Orchestrates security scanning, policy-as-code enforcement, and SBOM generation as a CI/CD step.
Project description
devsecops-orchestrator
A Python CLI that orchestrates security scanning, policy-as-code enforcement, and SBOM generation as a CI/CD step. It is designed to be invoked inside pipelines scaffolded by repo-forge: repo-forge handles repo scaffolding and distribution, this tool handles the scanning / policy / reporting logic that runs inside the pipeline.
Status: Phase 5 (SBOM + Full Integration).
scan,report,policy-check, andsbomare live, wired into a reusable CI workflow. Phase 4 (cloud cross-reference) is deferred as an optional plugin. SeeCLAUDE.mdfor the plan.
Installation
Requires Python 3.11+.
# From a clone, for development:
python -m venv .venv && source .venv/bin/activate
pip install -e ".[dev]"
# Once published (repo-forge pipelines will pin a version):
pip install devsecops-orchestrator==0.1.0
Usage
orchestrator --help
orchestrator --version
# Run all available scanners against a target; writes report.md, report.sarif,
# and report.json into the output directory (default: current dir).
orchestrator scan . --output-dir ./reports
# Run a subset of scanners (repeatable --select / -s).
orchestrator scan . -s bandit -s pip-audit
# Re-render a previous scan's report.json without re-scanning.
orchestrator report --input ./reports --format markdown
orchestrator report --input ./reports --format sarif
# Evaluate policy-as-code and gate the build (non-zero exit on violation).
orchestrator policy-check . # gate at MEDIUM+ (default)
orchestrator policy-check . --fail-on high # only HIGH/CRITICAL block
# Generate a CycloneDX SBOM with syft.
orchestrator sbom . -o ./reports # sbom.cyclonedx.json + sbom.md
scan runs each wrapped tool as a subprocess and normalizes its output into a
common Finding model. A tool that is not installed (or crashes, or emits
unparsable output) is recorded under "scanners skipped/failed" and the scan
continues — it never aborts the whole run. Findings are written in three formats:
report.md (human-readable), report.sarif (SARIF 2.1.0 for GitHub code
scanning upload), and report.json (canonical machine-readable form that
report reloads).
| Command | Purpose | Status |
|---|---|---|
scan |
Run wrapped security scanners, normalize findings, write reports | ✅ live |
report |
Re-render a saved report as Markdown or SARIF | ✅ live |
policy-check |
OPA + Checkov + gitleaks policy gate (non-zero exit on violation) | ✅ live |
sbom |
Generate a CycloneDX SBOM with syft | ✅ live |
Policy-as-code
policy-check evaluates starter policies across three engines and fails the
build on violations. See docs/runbook.md for full details.
| Policy | Engine | Severity | Checks |
|---|---|---|---|
required-license |
OPA/Rego | HIGH | LICENSE file at repo root |
branch-protection-config-present |
OPA/Rego | MEDIUM | Branch protection declared as code |
no-root-containers |
Checkov | HIGH | Dockerfiles set a non-root USER |
no-hardcoded-secrets |
gitleaks | HIGH | No secrets in the tree |
Requires the opa binary and pip install devsecops-orchestrator[policy]
(Checkov). A missing engine degrades its policies to non-blocking ERROR rather
than aborting the gate.
Wrapped scanners
| Scanner | Detects | Install |
|---|---|---|
bandit |
Python source security issues (SAST) | pip install .[scanners] |
pip-audit |
Known-vulnerable Python dependencies | pip install .[scanners] |
semgrep |
Multi-language pattern-based SAST | pip install .[scanners] |
gitleaks |
Hardcoded secrets | binary (see gitleaks releases) |
trivy |
Filesystem vulns, misconfigs, secrets | binary (see trivy releases) |
Development
pip install -e ".[dev]"
pre-commit install # install git hooks (dogfoods our own tooling)
pytest # run tests with coverage
ruff check . # lint
black --check . # formatting
mypy # type-check
pre-commit run --all-files # run every hook
Continuous integration
.github/workflows/ci.yml runs on every pull request and on pushes to main:
- lint —
ruff,black --check,mypy - test —
pytestacross Python 3.11, 3.12, and 3.13 - self-scan — dogfoods the orchestrator against its own source (bandit + pip-audit) and uploads the SARIF report to GitHub code scanning
- policy-gate — runs
policy-checkagainst this repo (OPA + Checkov)
Branch protection
Configure the following on main (Settings → Branches → Branch protection rules)
so the CI gate is enforced:
- Require a pull request before merging, with at least 1 approving review.
- Require status checks to pass before merging — select the
lintandtestjobs from the CI workflow. - Require branches to be up to date before merging.
- Require signed commits.
- Do not allow bypassing the above (apply to administrators).
Releases use semantic versioning and are tagged on main (vX.Y.Z).
License
Apache 2.0 — see LICENSE. Third-party tools invoked by this
orchestrator are attributed in NOTICE; their source is not bundled.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file devsecops_orchestrator-0.1.0.tar.gz.
File metadata
- Download URL: devsecops_orchestrator-0.1.0.tar.gz
- Upload date:
- Size: 48.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.6
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
99abb34ad334ec150ee3aaccc15777a25a870f075c966d8690e9cc9d88025289
|
|
| MD5 |
6ba9d21040c6e409baffd0cb6ffd22c2
|
|
| BLAKE2b-256 |
f3f514a68d332b50aa0c2c3e5f797fc8bfb5769bd64061d85b05b5f516e1b35e
|
File details
Details for the file devsecops_orchestrator-0.1.0-py3-none-any.whl.
File metadata
- Download URL: devsecops_orchestrator-0.1.0-py3-none-any.whl
- Upload date:
- Size: 40.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.6
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
5ac2523d47a7b4277b388aca6bb610a419091d850e093e4566c427d3805856f9
|
|
| MD5 |
62faad4dcc43e29c4476ffcde6a51a22
|
|
| BLAKE2b-256 |
1ff7f9b8d1de68351fb80d9d3662c9760a40e3ee0bf255f5b8a9cf93074b1f5b
|