controlgate 0.1.0__tar.gz

controlgate-0.1.0/PKG-INFO

@@ -0,0 +1,184 @@
+Metadata-Version: 2.4
+Name: controlgate
+Version: 0.1.0
+Summary: NIST RMF Cloud Security Hardening — Pre-Commit & Pre-Merge Compliance Gate
+License: MIT
+Project-URL: Homepage, https://github.com/sadayamuthu/controlgate
+Project-URL: Repository, https://github.com/sadayamuthu/controlgate
+Project-URL: Issues, https://github.com/sadayamuthu/controlgate/issues
+Project-URL: Documentation, https://github.com/sadayamuthu/controlgate#readme
+Keywords: nist,security,compliance,pre-commit,cloud,rmf,800-53
+Classifier: Development Status :: 4 - Beta
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Security
+Classifier: Topic :: Software Development :: Quality Assurance
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+Requires-Dist: pyyaml>=6.0
+Provides-Extra: dev
+Requires-Dist: pytest>=7.0; extra == "dev"
+Requires-Dist: pytest-cov>=4.0; extra == "dev"
+Requires-Dist: ruff>=0.4.0; extra == "dev"
+Requires-Dist: mypy>=1.10; extra == "dev"
+Requires-Dist: build>=1.0; extra == "dev"
+Requires-Dist: twine>=5.0; extra == "dev"
+Requires-Dist: pre-commit>=3.7.0; extra == "dev"
+
+# 🛡️ ControlGate
+
+[![CI](https://github.com/sadayamuthu/controlgate/actions/workflows/ci.yml/badge.svg)](https://github.com/sadayamuthu/controlgate/actions/workflows/ci.yml)
+[![Python 3.10+](https://img.shields.io/badge/python-3.10+-blue.svg)](https://www.python.org/downloads/)
+[![License: MIT](https://img.shields.io/badge/License-MIT-green.svg)](LICENSE)
+
+**NIST RMF Cloud Security Hardening — Pre-Commit & Pre-Merge Compliance Gate**
+
+ControlGate is an AI-powered agent skill that scans your code changes against the **NIST SP 800-53 Rev. 5** security framework before every commit and merge. It maps findings directly to specific NIST control IDs, providing traceable compliance evidence and actionable remediation guidance.
+
+## Quick Start
+
+```bash
+# Install
+pip install controlgate
+
+# Scan staged changes
+controlgate scan --mode pre-commit --format markdown
+
+# Scan PR diff against main
+controlgate scan --mode pr --target-branch main --format json markdown
+```
+
+## How It Works
+
+```
+Developer writes code
+       ↓
+git commit / Pull Request
+       ↓
+ControlGate intercepts the diff
+       ↓
+8 Security Gates scan against 370 non-negotiable NIST controls
+       ↓
+Verdict: BLOCK 🚫 / WARN ⚠️ / PASS ✅
+```
+
+## The Eight Security Gates
+
+| # | Gate | NIST Families | What It Catches |
+|---|------|---------------|-----------------|
+| 1 | 🔑 Secrets | IA-5, SC-12, SC-28 | Hardcoded creds, API keys, private keys |
+| 2 | 🔒 Crypto | SC-8, SC-13, SC-17 | Weak algorithms, missing TLS, `ssl_verify=False` |
+| 3 | 🛡️ IAM | AC-3, AC-5, AC-6 | Wildcard IAM, missing auth, overprivileged roles |
+| 4 | 📦 Supply Chain | SR-3, SR-11, SA-10 | Unpinned deps, missing lockfiles, build tampering |
+| 5 | 🏗️ IaC | CM-2, CM-6, SC-7 | Public buckets, `0.0.0.0/0` rules, root containers |
