@stefanoginella/code-guardian 0.0.11 → 0.0.13
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +18 -12
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -6,7 +6,7 @@
|
|
|
6
6
|
|
|
7
7
|
Deterministic security scanning layer for Claude Code.
|
|
8
8
|
|
|
9
|
-
Auto-detects your project's tech stack and runs appropriate open-source CLI tools (SAST, secret detection, dependency auditing, container and IaC scanning) to find and fix vulnerabilities. Every tool is free for private repositories,
|
|
9
|
+
Auto-detects your project's tech stack and runs appropriate open-source CLI tools (SAST, secret detection, dependency auditing, container and IaC scanning) to find and fix vulnerabilities. Every tool is free for private repositories, prefers local binaries, and produces a unified findings format so Claude can process results consistently. Docker is available as an opt-in fallback with pinned versions, read-only mounts, and network isolation. Two modes: **interactive** (review findings and choose what to fix) or **yolo** (auto-fix everything possible, then let Claude handle the rest).
|
|
10
10
|
|
|
11
11
|
> 🔧 The plugin ships 18 scanner wrappers and 4 orchestration scripts. The actual security analysis is deterministic (real CLI tools, not AI guessing) — Claude orchestrates the flow and handles the code-level fixes that tools can't auto-fix.
|
|
12
12
|
|
|
@@ -20,7 +20,7 @@ Auto-detects your project's tech stack and runs appropriate open-source CLI tool
|
|
|
20
20
|
|
|
21
21
|
## 🛠 Typical Workflow
|
|
22
22
|
|
|
23
|
-
1. **Run `/code-guardian:code-guardian-setup`** to check what security tools are available for your project's stack. The plugin auto-detects languages, frameworks, Docker, CI systems, and IaC, then reports which tools are
|
|
23
|
+
1. **Run `/code-guardian:code-guardian-setup`** to check what security tools are available for your project's stack. The plugin auto-detects languages, frameworks, Docker, CI systems, and IaC, then reports which tools are installed locally, which have Docker images available (opt-in fallback), and which are missing with install commands.
|
|
24
24
|
2. **Run `/code-guardian:code-guardian-scan`** to kick off a security scan. You'll be asked to choose a mode and scope.
|
|
25
25
|
3. **Review the findings** — in interactive mode, findings are grouped by severity with a summary table. Choose to fix all high-severity issues, all auto-fixable issues, specific findings, or just report.
|
|
26
26
|
4. **Let the tools and Claude fix things** — tools with autofix support (Semgrep, ESLint, npm audit) handle what they can, and the security-fixer agent takes care of the rest with targeted code-level fixes.
|
|
@@ -56,7 +56,8 @@ Scan defaults can be persisted in `.claude/code-guardian.config.json` so you don
|
|
|
56
56
|
"tools": ["semgrep", "gitleaks", "trivy"],
|
|
57
57
|
"disabled": ["trufflehog"],
|
|
58
58
|
"scope": "uncommitted",
|
|
59
|
-
"autofix": false
|
|
59
|
+
"autofix": false,
|
|
60
|
+
"dockerFallback": false
|
|
60
61
|
}
|
|
61
62
|
```
|
|
62
63
|
|
|
@@ -66,8 +67,9 @@ Scan defaults can be persisted in `.claude/code-guardian.config.json` so you don
|
|
|
66
67
|
| `disabled` | `string[]` | none | Never run these tools, even if available. |
|
|
67
68
|
| `scope` | `string` | `"codebase"` | Default scan scope: `codebase`, `uncommitted`, or `unpushed`. |
|
|
68
69
|
| `autofix` | `boolean` | `false` | Auto-fix findings by default. |
|
|
70
|
+
| `dockerFallback` | `boolean` | `false` | Allow Docker images as fallback for tools not installed locally. |
|
|
69
71
|
|
|
70
|
-
**Precedence:** CLI flags always win over config values. If both `tools` and `disabled` are set, `tools` takes precedence. Omitted keys use built-in defaults.
|
|
72
|
+
**Precedence:** CLI flags always win over config values. `CG_DOCKER_FALLBACK=1` env var overrides the config `dockerFallback` setting. If both `tools` and `disabled` are set, `tools` takes precedence. Omitted keys use built-in defaults.
