NIST RMF Cloud Security Hardening — Pre-Commit & Pre-Merge Compliance Gate
🛡️ ControlGate
ControlGate is an AI-powered agent skill that scans your code changes against the NIST SP 800-53 Rev. 5 security framework before every commit and merge. It maps findings directly to specific NIST control IDs, providing traceable compliance evidence and actionable remediation guidance.
Quick Start
```bash
# Install
pip install controlgate

# Scan staged changes
controlgate scan --mode pre-commit --format markdown

# Scan PR diff against main
controlgate scan --mode pr --target-branch main --format json markdown
```
How It Works
```text
Developer writes code
        ↓
git commit / Pull Request
        ↓
ControlGate intercepts the diff
        ↓
8 Security Gates scan against 370 non-negotiable NIST controls
        ↓
Verdict: BLOCK 🚫 / WARN ⚠️ / PASS ✅
```
The Eight Security Gates
| # | Gate | NIST Families | What It Catches |
|---|---|---|---|
| 1 | 🔑 Secrets | IA-5, SC-12, SC-28 | Hardcoded creds, API keys, private keys |
| 2 | 🔒 Crypto | SC-8, SC-13, SC-17 | Weak algorithms, missing TLS, ssl_verify=False |
| 3 | 🛡️ IAM | AC-3, AC-5, AC-6 | Wildcard IAM, missing auth, overprivileged roles |
| 4 | 📦 Supply Chain | SR-3, SR-11, SA-10 | Unpinned deps, missing lockfiles, build tampering |
| 5 | 🏗️ IaC | CM-2, CM-6, SC-7 | Public buckets, 0.0.0.0/0 rules, root containers |
| 6 | ✅ Input | SI-10, SI-11 | SQL injection, eval(), exposed stack traces |
| 7 | 📋 Audit | AU-2, AU-3, AU-12 | Missing security logging, PII in logs |
| 8 | 🔄 Change | CM-3, CM-4, CM-5 | Unauthorized config changes, missing CODEOWNERS |
Installation
From Source
```bash
git clone https://github.com/YOUR_ORG/controlgate.git
cd controlgate
python3 -m venv .venv && source .venv/bin/activate
make install-dev
```
As a Pre-Commit Hook
```yaml
# .pre-commit-config.yaml
repos:
  - repo: local
    hooks:
      - id: controlgate
        name: ControlGate Security Scan
        entry: python -m controlgate scan --mode pre-commit --format markdown
        language: python
        always_run: true
```
As a GitHub Action
Copy hooks/github_action.yml to .github/workflows/controlgate.yml in your repo.
Configuration
Create a .controlgate.yml in your project root:
```yaml
baseline: moderate   # low | moderate | high
catalog: baseline/nist80053r5_full_catalog_enriched.json
gates:
  secrets: { enabled: true, action: block }
  crypto:  { enabled: true, action: block }
  iam:     { enabled: true, action: warn }
  sbom:    { enabled: true, action: warn }
  iac:     { enabled: true, action: block }
  input:   { enabled: true, action: block }
  audit:   { enabled: true, action: warn }
  change:  { enabled: true, action: warn }
thresholds:
  block_on: [CRITICAL, HIGH]
  warn_on: [MEDIUM]
  ignore: [LOW]
exclusions:
  paths: ["tests/**", "docs/**", "*.md"]
```
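As an added illustration (not ControlGate's own code or rule set), the Python below sketches the pipeline described under How It Works and the gates table: each constructed rule belongs to one gate and carries NIST control IDs taken from the table, only added diff lines are scanned, and the verdict follows the block_on/warn_on thresholds from the configuration above. The rule patterns, severities and the sample diff are all constructed for this example.

```python
import re

# Constructed rule set (gate, regex, NIST control IDs, severity); a real scanner
# has many more rules. Patterns mirror the "What It Catches" column above.
RULES = [
    ("crypto", r"(ssl_)?verify\s*=\s*False", ("SC-8", "SC-13"), "HIGH"),
    ("iac", r"0\.0\.0\.0/0", ("SC-7", "CM-6"), "HIGH"),
    ("iam", r'"Action"\s*:\s*"\*"', ("AC-6", "AC-3"), "CRITICAL"),
    ("input", r"\beval\(", ("SI-10",), "MEDIUM"),
    ("secrets", r"""(?i)(api[_-]?key|secret)\s*=\s*['"][^'"]{8,}""", ("IA-5", "SC-28"), "CRITICAL"),
]

# Severity thresholds as in the .controlgate.yml example above.
BLOCK_ON = {"CRITICAL", "HIGH"}
WARN_ON = {"MEDIUM"}

def scan_diff(diff):
    """Scan only added lines of a unified diff ('+' lines, not the '+++' header).
    Returns a list of (gate, controls, severity, offending_line) findings."""
    findings = []
    for raw in diff.splitlines():
        if not raw.startswith("+") or raw.startswith("+++"):
            continue
        line = raw[1:]
        for gate, pattern, controls, severity in RULES:
            if re.search(pattern, line):
                findings.append((gate, controls, severity, line.strip()))
    return findings

def verdict(findings):
    """BLOCK if any finding is at a blocking severity, WARN if any is warn-level, else PASS."""
    seen = {sev for _, _, sev, _ in findings}
    if seen & BLOCK_ON:
        return "BLOCK"
    if seen & WARN_ON:
        return "WARN"
    return "PASS"

# Constructed sample diff: the insecure line is removed (so it is not scanned),
# but an eval() call is added, which yields a MEDIUM finding and a WARN verdict.
SAMPLE_DIFF = """\
--- a/client.py
+++ b/client.py
@@ -1,2 +1,3 @@
 import requests
-resp = requests.get(url, verify=False)
+resp = requests.get(url, timeout=5)
+result = eval(user_input)
"""
```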
CLI Usage
```bash
# Scan staged changes (pre-commit mode)
controlgate scan --mode pre-commit --format markdown

# Scan PR diff
controlgate scan --mode pr --target-branch main --format json markdown sarif

# Scan a saved diff file
controlgate scan --diff-file path/to/diff --format json

# Output reports to directory
controlgate scan --output-dir .controlgate/reports --format json markdown sarif
```
Output Formats
| Format | Use Case |
|---|---|
| markdown | PR comments, terminal output |
| json | Programmatic consumption, dashboards |
| sarif | GitHub Code Scanning integration |
Development
```bash
make install-dev   # Install with dev dependencies
make test          # Run tests
make test-cov      # Run tests with coverage
make lint          # Lint with ruff
make format        # Auto-format code
make typecheck     # Type check with mypy
make check         # Run all checks (lint + typecheck + test)
make build         # Build distribution packages
```
AI Agent Skills
ControlGate provides native skills for popular AI coding assistants. These skills teach the agents how to proactively scan your code for NIST 800-53 R5 compliance and automatically apply remediations.
The agent prompts and workflows are located in the skills/ directory and are published to their respective marketplaces/repositories:
- Antigravity: Full workflow definitions available in skills/antigravity/controlgate/
- Cursor: Repository rules available in skills/cursor/.cursorrules
- Claude Code: System prompt instructions in skills/claude_code/.clauderules
- CodeEx: Integration prompts in skills/codeex/instructions.md
Data Source
Powered by the NIST Cloud Security Baseline (NCSB) enriched catalog:
- 1,189 controls across 20 families
- 370 non-negotiable at Moderate baseline
- 247 code-relevant controls mapped to automated scanning rules
License
MIT
File details
Details for the file controlgate-0.1.5.tar.gz.
File metadata
- Download URL: controlgate-0.1.5.tar.gz
- Size: 40.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.10.19
File details
Details for the file controlgate-0.1.5-py3-none-any.whl.
File metadata
- Download URL: controlgate-0.1.5-py3-none-any.whl
- Size: 37.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.10.19