{"id":49888917,"url":"https://github.com/mehrdoost/devsecops-radar","last_synced_at":"2026-06-07T20:01:10.370Z","repository":{"id":357478448,"uuid":"1237070276","full_name":"Mehrdoost/devsecops-radar","owner":"Mehrdoost","description":"🛡️ Unify Trivy, Semgrep, Poutine \u0026 Zizmor scans into one AI-enhanced, offline-ready dashboard. Track CI/CD security trends, get LLM-powered analysis, and enforce policies — the open-source DevSecOps command center.","archived":false,"fork":false,"pushed_at":"2026-05-16T18:50:01.000Z","size":9917,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-16T21:03:49.986Z","etag":null,"topics":["ai","ai-discovery","ai-tools","application-security","ci-cd","cybersecurity","cybersecurity-tools","dashboard","devops-tools","devsecops","security-tools","semgrep","trivy","vulnerability-managemen"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Mehrdoost.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-12T21:05:47.000Z","updated_at":"2026-05-16T18:50:05.000Z","dependencies_parsed_at":null,"dependency_job_id":"56a7b363-c756-4601-99a8-a91896471c6f","html_url":"https://github.com/Mehrdoost/devsecops-radar","commit_stats":null,"previous_names":["mehrdoost/devsecops-radar"],"tags_count":16,"template":false,"template_full_name":null,"purl":"pkg:github/Mehrdoost/devsecops-rada
r","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mehrdoost%2Fdevsecops-radar","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mehrdoost%2Fdevsecops-radar/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mehrdoost%2Fdevsecops-radar/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mehrdoost%2Fdevsecops-radar/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Mehrdoost","download_url":"https://codeload.github.com/Mehrdoost/devsecops-radar/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mehrdoost%2Fdevsecops-radar/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33157229,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-17T09:28:26.183Z","status":"ssl_error","status_checked_at":"2026-05-17T09:27:52.702Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai","ai-discovery","ai-tools","application-security","ci-cd","cybersecurity","cybersecurity-tools","dashboard","devops-tools","devsecops","security-tools","semgrep","trivy","vulnerability-managemen"],"created_at":"2026-05-15T20:03:40.904Z","updated_at":"2026-06-07T20:01:10.323Z","avatar_url":"https://github.com/Mehrdoost.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n\n# 🛡️ Pipeline Sentinel\n\n### *The Open‑Source DevSecOps Command Center — Unify, Analyse, Remediate.*\n\n[![PyPI version](https://img.shields.io/pypi/v/devsecops-radar?style=for-the-badge\u0026color=2196F3)](https://pypi.org/project/devsecops-radar/)\n[![License](https://img.shields.io/github/license/Mehrdoost/devsecops-radar?style=for-the-badge\u0026color=4CAF50)](LICENSE)\n[![GitHub 
release](https://img.shields.io/github/v/release/Mehrdoost/devsecops-radar?include_prereleases\u0026style=for-the-badge\u0026color=FF9800)](https://github.com/Mehrdoost/devsecops-radar/releases)\n[![CI](https://img.shields.io/github/actions/workflow/status/Mehrdoost/devsecops-radar/ci.yml?branch=main\u0026style=for-the-badge\u0026color=9C27B0)](https://github.com/Mehrdoost/devsecops-radar/actions)\n[![codecov](https://codecov.io/gh/Mehrdoost/devsecops-radar/branch/main/graph/badge.svg?token=TOKEN\u0026style=for-the-badge)](https://codecov.io/gh/Mehrdoost/devsecops-radar)\n[![Stars](https://img.shields.io/github/stars/Mehrdoost/devsecops-radar?style=for-the-badge\u0026color=FFEB3B)](https://github.com/Mehrdoost/devsecops-radar/stargazers)\n\n\u003cbr\u003e\n\n\u003e 📖 **Read this in:** [Русский](README_ru.md) | [中文](README_zh.md) | [العربية](README_ar.md)\n\n\u003cbr\u003e\n\n*Severity doughnut, trend line chart, attack‑path graph (clickable nodes), topology view, executive summary, and attack simulation panel — all fully offline.*\n\n![Pipeline Sentinel Dashboard](docs/Demo.gif)\n\n\u003c/div\u003e\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003e📑 Table of Contents (Click to expand)\u003c/b\u003e\u003c/summary\u003e\n\n1. [What Is Pipeline Sentinel? (Simple Explanation)](#-what-is-pipeline-sentinel-simple-explanation)\n2. [Why You Need It](#-why-you-need-it)\n3. [Where to Run It in Your Network](#-where-to-run-it-in-your-network)\n4. [Network Flow \u0026 Topology](#-network-flow--topology)\n5. [Dashboard Preview](#-dashboard-preview)\n6. [Quick Start](#-quick-start)\n7. [Prerequisites](#-prerequisites)\n8. [Installation](#-installation)\n9. [How to Use (Step‑by‑Step)](#-how-to-use-stepbystep)\n10. [Complete Command Reference](#-complete-command-reference)\n11. [Core Capabilities](#-core-capabilities)\n12. [Community Rules \u0026 Online Updates](#-community-rules--online-updates)\n13. 
