devsecops-radar 0.1.0__tar.gz

devsecops_radar-0.1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Mdm
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

devsecops_radar-0.1.0/PKG-INFO

@@ -0,0 +1,191 @@
+Metadata-Version: 2.4
+Name: devsecops-radar
+Version: 0.1.0
+Summary: Unified CI/CD Security Dashboard — Pipeline Sentinel
+Author-email: Mehrdoost <mehrdoost@users.noreply.github.com>
+License: MIT
+Project-URL: Homepage, https://github.com/Mehrdoost/devsecops-radar
+Project-URL: Source, https://github.com/Mehrdoost/devsecops-radar
+Classifier: Development Status :: 4 - Beta
+Classifier: Intended Audience :: Developers
+Classifier: Topic :: Security
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.12
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: flask>=3.0
+Requires-Dist: semgrep>=1.0
+Requires-Dist: pyyaml>=6.0
+Requires-Dist: requests>=2.31
+Dynamic: license-file
+
+# 🛡️ Pipeline Sentinel
+
+**Unified CI/CD Security Observability — AI‑Enhanced & Offline‑Ready**
+
+Aggregate findings from **Trivy, Semgrep, Poutine, Zizmor** and more into a single, beautiful dashboard. Correlate risks with an **LLM‑powered analysis engine**, track security trends over time, and enforce guardrails – all in one CLI + web UI.
+
+[![GitHub stars](https://img.shields.io/github/stars/Mehrdoost/devsecops-radar?style=social)](https://github.com/Mehrdoost/devsecops-radar/stargazers)
+[![License](https://img.shields.io/github/license/Mehrdoost/devsecops-radar)](LICENSE)
+[![Docker Pulls](https://img.shields.io/docker/pulls/Mehrdoost/devsecops-radar)](https://hub.docker.com/r/Mehrdoost/devsecops-radar)
+[![PyPI version](https://img.shields.io/pypi/v/devsecops-radar.svg)](https://pypi.org/project/devsecops-radar/)
+[![GitHub release](https://img.shields.io/github/v/release/Mehrdoost/devsecops-radar?include_prereleases)](https://github.com/Mehrdoost/devsecops-radar/releases)
+[![CI](https://github.com/Mehrdoost/devsecops-radar/actions/workflows/test-action.yml/badge.svg)](https://github.com/Mehrdoost/devsecops-radar/actions/workflows/test-action.yml)
+
+---
+
+## 🚀 Quick Start
+
+```bash
+# Install from PyPI
+pip install devsecops-radar
+
+# Or install directly from GitHub
+pip install git+[https://github.com/Mehrdoost/devsecops-radar.git](https://github.com/Mehrdoost/devsecops-radar.git)
+
+# Run the web dashboard
+devsecops-radar-web
+```
+
+🐳 **Docker:** `docker pull ghcr.io/mehrdoost/devsecops-radar:latest` *(see instructions below)*
+
+---
+
+## ✨ Key Features
+
+| Capability | Description |
+| :--- | :--- |
+| 🔌 **Multi‑Scanner Integration** | Natively parses Trivy, Semgrep, Poutine, Zizmor. More via pluggable architecture. |
+| 🧠 **LLM‑Powered Analysis** | Optional AI correlation, false‑positive reduction, attack‑path identification (Ollama‑backed, offline capable). |
+| 📈 **Scan History & Trends** | SQLite‑powered historical storage. Visual trend chart shows risk evolution over time. |
+| 🤖 **GitHub Action** | One‑step integration into your CI/CD. Summarises findings and optionally comments on PRs. |
+| 🎨 **Beautiful Dark Dashboard** | Severity doughnut, trend line chart, search & filters – works fully offline (all assets bundled). |
+| 🐳 **Docker Native** | Official image on GitHub Container Registry. Just one `docker run` away. |
+
+---
+
+## 🔧 Supported Scanners
+
+| Scanner | What it scans | Status |
+| :--- | :--- | :--- |
+| **Trivy** | Container images & dependencies | ✅ |
+| **Semgrep** | SAST (Static Code Analysis) | ✅ |
+| **Poutine** | GitLab CI/CD configuration security | ✅ |
+| **Zizmor** | GitHub Actions workflow security | ✅ |
+| **Snyk, ZAP, Dependency-Track** | Roadmap | 🔲 |
+
+*Adding a new scanner is easy – extend `BaseScanner` and plug it in.*
+
+---
+
+
+## 📸 Dashboard Preview
+
+![DevSecOps Radar Dashboard](docs/Demo.gif)
+
+---
+
+## 🤖 GitHub Action
+
+Add security analysis to your workflow with a single step:
+
+```yaml
+- name: Pipeline Sentinel
+  uses: Mehrdoost/devsecops-radar/action@main
+  with:
+    trivy_report: trivy-results.json
+    semgrep_report: semgrep-results.json
+    poutine_report: poutine-results.json
+    zizmor_report: zizmor-results.json
+```
+
+The action merges findings, creates a job summary, and outputs CRITICAL/HIGH counts.
+
+---
+
+## 📊 Scan History & Trends
+
+Every run automatically stores findings in a local `scan_history.db`.
+The dashboard renders a **Trend Over Time** chart so teams can monitor whether security posture is improving.
+
+```bash
+# Multiple scans build history
+devsecops-radar --trivy sample_trivy.json --semgrep sample_semgrep.json
+devsecops-radar --trivy sample_trivy.json --semgrep sample_semgrep.json --poutine sample_poutine.json
+
+# Now view the trend in the dashboard
+devsecops-radar-web
+```
+
+---
+
+## 🧠 AI‑Powered Analysis (Optional)
+
+Enable LLM analysis with `--analyze` (requires Ollama running locally):
+
+```bash
+ollama pull llama3.2:latest          # one-time setup
+devsecops-radar --trivy sample_trivy.json --semgrep sample_semgrep.json --zizmor sample_zizmor.json --analyze
+```
+
+*Generates `findings_ai_summary.md` with executive summary, attack paths, and remediation tips.*
+
+---
+
+## 🛠️ Usage
+
+### From Source (Python)
+```bash
+pip install -e .
+devsecops-radar --trivy trivy.json --semgrep semgrep.json
+devsecops-radar-web
+```
+
+### Docker
+```bash
+docker pull ghcr.io/mehrdoost/devsecops-radar:latest
+docker run -p 8080:8080 -v $(pwd)/findings.json:/data/findings.json ghcr.io/mehrdoost/devsecops-radar:latest
+```
+
+### Using Sample Data
+```bash
+devsecops-radar --trivy sample_trivy.json --semgrep sample_semgrep.json --poutine sample_poutine.json --zizmor sample_zizmor.json
+```
+
+---
+
+## 🗺️ Roadmap
+
+- [x] Multi‑scanner engine (Trivy, Semgrep, Poutine, Zizmor)
+- [x] AI correlation & analysis
+- [x] Scan history & trend visualisation
+- [x] GitHub Action (composite)
+- [x] Docker image (GitHub Container Registry)
+- [ ] Security guardrail policies (`policy.yml`)
+- [ ] AI remediation advisor (detailed fix guidance)
+- [ ] Findings diff/compare between branches
+- [ ] Jira / Slack integration
+
+---
+
+## 🤝 Contributing
+
+Pull requests and issues are warmly welcome!
+If you’d like to integrate a new scanner, open an issue with a sample of its JSON output.
+
+---
+
+## 👨‍💻 Author
+
+**Mehrdoost** 
+
+[![GitHub](https://img.shields.io/badge/GitHub-Mehrdoost-181717?logo=github)](https://github.com/Mehrdoost)
+
+---
+
+## 📜 License
+
+MIT – see [LICENSE](LICENSE) file.
+
+⭐ **If this project helps your team ship more secure software, please drop a star!**

