ForgeGuard by Gexiro
Read-only security posture self-check for self-hosted Gitea and Forgejo.
ForgeGuard helps operators of self-hosted Gitea/Forgejo instances understand patch currency, registry exposure, anonymous access posture, and basic security configuration without exploit probes or internet-wide scanning. It is intended to close a visibility gap after self-hosting: operators need quick, repeatable evidence about whether one authorized forge is patched and whether anonymous surfaces look intentionally constrained.
What It Checks In v0.2
- Forge version and patch currency against the fixed Gitea 1.26.2 release for CVE-2026-27771.
- CVE-2026-27771 posture using safe root response inference.
- Anonymous registry posture via safe /v2/ response inference.
- Sign-in and anonymous access posture.
- Basic registry exposure.
What It Does NOT Do
- No mass scanning.
- No exploit PoC.
- No private blob or manifest retrieval.
- No unauthenticated third-party probing.
- No AI code review.
- No guarantee of full security.
Install
A PyPI release is coming soon. Until then, install the latest from source:
python -m pip install "git+https://github.com/gexiro-global/forgeguard.git"
Once published to PyPI:
python -m pip install forgeguard
For local development:
git clone https://github.com/gexiro-global/forgeguard.git
cd forgeguard
python -m pip install -e ".[dev]"
Quickstart
forgeguard scan --url https://git.example.com --authorized --out ./reports/scan_report.md
Use --known-version when your version endpoint is intentionally hidden:
forgeguard scan --url https://git.example.com --authorized --known-version 1.26.2 --format md,json --out ./reports/scan_report.md
Sample Output
A before/after on a synthetic instance, showing the CVE-2026-27771 patch-currency gap closing after a Gitea update.
Before - Gitea 1.25.3 (mitigated, but the code-level fix is missing):
# ForgeGuard by Gexiro - https://git.example.com
Forge: gitea 1.25.3 | Score: 66/100 (C)
Summary: critical 1 | high 1 | medium 0 | low 0 | pass 3
Top action: P1 - Update Gitea to >=1.26.2
(CVE-2026-27771 window present, mitigation active, code-level fix missing)
After - Gitea 1.26.2 (patched):
# ForgeGuard by Gexiro - https://git.example.com
Forge: gitea 1.26.2 | Score: 100/100 (A)
Summary: critical 0 | high 0 | medium 0 | low 0 | pass 5
Top action: None - all checks pass.
| Finding | Before (1.25.3) | After (1.26.2) |
|---|---|---|
| FG-VER - patch currency | FAIL / HIGH | PASS |
| FG-CVE-27771 - exposure posture | WARN / CRITICAL (mitigated) | PASS |
| FG-SIGNIN / FG-REG / FG-ANON | PASS | PASS |
| Score | 66/100 (C) | 100/100 (A) |
The update closes the code-level patch-currency gap; the posture checks were already passing. Full synthetic reports: examples/scan_report_mitigated_pre_update.md and examples/scan_report_patched_post_update.md.
Scoring
ForgeGuard scoring is deterministic and does not use AI. Findings subtract fixed penalties from 100: critical -40, high -20, medium -10, low -4. Warning findings use WARN_FACTOR = 0.35, so a critical warning subtracts 14 points. Grades are A at 90+, B at 75+, C at 60+, D at 40+, and F below 40.
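The scoring rule above is small enough to reproduce end to end. The following is an added example, not ForgeGuard's own code: it re-implements the stated rule (fixed penalties, WARN_FACTOR = 0.35, grade thresholds) and replays the before/after findings from the Sample Output section to confirm they yield 66/100 (C) and 100/100 (A). The Finding type, function names, and the clamp-at-zero rule are assumptions of this example; the constructed findings mirror the README's sample rather than real scan output.

```python
"""Re-implementation of the ForgeGuard scoring rule as described in the README.

Added example, not the project's own code. Penalty values, WARN_FACTOR and
grade thresholds come from the README; the Finding type, function names and
the clamp-at-zero rule are assumptions made here.
"""
from dataclasses import dataclass

# Fixed penalties subtracted from 100 for a FAIL at each severity (from the README).
PENALTIES = {"critical": 40, "high": 20, "medium": 10, "low": 4}
# A WARN finding costs this fraction of the FAIL penalty at the same severity,
# so a critical WARN subtracts 40 * 0.35 = 14 points (from the README).
WARN_FACTOR = 0.35
# Grade ladder from the README: A at 90+, B at 75+, C at 60+, D at 40+, else F.
GRADE_THRESHOLDS = [(90, "A"), (75, "B"), (60, "C"), (40, "D")]


@dataclass(frozen=True)
class Finding:
    check_id: str   # e.g. "FG-VER" (assumed shape, taken from the sample table)
    severity: str   # one of PENALTIES; informational for a passing check
    status: str     # "fail", "warn" or "pass"


def penalty(finding: Finding) -> float:
    """Points subtracted for one finding."""
    if finding.status == "pass":
        return 0.0
    base = PENALTIES[finding.severity]
    if finding.status == "warn":
        return base * WARN_FACTOR
    if finding.status == "fail":
        return float(base)
    raise ValueError(f"unknown status {finding.status!r}")


def score(findings) -> int:
    """Deterministic score: 100 minus all penalties, clamped at 0 (clamp is an assumption)."""
    total = sum(penalty(f) for f in findings)
    return max(0, round(100 - total))


def grade(points: int) -> str:
    """Map a score to the README's letter grade."""
    for threshold, letter in GRADE_THRESHOLDS:
        if points >= threshold:
            return letter
    return "F"


def summary(findings) -> dict:
    """Counts in the same shape as the 'Summary:' line of a ForgeGuard report."""
    counts = {"critical": 0, "high": 0, "medium": 0, "low": 0, "pass": 0}
    for f in findings:
        if f.status == "pass":
            counts["pass"] += 1
        else:
            counts[f.severity] += 1
    return counts


# Constructed findings mirroring the README's before/after sample:
# FG-VER fails at HIGH, FG-CVE-27771 warns at CRITICAL (mitigated), three checks pass.
BEFORE = [
    Finding("FG-VER", "high", "fail"),
    Finding("FG-CVE-27771", "critical", "warn"),
    Finding("FG-SIGNIN", "low", "pass"),
    Finding("FG-REG", "low", "pass"),
    Finding("FG-ANON", "low", "pass"),
]
# After the update every check passes.
AFTER = [Finding(f.check_id, f.severity, "pass") for f in BEFORE]

if __name__ == "__main__":
    for label, findings in (("before", BEFORE), ("after", AFTER)):
        s = score(findings)
        print(f"{label}: Score {s}/100 ({grade(s)}) | {summary(findings)}")
```

Running the block prints 66/100 (C) for the pre-update findings (20 for the HIGH fail plus 14 for the mitigated CRITICAL warn) and 100/100 (A) once all five checks pass, matching the two sample reports.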
Security And Ethics
Run ForgeGuard only on instances you own or are explicitly authorized to assess. ForgeGuard v0.2 uses read-only HTTP GET checks and stops at posture signals; it does not request package contents or registry artifacts. Reports are posture evidence, not proof of compromise.
See AUTHORIZED_USE.md and SECURITY.md.
Roadmap
- v0.3: runner, token, and TLS posture checks.
- v0.4: optional issue emitter and AI remediation notes.
- v1: supply-chain, SBOM, and OSV enrichment.
- Later: semantic code intelligence.
Responsible Disclosure
To report a vulnerability in ForgeGuard itself, see SECURITY.md.
ForgeGuard by Gexiro
Not affiliated with Gitea, Forgejo, Codeberg, GitHub, or GitLab.
File details
Details for the file forgeguard-0.2.0.tar.gz.
File metadata
- Download URL: forgeguard-0.2.0.tar.gz
- Upload date:
- Size: 18.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.13
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 3ba62764d7f7bdd2bb6c73b49939f4ffd60c26162b7f1975a1bd9abde160a237 |
| MD5 | bcce81c041d65da608d5ead041c20009 |
| BLAKE2b-256 | 702df655e581c81a4a07d7b53401b7180e640630e6eb1c47d3f1e0b791563bb3 |
File details
Details for the file forgeguard-0.2.0-py3-none-any.whl.
File metadata
- Download URL: forgeguard-0.2.0-py3-none-any.whl
- Upload date:
- Size: 17.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.13
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | d24767ba445ff27316bcdca140fd3452c8fcaac5cf2d81e8a94159905701065d |
| MD5 | 0e7c8ada06e196a9964eac8486ef1833 |
| BLAKE2b-256 | 5b8ad7505d00e6ddd4ef73e8d0bd592448c1c3eacfa1c57c79dc724065f3bc87 |