[Attack Simulation \u0026 What‑If Analysis](#-attack-simulation--what‑if-analysis)\n14. [Security Improvements in v0.4.2](#-security-improvements-in-v042)\n15. [Architecture](#-architecture)\n16. [Roadmap](#-roadmap)\n17. [Testing \u0026 CI](#-testing--ci)\n18. [Security Policy](#-security-policy)\n19. [Contributing](#-contributing)\n20. [Code of Conduct](#-code-of-conduct)\n21. [Support Development](#-support-development)\n22. [Author](#-author)\n23. [License](#-license)\n\n\u003c/details\u003e\n\n---\n\n## 👨‍👩‍👧 What Is Pipeline Sentinel? (Simple Explanation)\n\n\u003e **Imagine you have several security guards**, each watching a different door of a building. They all shout their findings in different languages, and you have to run around to understand what’s going on.\n\n**Pipeline Sentinel** puts them all in one room, translates their reports, and shows you a single, clear screen with the full picture. It connects to tools like **Trivy** (checks your containers), **Semgrep** (scans your code), **Poutine** (audits your GitLab pipelines), **Zizmor** (secures your GitHub Actions), and **Gitleaks** (finds secrets). \n\nInstead of digging through multiple JSON files, you get a **beautiful, dark‑mode command‑center dashboard** that tells you what’s critical, how risks are trending, and even how an attacker might chain several small issues into a big problem.\n\n*Think of it as a **security camera system for your entire CI/CD pipeline** — it watches everything, alerts you, suggests fixes, and even lets you simulate attack chains, all without needing internet access if you want.*\n\n---\n\n## 💥 Why You Need It\n\nIn 2026, **supply chain attacks** have become the #1 threat. Tools like Trivy themselves were compromised, and attackers now inject malicious code directly into build pipelines. 
**You can no longer just scan your code; you must scan your pipeline.**\n\n**Pipeline Sentinel gives you:**\n* 🎯 **Unified Aggregation:** One screen for all scanners – stop juggling log files.\n* 🧠 **Graph AI Insights:** AI that understands attack chains – *\"A leaked secret + an old library = a disaster.\"*\n* ⚡ **Auto-Remediation:** Automatically patches files and opens a pull request (with automated backups) with a single flag.\n* 👥 **Human Review Mode:** Step-by-step interactive interface to inspect each fix before applying it to production.\n* 📊 **Compliance-Ready Reports:** Instantly generate beautiful, executive-ready PDF summaries for auditors or stakeholders.\n* ⚔️ **Attack Simulation:** Select security findings and automatically generate operational proof-of-concept scripts.\n* 🔒 **Air-Gapped Privacy:** 100% offline capable. Perfect for highly restricted environments where data residency is paramount.\n* 🧙 **Interactive Wizard:** A single command leads you through the entire initialization and onboarding process.\n* 🛒 **Rules Marketplace:** Dynamically fetch and update curated detection definitions directly from the community.\n\n---\n\n## 📍 Where to Run It in Your Network\n\nPipeline Sentinel is designed to adapt to your setup. You decide where it fits best:\n\n| Deployment Mode | Operational Profile \u0026 Context |\n| :--- | :--- |\n| 🖥️ **Local Dev Machine** | Run the CLI and dashboard right on your laptop. Perfect for individual pentesters or developers who want instant, localized feedback. |\n| 🔧 **CI/CD Runner Pipeline** | Integrate directly into Jenkins/GitLab CI or GitHub Actions. Fail builds automatically if critical vulnerabilities exceed your security policy rules. |\n| 🏢 **Central Security Operations** | Deploy via Docker on a central server to collect scan history across multiple teams, unifying visibility into a shared security console. |\n| 🌐 **Air‑Gapped Environments** | Air-gap friendly. 
