{"id":47733034,"url":"https://github.com/richonn/shieldci","last_synced_at":"2026-05-30T09:01:14.395Z","repository":{"id":347181617,"uuid":"1189030439","full_name":"Richonn/ShieldCI","owner":"Richonn","description":"GitHub Action that auto-generates hardened CI/CD DevSecOps pipelines — lint, tests, Trivy, Gitleaks, SAST and more — and   opens a PR with the generated workflows.","archived":false,"fork":false,"pushed_at":"2026-05-30T07:12:37.000Z","size":232,"stargazers_count":5,"open_issues_count":0,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-30T08:10:31.538Z","etag":null,"topics":["automation","ci-cd","devops","devsecops","github-actions","gitleaks","golang","pipeline","sast","security","trivy"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Richonn.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":"GOVERNANCE.md","roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-22T22:34:48.000Z","updated_at":"2026-05-30T07:08:58.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/Richonn/ShieldCI","commit_stats":null,"previous_names":["richonn/shieldci"],"tags_count":27,"template":false,"template_full_name":null,"purl":"pkg:github/Richonn/ShieldCI","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Richonn%2FShieldCI","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Richonn%2FShieldCI/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Richonn%2FShieldCI/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Richonn%2FShieldCI/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Richonn","download_url":"https://codeload.github.com/Richonn/ShieldCI/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Richonn%2FShieldCI/sbom","scorecard":{"id":1246134,"data":{"date":"2026-04-16T18:52:59Z","repo":{"name":"github.com/Richonn/ShieldCI","commit":"74802053a16df2bcc336a45daaab5d7df2db4d1f"},"scorecard":{"version":"v5.3.0","commit":"c22063e786c11f9dd714d777a687ff7c4599b600"},"score":7,"checks":[{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#dependency-update-tool"}},{"name":"Maintained","score":0,"reason":"project was created within the last 90 days. Please review its contents carefully","details":["Warn: Repository was created within the last 90 days."],"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#dangerous-workflow"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#security-policy"}},{"name":"Code-Review","score":0,"reason":"Found 0/22 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#code-review"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#binary-artifacts"}},{"name":"Token-Permissions","score":10,"reason":"GitHub workflow tokens follow principle of least privilege","details":["Warn: jobLevel 'packages' permission set to 'write': .github/workflows/ci.yml:30","Warn: jobLevel 'security-events' permission set to 'write': .github/workflows/ci.yml:31","Info: jobLevel 'contents' permission set to 'read': .github/workflows/ci.yml:29","Info: jobLevel 'actions' permission set to 'read': .github/workflows/ci.yml:39","Warn: jobLevel 'packages' permission set to 'write': .github/workflows/ci.yml:41","Info: jobLevel 'contents' permission set to 'read': .github/workflows/ci.yml:52","Warn: jobLevel 'security-events' permission set to 'write': .github/workflows/ci.yml:53","Info: jobLevel 'contents' permission set to 'read': .github/workflows/docker.yml:21","Warn: jobLevel 'security-events' permission set to 'write': .github/workflows/docker.yml:22","Info: jobLevel 'actions' permission set to 'read': .github/workflows/release.yml:52","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/sbom.yml:21","Info: jobLevel 'contents' permission set to 'read': .github/workflows/scorecard.yml:17","Info: jobLevel 'contents' permission set to 'read': .github/workflows/security.yml:14","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/update-major-tag.yml:15","Info: topLevel 'contents' permission set to 'read': .github/workflows/ci.yml:14","Info: topLevel 'contents' permission set to 'read': .github/workflows/dco.yml:7","Info: topLevel 'contents' permission set to 'read': .github/workflows/docker.yml:14","Info: topLevel 'contents' permission set to 'read': .github/workflows/lint.yml:7","Info: topLevel 'contents' permission set to 'read': .github/workflows/release.yml:9","Info: topLevel 'contents' permission set to 'read': .github/workflows/sbom.yml:10","Info: topLevel 'contents' permission set to 'read': .github/workflows/scorecard.yml:10","Info: topLevel 'contents' permission set to 'read': .github/workflows/security.yml:7","Info: topLevel 'contents' permission set to 'read': .github/workflows/test.yml:7","Info: topLevel 'contents' permission set to 'read': .github/workflows/update-major-tag.yml:8"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#token-permissions"}},{"name":"Pinned-Dependencies","score":8,"reason":"dependency not pinned by hash detected -- score normalized to 8","details":["Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/Richonn/ShieldCI/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:55: update your workflow using https://app.stepsecurity.io/secureworkflow/Richonn/ShieldCI/release.yml/main?enable=pin","Info:  17 out of  17 GitHub-owned GitHubAction dependencies pinned","Info:   9 out of  11 third-party GitHubAction dependencies pinned","Info:   2 out of   2 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":7,"reason":"badge detected: Silver","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#cii-best-practices"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#vulnerabilities"}},{"name":"Signed-Releases","score":2,"reason":"1 out of the last 5 releases have a total of 1 signed artifacts.","details":["Warn: release artifact v1.12.3 not signed: https://api.github.com/repos/Richonn/ShieldCI/releases/307196316","Warn: release artifact v1.12.2 not signed: https://api.github.com/repos/Richonn/ShieldCI/releases/305689228","Warn: release artifact v1.12.1 not signed: https://api.github.com/repos/Richonn/ShieldCI/releases/305675100","Warn: release artifact v1.12.0 not signed: https://api.github.com/repos/Richonn/ShieldCI/releases/305293281","Info: provenance for release artifact: multiple.intoto.jsonl: https://github.com/Richonn/ShieldCI/releases/tag/v1.13.0","Warn: release artifact v1.12.3 does not have provenance: https://api.github.com/repos/Richonn/ShieldCI/releases/307196316","Warn: release artifact v1.12.2 does not have provenance: https://api.github.com/repos/Richonn/ShieldCI/releases/305689228","Warn: release artifact v1.12.1 does not have provenance: https://api.github.com/repos/Richonn/ShieldCI/releases/305675100","Warn: release artifact v1.12.0 does not have provenance: https://api.github.com/repos/Richonn/ShieldCI/releases/305293281"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#signed-releases"}},{"name":"SAST","score":9,"reason":"SAST tool detected but not run on all commits","details":["Info: SAST configuration detected: CodeQL","Warn: 15 commits out of 17 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#sast"}},{"name":"Branch-Protection","score":4,"reason":"branch protection is not maximal on development and all release branches","details":["Info: 'allow deletion' disabled on branch 'main'","Info: 'force pushes' disabled on branch 'main'","Warn: 'branch protection settings apply to administrators' is disabled on branch 'main'","Warn: 'stale review dismissal' is disabled on branch 'main'","Warn: branch 'main' does not require approvers","Warn: codeowners review is not required on branch 'main'","Warn: 'last push approval' is disabled on branch 'main'","Info: 'up-to-date branches' is required to merge on branch 'main'","Info: status check found to merge onto on branch 'main'","Info: PRs