+| 6 | ✅ Input | SI-10, SI-11 | SQL injection, `eval()`, exposed stack traces |
+| 7 | 📋 Audit | AU-2, AU-3, AU-12 | Missing security logging, PII in logs |
+| 8 | 🔄 Change | CM-3, CM-4, CM-5 | Unauthorized config changes, missing CODEOWNERS |
+
+## Installation
+
+### From Source
+
+```bash
+git clone https://github.com/YOUR_ORG/controlgate.git
+cd controlgate
+python3 -m venv .venv && source .venv/bin/activate
+make install-dev
+```
+
+### As a Pre-Commit Hook
+
+```yaml
+# .pre-commit-config.yaml
+repos:
+  - repo: local
+    hooks:
+      - id: controlgate
+        name: ControlGate Security Scan
+        entry: python -m controlgate scan --mode pre-commit --format markdown
+        language: python
+        always_run: true
+```
+
+### As a GitHub Action
+
+Copy [`hooks/github_action.yml`](hooks/github_action.yml) to `.github/workflows/controlgate.yml` in your repo.
+
+## Configuration
+
+Create a `.controlgate.yml` in your project root:
+
+```yaml
+baseline: moderate              # low | moderate | high
+catalog: baseline/nist80053r5_full_catalog_enriched.json
+
+gates:
+  secrets:    { enabled: true,  action: block }
+  crypto:     { enabled: true,  action: block }
+  iam:        { enabled: true,  action: warn  }
+  sbom:       { enabled: true,  action: warn  }
+  iac:        { enabled: true,  action: block }
+  input:      { enabled: true,  action: block }
+  audit:      { enabled: true,  action: warn  }
+  change:     { enabled: true,  action: warn  }
+
+thresholds:
+  block_on:   [CRITICAL, HIGH]
+  warn_on:    [MEDIUM]
+  ignore:     [LOW]
+
+exclusions:
+  paths: ["tests/**", "docs/**", "*.md"]
+```
+
+## CLI Usage
+
+```bash
+# Scan staged changes (pre-commit mode)
+controlgate scan --mode pre-commit --format markdown
+
+# Scan PR diff
+controlgate scan --mode pr --target-branch main --format json markdown sarif
+
+# Scan a saved diff file
+controlgate scan --diff-file path/to/diff --format json
+
+# Output reports to directory
+controlgate scan --output-dir .controlgate/reports --format json markdown sarif
+```
+
+## Output Formats
+
+| Format | Use Case |
+|--------|----------|
+| `markdown` | PR comments, terminal output |
+| `json` | Programmatic consumption, dashboards |
+| `sarif` | GitHub Code Scanning integration |
+
+## Development
+
+```bash
+make install-dev    # Install with dev dependencies
+make test           # Run tests
+make test-cov       # Run tests with coverage
+make lint           # Lint with ruff
+make format         # Auto-format code
+make typecheck      # Type check with mypy
+make check          # Run all checks (lint + typecheck + test)
+make build          # Build distribution packages
+```
+
+## Data Source
+
+Powered by the [NIST Cloud Security Baseline (NCSB)](https://github.com/sadayamuthu/nist-cloud-security-baseline) enriched catalog:
+- **1,189** controls across 20 families
+- **370** non-negotiable at Moderate baseline
+- **247** code-relevant controls mapped to automated scanning rules
+
+## License
+
+MIT