Deploy the standalone Docker bundle to isolated networks with zero external asset dependencies or tracker requests. |\n\n---\n\n## 🔍 Network Flow \u0026 Topology\n\n### 🔄 Logical Data Lifecycle\nThe functional flow below maps exactly how raw multi-scanner inputs route through our parsing engine to be normalized and centralized:\n\n```mermaid\ngraph LR\n    subgraph Scanners [Multi-Scanner Core Inputs]\n        T[Trivy Scan] \n        S[Semgrep Scan] \n        P[Poutine Scan] \n        Z[Zizmor Scan] \n        G[Gitleaks Scan]\n    end\n\n    Scanners ---\u003e|Raw Reports| CLI(🛡️ devsecops-radar CLI Engine)\n    CLI ---\u003e|Normalize \u0026 Deduplicate| Out[findings.json]\n    Out ---\u003e Web(📊 Flask Dashboard App)\n    Web ---\u003e UI[🌐 Modern Browser Command Center]\n\n    style CLI fill:#1e1e2e,stroke:#3b82f6,stroke-width:2px,color:#cdd6f4\n    style Web fill:#1e1e2e,stroke:#10b981,stroke-width:2px,color:#cdd6f4\n    style Out fill:#181825,stroke:#fab387,stroke-width:1px,color:#a6e3a1\n    style UI fill:#11111b,stroke:#a6e3a1,stroke-width:2px,color:#cdd6f4\n```\n\n### 🌐 Operational Infrastructure Mapping\nOnce processed, the centralized findings are rendered inside your topology mapping network boundaries, visualising the operational relationship between distinct pipeline segments:\n\n![Network Flow Diagram](docs/architecture-1.png)\n\n---\n\n## 📸 Dashboard Preview\n\n*(See the animated demo at the top of this README for a live preview of the UI in action!)*\n\n---\n\n## 🚀 Quick Start\n\nGet up and running in 3 simple steps:\n\n```bash\n# 1. Install from PyPI\npip install devsecops-radar\n\n# 2. Feed scanner data (sample data is included in the repo)\ndevsecops-radar --trivy sample_trivy.json --semgrep sample_semgrep.json\n\n# 3. 