devsecops_radar-0.1.0/README.md

@@ -0,0 +1,169 @@
+# 🛡️ Pipeline Sentinel
+
+**Unified CI/CD Security Observability — AI‑Enhanced & Offline‑Ready**
+
+Aggregate findings from **Trivy, Semgrep, Poutine, Zizmor** and more into a single, beautiful dashboard. Correlate risks with an **LLM‑powered analysis engine**, track security trends over time, and enforce guardrails – all in one CLI + web UI.
+
+[![GitHub stars](https://img.shields.io/github/stars/Mehrdoost/devsecops-radar?style=social)](https://github.com/Mehrdoost/devsecops-radar/stargazers)
+[![License](https://img.shields.io/github/license/Mehrdoost/devsecops-radar)](LICENSE)
+[![Docker Pulls](https://img.shields.io/docker/pulls/Mehrdoost/devsecops-radar)](https://hub.docker.com/r/Mehrdoost/devsecops-radar)
+[![PyPI version](https://img.shields.io/pypi/v/devsecops-radar.svg)](https://pypi.org/project/devsecops-radar/)
+[![GitHub release](https://img.shields.io/github/v/release/Mehrdoost/devsecops-radar?include_prereleases)](https://github.com/Mehrdoost/devsecops-radar/releases)
+[![CI](https://github.com/Mehrdoost/devsecops-radar/actions/workflows/test-action.yml/badge.svg)](https://github.com/Mehrdoost/devsecops-radar/actions/workflows/test-action.yml)
+
+---
+
+## 🚀 Quick Start
+
+```bash
+# Install from PyPI
+pip install devsecops-radar
+
+# Or install directly from GitHub
+pip install git+[https://github.com/Mehrdoost/devsecops-radar.git](https://github.com/Mehrdoost/devsecops-radar.git)
+
+# Run the web dashboard
+devsecops-radar-web
+```
+
+🐳 **Docker:** `docker pull ghcr.io/mehrdoost/devsecops-radar:latest` *(see instructions below)*
+
+---
+
+## ✨ Key Features
+
+| Capability | Description |
+| :--- | :--- |
+| 🔌 **Multi‑Scanner Integration** | Natively parses Trivy, Semgrep, Poutine, Zizmor. More via pluggable architecture. |
+| 🧠 **LLM‑Powered Analysis** | Optional AI correlation, false‑positive reduction, attack‑path identification (Ollama‑backed, offline capable). |
+| 📈 **Scan History & Trends** | SQLite‑powered historical storage. Visual trend chart shows risk evolution over time. |
+| 🤖 **GitHub Action** | One‑step integration into your CI/CD. Summarises findings and optionally comments on PRs. |
+| 🎨 **Beautiful Dark Dashboard** | Severity doughnut, trend line chart, search & filters – works fully offline (all assets bundled). |
+| 🐳 **Docker Native** | Official image on GitHub Container Registry. Just one `docker run` away. |
+
+---
+
+## 🔧 Supported Scanners
+
+| Scanner | What it scans | Status |
+| :--- | :--- | :--- |
+| **Trivy** | Container images & dependencies | ✅ |
+| **Semgrep** | SAST (Static Code Analysis) | ✅ |
+| **Poutine** | GitLab CI/CD configuration security | ✅ |
+| **Zizmor** | GitHub Actions workflow security | ✅ |
+| **Snyk, ZAP, Dependency-Track** | Roadmap | 🔲 |
+
+*Adding a new scanner is easy – extend `BaseScanner` and plug it in.*
+
+---
+
+
+## 📸 Dashboard Preview
+
+![DevSecOps Radar Dashboard](docs/Demo.gif)
+
+---
+
+## 🤖 GitHub Action
+
+Add security analysis to your workflow with a single step:
+
+```yaml
+- name: Pipeline Sentinel
+  uses: Mehrdoost/devsecops-radar/action@main
+  with:
+    trivy_report: trivy-results.json
+    semgrep_report: semgrep-results.json
+    poutine_report: poutine-results.json
+    zizmor_report: zizmor-results.json
+```
+
+The action merges findings, creates a job summary, and outputs CRITICAL/HIGH counts.
+
+---
+
+## 📊 Scan History & Trends
+
+Every run automatically stores findings in a local `scan_history.db`.
+The dashboard renders a **Trend Over Time** chart so teams can monitor whether security posture is improving.
+
+```bash
+# Multiple scans build history
+devsecops-radar --trivy sample_trivy.json --semgrep sample_semgrep.json
+devsecops-radar --trivy sample_trivy.json --semgrep sample_semgrep.json --poutine sample_poutine.json
+
+# Now view the trend in the dashboard
+devsecops-radar-web
+```
+
+---
+
+## 🧠 AI‑Powered Analysis (Optional)
+
+Enable LLM analysis with `--analyze` (requires Ollama running locally):
+
+```bash
+ollama pull llama3.2:latest          # one-time setup
+devsecops-radar --trivy sample_trivy.json --semgrep sample_semgrep.json --zizmor sample_zizmor.json --analyze
+```
+
+*Generates `findings_ai_summary.md` with executive summary, attack paths, and remediation tips.*
+
+---
+
+## 🛠️ Usage
+
+### From Source (Python)
+```bash
+pip install -e .
+devsecops-radar --trivy trivy.json --semgrep semgrep.json
+devsecops-radar-web
+```
+
