Skip to main content

Orchestrates security scanning, policy-as-code enforcement, and SBOM generation as a CI/CD step.

Project description

devsecops-orchestrator

A Python CLI that orchestrates security scanning, policy-as-code enforcement, and SBOM generation as a CI/CD step. It is designed to be invoked inside pipelines scaffolded by repo-forge: repo-forge handles repo scaffolding and distribution, this tool handles the scanning / policy / reporting logic that runs inside the pipeline.

Status: Phase 5 (SBOM + Full Integration). scan, report, policy-check, and sbom are live, wired into a reusable CI workflow. Phase 4 (cloud cross-reference) is deferred as an optional plugin. See CLAUDE.md for the plan.

Installation

Requires Python 3.11+.

# From a clone, for development:
python -m venv .venv && source .venv/bin/activate
pip install -e ".[dev]"

# Once published (repo-forge pipelines will pin a version):
pip install devsecops-orchestrator==0.1.0

Usage

orchestrator --help
orchestrator --version

# Run all available scanners against a target; writes report.md, report.sarif,
# and report.json into the output directory (default: current dir).
orchestrator scan . --output-dir ./reports

# Run a subset of scanners (repeatable --select / -s).
orchestrator scan . -s bandit -s pip-audit

# Re-render a previous scan's report.json without re-scanning.
orchestrator report --input ./reports --format markdown
orchestrator report --input ./reports --format sarif

# Evaluate policy-as-code and gate the build (non-zero exit on violation).
orchestrator policy-check .                 # gate at MEDIUM+ (default)
orchestrator policy-check . --fail-on high  # only HIGH/CRITICAL block

# Generate a CycloneDX SBOM with syft.
orchestrator sbom . -o ./reports            # sbom.cyclonedx.json + sbom.md

scan runs each wrapped tool as a subprocess and normalizes its output into a common Finding model. A tool that is not installed (or crashes, or emits unparsable output) is recorded under "scanners skipped/failed" and the scan continues — it never aborts the whole run. Findings are written in three formats: report.md (human-readable), report.sarif (SARIF 2.1.0 for GitHub code scanning upload), and report.json (canonical machine-readable form that report reloads).

Command Purpose Status
scan Run wrapped security scanners, normalize findings, write reports ✅ live
report Re-render a saved report as Markdown or SARIF ✅ live
policy-check OPA + Checkov + gitleaks policy gate (non-zero exit on violation) ✅ live
sbom Generate a CycloneDX SBOM with syft ✅ live

Policy-as-code

policy-check evaluates starter policies across three engines and fails the build on violations. See docs/runbook.md for full details.

Policy Engine Severity Checks
required-license OPA/Rego HIGH LICENSE file at repo root
branch-protection-config-present OPA/Rego MEDIUM Branch protection declared as code
no-root-containers Checkov HIGH Dockerfiles set a non-root USER
no-hardcoded-secrets gitleaks HIGH No secrets in the tree

Requires the opa binary and pip install devsecops-orchestrator[policy] (Checkov). A missing engine degrades its policies to non-blocking ERROR rather than aborting the gate.

Wrapped scanners

Scanner Detects Install
bandit Python source security issues (SAST) pip install .[scanners]
pip-audit Known-vulnerable Python dependencies pip install .[scanners]
semgrep Multi-language pattern-based SAST pip install .[scanners]
gitleaks Hardcoded secrets binary (see gitleaks releases)
trivy Filesystem vulns, misconfigs, secrets binary (see trivy releases)

Development

pip install -e ".[dev]"
pre-commit install          # install git hooks (dogfoods our own tooling)

pytest                      # run tests with coverage
ruff check .                # lint
black --check .             # formatting
mypy                        # type-check
pre-commit run --all-files  # run every hook

Continuous integration

.github/workflows/ci.yml runs on every pull request and on pushes to main:

  • lintruff, black --check, mypy
  • testpytest across Python 3.11, 3.12, and 3.13
  • self-scan — dogfoods the orchestrator against its own source (bandit + pip-audit) and uploads the SARIF report to GitHub code scanning
  • policy-gate — runs policy-check against this repo (OPA + Checkov)

Branch protection

Configure the following on main (Settings → Branches → Branch protection rules) so the CI gate is enforced:

  • Require a pull request before merging, with at least 1 approving review.
  • Require status checks to pass before merging — select the lint and test jobs from the CI workflow.
  • Require branches to be up to date before merging.
  • Require signed commits.
  • Do not allow bypassing the above (apply to administrators).

Releases use semantic versioning and are tagged on main (vX.Y.Z).

License

Apache 2.0 — see LICENSE. Third-party tools invoked by this orchestrator are attributed in NOTICE; their source is not bundled.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

devsecops_orchestrator-0.1.0.tar.gz (48.0 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

devsecops_orchestrator-0.1.0-py3-none-any.whl (40.8 kB view details)

Uploaded Python 3

File details

Details for the file devsecops_orchestrator-0.1.0.tar.gz.

File metadata

  • Download URL: devsecops_orchestrator-0.1.0.tar.gz
  • Upload date:
  • Size: 48.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.6

File hashes

Hashes for devsecops_orchestrator-0.1.0.tar.gz
Algorithm Hash digest
SHA256 99abb34ad334ec150ee3aaccc15777a25a870f075c966d8690e9cc9d88025289
MD5 6ba9d21040c6e409baffd0cb6ffd22c2
BLAKE2b-256 f3f514a68d332b50aa0c2c3e5f797fc8bfb5769bd64061d85b05b5f516e1b35e

See more details on using hashes here.

File details

Details for the file devsecops_orchestrator-0.1.0-py3-none-any.whl.

File metadata

File hashes

Hashes for devsecops_orchestrator-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 5ac2523d47a7b4277b388aca6bb610a419091d850e093e4566c427d3805856f9
MD5 62faad4dcc43e29c4476ffcde6a51a22
BLAKE2b-256 1ff7f9b8d1de68351fb80d9d3662c9760a40e3ee0bf255f5b8a9cf93074b1f5b

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page