Launch the dashboard\ndevsecops-radar-web\n```\n\nOpen **http://localhost:8080** — your unified command center is live with sample findings.\n\n\u003e [!TIP]\n\u003e 🧙 **Want a fully guided setup?** Run the interactive wizard:\n\u003e ```bash\n\u003e devsecops-radar --wizard\n\u003e ```\n\n---\n\n## 📦 Installation\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eView All Installation Options (PyPI, Docker, Source, One-Command)\u003c/b\u003e\u003c/summary\u003e\n\u003cbr\u003e\n\n### Option 1 — PyPI (Recommended)\n```bash\npip install devsecops-radar\n```\n\n### Option 2 — From Source\n```bash\ngit clone https://github.com/Mehrdoost/devsecops-radar.git\ncd devsecops-radar\npip install -e \".[dev]\"\n```\n\n### Option 3 — Docker\n```bash\ndocker pull ghcr.io/mehrdoost/devsecops-radar:latest\ndocker run -p 8080:8080 ghcr.io/mehrdoost/devsecops-radar:latest\n```\n**Mount your own findings file:**\n```bash\ndocker run -p 8080:8080 -v $(pwd)/findings.json:/data/findings.json ghcr.io/mehrdoost/devsecops-radar:latest\n```\n**Or use Docker Compose:**\n```bash\ndocker compose up\n```\n\n### 🧙 One‑Command Install (curl)\n```bash\ncurl -fsSL https://raw.githubusercontent.com/Mehrdoost/devsecops-radar/main/install.sh | bash\n```\n*This script installs Python dependencies, Ollama, pulls the AI model, and starts the wizard.*\n\n\u003c/details\u003e\n\n---\n\n## 📋 Prerequisites\n\n\u003e [!IMPORTANT]\n\u003e Pipeline Sentinel relies on external security tools to produce the JSON reports it consumes. You must install these tools separately according to your needs.\n\n- **Required for offline scanning:** Trivy, Semgrep, Poutine, Zizmor, Gitleaks.\n- **Optional:** Ollama (AI analysis), Docker (Sandboxing), OPA (Rego policy).\n\n\u003e 📖 **See `PREREQUISITES.md` for full installation details of these tools.**\n\n---\n\n## 🧭 How to Use (Step‑by‑Step)\n\n\u003cdetails open\u003e\n\u003csummary\u003e\u003cb\u003e1. 
Run Your Security Scanners\u003c/b\u003e\u003c/summary\u003e\n\u003cbr\u003e\n\nGenerate JSON output from your tools:\n```bash\ntrivy image --format json -o trivy.json nginx:latest\nsemgrep --config=auto --json --output semgrep.json .\npoutine scan ./repo --format json --output poutine.json\nzizmor scan ./repo --output zizmor.json --format json\ngitleaks detect --source . --report-format json --report-path gitleaks.json\n```\n\u003c/details\u003e\n\n\u003cdetails open\u003e\n\u003csummary\u003e\u003cb\u003e2. Merge Findings with the CLI\u003c/b\u003e\u003c/summary\u003e\n\u003cbr\u003e\n\n```bash\ndevsecops-radar --trivy trivy.json --semgrep semgrep.json --poutine poutine.json --zizmor zizmor.json --gitleaks gitleaks.json\n```\n*This produces a single `findings.json` with all findings merged and normalised.*\n\u003c/details\u003e\n\n\u003cdetails open\u003e\n\u003csummary\u003e\u003cb\u003e3. View the Dashboard Engine\u003c/b\u003e\u003c/summary\u003e\n\u003cbr\u003e\n\nExecute the web wrapper to spin up your centralized analytics engine:\n```bash\ndevsecops-radar-web\n```\n\n### 📊 Tactical Web Console Architecture\nThe single-page real-time dashboard elegantly partitions telemetry into high-impact actionable items:\n\n| Dashboard Component | Interface Visualization Type | Core Operational Value |\n| :--- | :--- | :--- |\n| **Severity Breakdown** | Dynamic Doughnut Charts | Instant tracking of global exposure density and total counts. |\n| **Trend Over Time** | Aggregated Line Timelines | Historical trajectory graphs drawn from persistent scan logs. |\n| **Pipeline Security** | Specialized Poutine + Zizmor Matrix | Micro-telemetry analyzing supply chain health and meta-workflows. |\n| **Attack Path Graph** | Interactive D3.js Force Nodes | Clickable chain mapping demonstrating structural flaw correlations. |\n| **Executive Summary** | Context-Rich Summary \u0026 Risk Scoring | Algorithmic threat intelligence translated into executive-ready metrics. 