controlgate-0.1.0/README.md

@@ -0,0 +1,153 @@
+# 🛡️ ControlGate
+
+[![CI](https://github.com/sadayamuthu/controlgate/actions/workflows/ci.yml/badge.svg)](https://github.com/sadayamuthu/controlgate/actions/workflows/ci.yml)
+[![Python 3.10+](https://img.shields.io/badge/python-3.10+-blue.svg)](https://www.python.org/downloads/)
+[![License: MIT](https://img.shields.io/badge/License-MIT-green.svg)](LICENSE)
+
+**NIST RMF Cloud Security Hardening — Pre-Commit & Pre-Merge Compliance Gate**
+
+ControlGate is an AI-powered agent skill that scans your code changes against the **NIST SP 800-53 Rev. 5** security framework before every commit and merge. It maps findings directly to specific NIST control IDs, providing traceable compliance evidence and actionable remediation guidance.
+
+## Quick Start
+
+```bash
+# Install
+pip install controlgate
+
+# Scan staged changes
+controlgate scan --mode pre-commit --format markdown
+
+# Scan PR diff against main
+controlgate scan --mode pr --target-branch main --format json markdown
+```
+
+## How It Works
+
+```
+Developer writes code
+       ↓
+git commit / Pull Request
+       ↓
+ControlGate intercepts the diff
+       ↓
+8 Security Gates scan against 370 non-negotiable NIST controls
+       ↓
+Verdict: BLOCK 🚫 / WARN ⚠️ / PASS ✅
+```
+
+## The Eight Security Gates
+
+| # | Gate | NIST Families | What It Catches |
+|---|------|---------------|-----------------|
+| 1 | 🔑 Secrets | IA-5, SC-12, SC-28 | Hardcoded creds, API keys, private keys |
+| 2 | 🔒 Crypto | SC-8, SC-13, SC-17 | Weak algorithms, missing TLS, `ssl_verify=False` |
+| 3 | 🛡️ IAM | AC-3, AC-5, AC-6 | Wildcard IAM, missing auth, overprivileged roles |
+| 4 | 📦 Supply Chain | SR-3, SR-11, SA-10 | Unpinned deps, missing lockfiles, build tampering |
+| 5 | 🏗️ IaC | CM-2, CM-6, SC-7 | Public buckets, `0.0.0.0/0` rules, root containers |
+| 6 | ✅ Input | SI-10, SI-11 | SQL injection, `eval()`, exposed stack traces |
+| 7 | 📋 Audit | AU-2, AU-3, AU-12 | Missing security logging, PII in logs |
+| 8 | 🔄 Change | CM-3, CM-4, CM-5 | Unauthorized config changes, missing CODEOWNERS |
+
+## Installation
+
+### From Source
+
+```bash
+git clone https://github.com/YOUR_ORG/controlgate.git
+cd controlgate
+python3 -m venv .venv && source .venv/bin/activate
+make install-dev
+```
+
+### As a Pre-Commit Hook
+
+```yaml
+# .pre-commit-config.yaml
+repos:
+  - repo: local
+    hooks:
+      - id: controlgate
+        name: ControlGate Security Scan
+        entry: python -m controlgate scan --mode pre-commit --format markdown
+        language: python
+        always_run: true
+```
+
+### As a GitHub Action
+
+Copy [`hooks/github_action.yml`](hooks/github_action.yml) to `.github/workflows/controlgate.yml` in your repo.
+
+## Configuration
+
+Create a `.controlgate.yml` in your project root:
+
+```yaml
+baseline: moderate              # low | moderate | high
+catalog: baseline/nist80053r5_full_catalog_enriched.json
+
+gates:
+  secrets:    { enabled: true,  action: block }
+  crypto:     { enabled: true,  action: block }
+  iam:        { enabled: true,  action: warn  }
+  sbom:       { enabled: true,  action: warn  }
+  iac:        { enabled: true,  action: block }
+  input:      { enabled: true,  action: block }
+  audit:      { enabled: true,  action: warn  }
+  change:     { enabled: true,  action: warn  }
+
+thresholds:
+  block_on:   [CRITICAL, HIGH]
+  warn_on:    [MEDIUM]
+  ignore:     [LOW]
+
+exclusions:
+  paths: ["tests/**", "docs/**", "*.md"]
+```
+
+## CLI Usage
+
+```bash
+# Scan staged changes (pre-commit mode)
+controlgate scan --mode pre-commit --format markdown
+
+# Scan PR diff
+controlgate scan --mode pr --target-branch main --format json markdown sarif
+
+# Scan a saved diff file
+controlgate scan --diff-file path/to/diff --format json
+
+# Output reports to directory
+controlgate scan --output-dir .controlgate/reports --format json markdown sarif
+```
+
+## Output Formats
+
+| Format | Use Case |
+|--------|----------|
+| `markdown` | PR comments, terminal output |
+| `json` | Programmatic consumption, dashboards |
+| `sarif` | GitHub Code Scanning integration |
+
+## Development
+
+```bash
+make install-dev    # Install with dev dependencies
+make test           # Run tests
+make test-cov       # Run tests with coverage
+make lint           # Lint with ruff
+make format         # Auto-format code
+make typecheck      # Type check with mypy
+make check          # Run all checks (lint + typecheck + test)
+make build          # Build distribution packages
+```
+
+## Data Source
+
+Powered by the [NIST Cloud Security Baseline (NCSB)](https://github.com/sadayamuthu/nist-cloud-security-baseline) enriched catalog:
+- **1,189** controls across 20 families
+- **370** non-negotiable at Moderate baseline
+- **247** code-relevant controls mapped to automated scanning rules
+
+## License
+
+MIT

