Skip to content
/ CI-CD-Supply-Chain-Auditor Public

"An extensible auditor for CI/CD pipelines, identifying security weaknesses and best-practice deviations in your software supply chain. (Aims to incorporate SLSA checks and AI-driven insights)."

License

Apache-2.0 license
1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

raghu-007/CI-CD-Supply-Chain-Auditor

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
.github
.github
 
 
.gitignore
.gitignore
 
 
CONTRIBUTING.md
CONTRIBUTING.md
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
requirements.txt
requirements.txt
 
 

Repository files navigation

CI-CD-Supply-Chain-Auditor 🛡️🔗

An extensible auditor for CI/CD pipelines, identifying security weaknesses, misconfigurations, and best-practice deviations in your software supply chain. This tool aims to help organizations improve their SLSA posture and secure their build and deployment processes.

🎯 Goals

  • Provide actionable insights into the security of CI/CD pipelines.
  • Automate checks for common software supply chain vulnerabilities.
  • Help teams align with frameworks like SLSA (Supply-chain Levels for Software Artifacts).
  • (Future) Leverage AI for advanced anomaly detection and risk scoring.

✨ Key Features (Planned & In-Progress)

  • Pipeline Configuration Analysis: Parses pipeline definitions (e.g., GitHub Actions YAML, Jenkinsfile) for insecure patterns.
  • Source Code Integrity Checks: Verifies branch protections, signed commits, etc.
  • Dependency Security Audits: Integrates with SCA tools and checks dependency hygiene.
  • Build Environment Scrutiny: Checks for secure runner configurations and secrets management.
  • Artifact Integrity Verification: Looks for signed artifacts, image scan results.
  • SLSA Compliance Reporting: Audits against specified SLSA levels.
  • Extensible Plugin Architecture: Allows adding new checks and CI/CD platform support easily.
  • Multiple CI/CD Platform Support: (Starting with GitHub Actions, then GitLab CI, Jenkins, etc.)
  • Clear Reporting: HTML, JSON, and Markdown reports.

🛠️ Technology Stack (Tentative)

  • Python 3.x
  • Key Python Libraries: requests, PyYAML, gitpython, click (for CLI), (AI: scikit-learn, tensorflow/pytorch - future)
  • (Potentially) OPA/Rego for policy definition.

🏁 Getting Started

(This section will be filled in as you build)

  1. Clone the repository: 
    git clone https://github.com/raghu-007/CI-CD-Supply-Chain-Auditor.git
cd CI-CD-Supply-Chain-Auditor
  2. Install dependencies: 
    pip install -r requirements.txt
  3. Configure (e.g., API tokens for CI/CD platforms): 
    cp config.example.yml config.yml
# Edit config.yml
  4. Run an audit: 
    python auditor_cli.py --platform github_actions --repo-url <your-repo-url>

📂 Project Structure (Tentative)

(Briefly describe your planned folder structure here once decided)

🤝 Contributing

Contributions are highly welcome! Please read CONTRIBUTING.md for guidelines. We're looking for help with:

  • Adding checks for different supply chain security aspects.
  • Integrating support for more CI/CD platforms.
  • Improving reporting and documentation.
  • Developing AI-driven analysis features.

📜 License

This project is licensed under the Apache License 2.0. See the LICENSE file for the full license text.

⚠️ Disclaimer

This tool is for auditing and educational purposes. Always ensure you have authorization before scanning any systems or pipelines.

About

"An extensible auditor for CI/CD pipelines, identifying security weaknesses and best-practice deviations in your software supply chain. (Aims to incorporate SLSA checks and AI-driven insights)."

Resources

Readme

License

Apache-2.0 license

Contributing

Contributing
Activity

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published