|\n| **Findings Datagrid** | Searchable Paginated Checkbox Tables | Granular configuration control built for isolating entities for target simulations. |\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003e4. Enable AI Analysis (Optional)\u003c/b\u003e\u003c/summary\u003e\n\u003cbr\u003e\n\n```bash\nollama pull llama3.2:latest\ndevsecops-radar --trivy trivy.json --analyze\ndevsecops-radar-web\n```\nThe LLM generates `findings_ai_summary.json` containing: `executive_summary`, `risk_score`, `attack_paths` (with MITRE ATT\u0026CK), `top_remediations`, and `false_positives_likely`.\n\n![AI Analysis](docs/AI_CLI.PNG)\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003e5. Auto‑Remediation (with Human Review)\u003c/b\u003e\u003c/summary\u003e\n\u003cbr\u003e\n\n```bash\n# Apply fixes automatically\ndevsecops-radar --trivy trivy.json --analyze --fix\n\n# Interactive step‑by‑step review\ndevsecops-radar --trivy trivy.json --analyze --fix --review\n```\n\u003e [!NOTE]\n\u003e All modified files are backed up to `~/.devsecops-radar/backups/`. The tool creates a new git branch `auto-fix` and pushes it for review.\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003e6. Policy Enforcement\u003c/b\u003e\u003c/summary\u003e\n\u003cbr\u003e\n\nCreate a `policy.json` file:\n```json\n{\n  \"max_critical\": 5, \n  \"on_violation\": \"fail\"\n}\n```\n```bash\ndevsecops-radar --trivy trivy.json --policy policy.json\n```\n*If critical findings exceed 5, the command exits with code 1. You can also use OPA Rego policies (`--rego-policy`).*\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003e7. 
Generate Compliance \u0026 Standard Reports\u003c/b\u003e\u003c/summary\u003e\n\u003cbr\u003e\n\n```bash\n# PDF report with compliance mapping\ndevsecops-radar --trivy trivy.json --analyze --compliance CIS --report cis-report.pdf\n\n# Export as SARIF for GitHub Code Scanning\ndevsecops-radar --trivy trivy.json --export-sarif report.sarif\n\n# Export as CycloneDX SBOM\ndevsecops-radar --trivy trivy.json --export-cyclonedx report.cdx.json\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003e8. Security Badge for Your Project\u003c/b\u003e\u003c/summary\u003e\n\u003cbr\u003e\n\nEmbed a dynamic security badge in your README:\n```markdown\n[![Security Status](https://your-server/badge/1.svg)](https://github.com/Mehrdoost/devsecops-radar)\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003e9. Jira / Asana Integration (New!)\u003c/b\u003e\u003c/summary\u003e\n\u003cbr\u003e\n\nSet environment variables to create issues automatically:\n```bash\nexport JIRA_URL=\"https://your-domain.atlassian.net\"\nexport JIRA_TOKEN=\"your-api-token\"\ndevsecops-radar --trivy trivy.json --analyze --notify-jira\n\nexport ASANA_TOKEN=\"your-asana-token\"\nexport ASANA_WORKSPACE=\"your-workspace-gid\"\ndevsecops-radar --trivy trivy.json --analyze --notify-asana\n```\n\u003c/details\u003e\n\n---\n\n## 📋 Complete Command Reference\n\n\u003cdetails open\u003e\n\u003csummary\u003e\u003cb\u003eClick to Expand Command Categories\u003c/b\u003e\u003c/summary\u003e\n\u003cbr\u003e\n\n### 🔎 Scanners \u0026 Inputs\n| Flag | Description | Example |\n| :--- | :--- | :--- |\n| `--trivy` | Trivy JSON file or image name | `--trivy` \u003ckbd\u003eresults.json\u003c/kbd\u003e or \u003ckbd\u003enginx:latest\u003c/kbd\u003e |\n| `--semgrep` | Semgrep JSON file or directory | `--semgrep` \u003ckbd\u003eresults.json\u003c/kbd\u003e or \u003ckbd\u003e./src\u003c/kbd\u003e |\n| `--poutine` | Poutine JSON file or repo path | `--poutine` 