are required in order to make changes on branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#branch-protection"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#packaging"}},{"name":"Fuzzing","score":10,"reason":"project is fuzzed","details":["Info: GoBuiltInFuzzer integration found: internal/detect/fuzz_test.go:9","Info: GoBuiltInFuzzer integration found: internal/detect/fuzz_test.go:31","Info: GoBuiltInFuzzer integration found: internal/generate/fuzz_test.go:9"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#license"}},{"name":"Contributors","score":0,"reason":"project has 0 contributing companies or organizations -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#contributors"}},{"name":"CI-Tests","score":10,"reason":"14 out of 14 merged PRs checked by a CI test -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#ci-tests"}}]},"last_synced_at":"2026-04-16T19:33:21.805Z","repository_id":347181617,"created_at":"2026-04-16T19:33:21.805Z","updated_at":"2026-04-16T19:33:21.805Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33686018,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-30T02:00:06.278Z","response_time":92,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["automation","ci-cd","devops","devsecops","github-actions","gitleaks","golang","pipeline","sast","security","trivy"],"created_at":"2026-04-02T22:00:00.527Z","updated_at":"2026-05-30T09:01:14.389Z","avatar_url":"https://github.com/Richonn.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ShieldCI\n\n\u003e GitHub Action that auto-generates hardened CI/CD DevSecOps pipelines and opens a PR with the generated workflows.\n\n[![CI](https://github.com/Richonn/ShieldCI/actions/workflows/ci.yml/badge.svg)](https://github.com/Richonn/ShieldCI/actions/workflows/ci.yml)\n[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/12352/badge?v=2)](https://www.bestpractices.dev/projects/12352)\n[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/Richonn/ShieldCI/badge)](https://securityscorecards.dev/viewer/?uri=github.com/Richonn/ShieldCI)\n[![SLSA Level 3](https://slsa.dev/images/gh-badge-level3.svg)](https://slsa.dev/spec/v1.0/levels)\n[![Go Report Card](https://goreportcard.com/badge/github.com/Richonn/ShieldCI)](https://goreportcard.com/report/github.com/Richonn/ShieldCI)\n[![GitHub Release](https://img.shields.io/github/v/release/Richonn/ShieldCI)](https://github.com/Richonn/ShieldCI/releases/latest)\n\n## Quick start\n\n**1. Create a Personal Access Token** with scopes `repo` + `workflow` and store it as a secret (e.g. `GH_TOKEN`) in your repository.\n\n**2. Add the action to your workflow:**\n\n```yaml\n- uses: Richonn/ShieldCI@v1\n  with:\n    github-token: ${{ secrets.GH_TOKEN }}\n```\n\nShieldCI will detect your stack, generate the appropriate workflows, and open a PR.\n\n\u003e **Why a PAT?** GitHub blocks writes to `.github/workflows/` for `GITHUB_TOKEN` by design. A PAT with `workflow` scope is required to create workflow files.\n\n## Inputs\n\n| Input | Required | Default | Description |\n|---|---|---|---|\n| `github-token` | ✅ | — | Token for creating branches and PRs |\n| `language` | ❌ | `auto` | Language override: `node`, `python`, `java`, `go`, `auto` |\n| `docker` | ❌ | `auto` | Docker detection: `true`, `false`, `auto` |\n| `kubernetes` | ❌ | `false` | Include K8s deploy workflow |\n| `enable-trivy` | ❌ | `true` | Add Trivy image scan job |\n| `enable-gitleaks` | ❌ | `true` | Add Gitleaks secret scan job |\n| `enable-sast` | ❌ | `true` | Add SAST job (CodeQL or Semgrep) |\n| `sast-tool` | ❌ | `codeql` | SAST tool: `codeql` or `semgrep` |\n| `branch-name` | ❌ | `shieldci/generated-workflows` | Branch to push generated workflows to |\n| `pr-title` | ❌ | `[ShieldCI] Add CI/CD DevSecOps pipeline` | PR title |\n| `dry-run` | ❌ | `false` | If `true`, print generated workflows to the Job