|
|
71
73
|
|
|
72
74
|
This file should be committed to the repo so the team shares the same scan defaults.
|
|
73
75
|
|
|
@@ -114,7 +116,7 @@ All tools are free, open-source, and work on private repositories with no limita
|
|
|
114
116
|
| Container | Dockle | Docker images (manual) | No | `goodwithtech/dockle` |
|
|
115
117
|
| IaC | Checkov | Terraform, CFN, K8s | No | `bridgecrew/checkov` |
|
|
116
118
|
|
|
117
|
-
>
|
|
119
|
+
> Local installation is the recommended method for all tools. Tools with Docker images can optionally use Docker as a fallback when `dockerFallback` is enabled — see [Configuration](#️-configuration). Tools without a Docker image always require local installation. Run `/code-guardian:code-guardian-setup` to see what's needed and get install commands.
|
|
118
120
|
|
|
119
121
|
## 📦 Installation
|
|
120
122
|
|
|
@@ -146,19 +148,19 @@ claude --plugin-dir /path/to/plugins/code-guardian
|
|
|
146
148
|
- `bash` — shell scripts
|
|
147
149
|
- `python3` — JSON parsing in scanner output processing
|
|
148
150
|
|
|
149
|
-
###
|
|
151
|
+
### Optional
|
|
150
152
|
|
|
151
|
-
- **Docker** — the plugin
|
|
153
|
+
- **Docker** — when explicitly opted in via `"dockerFallback": true` in config, the plugin can use official Docker images as a fallback for tools not installed locally. Docker images are pinned to specific versions, mounted read-only, and run with network isolation where possible. Without Docker or without opt-in, all tools must be installed locally.
|
|
152
154
|
|
|
153
155
|
### Security Tools
|
|
154
156
|
|
|
155
157
|
You don't need to install anything upfront. Run `/code-guardian:code-guardian-setup` and the plugin will:
|
|
156
158
|
1. Detect your stack
|
|
157
159
|
2. Show which tools are needed
|
|
158
|
-
3. Report which are available via Docker
|
|
160
|
+
3. Report which are installed locally vs. available via Docker
|
|
159
161
|
4. Show install commands for anything missing
|
|
160
162
|
|
|
161
|
-
|
|
163
|
+
Local installation is the primary execution method. Docker fallback is available as an opt-in alternative.
|
|
162
164
|
|
|
163
165
|
## 🏗 Architecture
|
|
164
166
|
|
|
@@ -187,10 +189,14 @@ code-guardian/
|
|
|
187
189
|
|
|
188
190
|
### How the Deterministic Layer Works
|
|
189
191
|
|
|
190
|
-
Each scanner wrapper follows a
|
|
192
|
+
Each scanner wrapper follows a local-first execution strategy:
|
|
191
193
|
|
|
192
|
-
1. **Local binary** — If the tool is installed locally, it runs directly. Fastest option, zero overhead, respects your installed version and configuration.
|
|
193
|
-
2. **Docker image** — If the tool isn't installed locally
|
|
194
|
+
1. **Local binary** (default) — If the tool is installed locally, it runs directly. Fastest option, zero overhead, respects your installed version and configuration.
|
|
195
|
+
2. **Docker image** (opt-in fallback) — If the tool isn't installed locally and Docker fallback is enabled (`"dockerFallback": true` in config or `CG_DOCKER_FALLBACK=1` env var), it runs via the tool's official Docker image with hardened security controls:
|
|
196
|
+
- **Pinned versions** — Docker images use exact version tags from the tool registry, never `:latest`
|
|
197
|
+
- **Read-only mounts** — Source code is mounted `:ro` (except for autofix mode in Semgrep)
|
|
198
|
+
- **Network isolation** — `--network none` for tools that don't need network access (gitleaks, hadolint, checkov, gosec, brakeman, trufflehog, phpstan, osv-scanner, dockle)
|
|
199
|
+
- **Minimal socket access** — Docker socket only mounted for image-scanning tools (trivy image mode, dockle)
|
|
194
200
|
|
|
195
201
|
After choosing the execution environment, each wrapper:
|
|
196
202
|
1. Runs the tool with appropriate flags for the requested scope
|