\u003ckbd\u003eresults.json\u003c/kbd\u003e or \u003ckbd\u003e./repo\u003c/kbd\u003e |\n| `--zizmor` | Zizmor JSON file or repo path | `--zizmor` \u003ckbd\u003eresults.json\u003c/kbd\u003e or \u003ckbd\u003e./repo\u003c/kbd\u003e |\n| `--gitleaks`| Gitleaks JSON file or repo path | `--gitleaks` \u003ckbd\u003eresults.json\u003c/kbd\u003e or \u003ckbd\u003e./repo\u003c/kbd\u003e |\n| `--rules` | Directory with custom JSON rules | `--rules` \u003ckbd\u003e~/my-rules/\u003c/kbd\u003e |\n| `--topology`| Path to topology JSON file | `--topology` \u003ckbd\u003etopology.json\u003c/kbd\u003e |\n\n### 🧠 AI, Policies \u0026 Remediation\n| Flag | Description | Example |\n| :--- | :--- | :--- |\n| `--analyze` | Enable async LLM analysis (Ollama required) | `--analyze` |\n| `--llm-backend`| `ollama` (default) or `litellm` | `--llm-backend` \u003ckbd\u003elitellm\u003c/kbd\u003e |\n| `--llm-model` | Model name | `--llm-model` \u003ckbd\u003egpt-4o-mini\u003c/kbd\u003e |\n| `--fix` | Auto‑apply AI‑suggested fixes (with backup) | `--fix` |\n| `--review` | Interactive step‑by‑step remediation | `--review` |\n| `--policy` | Policy JSON file for gating | `--policy` \u003ckbd\u003epolicy.json\u003c/kbd\u003e |\n| `--rego-policy`| OPA Rego policy file | `--rego-policy` \u003ckbd\u003epolicy.rego\u003c/kbd\u003e |\n\n### 📊 Reports \u0026 Exports\n| Flag | Description | Example |\n| :--- | :--- | :--- |\n| `--output` | Output JSON file (default: findings.json)| `--output` \u003ckbd\u003emerged.json\u003c/kbd\u003e |\n| `--report` | Generate PDF/JSON/HTML report | `--report` \u003ckbd\u003ereport.pdf\u003c/kbd\u003e |\n| `--export-sarif`| Export findings as SARIF | `--export-sarif` \u003ckbd\u003ereport.sarif\u003c/kbd\u003e |\n| `--export-cyclonedx`| Export findings as CycloneDX | `--export-cyclonedx` \u003ckbd\u003ereport.cdx\u003c/kbd\u003e |\n| `--compliance`| Framework: `CIS`, `PCI-DSS`, `ISO27001` | `--compliance` \u003ckbd\u003eCIS\u003c/kbd\u003e |\n\n### ⚙️ Integrations \u0026 
Setup\n| Flag | Description | Example |\n| :--- | :--- | :--- |\n| `--notify-jira` | Create Jira issues for criticals | `--notify-jira` |\n| `--notify-asana`| Create Asana tasks for criticals | `--notify-asana` |\n| `--wizard` | Interactive first‑time setup wizard | `--wizard` |\n| `--update-rules`| Download/update community rules | `--update-rules` |\n\n\u003cbr\u003e\n\n\u003e [!TIP]\n\u003e **`devsecops-radar-web` — Web Server Options**\n\n```bash\ndevsecops-radar-web                         # Launch on http://localhost:8080\nFINDINGS_FILE=my.json devsecops-radar-web   # Use a custom findings file\nPIPELINE_API_KEY=secret devsecops-radar-web # Enable API authentication\n```\n\n\u003c/details\u003e\n\n---\n\n## ✨ Core Capabilities\n\n### 🔌 Multi-Scanner Ingestion Engine\n* **Pluggable Architecture:** Native modular decoders ingest structured data seamlessly from Trivy, Semgrep, Poutine, Zizmor, and Gitleaks.\n* **Hybrid RuleFusion Layer:** Dynamic evaluation of custom local JSON policies mapped on top of live community-driven git feeds.\n* **Scan History Optimization:** Persistent historical compilation powered by SQLAlchemy featuring sub-second result slicing.\n\n### 🧠 Advanced Intelligence \u0026 Active Remediation\n* **Asynchronous Context Enriched LLM:** Multi-backend integration hooks (Ollama/LiteLLM) mapping structural CVE configurations to real-world MITRE ATT\u0026CK vectors.\n* **Interactive Remediation Tracks:** Intelligent mutation options applying autonomous hotfixes (`--fix`) balanced by modular human verification checkpoints (`--review`).\n* **Exploit-Aware Scoring:** Modern analytical calculations weighing vector severities alongside real-time asset exposure and dynamic surface reachability.\n\n### 🛡️ Enterprise Policy \u0026 Supply-Chain Governance\n* **Policy-as-Code Frameworks:** Advanced control assertions parsing validation rules via strict local JSON constraints or distributed Open Policy Agent (OPA) Rego scripts.\n* **Supply Chain 