+### Docker
+```bash
+docker pull ghcr.io/mehrdoost/devsecops-radar:latest
+docker run -p 8080:8080 -v $(pwd)/findings.json:/data/findings.json ghcr.io/mehrdoost/devsecops-radar:latest
+```
+
+### Using Sample Data
+```bash
+devsecops-radar --trivy sample_trivy.json --semgrep sample_semgrep.json --poutine sample_poutine.json --zizmor sample_zizmor.json
+```
+
+---
+
+## 🗺️ Roadmap
+
+- [x] Multi‑scanner engine (Trivy, Semgrep, Poutine, Zizmor)
+- [x] AI correlation & analysis
+- [x] Scan history & trend visualisation
+- [x] GitHub Action (composite)
+- [x] Docker image (GitHub Container Registry)
+- [ ] Security guardrail policies (`policy.yml`)
+- [ ] AI remediation advisor (detailed fix guidance)
+- [ ] Findings diff/compare between branches
+- [ ] Jira / Slack integration
+
+---
+
+## 🤝 Contributing
+
+Pull requests and issues are warmly welcome!
+If you’d like to integrate a new scanner, open an issue with a sample of its JSON output.
+
+---
+
+## 👨‍💻 Author
+
+**Mehrdoost** 
+
+[![GitHub](https://img.shields.io/badge/GitHub-Mehrdoost-181717?logo=github)](https://github.com/Mehrdoost)
+
+---
+
+## 📜 License
+
+MIT – see [LICENSE](LICENSE) file.
+
+⭐ **If this project helps your team ship more secure software, please drop a star!**

devsecops_radar-0.1.0/devsecops_radar/cli/scanner.py

@@ -0,0 +1,72 @@
+import argparse
+import json
+import os
+from devsecops_radar.scanners.trivy import TrivyScanner
+from devsecops_radar.scanners.semgrep import SemgrepScanner
+from devsecops_radar.scanners.poutine import PoutineScanner
+from devsecops_radar.scanners.zizmor import ZizmorScanner
+from devsecops_radar.core.analyzer import OllamaAnalyzer
+from devsecops_radar.core.database import save_scan
+
+def main():
+    parser = argparse.ArgumentParser(description='DevSecOps Radar - Collect and view security findings.')
+    parser.add_argument('--trivy', type=str, help='Path to Trivy JSON output file or image name to scan directly (e.g., nginx:latest)')
+    parser.add_argument('--semgrep', type=str, help='Path to Semgrep JSON output file or target directory to scan directly')
+    parser.add_argument('--poutine', type=str, help='Path to Poutine JSON output file or repository path to scan directly')
+    parser.add_argument('--zizmor', type=str, help='Path to Zizmor JSON output file or repository path to scan directly')
+    parser.add_argument('--output', type=str, default='findings.json', help='Output file for merged findings')
+    parser.add_argument('--analyze', action='store_true', help='Enable LLM analysis (requires Ollama running locally)')
+    args = parser.parse_args()
+
+    all_findings = []
+
+    if args.trivy:
+        trivy = TrivyScanner()
+        if os.path.isfile(args.trivy):
+            all_findings.extend(trivy.parse(args.trivy))
+        else:
+            print(f"Scanning image: {args.trivy}")
+            all_findings.extend(trivy.run(args.trivy))
+
+    if args.semgrep:
+        semgrep = SemgrepScanner()
+        if os.path.isfile(args.semgrep):
+            all_findings.extend(semgrep.parse(args.semgrep))
+        else:
+            print(f"Scanning directory: {args.semgrep}")
+            all_findings.extend(semgrep.run(args.semgrep))
+
+    if args.poutine:
+        poutine = PoutineScanner()
+        if os.path.isfile(args.poutine):
+            all_findings.extend(poutine.parse(args.poutine))
+        else:
+            print(f"Scanning repository: {args.poutine}")
+            all_findings.extend(poutine.run(args.poutine))
+
+    if args.zizmor:
+        zizmor = ZizmorScanner()
+        if os.path.isfile(args.zizmor):
+            all_findings.extend(zizmor.parse(args.zizmor))
+        else:
+            print(f"Scanning repository: {args.zizmor}")
+            all_findings.extend(zizmor.run(args.zizmor))
+
+    with open(args.output, 'w') as f:
+        json.dump(all_findings, f, indent=2)
+    print(f"Merged {len(all_findings)} findings into {args.output}")
+
+    # Save to scan history database
+    save_scan(all_findings)
+
+    if args.analyze:
+        print("Running AI analysis...")
+        analyzer = OllamaAnalyzer()
+        summary = analyzer.analyze(all_findings)
+        summary_file = args.output.replace('.json', '_ai_summary.md')
+        with open(summary_file, 'w', encoding='utf-8') as s:
+            s.write(f"# 🛡️ Pipeline Sentinel AI Analysis\n\n{summary}")
+        print(f"AI summary saved to {summary_file}")
+
+if __name__ == '__main__':
+    main()

