Unified CI/CD Security Dashboard — Pipeline Sentinel
Project description
🛡️ Pipeline Sentinel
The Open‑Source DevSecOps Command Center — Unify, Analyse, Remediate.
Severity doughnut, trend line chart, attack‑path graph (clickable nodes), topology view, executive summary, and attack simulation panel — all fully offline.
📑 Table of Contents (Click to expand)
- What Is Pipeline Sentinel? (Simple Explanation)
- Why You Need It
- Where to Run It in Your Network
- Dashboard Preview
- Quick Start
- Prerequisites
- Installation
- How to Use (Step‑by‑Step)
- Complete Command Reference
- Core Capabilities
- Community Rules & Online Updates
- Attack Simulation & What‑If Analysis
- Security Hardening (v0.4.1)
- Architecture
- Roadmap
- Testing & CI
- Security Policy
- Contributing
- Code of Conduct
- Author
- License
👨👩👧 What Is Pipeline Sentinel? (Simple Explanation)
Imagine you have several security guards, each watching a different door of a building. They all shout their findings in different languages, and you have to run around to understand what’s going on.
Pipeline Sentinel puts them all in one room, translates their reports, and shows you a single, clear screen with the full picture. It connects to tools like Trivy (checks your containers), Semgrep (scans your code), Poutine (audits your GitLab pipelines), Zizmor (secures your GitHub Actions), and Gitleaks (finds secrets).
Instead of digging through multiple JSON files, you get a beautiful, dark‑mode command‑center dashboard that tells you what’s critical, how risks are trending, and even how an attacker might chain several small issues into a big problem.
Think of it as a security camera system for your entire CI/CD pipeline — it watches everything, alerts you, suggests fixes, and even lets you simulate attack chains, all without needing internet access if you want.
💥 Why You Need It
In 2026, supply chain attacks have become the #1 threat. Tools like Trivy themselves were compromised, and attackers now inject malicious code directly into build pipelines. You can no longer just scan your code; you must scan your pipeline.
Pipeline Sentinel gives you:
- ✅ One screen for all scanners – stop juggling log files.
- ✅ AI that understands attack chains – “A leaked secret + an old library = a disaster.”
- ✅ Automatic fixes – with a single flag, it patches files and opens a pull request (with backup).
- ✅ Human review mode – inspect each fix before applying.
- ✅ Compliance reports – generate a PDF for your boss or auditor.
- ✅ Attack simulation – tick a few findings and see a generated attack script.
- ✅ 100% offline capable – works in air‑gapped environments where security matters most.
- ✅ Interactive wizard – one command to get everything running.
- ✅ Community rules marketplace – pull curated detection rules from the community.
📍 Where to Run It in Your Network
Pipeline Sentinel is designed to be flexible — you decide where it fits best:
| Deployment | Description |
|---|---|
| 🖥️ Local Developer Machine | Run the CLI and dashboard right on your laptop. Perfect for individual pentesters or developers who want instant feedback. |
| 🔧 CI/CD Runner | Use the GitHub Action or call devsecops-radar directly in your Jenkins/GitLab CI scripts. It can fail the build if critical vulnerabilities exceed your policy (--policy). |
| 🏢 Central Security Server | Install on a dedicated server (via Docker or pip) that collects scan results from multiple teams. The dashboard becomes a shared security operations console. |
| 🌐 Air‑Gapped Networks | Copy the Docker image and sample data to an offline server. The dashboard works with zero external calls — all assets are embedded. |
🔍 View Typical Network Flow
[Trivy scan] ──┐
[Semgrep scan] ─┤
[Poutine scan] ─┼──> devsecops-radar (CLI) ──> findings.json ──> Dashboard (Flask) ──> Browser
[Zizmor scan] ─┘
[Gitleaks scan] ┘
📌 Diagram Placeholder: >
📸 Dashboard Preview
(See the animated demo at the top of this README for a live preview of the UI in action!)
🚀 Quick Start
Get up and running in 3 simple steps:
# 1. Install from PyPI
pip install devsecops-radar
# 2. Feed scanner data (sample data is included in the repo)
devsecops-radar --trivy sample_trivy.json --semgrep sample_semgrep.json
# 3. Launch the dashboard
devsecops-radar-web
Open http://localhost:8080 — your unified command center is live with sample findings.
