{"id":49616176,"url":"https://github.com/zw008/vmware-harden","last_synced_at":"2026-06-08T04:01:18.694Z","repository":{"id":355696443,"uuid":"1229218812","full_name":"zw008/VMware-Harden","owner":"zw008","description":"AI-native VMware compliance and baseline enforcement (CIS, vSphere SCG, 等保 2.0, PCI-DSS) — sibling to vmware-* skill family","archived":false,"fork":false,"pushed_at":"2026-05-29T02:13:48.000Z","size":284,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-29T03:20:50.146Z","etag":null,"topics":["agent-skills","ai-skill","automation","cis-benchmark","claude-code","codex","compliance","disa-stig","drift-detection","esxi","gemini-cli","hardening","homelab","infrastructure","mcp","pci-dss","vmware","vsphere"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/zw008.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-04T20:27:37.000Z","updated_at":"2026-05-29T02:13:50.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/zw008/VMware-Harden","commit_stats":null,"previous_names":["zw008/vmware-harden"],"tags_count":12,"template":false,"template_full_name":null,"purl":"pkg:github/zw008/VMware-Harden","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zw008%2FVMware-Harden","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zw008%2FVMware-Harden/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zw008%2FVMware-Harden/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zw008%2FVMware-Harden/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/zw008","download_url":"https://codeload.github.com/zw008/VMware-Harden/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zw008%2FVMware-Harden/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34047266,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-08T02:00:07.615Z","response_time":111,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["agent-skills","ai-skill","automation","cis-benchmark","claude-code","codex","compliance","disa-stig","drift-detection","esxi","gemini-cli","hardening","homelab","infrastructure","mcp","pci-dss","vmware","vsphere"],"created_at":"2026-05-04T22:03:00.002Z","updated_at":"2026-06-08T04:01:18.683Z","avatar_url":"https://github.com/zw008.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# vmware-harden\n\n\u003c!-- mcp-name: io.github.zw008/vmware-harden --\u003e\n\n\u003e **Disclaimer**: Community-maintained open-source project. **Not affiliated with, endorsed by, or sponsored by VMware, Inc. or Broadcom Inc.** \"VMware\", \"vSphere\", \"ESXi\", and \"NSX\" are trademarks of Broadcom. Source code is publicly auditable at [github.com/zw008/VMware-Harden](https://github.com/zw008/VMware-Harden) under the MIT license.\n\nAI-native VMware compliance and baseline enforcement. Sibling to the `vmware-*` skill family.\n\n## GA family member (since v1.5.18)\n\nProduction-ready compliance platform with **6 built-in baselines** (CIS ESXi, vSphere SCG v8, **等保 2.0 三级**, PCI-DSS 4.0, **EU NIS2**, **BSI IT-Grundschutz**), **87 rules**, multi-vCenter Twin, drift detection, **LLM Remediation Advisor**, **MCP server** with 6 audited tools, web dashboard, and `vmware-harden doctor` environment diagnostics.\n\n## Quickstart\n\n```bash\nuv tool install vmware-harden\n\n# List built-in baselines\nvmware-harden baseline list\n\n# Run a scan\nvmware-harden scan --target \u003cvcenter-name\u003e --baseline cis-vmware-esxi-8.0-subset\n\n# Or use 等保 2.0 三级 (国内合规独家)\nvmware-harden scan --target \u003cvc\u003e --baseline dengbao-2.0-level3-vmware\n\n# View results\nvmware-harden report\nvmware-harden drift\n\n# Generate remediation suggestions\nexport ANTHROPIC_API_KEY=...  # optional; falls back to mock without\nvmware-harden advise --all-critical\n\n# Web dashboard\nvmware-harden web --port 8080  # → http://127.0.0.1:8080\n```\n\n## Built-in baselines\n\n| Baseline | Rules | Applies to | Source |\n|----------|-------|-----------|--------|\n| `cis-vmware-esxi-8.0-subset` | 20 | host | CIS Benchmark v1.0 |\n| `vsphere-scg-v8-subset` | 15 | host, vm | [VMware vcf-security-and-compliance-guidelines](https://github.com/vmware/vcf-security-and-compliance-guidelines) |\n| `dengbao-2.0-level3-vmware` | 20 | host, vm, datastore, dfw_rule | GB/T 22239-2019 三级 |\n| `pci-dss-4.0-vmware` | 10 | host, dfw_rule | PCI-DSS v4.0 |\n| `eu-nis2-vmware` | 12 | host, dfw_rule | EU NIS2 Directive (Articles 21/23, Annex I) |\n| `bsi-itgs-basisabsicherung-vmware` | 10 | host | BSI IT-Grundschutz (OPS.1.1.4 + SYS.1.1) |\n\n### VCF 9.0 / 9.1 Compatibility\n\nThe existing baselines (`cis-vmware-esxi-8.0-subset`, `vsphere-scg-v8`, `dengbao-2.0-level3-vmware`, `pci-dss-4.0-vmware`) scan VCF 9.0 / 9.1 clusters successfully — most rules target host advanced settings stable across 8.x → 9.x. `cis-vmware-esxi-9.0` and `vsphere-scg-v9` baselines are planned for a future release.\n\n#### Official Broadcom References\n\n- **Security Configuration Guides**: \u003chttps://core.vmware.com/security/\u003e — vSphere SCG v8 / future v9\n- **SDKs**: \u003chttps://developer.broadcom.com/sdks\u003e — VCF Python SDK (for fetching host config via REST)\n- **CIS Benchmarks**: \u003chttps://www.cisecurity.org/cis-benchmarks/\u003e — CIS VMware ESXi Benchmark v1.0 (8.0 / future 9.0)\n\n## Custom baselines\n\n```bash\nvmware-harden baseline validate ./my-strict.yaml\nvmware-harden baseline import ./my-strict.yaml --name my-strict-cis\nvmware-harden scan --target \u003cvc\u003e --baseline my-strict-cis\n```\n\nYAML supports `extends:` for inheriting from a built-in baseline. See `skills/vmware-harden/references/cli-reference.md`.\n\n## MCP server\n\n```bash\nvmware-harden-mcp  # stdio MCP server\n```\n\nConfigure your MCP client with one of `examples/mcp-configs/*.json`. 6 read-only tools: `list_baselines`, `list_violations`, `get_remediation`, `list_drift_events`, `get_baseline_rules`, `scan_target`.\n\n## Architecture\n\n- **Estate Digital Twin** — DuckDB single file at `~/.vmware-harden/twin.duckdb`. Multi-target safe via target prefix on all node IDs.\n- **Collectors** — lazy-import sibling vmware-* skills (no spawn overhead). All scans are READ; writes deferred to vmware-pilot.\n- **Baseline schema** — Pydantic v2, strict (`extra=\"forbid\"`), `extends:` inheritance, user-dir override.\n- **Drift** — pure diff function with optional persistence; auto-runs after every scan.\n- **Advisor** — LLM-driven Suggestion generation; Anthropic provider with prompt caching; mock fallback for tests / no-API-key environments.\n- **Audit** — every MCP tool wrapped with `@vmware_tool` from family vmware-policy.\n- **Web** — FastAPI + Jinja2 + Tailwind/HTMX/ECharts CDN.\n\n## Lab regression\n\n```bash\nexport VMWARE_HARDEN_LAB_TARGET=\u003cyour-vc\u003e\npytest tests/eval/regression -v -m lab\n```\n\n## Family\n\n- **vmware-aiops** — host inventory + ops (used by harden's HostCollector)\n- **vmware-monitor** — read-only counterpart\n- **vmware-storage** — datastore inventory\n- **vmware-nsx-security** — DFW inventory\n- **vmware-pilot** — execute remediations (writes; out of scope for harden)\n- **vmware-policy** — `@vmware_tool` audit decorator\n\n## Acceptance criteria (v1.5.18 GA)\n\n- 221 tests passing\n- Bandit: 0 issues at any severity\n- All 6 MCP tools audited\n- SKILL.md ≤ 3000 words, family-convention compliant\n- SECURITY.md with 6 elements + Broadcom disclaimer\n- 6 built-in baselines (87 rules)\n- `vmware-harden doctor` for environment diagnostics\n- GA member of vmware-* family (version-aligned at 1.5.28)\n\n## References\n\n- Design: parent monorepo `docs/plans/2026-05-03-vmware-harden-design.md`\n- M1/M2/M3 plans: `docs/plans/2026-05-04-vmware-harden-{m1,m2,m3}-plan.md`\n- Family CLAUDE.md: `/Users/zw/testany/myskills/CLAUDE.md`\n\n## License\n\nMIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzw008%2Fvmware-harden","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fzw008%2Fvmware-harden","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzw008%2Fvmware-harden/lists"}