devsecops_radar-0.1.0/devsecops_radar/core/analyzer.py

@@ -0,0 +1,45 @@
+import json
+import os
+import requests
+from typing import List, Dict, Any, Optional
+
+class BaseAnalyzer:
+    def analyze(self, findings: List[Dict[str, Any]]) -> str:
+        raise NotImplementedError
+
+class OllamaAnalyzer(BaseAnalyzer):
+    def __init__(self, model: str = "llama3.2:latest", endpoint: str = "http://localhost:11434/api/generate"):
+        self.model = model
+        self.endpoint = endpoint
+
+    def analyze(self, findings: List[Dict[str, Any]]) -> str:
+        if not findings:
+            return "No findings to analyze."
+
+        criticals = [f for f in findings if f.get("severity") == "CRITICAL"]
+        highs = [f for f in findings if f.get("severity") == "HIGH"]
+        mediums = [f for f in findings if f.get("severity") == "MEDIUM"]
+        lows = [f for f in findings if f.get("severity") == "LOW"]
+
+        prompt = f"""You are a DevSecOps security expert. Analyze the following aggregated security findings from CI/CD scanners (Trivy, Semgrep, Poutine, Zizmor).
+Total findings: {len(findings)} (CRITICAL: {len(criticals)}, HIGH: {len(highs)}, MEDIUM: {len(mediums)}, LOW: {len(lows)})
+
+List of findings:
+{json.dumps(findings, indent=2)}
+
+Provide:
+1. A short executive summary (2-3 sentences) of the overall risk.
+2. Identify possible attack paths (e.g., "a vulnerable package combined with an exposed secret could lead to RCE").
+3. Recommend the top 3 most critical actions to fix.
+Keep the response concise and use bullet points."""
+        try:
+            resp = requests.post(
+                self.endpoint,
+                json={"model": self.model, "prompt": prompt, "stream": False},
+                timeout=120
+            )
+            resp.raise_for_status()
+            result = resp.json()
+            return result.get("response", "No AI response.")
+        except Exception as e:
+            return f"AI analysis failed: {str(e)}"

devsecops_radar-0.1.0/devsecops_radar/core/database.py

@@ -0,0 +1,54 @@
+import sqlite3
+import json
+from datetime import datetime
+from typing import List, Dict, Any
+
+DB_PATH = "scan_history.db"
+
+def init_db():
+    conn = sqlite3.connect(DB_PATH)
+    c = conn.cursor()
+    c.execute('''
+        CREATE TABLE IF NOT EXISTS scans (
+            id INTEGER PRIMARY KEY AUTOINCREMENT,
+            timestamp TEXT NOT NULL,
+            findings_json TEXT NOT NULL
+        )
+    ''')
+    conn.commit()
+    conn.close()
+
+def save_scan(findings: List[Dict[str, Any]]):
+    init_db()
+    conn = sqlite3.connect(DB_PATH)
+    c = conn.cursor()
+    c.execute('INSERT INTO scans (timestamp, findings_json) VALUES (?, ?)',
+              (datetime.utcnow().isoformat(), json.dumps(findings)))
+    conn.commit()
+    conn.close()
+
+def get_all_scans() -> List[Dict[str, Any]]:
+    init_db()
+    conn = sqlite3.connect(DB_PATH)
+    conn.row_factory = sqlite3.Row
+    c = conn.cursor()
+    c.execute('SELECT id, timestamp, findings_json FROM scans ORDER BY timestamp ASC')
+    rows = c.fetchall()
+    scans = []
+    for row in rows:
+        findings = json.loads(row['findings_json'])
+        criticals = sum(1 for f in findings if f.get('severity') == 'CRITICAL')
+        highs = sum(1 for f in findings if f.get('severity') == 'HIGH')
+        mediums = sum(1 for f in findings if f.get('severity') == 'MEDIUM')
+        lows = sum(1 for f in findings if f.get('severity') == 'LOW')
+        scans.append({
+            'id': row['id'],
+            'timestamp': row['timestamp'],
+            'total': len(findings),
+            'critical': criticals,
+            'high': highs,
+            'medium': mediums,
+            'low': lows
+        })
+    conn.close()
+    return scans