[!TIP] 🧙 Want a fully guided setup? Run the interactive wizard:
devsecops-radar --wizard
📦 Installation
View All Installation Options (PyPI, Docker, Source, One-Command)
Option 1 — PyPI (Recommended)
pip install devsecops-radar
Option 2 — From Source
git clone [https://github.com/Mehrdoost/devsecops-radar.git](https://github.com/Mehrdoost/devsecops-radar.git)
cd devsecops-radar
pip install -e ".[dev]"
Option 3 — Docker
docker pull ghcr.io/mehrdoost/devsecops-radar:latest
docker run -p 8080:8080 ghcr.io/mehrdoost/devsecops-radar:latest
Mount your own findings file:
docker run -p 8080:8080 -v $(pwd)/findings.json:/data/findings.json ghcr.io/mehrdoost/devsecops-radar:latest
Or use Docker Compose:
docker compose up
🧙 One‑Command Install (curl)
curl -fsSL [https://raw.githubusercontent.com/Mehrdoost/devsecops-radar/main/install.sh](https://raw.githubusercontent.com/Mehrdoost/devsecops-radar/main/install.sh) | bash
This script installs Python dependencies, Ollama, pulls the AI model, and starts the wizard.
📋 Prerequisites
[!IMPORTANT] Pipeline Sentinel relies on external security tools to produce the JSON reports it consumes. You must install these tools separately according to your needs.
- Required for offline scanning: Trivy, Semgrep, Poutine, Zizmor, Gitleaks.
- Optional: Ollama (AI analysis), Docker (Sandboxing), OPA (Rego policy).
📖 See
PREREQUISITES.mdfor full installation details of these tools.
🧭 How to Use (Step‑by‑Step)
1. Run Your Security Scanners
Generate JSON output from your tools:
trivy image --format json -o trivy.json nginx:latest
semgrep --config=auto --json --output semgrep.json .
poutine scan ./repo --format json --output poutine.json
zizmor scan ./repo --output zizmor.json --format json
gitleaks detect --source . --report-format json --report-path gitleaks.json
2. Merge Findings with the CLI
devsecops-radar --trivy trivy.json --semgrep semgrep.json --poutine poutine.json --zizmor zizmor.json --gitleaks gitleaks.json
This produces a single findings.json with all findings merged and normalised.
3. View the Dashboard
devsecops-radar-web
The dashboard shows:
- Severity Breakdown – Doughnut chart with total count
- Trend Over Time – Line chart from scan history
- Pipeline Security – Poutine + Zizmor statistics card
- Attack Path Graph – Interactive D3.js graph (click nodes for details)
- Executive Summary – Risk score and AI‑generated summary
- Findings Table – Searchable, filterable, paginated, with checkboxes for simulation
4. Enable AI Analysis (Optional)
ollama pull llama3.2:latest
devsecops-radar --trivy trivy.json --analyze
devsecops-radar-web
The LLM generates findings_ai_summary.json containing: executive_summary, risk_score, attack_paths (with MITRE ATT&CK), top_remediations, and false_positives_likely.
5. Auto‑Remediation (with Human Review)
# Apply fixes automatically
devsecops-radar --trivy trivy.json --analyze --fix
# Interactive step‑by‑step review
devsecops-radar --trivy trivy.json --analyze --fix --review
[!NOTE] All modified files are backed up to
~/.devsecops-radar/backups/. The tool creates a new git branchauto-fixand pushes it for review.
6. Policy Enforcement
Create a policy.json file:
{
"max_critical": 5,
"on_violation": "fail"
}
devsecops-radar --trivy trivy.json --policy policy.json
If critical findings exceed 5, the command exits with code 1. You can also use OPA Rego policies (--rego-policy).
7. Generate Compliance & Standard Reports
# PDF report with compliance mapping
devsecops-radar --trivy trivy.json --analyze --compliance CIS --report cis-report.pdf
# Export as SARIF for GitHub Code Scanning
devsecops-radar --trivy trivy.json --export-sarif report.sarif
# Export as CycloneDX SBOM
devsecops-radar --trivy trivy.json --export-cyclonedx report.cdx.json
8. Security Badge for Your Project
Embed a dynamic security badge in your README:
[](https://github.com/Mehrdoost/devsecops-radar)