Verification:** Comprehensive CycloneDX SBOM data compilation complete with proactive VEX vulnerability masking layers.\n* **Air-Gapped Absolute Confidentiality:** Complete dependency localization guaranteeing data processing loops execute with zero external request callbacks.\n\n---\n\n## 🌍 Community Rules \u0026 Online Updates\n\nPipeline Sentinel features a community‑driven rule marketplace housed in a separate repository: `devsecops-radar-rules`.\n\n**How It Works:**\nThe repository contains curated JSON rule files for all supported scanners. You can pull the latest rules with a single command:\n```bash\ndevsecops-radar --update-rules\n```\nRules are stored locally in `~/.devsecops-radar/community-rules/`. To use them alongside your scanner results:\n```bash\ndevsecops-radar --trivy scan.json --rules ~/.devsecops-radar/community-rules/\n```\n\n\u003e [!NOTE]\n\u003e You can even point to your own private repository via `COMMUNITY_RULES_REPO`!\n\n---\n\n## ⚔️ Attack Simulation \u0026 What‑If Analysis\n\n**Interactive attack simulation directly from the dashboard:**\n1. Tick the checkboxes next to the findings you want to investigate.\n2. Click **“⚡ Simulate Selected”**.\n3. 
A modal displays a generated attack script (`bash`), attack chain description, and (if Docker is available) the sandbox output.\n\n*(You can also click any node in the Attack Path Graph and press **“Simulate this attack”**)*.\n\n![Attack Simulation](docs/Simulation.PNG)\n\n---\n\n## 🔐 Security Improvements in v0.4.2\n\n- **Path Traversal Prevention:** All file operations (rules, manifests, SBOM, backups) now strictly validate that paths remain within the allowed base directory.\n- **Input Sanitization for Attack Simulation:** Bash script generation now safely escapes all user-controlled data, eliminating command injection risks in sandboxed PoCs.\n- **Hardened Docker Sandbox:** Attack simulation containers run with `--cap-drop=ALL`, `--read-only` filesystem, `--network=none`, and as non-root user `nobody`.\n- **Constant-time API Key Comparison:** Login and API key verification use `hmac.compare_digest` to prevent timing attacks.\n- **Database Connection Security:** SQLite WAL mode enabled, foreign keys enforced, and `pool_pre_ping` configured for connection health checks.\n- **Input Size Limits:** Payload size restricted (1MB), database field lengths truncated to prevent DoS and log bloat.\n- **Safe Community Rule Updates:** Git operations are restricted to whitelisted `https://github.com` URLs only, with strict argument validation.\n- **Secrets Redaction:** PDF reports and logs automatically redact passwords, tokens, and keys.\n- **Mandatory Environment Secrets:** JWT secret and API key must be provided; the server fails fast if they are missing or weak.\n\n---\n\n## 🏗️ Architecture\n\n```text\ndevsecops_radar/\n├── cli/            # CLI entry point – plugin discovery, policy, remediation\n├── core/           # RuleFusion engine, DB (SQLAlchemy), async LLM analysers\n├── scanners/       # Pluggable scanner classes (extend ScannerPlugin)\n├── plugins/        # ScannerPlugin abstract base class \u0026 entry points\n└── web/            # Flask dashboard (modular 
