{"id":34246503,"url":"https://github.com/msaadshabir/pci-segment","last_synced_at":"2026-04-05T22:06:06.165Z","repository":{"id":318906691,"uuid":"1073439158","full_name":"msaadshabir/pci-segment","owner":"msaadshabir","description":"Go CLI for PCI-DSS network segmentation. Validates YAML policies, enforces via eBPF (Linux) or pf (macOS), syncs to AWS/Azure, and generates compliance reports.","archived":false,"fork":false,"pushed_at":"2026-03-22T20:50:43.000Z","size":283,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-03-23T11:49:08.889Z","etag":null,"topics":["audit-logging","aws","azure","cli","compliance","ebpf","golang","network-policy","network-seg","pci-dss","pf","security"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/msaadshabir.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":"ROADMAP.md","authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-10-10T05:49:50.000Z","updated_at":"2026-03-22T20:50:43.000Z","dependencies_parsed_at":null,"dependency_job_id":"8c92fd1e-a1a7-4ce0-88f9-a1a567173d0c","html_url":"https://github.com/msaadshabir/pci-segment","commit_stats":null,"previous_names":["msaadshabir/pci-segment"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/msaadshabir/pci-segment","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/msaadshabir%2Fpci-segment","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/msaadshabir%2Fpci-segment/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/msaadshabir%2Fpci-segment/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/msaadshabir%2Fpci-segment/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/msaadshabir","download_url":"https://codeload.github.com/msaadshabir/pci-segment/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/msaadshabir%2Fpci-segment/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31451463,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-05T21:22:52.476Z","status":"ssl_error","status_checked_at":"2026-04-05T21:22:51.943Z","response_time":75,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["audit-logging","aws","azure","cli","compliance","ebpf","golang","network-policy","network-seg","pci-dss","pf","security"],"created_at":"2025-12-16T07:08:01.624Z","updated_at":"2026-04-05T22:06:06.034Z","avatar_url":"https://github.com/msaadshabir.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# pci-segment\n\nOpen-source PCI-DSS v4.0 network segmentation for fintech.\n\nAutomate compliance for Requirements 1.2 and 1.3 with policy-as-code, cloud auto-remediation, and auditor-ready reports. Free alternative to commercial tools costing $50k+/year.\n\n[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)\n[![Go Version](https://img.shields.io/badge/Go-1.25+-00ADD8?logo=go)](https://go.dev)\n[![PCI-DSS](https://img.shields.io/badge/PCI--DSS-v4.0-green)](https://www.pcisecuritystandards.org)\n[![Linux](https://img.shields.io/badge/Linux-eBPF-FCC624?logo=linux\u0026logoColor=black)](https://ebpf.io)\n[![AWS](https://img.shields.io/badge/AWS-Security_Groups-FF9900?logo=amazon-aws\u0026logoColor=white)](https://aws.amazon.com)\n[![Azure](https://img.shields.io/badge/Azure-NSG-0078D4?logo=microsoft-azure\u0026logoColor=white)](https://azure.microsoft.com)\n[![macOS](https://img.shields.io/badge/macOS-pf_firewall-000000?logo=apple\u0026logoColor=white)](https://www.apple.com/macos)\n\n## The Problem\n\n80% of PCI-DSS failures stem from poor network segmentation.\n\n| Challenge | pci-segment Solution |\n| ------------------------------------- | ------------------------------- |\n| Commercial tools cost $50k-$100k/year | Free, open-source (MIT license) |\n| Complex setup, vendor lock-in | Single binary, YAML policies |\n| Manual compliance validation | Automated reports for auditors |\n| No cloud integration | AWS/Azure auto-remediation |\n\n## What It Does\n\n```\n┌─────────────┐ ┌──────────────┐ ┌─────────────┐\n│ YAML Policy │─────▶│ Policy Engine│─────▶│ Enforcement │\n│ (Req 1.2/1.3│ │ Validator │ │ eBPF / Cloud│\n└─────────────┘ └──────┬───────┘ └─────────────┘\n │\n ┌──────▼───────┐\n │ Reporter │\n │ HTML / JSON │\n └──────────────┘\n```\n\n### Core Capabilities\n\n| Feature | Description | Status |\n| ------------------ | ---------------------------------------------- | ---------------- |\n| Policy Validation | Enforce PCI-DSS Req 1.2/1.3 with YAML | Production-ready |\n| Cloud Sync | Auto-update AWS Security Groups and Azure NSGs | Production-ready |\n| Drift Detection | Find non-compliant cloud resources | Production-ready |\n| Compliance Reports | Generate HTML/JSON for QSA audits | Production-ready |\n| Host Enforcement | eBPF packet filtering (Linux) | Production-ready |\n\n### Compliance Coverage\n\n| Requirement | Implementation |\n| ----------- | ---------------------------------------------- |\n| Req 1.2 | Network segmentation via default-deny policies |\n| Req 1.3 | CDE isolation with explicit allow rules only |\n| Req 10.2 | Audit logging of all enforcement events |\n| Req 12.10 | Executive summary reports for assessors |\n\n## Quick Start\n\n### Installation\n\n```bash\n# macOS (Apple Silicon)\ncurl -L https://github.com/msaadshabir/pci-segment/releases/latest/download/pci-segment-darwin-arm64 -o pci-segment\nchmod +x pci-segment \u0026\u0026 sudo mv pci-segment /usr/local/bin/\n\n# Linux (x86_64)\ncurl -L https://github.com/msaadshabir/pci-segment/releases/latest/download/pci-segment-linux-amd64 -o pci-segment\nchmod +x pci-segment \u0026\u0026 sudo mv pci-segment /usr/local/bin/\n\n# Build from source (Go 1.25+)\ngit clone https://github.com/msaadshabir/pci-segment.git\ncd pci-segment \u0026\u0026 go build -o pci-segment .