9. Jira / Asana Integration (New!)
Set environment variables to create issues automatically:
export JIRA_URL="[https://your-domain.atlassian.net](https://your-domain.atlassian.net)"
export JIRA_TOKEN="your-api-token"
devsecops-radar --trivy trivy.json --analyze --notify-jira
export ASANA_TOKEN="your-asana-token"
export ASANA_WORKSPACE="your-workspace-gid"
devsecops-radar --trivy trivy.json --analyze --notify-asana
📋 Complete Command Reference
Click to Expand Command Categories
🔎 Scanners & Inputs
| Flag | Description | Example |
|---|---|---|
--trivy |
Trivy JSON file or image name | --trivy results.json or nginx:latest |
--semgrep |
Semgrep JSON file or directory | --semgrep results.json or ./src |
--poutine |
Poutine JSON file or repo path | --poutine results.json or ./repo |
--zizmor |
Zizmor JSON file or repo path | --zizmor results.json or ./repo |
--gitleaks |
Gitleaks JSON file or repo path | --gitleaks results.json or ./repo |
--rules |
Directory with custom JSON rules | --rules ~/my-rules/ |
--topology |
Path to topology JSON file | --topology topology.json |
🧠 AI, Policies & Remediation
| Flag | Description | Example |
|---|---|---|
--analyze |
Enable async LLM analysis (Ollama required) | --analyze |
--llm-backend |
ollama (default) or litellm |
--llm-backend litellm |
--llm-model |
Model name | --llm-model gpt-4o-mini |
--fix |
Auto‑apply AI‑suggested fixes (with backup) | --fix |
--review |
Interactive step‑by‑step remediation | --review |
--policy |
Policy JSON file for gating | --policy policy.json |
--rego-policy |
OPA Rego policy file | --rego-policy policy.rego |
📊 Reports & Exports
| Flag | Description | Example |
|---|---|---|
--output |
Output JSON file (default: findings.json) | --output merged.json |
--report |
Generate PDF/JSON/HTML report | --report report.pdf |
--export-sarif |
Export findings as SARIF | --export-sarif report.sarif |
--export-cyclonedx |
Export findings as CycloneDX | --export-cyclonedx report.cdx |
--compliance |
Framework: CIS, PCI-DSS, ISO27001 |
--compliance CIS |
⚙️ Integrations & Setup
| Flag | Description | Example |
|---|---|---|
--notify-jira |
Create Jira issues for criticals | --notify-jira |
--notify-asana |
Create Asana tasks for criticals | --notify-asana |
--wizard |
Interactive first‑time setup wizard | --wizard |
--update-rules |
Download/update community rules | --update-rules |
[!TIP]
devsecops-radar-web— Web Server Optionsdevsecops-radar-web # Launch on http://localhost:8080 FINDINGS_FILE=my.json devsecops-radar-web # Use a custom findings file PIPELINE_API_KEY=secret devsecops-radar-web # Enable API authentication
✨ Core Capabilities
Explore the Engine Powering Pipeline Sentinel
- 🔌 Multi‑Scanner Plugin Architecture: Built‑in support for Trivy (
--trivy), Semgrep (--semgrep), Poutine (--poutine), Zizmor (--zizmor), and Gitleaks (--gitleaks). - 🧩 Hybrid RuleFusion Engine: Load custom JSON rules locally or pull community‑curated rules from a configurable Git repository (
--update-rules). - 🧠 LLM‑Powered Analysis: Async, enriched context (NIST NVD/GitHub links), structured JSON with MITRE ATT&CK, risk scores, and step‑by‑step remediation. Supports Ollama and LiteLLM.
- 🕸️ Multi‑Step Attack Path Visualization: Interactive D3.js force graph that chains findings into realistic attack scenarios based on your network topology.
- 🛡️ Policy‑as‑Code (JSON & Rego): Define simple security gates or write complex rules in Rego for OPA to fail pipelines safely.
- 🛠️ Auto‑Remediation: AI‑suggested fixes applied automatically (
--fix) or reviewed (--review). Every file is backed up safely in a new Git branch. - 📊 Compliance & Reports: Professional reports in PDF, JSON, HTML (
--report), plus SARIF and CycloneDX exports. - 📈 Scan History & Trends: SQLAlchemy‑backed database with fast pagination and historical trend comparisons.
- 🧪 SBOM & Dependency Confusion: Generate CycloneDX SBOMs, apply VEX files, and detect impersonation risks.
- 🔍 RAG‑Powered Security Search: Ask natural language questions about your scan history.
- 📉 Dynamic Risk Scoring: Context-aware scoring based on asset exposure, exploit availability, and threat intelligence.
- 🔒 Privacy & Offline‑First: 100% embedded assets. LLM analysis runs locally via Ollama. No data leaves your network.
🌍 Community Rules & Online Updates
Pipeline Sentinel features a community‑driven rule marketplace housed in a separate repository: devsecops-radar-rules.
How It Works: The repository contains curated JSON rule files for all supported scanners. You can pull the latest rules with a single command:
devsecops-radar --update-rules
Rules are stored locally in ~/.devsecops-radar/community-rules/. To use them alongside your scanner results:
devsecops-radar --trivy scan.json --rules ~/.devsecops-radar/community-rules/
[!NOTE] (You can even point to your own private repository via
COMMUNITY_RULES_REPO!)
⚔️ Attack Simulation & What‑If Analysis
Interactive attack simulation directly from the dashboard:
- Tick the checkboxes next to the findings you want to investigate.
