Skip to main content

LineBreak security gate at the git/CI boundary: dependency CVE scan + AI SAST, human-approved overrides, git-native audit records

Project description

linebreak-gate — the LineBreak security gate at the git/CI boundary

Blocks merges that carry known vulnerabilities. One tool, two detectors:

  • Dependency CVE scanosv-scanner across every ecosystem (npm, PyPI, Go, Cargo, Maven, …), with an npm audit fallback for npm projects (npm-only coverage and no installed-version data — the GitHub Action fails closed if osv-scanner can't be installed instead of degrading to it).
  • AI SAST — an LLM security review of first-party source (injection, broken auth, secret exposure, SSRF, unsafe deserialization, crypto misuse) with adversarial verification, enabled by ANTHROPIC_API_KEY.

The gate blocks and can propose; it never auto-clears on an agent's say-so. A human approves the fix or records an override — with a reason and an approver — in a git-committed audit file.

This is the same scanner core that powers the LineBreak desktop app's in-app security gate (the desktop backend imports this package), but it is fully standalone: a team that has never opened the desktop app can add the gate to their repo and get real enforcement.

Where this code lives. Development happens in the LineBreak monorepo (packages/gate); every green change to it is automatically mirrored to Baktun-Studio/linebreak-gate (the public repo the Action snippet uses) and published to PyPI as linebreak-gate. Never edit the mirror directly — the next sync overwrites it. Licensed Apache-2.0.

Quickstart — GitHub Actions

# .github/workflows/security-gate.yml
name: Security gate
on:
  pull_request:

permissions:
  contents: read
  pull-requests: write # for the summary comment

jobs:
  gate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - uses: Baktun-Studio/linebreak-gate@v1
        with:
          # fail-on: high # blocking floor; default: critical
          # Optional today; required once license enforcement is enabled.
          license-key: ${{ secrets.LINEBREAK_LICENSE_KEY }}
          # Enables the AI code review; leave unset for dependency scan only.
          anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}

The action runs linebreak-gate scan, always runs report, posts one PR comment (updated in place on every push, never spammed), uploads the JSON report + audit artifacts as a workflow artifact, and fails the check per the scan's exit code.

Make it a real boundary: require the check

A CI job that can be ignored is a dashboard, not a gate. In your repo:

Settings → Branches → Branch protection rules → your default branch → "Require status checks to pass before merging" → add the gate job (the name of the job that runs this action). From then on a PR carrying a critical CVE cannot be merged through the GitHub UI.

Quickstart — any other CI (GitLab example)

The CLI is a plain Python package with strict exit codes — 0 pass, 1 blocking findings, 2 tool/config error (fail closed: a scanner crash fails the pipeline, it is never a clean pass). Any CI that respects exit codes gets the same enforcement:

# .gitlab-ci.yml
security-gate:
  image: python:3.11
  script:
    - pip install linebreak-gate
    - curl -fsSL -o /usr/local/bin/osv-scanner
      "$(curl -fsSL https://api.github.com/repos/google/osv-scanner/releases/latest
      | python -c "import json,sys;print(next(a['browser_download_url'] for a in json.load(sys.stdin)['assets'] if a['name'].endswith('linux_amd64')))")"
    - chmod +x /usr/local/bin/osv-scanner
    - linebreak-gate scan
    - linebreak-gate report

Mark the job as required (no allow_failure) and protect the branch.

CLI

linebreak-gate init     [--path .] [--fail-on critical|high|medium|low] [--force] [--non-interactive]
linebreak-gate scan     [--path .] [--fail-on critical|high|medium|low] [--format summary|json]
linebreak-gate report   [--path .] [--format summary|json]
linebreak-gate override --finding <id> --reason "…" --approver <name/email> [--path .]
  • init sets a repo up in one command: writes the workflow file (never clobbers an existing one without --force), optionally writes .linebreak/gate.yml, offers to store the secrets via the GitHub CLI and to require the gate check — and prints the exact settings links for anything it can't do for you.

  • scan runs both detectors, writes git-native audit artifacts under .linebreak/audit/, and exits 0/1/2.

  • report renders the recorded scan: counts by severity and every finding with CVE id, CVSS, advisory link, and override status. --format json for machines.

  • override records a human-approved acknowledgment of one exact finding — the package + installed version + CVE tuple. A different CVE, a bumped version, or a new finding still blocks. --reason and --approver are required; the record lands in the artifact's approval trail. Commit the updated .linebreak/audit/*.json so CI sees it.

Configuration — .linebreak/gate.yml

The gate's strictness is governance, so it lives in the repo — changing the threshold is itself a PR: visible, reviewable, attributable in git history.

# .linebreak/gate.yml
fail_on: critical # critical (default) | high | medium | low
exclude_paths: # optional: root-relative globs excluded from scanning
  - fixtures
  - "sandbox/*"
code_scan: auto # auto (run when ANTHROPIC_API_KEY is set) | on (required) | off

Precedence: explicit --fail-on flag / Action input → .linebreak/gate.yml → built-in default (critical). An invalid config is a tool error (exit 2) — a broken governance file never silently falls back to a default.

Audit records

Every scan and every override is recorded in .linebreak/audit/security.json (dependencies) and .linebreak/audit/code.json (AI SAST) — the same versioned document format the LineBreak desktop app writes, carrying findings (CVE id, CVSS, advisory link), scanner engine, timestamp, actor, and the approval trail with each override's reason + approver. Who relaxed the gate, and when, is itself auditable.

Licensing

The gate reads LINEBREAK_LICENSE_KEY from the environment (the Action's license-key input). Entitlements currently default open: without a key the gate runs and prints a notice. The check is wired through LineBreak's entitlements provider, so flipping LINEBREAK_ENTITLEMENTS_PROVIDER=remote enforces licensing without a client change — set the key in CI secrets now so the gate keeps working then.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

linebreak_gate-1.2.0.tar.gz (51.2 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

linebreak_gate-1.2.0-py3-none-any.whl (46.3 kB view details)

Uploaded Python 3

File details

Details for the file linebreak_gate-1.2.0.tar.gz.

File metadata

  • Download URL: linebreak_gate-1.2.0.tar.gz
  • Upload date:
  • Size: 51.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for linebreak_gate-1.2.0.tar.gz
Algorithm Hash digest
SHA256 5751952f81fc5b273e0c1b439f64763787499ee94f097d70d535caf7383fb8ca
MD5 696fc0f40b9efc0b842890b38f095a04
BLAKE2b-256 18c7f7d1db576c5145a3e014ca5f27d3866a9f4cb169525750810e1e6b01360f

See more details on using hashes here.

Provenance

The following attestation bundles were made for linebreak_gate-1.2.0.tar.gz:

Publisher: publish-gate.yml on Baktun-Studio/linebreak

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file linebreak_gate-1.2.0-py3-none-any.whl.

File metadata

  • Download URL: linebreak_gate-1.2.0-py3-none-any.whl
  • Upload date:
  • Size: 46.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for linebreak_gate-1.2.0-py3-none-any.whl
Algorithm Hash digest
SHA256 4126295d832d232b80202c3fdfef5a3cfbdd98cb0b622ba5bcb6425a8549e6f2
MD5 8d242e8b33d3c143c4a501675a360a7c
BLAKE2b-256 5daa6e2983df95c9096b9c795cfe8240dfb0f2b6200eeda52a9a983bfbf3056d

See more details on using hashes here.

Provenance

The following attestation bundles were made for linebreak_gate-1.2.0-py3-none-any.whl:

Publisher: publish-gate.yml on Baktun-Studio/linebreak

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page