devsecops_radar-0.1.0/devsecops_radar/core/parser.py

@@ -0,0 +1,44 @@
+import json
+from typing import List, Dict, Any
+
+def parse_trivy_json(file_path: str) -> List[Dict[str, Any]]:
+    with open(file_path) as f:
+        data = json.load(f)
+    findings = []
+    for result in data.get("Results", []):
+        target = result.get("Target", "Unknown")
+        for vuln in result.get("Vulnerabilities", []):
+            findings.append({
+                "tool": "Trivy",
+                "target": target,
+                "id": vuln.get("VulnerabilityID"),
+                "severity": vuln.get("Severity", "UNKNOWN").upper(),
+                "title": vuln.get("Title", ""),
+                "description": vuln.get("Description", ""),
+                "package": vuln.get("PkgName", ""),
+                "installed_version": vuln.get("InstalledVersion", ""),
+                "fixed_version": vuln.get("FixedVersion", "")
+            })
+    return findings
+
+def parse_semgrep_json(file_path: str) -> List[Dict[str, Any]]:
+    with open(file_path) as f:
+        data = json.load(f)
+    findings = []
+    for result in data.get("results", []):
+        findings.append({
+            "tool": "Semgrep",
+            "target": result.get("path", ""),
+            "id": result.get("check_id", ""),
+            "severity": result.get("extra", {}).get("severity", "WARNING").upper(),
+            "title": result.get("check_id", ""),
+            "description": result.get("extra", {}).get("message", ""),
+            "line": result.get("start", {}).get("line", 0),
+        })
+    return findings
+
+def merge_findings(*finding_lists) -> List[Dict[str, Any]]:
+    merged = []
+    for lst in finding_lists:
+        merged.extend(lst)
+    return merged

devsecops_radar-0.1.0/devsecops_radar/scanners/base.py

@@ -0,0 +1,11 @@
+from abc import ABC, abstractmethod
+from typing import List, Dict, Any
+
+class BaseScanner(ABC):
+    @abstractmethod
+    def run(self, target: str) -> List[Dict[str, Any]]:
+        pass
+
+    @abstractmethod
+    def parse(self, file_path: str) -> List[Dict[str, Any]]:
+        pass

devsecops_radar-0.1.0/devsecops_radar/scanners/poutine.py

@@ -0,0 +1,33 @@
+import json
+import subprocess
+import tempfile
+import os
+from typing import List, Dict, Any
+from .base import BaseScanner
+
+class PoutineScanner(BaseScanner):
+    def run(self, target: str) -> List[Dict[str, Any]]:
+        with tempfile.NamedTemporaryFile(suffix='.json', delete=False) as tmp:
+            outfile = tmp.name
+        try:
+            subprocess.run(['poutine', 'scan', target, '--format', 'json', '--output', outfile], check=True)
+            return self.parse(outfile)
+        finally:
+            if os.path.exists(outfile):
+                os.unlink(outfile)
+
+    def parse(self, file_path: str) -> List[Dict[str, Any]]:
+        with open(file_path) as f:
+            data = json.load(f)
+        findings = []
+        for result in data.get("findings", []):
+            findings.append({
+                "tool": "Poutine",
+                "target": result.get("location", {}).get("file", ""),
+                "id": result.get("rule_id", ""),
+                "severity": result.get("severity", "UNKNOWN").upper(),
+                "title": result.get("message", ""),
+                "description": result.get("description", ""),
+                "line": result.get("location", {}).get("line", 0),
+            })
+        return findings

devsecops_radar-0.1.0/devsecops_radar/scanners/semgrep.py

@@ -0,0 +1,33 @@
+import json
+import subprocess
+import tempfile
+import os
+from typing import List, Dict, Any
+from .base import BaseScanner
+
+class SemgrepScanner(BaseScanner):
+    def run(self, target: str) -> List[Dict[str, Any]]:
+        with tempfile.NamedTemporaryFile(suffix='.json', delete=False) as tmp:
+            outfile = tmp.name
+        try:
+            subprocess.run(['semgrep', '--config=auto', '--json', '--output', outfile, target], check=True)
+            return self.parse(outfile)
+        finally:
+            if os.path.exists(outfile):
+                os.unlink(outfile)
+
+    def parse(self, file_path: str) -> List[Dict[str, Any]]:
+        with open(file_path) as f:
+            data = json.load(f)
+        findings = []
+        for result in data.get("results", []):
+            findings.append({
+                "tool": "Semgrep",
+                "target": result.get("path", ""),
+                "id": result.get("check_id", ""),
+                "severity": result.get("extra", {}).get("severity", "WARNING").upper(),
+                "title": result.get("check_id", ""),
+                "description": result.get("extra", {}).get("message", ""),
+                "line": result.get("start", {}).get("line", 0),
+            })
+        return findings