Blueprints, WCAG 2.1 AA)\n    ├── dashboard/  # Main dashboard routes \u0026 embedded HTML\n    ├── attack_paths/\n    ├── topology/\n    ├── summary/\n    └── sentry/     # Live webhook agent for CI/CD\n```\n\n![Architecture Diagram](docs/architecture-2.png)\n\n---\n\n## 🗺️ Roadmap\n\n| Phase | Feature | Status |\n| :--- | :--- | :--- |\n| ✅ **Phase 1** | Multi‑scanner engine (Trivy, Semgrep, Poutine, Zizmor), LLM analysis, GH Actions | Done |\n| ✅ **Phase 2** | Attack‑path visualization, Policy‑as‑Code, Auto‑remediation, Compliance reports | Done |\n| ✅ **Phase 3** | Web dashboard Blueprint, ORM pagination, SBOM, Dynamic Risk Scoring, Gitleaks | Done |\n| ✅ **Phase 4** | Advanced attack simulation, VEX filtering, Async LLM, SARIF/CycloneDX | Done |\n| 🔲 **Phase 5** | eBPF runtime security agent | Planned |\n| 🔲 **Phase 5** | Rule marketplace with YAML | Planned |\n| 🔲 **Phase 5** | Pull Request assistant (GitHub App) | Planned |\n\n\u003e [!NOTE]\n\u003e See the [open issues](https://github.com/Mehrdoost/devsecops-radar/issues) for a full list of proposed features.\n\n---\n\n## 🧪 Testing \u0026 CI\n\nPipeline Sentinel is thoroughly tested to ensure reliability for production use.\n* **Unit \u0026 Integration Tests:** 23+ tests covering scanners, rule engine, database, analyzer, API, and CLI.\n* **CI Pipeline:** Every push and pull request triggers automated testing (`pytest` with coverage) and linting (`ruff`, `mypy`) via GitHub Actions.\n\nRun tests locally:\n```bash\npip install -e \".[dev]\"\npip install pytest pytest-flask ruff\npytest tests/ -v --cov=devsecops_radar --cov-report=term-missing\nruff check .\nmypy .\n```\n\n---\n\n## 🤝 Community \u0026 Support\n\n* **Security Policy:** We take security seriously. If you discover a vulnerability, please report it privately. See our full Security Policy for details.\n* **Contributing:** We welcome contributions of all kinds! Please read our Contributing Guide. 
For adding new rules, see the Community Rules section.\n* **Code of Conduct:** This project adheres to the Contributor Covenant Code of Conduct. By participating, you are expected to uphold this code.\n\n---\n\n## ⚡ Support Development\n\nSponsor this project with a crypto donation.  \nAll funds go directly to the developer.\n\n**[🔗 Donate USDC (Polygon)](https://polygonscan.com/address/0x6b7c1c572D45575Fa5409CB52F25B750B3097c8b)** \u003csub\u003e`0x1234...5678`\u003c/sub\u003e · \u003csub\u003e\u003cimg src=\"docs/donate-qr.png\" width=\"90\" alt=\"QR\" valign=\"middle\" /\u003e\u003c/sub\u003e\n\n---\n\n## 👨‍💻 Author\n\n**ReverseForge** — ( Mehrdoost And Mi0r4 )  \n\n[![GitHub](https://img.shields.io/badge/GitHub-ReverseForge-181717?style=for-the-badge\u0026logo=github)](https://github.com/ReverseForge) \n[![GitHub](https://img.shields.io/badge/GitHub-Mehrdoost-181717?style=for-the-badge\u0026logo=github)](https://github.com/Mehrdoost) \n[![GitHub](https://img.shields.io/badge/GitHub-miora--sora-181717?style=for-the-badge\u0026logo=github)](https://github.com/miora-sora) \n\n---\n\n## 📜 License\n\nMIT — see [LICENSE](LICENSE).\n\n\u003cdiv align=\"center\"\u003e\n\u003cbr\u003e\n\n⭐ **If this project helps your team ship safer software, drop a star — it makes a real difference.**\n\n\u003c/div\u003e","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmehrdoost%2Fdevsecops-radar","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmehrdoost%2Fdevsecops-radar","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmehrdoost%2Fdevsecops-radar/lists"}