Shared types, Charter schema, signing, and SARIF emit for BlastContain tools
Project description
blastcontain-core
Shared types, Charter schema, audit-packet signing, and SARIF emit for the BlastContain tool family.
pip install blastcontain-core
What's in here
| Module | Purpose |
|---|---|
blastcontain_core.models |
Severity, ScanStatus, InfraFinding, ScanResult |
blastcontain_core.constants |
MIT_RISK_MAP — finding_type → MIT AI Risk taxonomy |
blastcontain_core.charter |
CharterSchema, DelegationRules, HitlConfig, RemediationProof |
blastcontain_core.signing |
Ed25519 + HMAC packet signing and verification |
blastcontain_core.sarif |
SARIF 2.1.0 output for GitHub/GitLab/IDEs |
blastcontain_core.ignore |
.blastcontainignore pattern loader |
Who uses this
blastcontain-verify— pre-deployment compliance scannerblastcontain-drill— runtime probing / red-team simulationblastcontain-discovery— shadow AI / agent discovery- BlastContain Platform (closed source)
Pre-release note: these repositories and PyPI packages are not published yet. The links above are the planned canonical locations and will 404 until the first public release;
blastcontain-verifyships first, withdrillanddiscoveryfollowing once they have implementations. Until then, build from the localblastcontain-oss/working tree.
If you're writing a third-party BlastContain tool, depend on this package and your output will be wire-compatible with the rest of the ecosystem.
Signing an audit packet
from blastcontain_core.signing import sign_packet, verify_packet
from datetime import datetime, timezone
payload = {"agent_id": "my-agent", "environment": "prod", "findings": []}
signed_at = datetime.now(timezone.utc).isoformat()
signature = sign_packet(payload, signed_at=signed_at)
packet = {"schema_version": "1.1", "packet": payload, "signature": signature}
# Anyone with the public key (or the HMAC secret) can verify
assert verify_packet(packet) is True
Signing key sources, in priority order:
BLASTCONTAIN_SIGNING_KEY_PATH— path to a PEM-encoded Ed25519 private key (preferred)BLASTCONTAIN_SIGNING_KEY_PEM— PEM contents as a stringBLASTCONTAIN_SIGNING_KEY— arbitrary HMAC secret (fallback)- None — defaults to
local-verify-defaultHMAC with a stderr warning
Generate a real Ed25519 key:
openssl genpkey -algorithm Ed25519 -out blastcontain-signing.key
chmod 600 blastcontain-signing.key
export BLASTCONTAIN_SIGNING_KEY_PATH=$PWD/blastcontain-signing.key
export BLASTCONTAIN_SIGNING_KEY_ID=ed25519-prod-2026-q2
Writing a local Charter
# charter.yaml
agent_id: my-agent
environment: prod
version: "1.0"
trust_tier: 1
permitted_tools:
- search_knowledge_base
- get_ticket_status
delegation_rules:
max_chain_depth: 0
require_parent_approval: true
hitl_config:
required_for: ["destructive_apis"]
timeout_sec: 600
from blastcontain_core.charter import load_charter
charter = load_charter("./charter.yaml")
assert "search_knowledge_base" in charter.permitted_tools
SARIF output
from blastcontain_core.sarif import write_sarif
write_sarif(scan_result, "scan.sarif", tool_name="my-tool", tool_version="1.0.0")
Upload to GitHub Code Scanning in your CI:
- uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: scan.sarif
License
Apache 2.0 — see also NOTICE for third-party attribution.
Contributing
See CONTRIBUTING.md. All contributions require a DCO sign-off (git commit -s).
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file blastcontain_core-0.2.0.tar.gz.
File metadata
- Download URL: blastcontain_core-0.2.0.tar.gz
- Upload date:
- Size: 26.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
af1ce6f33a36c7bd67860b30df2110461e5a2a0db20c14105288bce7701d33c0
|
|
| MD5 |
ac391b3239dfbad28122f7ec442aa865
|
|
| BLAKE2b-256 |
3b441820b36ab8af82e5513a0cf8d2bfea03d3f0b877d9b2f8632084a1085a25
|
Provenance
The following attestation bundles were made for blastcontain_core-0.2.0.tar.gz:
Publisher:
release.yml on gdeudney/blastcontain-oss
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
blastcontain_core-0.2.0.tar.gz -
Subject digest:
af1ce6f33a36c7bd67860b30df2110461e5a2a0db20c14105288bce7701d33c0 - Sigstore transparency entry: 2072653196
- Sigstore integration time:
-
Permalink:
gdeudney/blastcontain-oss@399eb04063b7b426f93a07fdaaa520d3c7c1e915 -
Branch / Tag:
refs/tags/core-v0.2.0 - Owner: https://github.com/gdeudney
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@399eb04063b7b426f93a07fdaaa520d3c7c1e915 -
Trigger Event:
push
-
Statement type:
File details
Details for the file blastcontain_core-0.2.0-py3-none-any.whl.
File metadata
- Download URL: blastcontain_core-0.2.0-py3-none-any.whl
- Upload date:
- Size: 23.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
de14a3fc462d9b3300199c20e212a3fa053569568033e91b69b40ab16baeb540
|
|
| MD5 |
df0f0a2aa7e62d1281c83e21b7154def
|
|
| BLAKE2b-256 |
93b9eba5e3bfb74ed60e19de70c1e6ffba5f72f18fa155deb5d67e318fdd872a
|
Provenance
The following attestation bundles were made for blastcontain_core-0.2.0-py3-none-any.whl:
Publisher:
release.yml on gdeudney/blastcontain-oss
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
blastcontain_core-0.2.0-py3-none-any.whl -
Subject digest:
de14a3fc462d9b3300199c20e212a3fa053569568033e91b69b40ab16baeb540 - Sigstore transparency entry: 2072653208
- Sigstore integration time:
-
Permalink:
gdeudney/blastcontain-oss@399eb04063b7b426f93a07fdaaa520d3c7c1e915 -
Branch / Tag:
refs/tags/core-v0.2.0 - Owner: https://github.com/gdeudney
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@399eb04063b7b426f93a07fdaaa520d3c7c1e915 -
Trigger Event:
push
-
Statement type: