devsecops-radar 0.3.6__tar.gz → 0.3.9__tar.gz

{devsecops_radar-0.3.6/devsecops_radar.egg-info → devsecops_radar-0.3.9}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: devsecops-radar
-Version: 0.3.6
+Version: 0.3.9
 Summary: Unified CI/CD Security Dashboard — Pipeline Sentinel
 Author-email: Mehrdoost <70381337+Mehrdoost@users.noreply.github.com>
 License-Expression: MIT
@@ -27,16 +27,16 @@ Requires-Dist: pytest>=8.0
 Requires-Dist: pytest-flask>=1.3
 Dynamic: license-file
 
-<!-- markdownlint-disable MD033 MD041 -->
 <div align="center">
 
 # 🛡️ Pipeline Sentinel
+
 **The Open‑Source DevSecOps Command Center — Unify, Analyse, Remediate.**
 
 [![PyPI version](https://img.shields.io/pypi/v/devsecops-radar?style=flat-square&color=blue)](https://pypi.org/project/devsecops-radar/)
 [![License](https://img.shields.io/github/license/Mehrdoost/devsecops-radar?style=flat-square)](LICENSE)
 [![GitHub release](https://img.shields.io/github/v/release/Mehrdoost/devsecops-radar?include_prereleases&style=flat-square)](https://github.com/Mehrdoost/devsecops-radar/releases)
-[![CI](https://img.shields.io/github/actions/workflow/status/Mehrdoost/devsecops-radar/test-action.yml?branch=main&style=flat-square)](https://github.com/Mehrdoost/devsecops-radar/actions)
+[![CI](https://img.shields.io/github/actions/workflow/status/Mehrdoost/devsecops-radar/ci.yml?branch=main&style=flat-square)](https://github.com/Mehrdoost/devsecops-radar/actions)
 [![Stars](https://img.shields.io/github/stars/Mehrdoost/devsecops-radar?style=flat-square)](https://github.com/Mehrdoost/devsecops-radar/stargazers)
 
 </div>
@@ -46,21 +46,24 @@ Dynamic: license-file
 ---
 
 ## 📖 Table of Contents
+
 1. [What Is Pipeline Sentinel? (Simple Explanation)](#-what-is-pipeline-sentinel-simple-explanation)
 2. [Why You Need It](#-why-you-need-it)
 3. [Where to Run It in Your Network](#-where-to-run-it-in-your-network)
 4. [Dashboard Preview](#-dashboard-preview)
 5. [Quick Start](#-quick-start)
-6. [Installation](#-installation)
-7. [How to Use (Step‑by‑Step)](#-how-to-use-stepbystep)
-8. [Complete Command Reference](#-complete-command-reference)
-9. [Core Capabilities](#-core-capabilities)
-10. [Architecture](#️-architecture)
-11. [Roadmap](#️-roadmap)
-12. [GitHub Action](#-github-action)
-13. [Contributing](#-contributing)
-14. [Author](#-author)
-15. [License](#-license)
+6. [Prerequisites](#-prerequisites)
+7. [Installation](#-installation)
+8. [How to Use (Step‑by‑Step)](#-how-to-use-stepbystep)
+9. [Complete Command Reference](#-complete-command-reference)
+10. [Core Capabilities](#-core-capabilities)
+11. [Community Rules & Online Updates](#-community-rules--online-updates)
+12. [Architecture](#️-architecture)
+13. [Roadmap](#️-roadmap)
+14. [Testing & CI](#-testing--ci)
+15. [Contributing](#-contributing)
+16. [Author](#-author)
+17. [License](#-license)
 
 ---
 
@@ -79,13 +82,13 @@ Think of it as a **security camera system for your entire CI/CD pipeline** — i
 In 2026, **supply chain attacks** have become the #1 threat. Tools like Trivy themselves were compromised, and attackers now inject malicious code directly into build pipelines. **You can no longer just scan your code; you must scan your pipeline.**
 
 Pipeline Sentinel gives you:
-*   **One screen for all scanners** – stop juggling log files.
-*   **AI that understands attack chains** – “A leaked secret + an old library = a disaster.”
-*   **Automatic fixes** – with a single flag, it patches files and opens a pull request.
-*   **Human review mode** – inspect each fix before applying.
-*   **Compliance reports** – generate a PDF for your boss or auditor.
-*   **100% offline capable** – works in air‑gapped environments where security matters most.
-*   **Interactive wizard** – one command to get everything running.
+* **One screen for all scanners** – stop juggling log files.
+* **AI that understands attack chains** – “A leaked secret + an old library = a disaster.”
+* **Automatic fixes** – with a single flag, it patches files and opens a pull request.
+* **Human review mode** – inspect each fix before applying.
+* **Compliance reports** – generate a PDF for your boss or auditor.
+* **100% offline capable** – works in air‑gapped environments where security matters most.
+* **Interactive wizard** – one command to get everything running.
 
 ---
 
@@ -110,14 +113,15 @@ Pipeline Sentinel is designed to be **flexible** — you decide where it fits be
 [Gitleaks scan] ┘
 ```
 
-> **📌 Diagram Placeholder:**  
-![Network Flow Diagram](docs/architecture.png)
+> **📌 Diagram Placeholder:** Add your network flow diagram here as `docs/network_flow.png`.  
+> `![Network Flow Diagram](docs/network_flow.png)`
 
 ---
 
 ## 📸 Dashboard Preview
 
 ![Pipeline Sentinel Dashboard](docs/Demo.gif)
+
 *(Severity doughnut, trend line chart, attack‑path graph (clickable nodes), topology view, executive summary — all fully offline.)*
 
 ---
@@ -144,6 +148,24 @@ devsecops-radar --wizard
 
 ---
 
+## 📋 Prerequisites
+
+Pipeline Sentinel relies on external security tools to produce the JSON reports it consumes. You must install these tools separately according to your needs.
+
+**Required for offline scanning:**
+* Trivy (installation)
+* Semgrep (installation)
+* Poutine (installation)
+* Zizmor (installation)
+* Gitleaks (installation)
+
+**Optional (for AI analysis):**
+* Ollama (installation)
+
+> 📖 **See `PREREQUISITES.md` for more details.**
+
+---
+
 ## 📦 Installation
 
 ### Option 1 — PyPI (Recommended)
@@ -199,19 +221,19 @@ gitleaks detect --source . --report-format json --report-path gitleaks.json
 ```bash
 devsecops-radar --trivy trivy.json --semgrep semgrep.json --poutine poutine.json --zizmor zizmor.json --gitleaks gitleaks.json
 ```
-This produces a single `findings.json` with all findings merged and normalised.
+*This produces a single `findings.json` with all findings merged and normalised.*
 
 ### 3. View the Dashboard
 ```bash
 devsecops-radar-web
 ```
 The dashboard shows:
-*   **Severity Breakdown** – Doughnut chart
-*   **Trend Over Time** – Line chart from scan history
-*   **Pipeline Security** – Poutine + Zizmor statistics card
-*   **Attack Path Graph** – Interactive D3.js graph (click nodes for details)
-*   **Executive Summary** – Risk score and AI‑generated summary
-*   **Findings Table** – Searchable, filterable, paginated
+* **Severity Breakdown** – Doughnut chart
+* **Trend Over Time** – Line chart from scan history
+* **Pipeline Security** – Poutine + Zizmor statistics card
+* **Attack Path Graph** – Interactive D3.js graph (click nodes for details)
+* **Executive Summary** – Risk score and AI‑generated summary
+* **Findings Table** – Searchable, filterable, paginated
 
 ### 4. Enable AI Analysis (Optional)
 ```bash
@@ -220,10 +242,10 @@ devsecops-radar --trivy trivy.json --analyze
 devsecops-radar-web
 ```
 The LLM generates `findings_ai_summary.json` containing:
-*   `executive_summary`, `risk_score`
-*   `attack_paths` with MITRE ATT&CK tactics
-*   `top_remediations` (some with `fix_diff`)
-*   `false_positives_likely`
+* `executive_summary`, `risk_score`
+* `attack_paths` with MITRE ATT&CK tactics
+* `top_remediations` (some with `fix_diff`)
+* `false_positives_likely`
 
 ### 5. Auto‑Remediation (with Human Review)
 ```bash
@@ -233,7 +255,7 @@ devsecops-radar --trivy trivy.json --analyze --fix
 # Review each fix before applying
 devsecops-radar --trivy trivy.json --analyze --fix --review
 ```
-The tool creates a new git branch `auto-fix` and pushes it for review.
+*The tool creates a new git branch `auto-fix` and pushes it for review.*
 
 ### 6. Policy Enforcement
 Create a `policy.json` file:
@@ -247,7 +269,7 @@ Create a `policy.json` file:
 ```bash
 devsecops-radar --trivy trivy.json --policy policy.json
 ```
-If critical findings exceed 5, the command exits with code 1 — perfect for CI/CD gates.
+*If critical findings exceed 5, the command exits with code 1 — perfect for CI/CD gates.*
 
 ### 7. Generate Compliance Reports
 ```bash
@@ -312,18 +334,18 @@ Built‑in support for five scanners with a real plugin system. Third‑party sc
 | **Gitleaks**| Secrets detection | `--gitleaks` |
 
 ### 🧩 Hybrid RuleFusion Engine
-*   **Offline** – Load custom JSON rules from any local directory (`--rules ~/my-rules/`)
-*   **Online** – Pull community‑curated rules from a configurable Git repository (`--update-rules`)
-*   Auto‑detects Trivy, Semgrep, Poutine, Zizmor, and plain‑list formats
-*   Policy evaluation built directly into the engine
-*   Community rules repo: `devsecops-radar-rules` (configurable via `COMMUNITY_RULES_REPO`)
+* **Offline** – Load custom JSON rules from any local directory (`--rules ~/my-rules/`)
+* **Online** – Pull community‑curated rules from a configurable Git repository (`--update-rules`)
+* Auto‑detects Trivy, Semgrep, Poutine, Zizmor, and plain‑list formats
+* Policy evaluation built directly into the engine
+* Community rules repo: `devsecops-radar-rules` (configurable via `COMMUNITY_RULES_REPO`)
 
 ### 🧠 LLM‑Powered Analysis
-*   Retry logic with exponential backoff for unstable endpoints
-*   Few‑shot examples covering real‑world supply chain attack chains
-*   Token‑aware selection (max items configurable via `ANALYZER_MAX_FINDINGS`)
-*   Structured JSON output: `executive_summary`, `risk_score`, `attack_paths` (MITRE ATT&CK), `top_remediations`, `false_positives_likely`
-*   Ollama (local, offline) and LiteLLM (OpenAI, Anthropic, etc.) support
+* Retry logic with exponential backoff for unstable endpoints
+* Few‑shot examples covering real‑world supply chain attack chains
+* Token‑aware selection (max items configurable via `ANALYZER_MAX_FINDINGS`)
+* Structured JSON output: `executive_summary`, `risk_score`, `attack_paths` (MITRE ATT&CK), `top_remediations`, `false_positives_likely`
+* Ollama (local, offline) and LiteLLM (OpenAI, Anthropic, etc.) support
 
 ### 🕸️ Multi‑Step Attack Path Visualization
 Interactive D3.js force graph that chains findings into realistic attack scenarios. Click any node to see detailed finding information. Accepts a topology file to map findings onto your actual infrastructure, showing lateral movement across servers and subnets.
@@ -343,17 +365,17 @@ AI‑suggested fixes can be applied automatically (`--fix`) or reviewed one‑by
 
 ### 📊 Compliance & Executive Reports (with Redaction)
 Generate professional PDF reports (`--report report.pdf`) with:
-*   Executive summary and risk score
-*   Findings table (first 50 items)
-*   Compliance mapping (CIS, PCI‑DSS, ISO 27001)
-*   Automatic redaction of passwords, tokens, JWTs
+* Executive summary and risk score
+* Findings table (first 50 items)
+* Compliance mapping (CIS, PCI‑DSS, ISO 27001)
+* Automatic redaction of passwords, tokens, JWTs
 
 ### 📈 Scan History & Trends (with Pagination)
 SQLAlchemy‑backed database with server‑side pagination (`/api/findings?page=1&per_page=50`). Scan history is stored efficiently, enabling fast trend charts and historical comparisons.
 
 ### 🧪 SBOM & Dependency Confusion Detection
-*   Generate a CycloneDX SBOM from your project using `syft`
-*   Detect dependency confusion risks in `package.json` and `requirements.txt` — internal packages that could be impersonated by public registries
+* Generate a CycloneDX SBOM from your project using `syft`
+* Detect dependency confusion risks in `package.json` and `requirements.txt` — internal packages that could be impersonated by public registries
 
 ### 🔍 RAG‑Powered Security Search
 Ask natural language questions about your scan history: *“When was the last Log4j vulnerability found?”* The built‑in RAG endpoint (`/api/rag?q=...`) searches stored findings and returns matches.
@@ -368,10 +390,34 @@ Beyond CVSS, each finding gets a dynamic risk score based on asset exposure (fro
 A `--wizard` flag walks new users through installing dependencies, pulling AI models, and running their first scan — all in one go.
 
