, and 50+ services) | [Provider Guide](docs/providers/aws.md) |\n| **Azure** | Scan Azure subscriptions for security compliance | [Provider Guide](docs/providers/azure.md) |\n| **Microsoft 365** | Scan M365 tenants for identity and security settings | [Provider Guide](docs/providers/ms365.md) |\n| **GitHub** | Scan organizations and repositories for security best practices | [Provider Guide](docs/providers/github.md) |\n| **Hetzner Cloud** | Scan Hetzner Cloud projects for infrastructure 
security | [Provider Guide](docs/providers/hetzner.md) |\n| **Cloudflare** | Scan DNS, WAF, Zero Trust, and security settings | [Provider Guide](docs/providers/cloudflare.md) |\n| **Atlassian** | Scan Jira, Confluence, and admin settings | [Provider Guide](docs/providers/atlassian.md) |\n| **Factorial HR** | Scan HR data for compliance (employees, contracts, documents) | [Provider Guide](docs/providers/factorial.md) |\n| **Network** | Validate TLS, DNS, and HTTP security configurations | [Provider Guide](docs/providers/network.md) |\n| **OS** | Scan local system services, packages, and files | [Provider Guide](docs/providers/os.md) |\n| **SBOM** | Scan Software Bill of Materials for vulnerabilities and licenses | [Provider Guide](docs/providers/sbom.md) |\n\n## Installation\n\n### From Source\n\n```bash\n# Clone the repository\ngit clone https://github.com/kopexa-grc/kspec.git\ncd kspec\n\n# Build\ngo build -o kspec ./cmd/kspec\n\n# Verify installation\n./kspec --help\n```\n\n## Quick Start\n\n### Scan AWS Account\n\n```bash\n# Set your AWS credentials\nexport AWS_ACCESS_KEY_ID=\"your-access-key\"\nexport AWS_SECRET_ACCESS_KEY=\"your-secret-key\"\nexport AWS_REGION=\"us-east-1\"\n\n# Scan an AWS account\nkspec scan aws account -f policies/aws-security.yml\n```\n\n### Scan GitHub Organization\n\n```bash\n# Set your GitHub token\nexport GITHUB_TOKEN=\"ghp_xxxxxxxxxxxx\"\n\n# Scan an organization\nkspec scan github org \u003corganization-name\u003e -f policies/github-security.yml\n```\n\n### Scan Azure Subscription\n\n```bash\n# Set Azure credentials (or use `az login` for CLI auth)\nexport AZURE_TENANT_ID=\"your-tenant-id\"\nexport AZURE_CLIENT_ID=\"your-client-id\"\nexport AZURE_CLIENT_SECRET=\"your-client-secret\"\n\n# Scan a subscription\nkspec scan azure subscription \u003csubscription-id\u003e -f policies/azure-security.yml\n```\n\n### Scan Microsoft 365 Tenant\n\n```bash\n# Scan M365 tenant\nkspec scan ms365 tenant \u003ctenant-id\u003e \\\n  --client-id 
\u003cclient-id\u003e \\\n  --client-secret \u003cclient-secret\u003e \\\n  -f policies/ms365-security.yml\n```\n\n### Scan Network Host\n\n```bash\n# Scan TLS and HTTP security (both variants work)\nkspec scan host example.com -f policies/tls-security.yml\n# or: kspec scan network host example.com -f policies/tls-security.yml\n```\n\n### Scan Hetzner Cloud Project\n\n```bash\n# Set your Hetzner Cloud API token\nexport HCLOUD_TOKEN=\"your-api-token\"\n\n# Scan all resources in a project\nkspec scan hetzner project -f policies/hetzner-security.yml\n```\n\n### Discover Resources (Without Policy Evaluation)\n\nUse `discover` to inventory resources without running policy checks:\n\n```bash\n# Discover AWS resources\nkspec discover aws account\n\n# Discover GitHub organization resources\nkspec discover github org \u003corganization-name\u003e\n\n# Output as JSON for integration with other tools\nkspec discover azure subscription \u003csub-id\u003e -o json\n\n# Output as tree view\nkspec discover hetzner project -o tree\n```\n\n## Output Options\n\n### Export Results\n\nExport scan results to CSV, XLSX, JSON, or HTML for compliance reporting:\n\n```bash\n# Export to CSV\nkspec scan aws account -f policies/aws-security.yml -o report.csv\n\n# Export to Excel\nkspec scan azure subscription \u003csub-id\u003e -f policies/azure-security.yml -o report.xlsx\n\n# Export to JSON\nkspec scan github org \u003corg-name\u003e -f policies/github-security.yml -o report.json\n\n# Export to HTML (visual report)\nkspec scan aws account -f policies/aws-security.yml -o report.html\n\n# Specify format explicitly\nkspec scan aws account -f policies/aws-security.yml -o report --export-format xlsx\n```\n\n### HTML Reports\n\nShare scan results with stakeholders who don't have CLI access. 