controlgate-0.1.0/pyproject.toml

@@ -0,0 +1,84 @@
+[build-system]
+requires = ["setuptools>=68.0", "wheel"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "controlgate"
+version = "0.1.0"
+description = "NIST RMF Cloud Security Hardening — Pre-Commit & Pre-Merge Compliance Gate"
+readme = "README.md"
+license = {text = "MIT"}
+requires-python = ">=3.10"
+keywords = ["nist", "security", "compliance", "pre-commit", "cloud", "rmf", "800-53"]
+classifiers = [
+    "Development Status :: 4 - Beta",
+    "Intended Audience :: Developers",
+    "License :: OSI Approved :: MIT License",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.10",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Topic :: Security",
+    "Topic :: Software Development :: Quality Assurance",
+]
+dependencies = [
+    "pyyaml>=6.0",
+]
+
+[project.urls]
+Homepage = "https://github.com/sadayamuthu/controlgate"
+Repository = "https://github.com/sadayamuthu/controlgate"
+Issues = "https://github.com/sadayamuthu/controlgate/issues"
+Documentation = "https://github.com/sadayamuthu/controlgate#readme"
+
+[project.optional-dependencies]
+dev = [
+    "pytest>=7.0",
+    "pytest-cov>=4.0",
+    "ruff>=0.4.0",
+    "mypy>=1.10",
+    "build>=1.0",
+    "twine>=5.0",
+    "pre-commit>=3.7.0",
+]
+
+[project.scripts]
+controlgate = "controlgate.__main__:main"
+
+[tool.setuptools.packages.find]
+where = ["src"]
+
+[tool.setuptools.package-data]
+controlgate = ["data/*.json"]
+
+[tool.pytest.ini_options]
+testpaths = ["tests"]
+
+[tool.coverage.run]
+source = ["controlgate"]
+
+[tool.coverage.report]
+fail_under = 100
+show_missing = true
+exclude_lines = [
+    "pragma: no cover",
+    "if __name__",
+]
+
+[tool.ruff]
+target-version = "py310"
+line-length = 100
+
+[tool.ruff.lint]
+select = ["E", "F", "W", "I", "N", "UP", "B", "SIM"]
+ignore = ["E501"]
+
+[tool.ruff.lint.isort]
+known-first-party = ["controlgate"]
+
+[tool.mypy]
+python_version = "3.10"
+warn_return_any = true
+warn_unused_configs = true
+disallow_untyped_defs = false
+check_untyped_defs = true

controlgate-0.1.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

controlgate-0.1.0/src/controlgate/__init__.py

@@ -0,0 +1,3 @@
+"""ControlGate — NIST RMF Cloud Security Hardening Compliance Gate."""
+
+__version__ = "0.1.0"