devsecops_radar-0.1.0/devsecops_radar/scanners/trivy.py

@@ -0,0 +1,37 @@
+import json
+import subprocess
+import tempfile
+import os
+from typing import List, Dict, Any
+from .base import BaseScanner
+
+class TrivyScanner(BaseScanner):
+    def run(self, target: str) -> List[Dict[str, Any]]:
+        with tempfile.NamedTemporaryFile(suffix='.json', delete=False) as tmp:
+            outfile = tmp.name
+        try:
+            subprocess.run(['trivy', 'image', '--format', 'json', '--output', outfile, target], check=True)
+            return self.parse(outfile)
+        finally:
+            if os.path.exists(outfile):
+                os.unlink(outfile)
+
+    def parse(self, file_path: str) -> List[Dict[str, Any]]:
+        with open(file_path) as f:
+            data = json.load(f)
+        findings = []
+        for result in data.get("Results", []):
+            target_name = result.get("Target", "Unknown")
+            for vuln in result.get("Vulnerabilities", []):
+                findings.append({
+                    "tool": "Trivy",
+                    "target": target_name,
+                    "id": vuln.get("VulnerabilityID"),
+                    "severity": vuln.get("Severity", "UNKNOWN").upper(),
+                    "title": vuln.get("Title", ""),
+                    "description": vuln.get("Description", ""),
+                    "package": vuln.get("PkgName", ""),
+                    "installed_version": vuln.get("InstalledVersion", ""),
+                    "fixed_version": vuln.get("FixedVersion", "")
+                })
+        return findings

devsecops_radar-0.1.0/devsecops_radar/scanners/zizmor.py

@@ -0,0 +1,33 @@
+import json
+import subprocess
+import tempfile
+import os
+from typing import List, Dict, Any
+from .base import BaseScanner
+
+class ZizmorScanner(BaseScanner):
+    def run(self, target: str) -> List[Dict[str, Any]]:
+        with tempfile.NamedTemporaryFile(suffix='.json', delete=False) as tmp:
+            outfile = tmp.name
+        try:
+            subprocess.run(['zizmor', 'scan', target, '--output', outfile, '--format', 'json'], check=True)
+            return self.parse(outfile)
+        finally:
+            if os.path.exists(outfile):
+                os.unlink(outfile)
+
+    def parse(self, file_path: str) -> List[Dict[str, Any]]:
+        with open(file_path) as f:
+            data = json.load(f)
+        findings = []
+        for result in data.get("findings", []):
+            findings.append({
+                "tool": "Zizmor",
+                "target": result.get("path", ""),
+                "id": result.get("rule_id", ""),
+                "severity": result.get("severity", "UNKNOWN").upper(),
+                "title": result.get("message", ""),
+                "description": result.get("description", ""),
+                "line": result.get("location", {}).get("line", 0),
+            })
+        return findings

devsecops_radar-0.1.0/devsecops_radar/web/app.py

@@ -0,0 +1,33 @@
+from flask import Flask, render_template, jsonify
+import json
+import os
+from devsecops_radar.core.database import get_all_scans
+
+app = Flask(__name__)
+
+FINDINGS_FILE = os.environ.get('FINDINGS_FILE', 'findings.json')
+
+def load_findings():
+    if not os.path.exists(FINDINGS_FILE):
+        return []
+    with open(FINDINGS_FILE) as f:
+        return json.load(f)
+
+@app.route('/')
+def index():
+    findings = load_findings()
+    return render_template('index.html', findings=findings)
+
+@app.route('/api/findings')
+def api_findings():
+    return jsonify(load_findings())
+
+@app.route('/api/history')
+def api_history():
+    return jsonify(get_all_scans())
+
+def start_server(host='0.0.0.0', port=8080):
+    app.run(host=host, port=port, debug=True)
+
+if __name__ == '__main__':
+    start_server()