\n```\n\n### Basic Usage\n\n**Validate a policy:**\n\n```bash\npci-segment validate -f examples/policies/cde-isolation.yaml\n```\n\n**Sync to cloud (AWS/Azure):**\n\n```bash\npci-segment cloud-sync -f examples/policies/*.yaml --cloud-config cloud-config.yaml --dry-run\n```\n\n### Global Configuration File\n\nYou can provide defaults (log level, cloud config path, interface, privilege overrides) via a YAML config file:\n\n```bash\npci-segment --config /etc/pci-segment/config.yaml cloud-sync -f examples/policies/*.yaml --dry-run\n```\n\nPrecedence is: flags \u003e environment variables \u003e config file \u003e defaults.\n\n**Generate compliance report:**\n\n```bash\npci-segment report -f examples/policies/*.yaml -o audit-report.html\n```\n\n### Linux Privilege Hardening\n\nFor production deployments:\n\n```bash\n# Create service account (one-time)\nsudo groupadd --system pci-segment || true\nsudo useradd --system --gid pci-segment --home-dir /var/lib/pci-segment \\\n --create-home --shell /usr/sbin/nologin pci-segment || true\n\n# Enforce with automatic privilege drop\nsudo PCI_SEGMENT_PRIVILEGE_USER=pci-segment \\\n PCI_SEGMENT_PRIVILEGE_GROUP=pci-segment \\\n pci-segment enforce -f policies/*.yaml\n```\n\nBy default the CLI drops root after attaching eBPF programs, retaining only `CAP_BPF` and `CAP_NET_ADMIN` and installing a seccomp-bpf denylist to block dangerous syscalls. See [docs/HARDENING.md](docs/HARDENING.md) for full guidance.\n\n### Example Policy\n\n```yaml\napiVersion: pci-segment/v1\nkind: NetworkPolicy\nmetadata:\n name: cde-isolation\n annotations:\n pci-dss: \"Req 1.2, Req 1.3\"\nspec:\n podSelector:\n matchLabels:\n pci-env: cde\n\n egress:\n - to:\n - ipBlock:\n cidr: 10.0.10.0/24\n ports:\n - protocol: TCP\n port: 443\n\n ingress:\n - from:\n - ipBlock:\n cidr: 10.0.20.0/24\n ports:\n - protocol: TCP\n port: 9090\n```\n\n## Command Reference\n\n```bash\npci-segment \u003ccommand\u003e [flags]\n\nCommands:\n validate Validate policies against PCI-DSS requirements\n enforce Apply policies (host-based enforcement)\n report Generate HTML/JSON compliance reports\n cloud-sync Sync policies to AWS/Azure security groups\n cloud-validate Check cloud resources for compliance\n\nGlobal Flags:\n --config Path to global config file (YAML)\n -f, --file Policy file(s) (supports globs)\n -v, --verbose Verbose output (alias for --log-level=debug)\n --log-level Log level: debug, info, warn, error (default: info)\n -h, --help Show help\n```\n\n## Production Readiness\n\n| Component | Status | Notes |\n| --------------------------- | ---------------- | ------------------------------ |\n| AWS/Azure Cloud Integration | Production-ready | Deploy today |\n| Policy Validation Engine | Production-ready | Deploy today |\n| Compliance Reporting | Production-ready | Deploy today |\n| Linux eBPF Enforcement | Production-ready | Requires Linux kernel 5.4+ |\n| Audit Logging | Production-ready | Tamper-proof, 90-day retention |\n| Prometheus Metrics | Production-ready | :9090/metrics endpoint |\n\n### Known Limitations\n\n**Host Enforcement:**\n\n- Linux eBPF: Production-ready (kernel 5.4+, IPv4 only)\n- macOS pf: Development/testing only\n- Windows: Not yet supported (planned)\n\n**Infrastructure:**\n\n- Single instance only (no HA/clustering)\n\n**Cloud Features:**\n\n- Security Groups are stateful\n- AWS/Azure only (GCP planned)\n\nSee [ROADMAP.md](ROADMAP.md) for detailed status.\n\n## Architecture\n\n| Layer | Technology | Purpose |\n| ---------------- | ------------------------ | ----------------------------------- |\n| Policy Engine | Go + YAML | Parse and validate PCI-DSS policies |\n| Enforcer | eBPF (Linux), pf (macOS) | Kernel-level packet filtering |\n| Cloud Integrator | AWS/Azure SDKs | Sync to Security Groups/NSGs |\n| Reporter | HTML templates | Generate QSA audit reports |\n| CLI | Cobra framework | User interface |\n\n### Security Model\n\n| Threat | Mitigation |\n| ------------------- | ------------------------------------------ |\n| Policy bypass | Kernel-level enforcement (eBPF) |\n| Label spoofing | Validation against trusted inventory |\n| Credential exposure | Never log secrets, use cloud IAM roles |\n| Enforcer compromise | Drop privileges, seccomp, SELinux/AppArmor |\n\n## Documentation\n\n- [Cloud Integration Guide](examples/cloud/README.md)\n- [Hardening Guide](docs/HARDENING.md)\n- [Audit Logging](pkg/audit/README.md)\n- [eBPF Implementation](pkg/enforcer/bpf/README.md)\n\n## License\n\nMIT License - see [LICENSE](LICENSE) for details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmsaadshabir%2Fpci-segment","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmsaadshabir%2Fpci-segment","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmsaadshabir%2Fpci-segment/lists"}