HTML reports are self-contained files you can email, upload to Confluence, or attach to audit documentation.\n\n```bash\nkspec scan aws account -f policies/aws-security.yml -o compliance-report.html\n```\n\n\u003ca href=\"https://kopexa.com\" rel=\"noopener noreferrer nofollow\"\u003e\n  \u003cimg src=\"docs/kspec_html_report.png\" alt=\"kspec HTML Report\" width=\"100%\" /\u003e\n\u003c/a\u003e\n\n### Non-Interactive Mode (CI/CD)\n\nUse `--no-ui` for CI/CD pipelines with structured logging via zerolog:\n\n```bash\n# Run without interactive UI\nkspec scan aws account -f policies/aws-security.yml --no-ui\n\n# Combine with export\nkspec scan azure subscription \u003csub-id\u003e -f policies/azure-security.yml --no-ui -o results.csv\n```\n\nOutput example:\n```\n12:34:56 INF Scan initialized target=my-subscription\n12:34:57 INF Discovery started\n12:34:58 INF Discovery complete\n12:34:58 INF Scan started\n12:34:59 INF Storage encryption enabled id=azure-storage-encryption status=PASS\n12:34:59 WRN Public blob access disabled id=azure-storage-public-access status=FAIL severity=high details=\"Public access is enabled\"\n12:35:00 INF Scan complete\n12:35:00 INF Scan summary total=10 passed=8 failed=1 skipped=1\n```\n\n### Concurrency Control\n\nkspec uses adaptive concurrency to parallelize resource discovery and scanning. 
By default, it automatically scales workers based on your system's CPU cores.\n\n```bash\n# Auto concurrency (default) - scales based on available CPUs\nkspec scan aws account -f policies/aws-security.yml\n\n# Limit maximum concurrent workers\nkspec scan aws account -f policies/aws-security.yml --max-workers 10\n\n# Disable concurrency (run sequentially for debugging)\nkspec scan aws account -f policies/aws-security.yml --sequential\n```\n\nThe scanner parallelizes:\n- **Resource discovery** - Multiple resource types discovered concurrently\n- **Resource fetching** - Instances fetched in parallel with rate limiting\n- **Policy evaluation** - CPU-bound checks run concurrently\n\nBuilt-in rate limiting prevents API throttling for each provider (AWS, Azure, GitHub, etc.).\n\n## Policy Library\n\nThe repository includes pre-built security policies:\n\n| Policy | Provider | Description |\n|--------|----------|-------------|\n| [Azure Security](policies/azure-security.yml) | Azure | Storage encryption, SQL auditing, Key Vault protection, NSG rules |\n| [MS365 Security](policies/ms365-security.yml) | MS365 | MFA enforcement, Conditional Access, identity protection, Teams security |\n| [GitHub Security](policies/github-security.yml) | GitHub | Branch protection, 2FA, repository security settings |\n| [Hetzner Security](policies/hetzner-security.yml) | Hetzner | Server protection, firewall rules, SSH key security, network isolation |\n| [TLS Security](policies/tls_security.yaml) | Network | TLS versions, cipher suites, PFS, AEAD ciphers |\n| [Certificate Security](policies/certificate_security.yaml) | Network | Expiration, validity period, signature algorithms |\n| [HTTP Security](policies/http_security.yaml) | Network | Security headers (HSTS, CSP, X-Frame-Options) |\n| [DNS Security](policies/dns_security.yaml) | Network | DNS record validation |\n| [Email Security](policies/email-security.policy.yaml) | Network | SPF records, DMARC enforcement |\n\n## Writing Policies\n\nPolicies are defined in YAML with CEL (Common Expression Language) queries:\n\n```yaml\npolicies:\n  - uid: my-security-policy\n    name: My Security Policy\n    version: 1.0.0\n    require:\n      - provider: azure\n    groups:\n      - title: Storage Security\n        checks:\n          - uid: storage-https-required\n\nqueries:\n  - uid: storage-https-required\n    title: Ensure HTTPS is required for storage accounts\n    resource: azure_storage_account\n    impact: 90\n    query: |\n      has(resource.properties) \u0026\u0026\n      resource.properties.supportsHttpsTrafficOnly == true\n    docs:\n      desc: |\n        Storage accounts should require HTTPS to encrypt data in transit.