devsecops_radar-0.1.0/devsecops_radar.egg-info/PKG-INFO

@@ -0,0 +1,191 @@
+Metadata-Version: 2.4
+Name: devsecops-radar
+Version: 0.1.0
+Summary: Unified CI/CD Security Dashboard — Pipeline Sentinel
+Author-email: Mehrdoost <mehrdoost@users.noreply.github.com>
+License: MIT
+Project-URL: Homepage, https://github.com/Mehrdoost/devsecops-radar
+Project-URL: Source, https://github.com/Mehrdoost/devsecops-radar
+Classifier: Development Status :: 4 - Beta
+Classifier: Intended Audience :: Developers
+Classifier: Topic :: Security
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.12
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: flask>=3.0
+Requires-Dist: semgrep>=1.0
+Requires-Dist: pyyaml>=6.0
+Requires-Dist: requests>=2.31
+Dynamic: license-file
+
+# 🛡️ Pipeline Sentinel
+
+**Unified CI/CD Security Observability — AI‑Enhanced & Offline‑Ready**
+
+Aggregate findings from **Trivy, Semgrep, Poutine, Zizmor** and more into a single, beautiful dashboard. Correlate risks with an **LLM‑powered analysis engine**, track security trends over time, and enforce guardrails – all in one CLI + web UI.
+
+[![GitHub stars](https://img.shields.io/github/stars/Mehrdoost/devsecops-radar?style=social)](https://github.com/Mehrdoost/devsecops-radar/stargazers)
+[![License](https://img.shields.io/github/license/Mehrdoost/devsecops-radar)](LICENSE)
+[![Docker Pulls](https://img.shields.io/docker/pulls/Mehrdoost/devsecops-radar)](https://hub.docker.com/r/Mehrdoost/devsecops-radar)
+[![PyPI version](https://img.shields.io/pypi/v/devsecops-radar.svg)](https://pypi.org/project/devsecops-radar/)
+[![GitHub release](https://img.shields.io/github/v/release/Mehrdoost/devsecops-radar?include_prereleases)](https://github.com/Mehrdoost/devsecops-radar/releases)
+[![CI](https://github.com/Mehrdoost/devsecops-radar/actions/workflows/test-action.yml/badge.svg)](https://github.com/Mehrdoost/devsecops-radar/actions/workflows/test-action.yml)
+
+---
+
+## 🚀 Quick Start
+
+```bash
+# Install from PyPI
+pip install devsecops-radar
+
+# Or install directly from GitHub
+pip install git+[https://github.com/Mehrdoost/devsecops-radar.git](https://github.com/Mehrdoost/devsecops-radar.git)
+
+# Run the web dashboard
+devsecops-radar-web
+```
+
+🐳 **Docker:** `docker pull ghcr.io/mehrdoost/devsecops-radar:latest` *(see instructions below)*
+
+---
+
+## ✨ Key Features
+
+| Capability | Description |
+| :--- | :--- |
+| 🔌 **Multi‑Scanner Integration** | Natively parses Trivy, Semgrep, Poutine, Zizmor. More via pluggable architecture. |
+| 🧠 **LLM‑Powered Analysis** | Optional AI correlation, false‑positive reduction, attack‑path identification (Ollama‑backed, offline capable). |
+| 📈 **Scan History & Trends** | SQLite‑powered historical storage. Visual trend chart shows risk evolution over time. |
+| 🤖 **GitHub Action** | One‑step integration into your CI/CD. Summarises findings and optionally comments on PRs. |
+| 🎨 **Beautiful Dark Dashboard** | Severity doughnut, trend line chart, search & filters – works fully offline (all assets bundled). |
+| 🐳 **Docker Native** | Official image on GitHub Container Registry. Just one `docker run` away. |
+
+---
+
+## 🔧 Supported Scanners
+
+| Scanner | What it scans | Status |
+| :--- | :--- | :--- |
+| **Trivy** | Container images & dependencies | ✅ |
+| **Semgrep** | SAST (Static Code Analysis) | ✅ |
+| **Poutine** | GitLab CI/CD configuration security | ✅ |
+| **Zizmor** | GitHub Actions workflow security | ✅ |
+| **Snyk, ZAP, Dependency-Track** | Roadmap | 🔲 |
+
+*Adding a new scanner is easy – extend `BaseScanner` and plug it in.*
+
+---
+
+
+## 📸 Dashboard Preview
+
+![DevSecOps Radar Dashboard](docs/Demo.gif)
+
+---
+
+## 🤖 GitHub Action
+
+Add security analysis to your workflow with a single step:
+
+```yaml
+- name: Pipeline Sentinel
+  uses: Mehrdoost/devsecops-radar/action@main
+  with:
+    trivy_report: trivy-results.json
+    semgrep_report: semgrep-results.json
+    poutine_report: poutine-results.json
+    zizmor_report: zizmor-results.json
+```
+
+The action merges findings, creates a job summary, and outputs CRITICAL/HIGH counts.
+
+---
+
+## 📊 Scan History & Trends
+
+Every run automatically stores findings in a local `scan_history.db`.
+The dashboard renders a **Trend Over Time** chart so teams can monitor whether security posture is improving.
+
+```bash
+# Multiple scans build history
+devsecops-radar --trivy sample_trivy.json --semgrep sample_semgrep.json
+devsecops-radar --trivy sample_trivy.json --semgrep sample_semgrep.json --poutine sample_poutine.json
+
+# Now view the trend in the dashboard
+devsecops-radar-web
+```
+
+---
+
+## 🧠 AI‑Powered Analysis (Optional)
+
+Enable LLM analysis with `--analyze` (requires Ollama running locally):
+
+```bash
+ollama pull llama3.2:latest          # one-time setup
+devsecops-radar --trivy sample_trivy.json --semgrep sample_semgrep.json --zizmor sample_zizmor.json --analyze
+```
+
+*Generates `findings_ai_summary.md` with executive summary, attack paths, and remediation tips.*
+
+---
+
+## 🛠️ Usage
+
+### From Source (Python)
+```bash
+pip install -e .
+devsecops-radar --trivy trivy.json --semgrep semgrep.json
+devsecops-radar-web
+```
+
+### Docker
+```bash
+docker pull ghcr.io/mehrdoost/devsecops-radar:latest
+docker run -p 8080:8080 -v $(pwd)/findings.json:/data/findings.json ghcr.io/mehrdoost/devsecops-radar:latest
+```
+
+### Using Sample Data
+```bash
+devsecops-radar --trivy sample_trivy.json --semgrep sample_semgrep.json --poutine sample_poutine.json --zizmor sample_zizmor.json
+```
+
+---
+
+## 🗺️ Roadmap
+
+- [x] Multi‑scanner engine (Trivy, Semgrep, Poutine, Zizmor)
+- [x] AI correlation & analysis
+- [x] Scan history & trend visualisation
+- [x] GitHub Action (composite)
+- [x] Docker image (GitHub Container Registry)
+- [ ] Security guardrail policies (`policy.yml`)
+- [ ] AI remediation advisor (detailed fix guidance)
+- [ ] Findings diff/compare between branches
+- [ ] Jira / Slack integration
+
+---
+
+## 🤝 Contributing
+
+Pull requests and issues are warmly welcome!
+If you’d like to integrate a new scanner, open an issue with a sample of its JSON output.
+
+---
+
+## 👨‍💻 Author
+
+**Mehrdoost** 
+
+[![GitHub](https://img.shields.io/badge/GitHub-Mehrdoost-181717?logo=github)](https://github.com/Mehrdoost)
+
+---
+
+## 📜 License
+
+MIT – see [LICENSE](LICENSE) file.
+
+⭐ **If this project helps your team ship more secure software, please drop a star!**