- Click “⚡ Simulate Selected”.
- A modal displays a generated attack script (
bash), attack chain description, and (if Docker is available) the sandbox output.
(You can also click any node in the Attack Path Graph and press “Simulate this attack”).
🔐 Security Hardening (v0.4.1)
Pipeline Sentinel now includes several important security improvements:
- Command injection prevention – all scanner inputs and community repo URLs are strictly validated.
- Password hashing – API keys are stored using Werkzeug’s secure hashing (no plaintext).
- Safe git staging – only the files that were actually modified are committed, preventing accidental exposure of
.envor other secrets. - Consistent DB session management – all database operations use the same context manager, preventing resource leaks.
- Specific exception handling – bare
exceptclauses have been replaced with targeted exceptions, improving debuggability. - Removal of duplicated parsing code – the deprecated
parser.pymodule has been deleted.
🏗️ Architecture
devsecops_radar/
├── cli/ # CLI entry point – plugin discovery, policy, remediation
├── core/ # RuleFusion engine, DB (SQLAlchemy), async LLM analysers
├── scanners/ # Pluggable scanner classes (extend ScannerPlugin)
├── plugins/ # ScannerPlugin abstract base class & entry points
└── web/ # Flask dashboard (modular Blueprints, WCAG 2.1 AA)
├── dashboard/ # Main dashboard routes & embedded HTML
├── attack_paths/
├── topology/
├── summary/
└── sentry/ # Live webhook agent for CI/CD
📌 Diagram Placeholder:
🗺️ Roadmap
| Phase | Feature | Status |
|---|---|---|
| ✅ Phase 1 | Multi‑scanner engine (Trivy, Semgrep, Poutine, Zizmor), LLM analysis, GH Actions | Done |
| ✅ Phase 2 | Attack‑path visualization, Policy‑as‑Code, Auto‑remediation, Compliance reports | Done |
| ✅ Phase 3 | Web dashboard Blueprint, ORM pagination, SBOM, Dynamic Risk Scoring, Gitleaks | Done |
| ✅ Phase 4 | Advanced attack simulation, VEX filtering, Async LLM, SARIF/CycloneDX | Done |
| 🔲 Phase 5 | eBPF runtime security agent | Planned |
| 🔲 Phase 5 | Rule marketplace with YAML | Planned |
| 🔲 Phase 5 | Pull Request assistant (GitHub App) | Planned |
See the open issues for a full list of proposed features.
🧪 Testing & CI
Pipeline Sentinel is thoroughly tested to ensure reliability for production use.
- Unit & Integration Tests: 23+ tests covering scanners, rule engine, database, analyzer, API, and CLI.
- CI Pipeline: Every push and pull request triggers automated testing (
pytestwith coverage) and linting (ruff,mypy) via GitHub Actions.
Run tests locally:
pip install -e ".[dev]"
pip install pytest pytest-flask ruff
pytest tests/ -v --cov=devsecops_radar --cov-report=term-missing
ruff check .
mypy .
🤝 Community & Support
Contributing, Security Policy, & Code of Conduct
- Security Policy: We take security seriously. If you discover a vulnerability, please report it privately. See our full Security Policy for details.
- Contributing: We welcome contributions of all kinds! Please read our Contributing Guide. For adding new rules, see the Community Rules section.
- Code of Conduct: This project adheres to the Contributor Covenant Code of Conduct. By participating, you are expected to uphold this code.
👨💻 Author
ReverseForge — ( Mehrdoost And Mi0r4 )
📜 License
MIT — see LICENSE.
⭐ If this project helps your team ship safer software, drop a star — it makes a real difference.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file devsecops_radar-0.4.1.tar.gz.
File metadata
- Download URL: devsecops_radar-0.4.1.tar.gz
- Upload date:
- Size: 655.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
fc94686c2b2d2cfa6eeb18952ff07bc6a9ba37a26b3651cd0f303ac6370c16f5
|
|
| MD5 |
ff326b9380fb04f64eb8f48afdcd6be0
|
|
| BLAKE2b-256 |
c384ef3e503e49a388915eaf0f181999fa91797f942c38162da2b0dea3285a98
|
File details
Details for the file devsecops_radar-0.4.1-py3-none-any.whl.
File metadata
- Download URL: devsecops_radar-0.4.1-py3-none-any.whl
- Upload date:
- Size: 653.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
437086003789aed4db80596ad90e0f76040511ac5a2e77f9cd358c5019cc119b
|
|
| MD5 |
c4297d45c16cafd11c87635acfb93dde
|
|
| BLAKE2b-256 |
32417a2f3cc7640b7491196d39695e536c57474523641b8ea678f47c91fa5403
|