\n      remediation: |\n        Enable \"Secure transfer required\" in the storage account settings.\n```\n\n## Architecture\n\nkspec operates on a **Provider-Resource-Policy** model:\n\n1. **Providers** (AWS, Azure, MS365, GitHub, Network, etc.) connect to target assets\n2. **Resources** expose structured data from the target (storage accounts, users, repos)\n3. **Policies** define expected security state using CEL expressions\n4. **Scanner** orchestrates discovery, fetching, and policy evaluation\n5. **TUI** displays real-time progress and results\n\n```\n┌─────────────┐     ┌──────────────┐     ┌─────────────┐\n│   Provider  │────▶│   Resources  │────▶│   Scanner   │\n│  (Azure)    │     │  (Storage,   │     │  (Evaluate  │\n│             │     │   SQL, etc)  │     │   Policies) │\n└─────────────┘     └──────────────┘     └──────┬──────┘\n                                                │\n                                                ▼\n                                         ┌─────────────┐\n                                         │     TUI     │\n                                         │  (Results)  │\n                                         └─────────────┘\n```\n\n## Documentation\n\n- **[Documentation Index](docs/README.md)** - Complete documentation\n- **[Quickstart Guide](docs/QUICKSTART.md)** - Scan a host in 5 minutes\n- **[Installation](docs/installation.md)** - Installation instructions\n- **[Writing Policies](docs/policies.md)** - Create custom security policies\n- **[CLI Reference](docs/reference/cli.md)** - Command line options\n- **[CEL Expressions](docs/concepts/cel-expressions.md)** - Writing policy queries\n\n## CI/CD Integration\n\n### GitHub Actions\n\n```yaml\nname: Security Scan\n\non:\n  schedule:\n    - cron: '0 6 * * *'\n  workflow_dispatch:\n\njobs:\n  scan:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n\n      - name: Setup Go\n        uses: actions/setup-go@v5\n        with:\n          go-version: '1.21'\n\n      - name: Build kspec\n        run: go build -o kspec ./cmd/kspec\n\n      - name: Run Security Scan\n        env:\n          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}\n          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}\n          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}\n        run: |\n          ./kspec scan azure subscription ${{ secrets.AZURE_SUBSCRIPTION_ID }} \\\n            -f policies/azure-security.yml \\\n            --no-ui \\\n            -o scan-results.csv\n\n      - name: Upload Scan Results\n        uses: actions/upload-artifact@v4\n        if: always()\n        with:\n          name: security-scan-results\n          path: scan-results.csv\n```\n\n## Contributing\n\nContributions are welcome! Please read the license terms before contributing.\n\n## License\n\nThis project is licensed under the **Elastic License 2.0 (ELv2)**.\n\n- **Commercial use**: You are free to use this software commercially, including for auditing, consulting, and security assessments\n- **Managed Service**: You may **not** provide this software as a hosted or managed service to third parties\n- **Modifications**: You may modify and distribute the software, subject to the license terms\n\nSee [LICENSE](LICENSE) for the full license text.\n\n### What's Allowed\n\n- Using kspec internally at your company\n- Using kspec to audit or assess client infrastructure (consultants, auditors)\n- Modifying kspec for your own use\n- Distributing kspec with your modifications (with license notices)\n\n### What's Not Allowed\n\n- Offering kspec as a hosted/managed service (SaaS)\n- Removing or circumventing license functionality\n\n---\n\n\u003cdiv align=\"center\"\u003e\n  \u003cp\u003eBuilt with care by \u003ca href=\"https://github.com/kopexa-grc\"\u003eKopexa GRC\u003c/a\u003e\u003c/p\u003e\n\u003c/div\u003e\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkopexa-grc%2Fkspec","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkopexa-grc%2Fkspec","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkopexa-grc%2Fkspec/lists"}
