Read-only security posture self-check for self-hosted Gitea and Forgejo.

Project description

ForgeGuard by Gexiro

ForgeGuard helps operators of self-hosted Gitea/Forgejo instances understand patch currency, registry exposure, anonymous access posture, and basic security configuration without exploit probes or internet-wide scanning. It is intended to close a visibility gap after self-hosting: operators need quick, repeatable evidence about whether one authorized forge is patched and whether anonymous surfaces look intentionally constrained.

What It Checks In v0.2

  • Forge version and patch currency against the fixed Gitea 1.26.2 release for CVE-2026-27771.
  • CVE-2026-27771 posture using safe root response inference.
  • Anonymous registry posture via safe /v2/ response inference.
  • Sign-in and anonymous access posture.
  • Basic registry exposure.

What It Does NOT Do

  • No mass scanning.
  • No exploit PoC.
  • No private blob or manifest retrieval.
  • No unauthenticated third-party probing.
  • No AI code review.
  • No guarantee of full security.

Install

A PyPI release is coming soon. Until then, install the latest from source:

python -m pip install "git+https://github.com/gexiro-global/forgeguard.git"

Once published to PyPI:

python -m pip install forgeguard

For local development:

git clone https://github.com/gexiro-global/forgeguard.git
cd forgeguard
python -m pip install -e ".[dev]"

Quickstart

forgeguard scan --url https://git.example.com --authorized --out ./reports/scan_report.md

Use --known-version when your version endpoint is intentionally hidden:

forgeguard scan --url https://git.example.com --authorized --known-version 1.26.2 --format md,json --out ./reports/scan_report.md

Sample Output

A before/after comparison on a synthetic instance, showing the CVE-2026-27771 patch-currency gap closing after a Gitea update.

Before - Gitea 1.25.3 (mitigated, but the code-level fix is missing):

# ForgeGuard by Gexiro - https://git.example.com
Forge: gitea 1.25.3 | Score: 66/100 (C)
Summary: critical 1 | high 1 | medium 0 | low 0 | pass 3
Top action: P1 - Update Gitea to >=1.26.2
  (CVE-2026-27771 window present, mitigation active, code-level fix missing)

After - Gitea 1.26.2 (patched):

# ForgeGuard by Gexiro - https://git.example.com
Forge: gitea 1.26.2 | Score: 100/100 (A)
Summary: critical 0 | high 0 | medium 0 | low 0 | pass 5
Top action: None - all checks pass.

Finding                          | Before (1.25.3)              | After (1.26.2)
---------------------------------|------------------------------|---------------
FG-VER - patch currency          | FAIL / HIGH                  | PASS
FG-CVE-27771 - exposure posture  | WARN / CRITICAL (mitigated)  | PASS
FG-SIGNIN / FG-REG / FG-ANON     | PASS                         | PASS
Score                            | 66/100 (C)                   | 100/100 (A)

The update closes the code-level patch-currency gap; the posture checks were already passing. Full synthetic reports: examples/scan_report_mitigated_pre_update.md and examples/scan_report_patched_post_update.md.

Scoring

ForgeGuard scoring is deterministic and does not use AI. Findings subtract fixed penalties from 100: critical -40, high -20, medium -10, low -4. Warning findings use WARN_FACTOR = 0.35, so a critical warning subtracts 14 points. Grades are A at 90+, B at 75+, C at 60+, D at 40+, and F below 40.
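The scoring rule above, re-implemented here as an added example (not ForgeGuard's own code): the penalty weights, WARN_FACTOR and grade thresholds are the ones stated in this section, while the Finding shape and the severities of the passing checks are assumptions. It reproduces the 66/100 (C) and 100/100 (A) results from the sample reports.

```python
# Added example re-implementing the ForgeGuard scoring rule described above;
# not the project's own code. Weights, WARN_FACTOR and grade thresholds are
# those stated in the README; the Finding shape is an assumption made here.
from dataclasses import dataclass

PENALTY = {"critical": 40, "high": 20, "medium": 10, "low": 4}
WARN_FACTOR = 0.35  # a WARN costs 35% of a FAIL of the same severity
GRADES = [(90, "A"), (75, "B"), (60, "C"), (40, "D")]  # F below 40


@dataclass(frozen=True)
class Finding:
    id: str
    severity: str  # critical | high | medium | low
    status: str    # FAIL | WARN | PASS


def penalty(f: Finding) -> float:
    """Points one finding subtracts; PASS costs nothing."""
    if f.status == "PASS":
        return 0.0
    base = PENALTY[f.severity]
    return base * WARN_FACTOR if f.status == "WARN" else float(base)


def score(findings: list[Finding]) -> int:
    """Deterministic score: 100 minus the fixed penalties, floored at 0."""
    return max(0, round(100 - sum(penalty(f) for f in findings)))


def grade(points: int) -> str:
    return next((g for t, g in GRADES if points >= t), "F")


# Constructed findings mirroring the README's "before" report (Gitea 1.25.3);
# severities of the three passing checks are assumed, they cost 0 either way.
BEFORE = [
    Finding("FG-VER", "high", "FAIL"),
    Finding("FG-CVE-27771", "critical", "WARN"),  # mitigated, fix missing
    Finding("FG-SIGNIN", "medium", "PASS"),
    Finding("FG-REG", "medium", "PASS"),
    Finding("FG-ANON", "medium", "PASS"),
]
AFTER = [Finding(f.id, f.severity, "PASS") for f in BEFORE]  # after update

if __name__ == "__main__":
    for label, fs in (("Before", BEFORE), ("After", AFTER)):
        s = score(fs)
        print(f"{label}: {s}/100 ({grade(s)})")  # 66/100 (C), 100/100 (A)
```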

Security And Ethics

Run ForgeGuard only on instances you own or are explicitly authorized to assess. ForgeGuard v0.2 uses read-only HTTP GET checks and stops at posture signals; it does not request package contents or registry artifacts. Reports are posture evidence, not proof of compromise.

See AUTHORIZED_USE.md and SECURITY.md.

Roadmap

  • v0.3: runner, token, and TLS posture checks.
  • v0.4: optional issue emitter and AI remediation notes.
  • v1: supply-chain, SBOM, and OSV enrichment.
  • Later: semantic code intelligence.

Responsible Disclosure

To report a vulnerability in ForgeGuard itself, see SECURITY.md.

ForgeGuard by Gexiro

Not affiliated with Gitea, Forgejo, Codeberg, GitHub, or GitLab.