Summary without creating a branch or PR |\n| `max-depth` | ❌ | `3` | Max directory depth for monorepo component detection |\n\n## Outputs\n\n| Output | Description |\n|---|---|\n| `pr-url` | URL of the created pull request |\n| `detected-stack` | Detected stack as JSON |\n| `generated-files` | Comma-separated list of generated file paths |\n\n## Using outputs in downstream steps\n\n```yaml\n- name: Generate pipelines\n  id: shieldci\n  uses: Richonn/ShieldCI@v1\n  with:\n    github-token: ${{ secrets.GH_TOKEN }}\n\n- name: Print detected stack\n  run: |\n    echo \"Stack: ${{ steps.shieldci.outputs.detected-stack }}\"\n    echo \"PR: ${{ steps.shieldci.outputs.pr-url }}\"\n\n- name: Conditional step based on detected stack\n  if: ${{ fromJson(steps.shieldci.outputs.detected-stack).language == 'go' }}\n  run: echo \"Go project detected — run extra Go-specific steps here\"\n```\n\n\u003e `detected-stack` is a JSON string — use `fromJson()` to access individual fields (`language`, `docker`, `k8s`).\n\n## Supported stacks\n\n| Language | CI | Lint | Test | Build |\n|---|---|---|---|---|\n| Go | ✅ | golangci-lint | go test -race | go build |\n| Node.js | ✅ | eslint | jest | npm/yarn build |\n| Python | ✅ | ruff | pytest | build/poetry |\n| Java | ✅ | — | mvn/gradle | mvn/gradle |\n| Rust | ✅ | cargo clippy | cargo test | cargo build |\n\nDocker and Kubernetes workflows are generated automatically when detected.\n\n## Security tools\n\n- **Gitleaks** — secret detection in git history\n- **Trivy** — container vulnerability scanning with SARIF upload to GitHub Security tab\n- **CodeQL / Semgrep** — static analysis (SAST)\n- **Syft** — SBOM generation (Software Bill of Materials)\n- **OpenSSF Scorecard** — automated security posture scoring (weekly + on push), results uploaded to GitHub Security tab\n- **SLSA provenance** — cryptographic attestation of the build process (level 3), stored in the Rekor transparency log\n\n### Semgrep custom rules\n\nWhen `sast-tool: semgrep` is set and no `.semgrep/` directory exists in the target repo, ShieldCI generates a `.semgrep/rules/example.yml` file with a commented example rule to get you started.\n\nIf `.semgrep/` already exists, ShieldCI uses your existing rules (`--config=.semgrep/`) instead of the default community ruleset (`--config=auto`).\n\n## Dry-run mode\n\nSet `dry-run: \"true\"` to preview the generated workflows in the GitHub Actions Job Summary without touching your repository:\n\n```yaml\n- uses: Richonn/ShieldCI@v1\n  with:\n    github-token: ${{ secrets.GH_TOKEN }}\n    dry-run: \"true\"\n```\n\nThe Job Summary will display each generated workflow file as a fenced YAML block. No branch or PR is created.\n\n## Verifying releases\n\nEvery ShieldCI release ships with [SLSA Level 3](https://slsa.dev/spec/v1.0/levels) provenance generated by [`slsa-github-generator`](https://github.com/slsa-framework/slsa-github-generator). Provenance attestations are stored in the public [Rekor](https://rekor.sigstore.dev) transparency log and cryptographically tie each artifact to the `Richonn/ShieldCI` repository and the exact CI workflow that produced it.\n\n### Docker image\n\n```sh\n# Install slsa-verifier: https://github.com/slsa-framework/slsa-verifier\nslsa-verifier verify-image ghcr.io/richonn/shieldci:\u003csha\u003e \\\n  --source-uri github.com/Richonn/ShieldCI \\\n  --source-tag \u003cversion\u003e\n```\n\n### Binary artifacts\n\nEach GitHub Release includes pre-built binaries for Linux, macOS, and Windows, a `checksums.txt` SHA256 manifest, and a `.intoto.jsonl` SLSA provenance file.\n\n```sh\n# Download the binary, checksums, and provenance from the release page, then:\nslsa-verifier verify-artifact shieldci-linux-amd64 \\\n  --provenance-path shieldci-linux-amd64.intoto.jsonl \\\n  --source-uri github.com/Richonn/ShieldCI \\\n  --source-tag \u003cversion\u003e\n```\n\nThe provenance certificate contains the exact workflow path (`.github/workflows/release.yml`) and commit SHA, providing cryptographic proof of both integrity and author identity.