devsecops_radar-0.1.0/devsecops_radar.egg-info/SOURCES.txt

@@ -0,0 +1,25 @@
+LICENSE
+README.md
+pyproject.toml
+devsecops_radar/__init__.py
+devsecops_radar.egg-info/PKG-INFO
+devsecops_radar.egg-info/SOURCES.txt
+devsecops_radar.egg-info/dependency_links.txt
+devsecops_radar.egg-info/entry_points.txt
+devsecops_radar.egg-info/requires.txt
+devsecops_radar.egg-info/top_level.txt
+devsecops_radar/cli/__init__.py
+devsecops_radar/cli/scanner.py
+devsecops_radar/core/__init__.py
+devsecops_radar/core/analyzer.py
+devsecops_radar/core/database.py
+devsecops_radar/core/parser.py
+devsecops_radar/scanners/base.py
+devsecops_radar/scanners/poutine.py
+devsecops_radar/scanners/semgrep.py
+devsecops_radar/scanners/trivy.py
+devsecops_radar/scanners/zizmor.py
+devsecops_radar/web/__init__.py
+devsecops_radar/web/app.py
+tests/test_cli.py
+tests/test_scanners.py

devsecops_radar-0.1.0/devsecops_radar.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

devsecops_radar-0.1.0/devsecops_radar.egg-info/entry_points.txt

@@ -0,0 +1,3 @@
+[console_scripts]
+devsecops-radar = devsecops_radar.cli.scanner:main
+devsecops-radar-web = devsecops_radar.web.app:start_server

devsecops_radar-0.1.0/devsecops_radar.egg-info/requires.txt

@@ -0,0 +1,4 @@
+flask>=3.0
+semgrep>=1.0
+pyyaml>=6.0
+requests>=2.31

devsecops_radar-0.1.0/devsecops_radar.egg-info/top_level.txt

@@ -0,0 +1 @@
+devsecops_radar

devsecops_radar-0.1.0/pyproject.toml

@@ -0,0 +1,38 @@
+[build-system]
+requires = ["setuptools>=68.0", "wheel"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "devsecops-radar"
+version = "0.1.0"
+description = "Unified CI/CD Security Dashboard — Pipeline Sentinel"
+readme = "README.md"
+license = {text = "MIT"}
+authors = [
+    {name = "Mehrdoost", email = "mehrdoost@users.noreply.github.com"}
+]
+classifiers = [
+    "Development Status :: 4 - Beta",
+    "Intended Audience :: Developers",
+    "Topic :: Security",
+    "License :: OSI Approved :: MIT License",
+    "Programming Language :: Python :: 3.10",
+    "Programming Language :: Python :: 3.12",
+]
+dependencies = [
+    "flask>=3.0",
+    "semgrep>=1.0",
+    "pyyaml>=6.0",
+    "requests>=2.31"
+]
+
+[project.urls]
+Homepage = "https://github.com/Mehrdoost/devsecops-radar"
+Source = "https://github.com/Mehrdoost/devsecops-radar"
+
+[tool.setuptools]
+packages = ["devsecops_radar", "devsecops_radar.core", "devsecops_radar.cli", "devsecops_radar.web", "devsecops_radar.scanners"]
+
+[project.scripts]
+devsecops-radar = "devsecops_radar.cli.scanner:main"
+devsecops-radar-web = "devsecops_radar.web.app:start_server"

devsecops_radar-0.1.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

devsecops_radar-0.1.0/tests/test_scanners.py

@@ -0,0 +1,70 @@
+import json
+import tempfile
+import os
+from devsecops_radar.scanners.trivy import TrivyScanner
+from devsecops_radar.scanners.semgrep import SemgrepScanner
+from devsecops_radar.scanners.poutine import PoutineScanner
+
+sample_trivy = {
+    "Results": [{
+        "Target": "test-app",
+        "Vulnerabilities": [{
+            "VulnerabilityID": "CVE-TEST-1",
+            "Severity": "CRITICAL",
+            "Title": "Test vuln",
+            "Description": "Test description",
+            "PkgName": "test-pkg",
+            "InstalledVersion": "1.0",
+            "FixedVersion": "2.0"
+        }]
+    }]
+}
+
+sample_semgrep = {
+    "results": [{
+        "path": "test.py",
+        "check_id": "test.rule",
+        "extra": {"severity": "HIGH", "message": "Test finding"},
+        "start": {"line": 10}
+    }]
+}
+
+sample_poutine = {
+    "findings": [{
+        "rule_id": "test-rule",
+        "severity": "MEDIUM",
+        "message": "Test poutine",
+        "description": "Desc",
+        "location": {"file": ".gitlab-ci.yml", "line": 1}
+    }]
+}
+
+def write_temp(data):
+    tmp = tempfile.NamedTemporaryFile(mode='w', suffix='.json', delete=False)
+    json.dump(data, tmp)
+    tmp.close()
+    return tmp.name
+
+def test_trivy_parse():
+    path = write_temp(sample_trivy)
+    findings = TrivyScanner().parse(path)
+    os.unlink(path)
+    assert len(findings) == 1
+    assert findings[0]['tool'] == 'Trivy'
+    assert findings[0]['severity'] == 'CRITICAL'
+
+def test_semgrep_parse():
+    path = write_temp(sample_semgrep)
+    findings = SemgrepScanner().parse(path)
+    os.unlink(path)
+    assert len(findings) == 1
+    assert findings[0]['tool'] == 'Semgrep'
+    assert findings[0]['severity'] == 'HIGH'
+
+def test_poutine_parse():
+    path = write_temp(sample_poutine)
+    findings = PoutineScanner().parse(path)
+    os.unlink(path)
+    assert len(findings) == 1
+    assert findings[0]['tool'] == 'Poutine'
+    assert findings[0]['severity'] == 'MEDIUM'