\n\n## Versioning\n\nShieldCI uses a floating major tag (`v1`) that always points to the latest release in the `v1.x.x` series. This means `Richonn/ShieldCI@v1` automatically picks up new features and fixes without any change on your side.\n\nThe floating tag is updated automatically via a GitHub Actions workflow on every new release.\n\nIf you need reproducibility, pin to a specific version:\n\n```yaml\n- uses: Richonn/ShieldCI@v1.1.1\n```\n\n## Image signing with Cosign\n\nWhen a `Dockerfile` is detected, ShieldCI generates a Docker workflow that automatically signs the built image using [Cosign](https://github.com/sigstore/cosign) in keyless mode via GitHub Actions OIDC.\n\nNo keys or secrets to manage — the signature is tied to the GitHub Actions identity and stored in the public [Rekor](https://rekor.sigstore.dev) transparency log.\n\nThe image is pushed to `ghcr.io/\u003cowner\u003e/\u003crepo\u003e:\u003csha\u003e` and signed immediately after the build. Anyone can verify the signature with:\n\n```sh\ncosign verify ghcr.io/\u003cowner\u003e/\u003crepo\u003e:\u003csha\u003e \\\n  --certificate-identity-regexp=\"https://github.com/\u003cowner\u003e/\u003crepo\u003e\" \\\n  --certificate-oidc-issuer=\"https://token.actions.githubusercontent.com\"\n```\n\n## SBOM generation\n\nShieldCI generates two SBOM workflows via [Syft](https://github.com/anchore/syft):\n\n- **`sbom.yml`** — always generated, analyses the repository source and dependencies\n- **`sbom-docker.yml`** — generated when a `Dockerfile` is detected, builds the image and generates a SBOM from it\n\nSBOM files are uploaded as artifacts and available from the Actions run summary.\n\n## Monorepo support\n\nShieldCI automatically detects monorepos by scanning subdirectories up to a configurable depth. A separate workflow is generated per detected component, named `\u003ccomponent\u003e-ci.yml`, `\u003ccomponent\u003e-lint.yml`, etc.\n\n**Supported monorepo layouts:**\n\n```\nmy-monorepo/\n├── backend-services/\n│   ├── user-service/       # Go component → user-service-ci.yml\n│   └── media-service/      # Rust component → media-service-ci.yml\n└── tools/\n    └── inspector/          # Python component → inspector-ci.yml\n```\n\nThe following directories are automatically excluded from scanning: `node_modules`, `vendor`, `dist`, `build`, `target`, `docs`, `scripts`, and others.\n\nAdjust scan depth with `max-depth` (default: `3`):\n\n```yaml\n- uses: Richonn/ShieldCI@v1\n  with:\n    github-token: ${{ secrets.GH_TOKEN }}\n    max-depth: '4'\n```\n\n## Roadmap\n\n- [x] Rust support\n- [x] `dry-run` mode\n- [x] Pinned action SHAs in generated workflows\n- [x] Semgrep custom rules support\n- [x] SBOM via Syft\n- [x] Monorepo support\n- [x] Image signing with Cosign (keyless via OIDC)\n- [x] SLSA provenance via `slsa-github-generator` (level 3)\n- [x] Build caching in generated workflows (Go modules, pip/poetry, npm/yarn, maven/gradle)\n- [x] Multi-version matrix testing in generated workflows (Go, Rust, Java, Node, Python)\n- [x] OpenSSF Scorecard integration\n- [x] Concurrency groups in generated workflows (`cancel-in-progress`)\n- [x] Go fuzz tests (`detect`, `generate`)\n- [x] Workflow permission hardening (least privilege, job-level write scopes)\n- [x] Dockerfile base image SHA pinning\n- [x] Security policy (`SECURITY.md`)\n- [x] Multi-arch Docker builds (`linux/amd64`, `linux/arm64`)\n\n## License\n\nMIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frichonn%2Fshieldci","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frichonn%2Fshieldci","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frichonn%2Fshieldci/lists"}