 ### 🔒 Privacy & Offline‑First
-*   All assets (CSS, JS) are embedded — zero CDN calls
-*   LLM analysis runs locally with Ollama; no data leaves your network
-*   Optional API key authentication for the dashboard
-*   Docker image runs as non‑root user
+* All assets (CSS, JS) are embedded — zero CDN calls
+* LLM analysis runs locally with Ollama; no data leaves your network
+* Optional API key authentication for the dashboard (JWT supported)
+* Docker image runs as non‑root user
+
+---
+
+## 🌍 Community Rules & Online Updates
+
+Pipeline Sentinel features a community‑driven rule marketplace housed in a separate repository: `devsecops-radar-rules`.
+
+### How It Works
+The repository contains curated JSON rule files for all supported scanners (Trivy, Semgrep, Poutine, Zizmor, Gitleaks) and generic compliance checks. Anyone can contribute by submitting a Pull Request with new or improved rules. 
+
+Users can pull the latest rules with a single command:
+```bash
+devsecops-radar --update-rules
+```
+Rules are stored locally in `~/.devsecops-radar/community-rules/`. To use them alongside your scanner results:
+```bash
+devsecops-radar --trivy scan.json --rules ~/.devsecops-radar/community-rules/
+```
+You can even point to your own fork or a private repository by setting the `COMMUNITY_RULES_REPO` environment variable. This turns Pipeline Sentinel into a living, community‑improved security platform — just like Nuclei Templates or Semgrep Registry.
+
+### Contributing a Rule
+1. Fork the `devsecops-radar-rules` repository.
+2. Add a new JSON file to the `rules/` directory (or modify an existing one). Follow the standard Pipeline Sentinel finding format (see the repo’s README).
+3. Open a Pull Request — our maintainers will review and merge.
 
 ---
 
@@ -421,44 +467,42 @@ devsecops_radar/
 | ✅ **Phase 3** | Human review mode (`--review`) | Done |
 | ✅ **Phase 3** | Gitleaks secret scanner | Done |
 | ✅ **Phase 3** | Security badge endpoint | Done |
+| ✅ **Phase 3** | Full test suite & CI pipeline | Done |
 | 🔲 **Phase 4** | Jira / Slack integration | Planned |
 | 🔲 **Phase 4** | SARIF & CycloneDX support | Planned |
-| 🔲 **Phase 4** | Rule Marketplace (community YAML rules) | Planned |
 | 🔲 **Phase 4** | Pull Request assistant (GitHub App) | Planned |
 
-> See the [open issues](https://github.com/Mehrdoost/devsecops-radar/issues) for a full list of proposed features.
-
 ---
 
-## 🤖 GitHub Action
-
-```yaml
-- name: Pipeline Sentinel
-  uses: Mehrdoost/devsecops-radar/action@main
-  with:
-    trivy_report: trivy-results.json
-    semgrep_report: semgrep-results.json
-    poutine_report: poutine-results.json
-    zizmor_report: zizmor-results.json
-    gitleaks_report: gitleaks-results.json
+## 🧪 Testing & CI
+
+Pipeline Sentinel is thoroughly tested to ensure reliability for production use.
+* **Unit & Integration Tests:** 23 tests covering scanners, rule engine, database, analyzer, API, and CLI.
+* **CI Pipeline:** Every push and pull request triggers automated testing (pytest) and linting (ruff) via GitHub Actions.
+
+You can run the tests locally:
+```bash
+pip install -e .
+pip install pytest pytest-flask ruff
+pytest tests/ -v
+ruff check .
 ```
-*The action merges findings, creates a job summary, and outputs CRITICAL/HIGH counts.*
 
 ---
 
 ## 🤝 Contributing
 
-Pull requests and issues are warmly welcome!
-If you would like to integrate a new scanner, open an issue with a sample of its JSON output.
-For permanent scanner plugins, extend the `ScannerPlugin` class and register it via entry points.
+We welcome contributions of all kinds! Please read our `CONTRIBUTING.md` for detailed guidelines on how to set up the project, add new scanners, or submit rule changes. For contributing community rules, see the Community Rules section above.
 
 ---
 
 ## 👨‍💻 Author
 
-**Mehrdoost** 
+**ReverseForge** — ( Mehrdoost And Mi0r4 ) 
 
-[![GitHub](https://img.shields.io/badge/GitHub-Mehrdoost-181717?logo=github)](https://github.com/Mehrdoost)
+[cite_start][![GitHub](https://img.shields.io/badge/GitHub-Mehrdoost-181717?logo=github)](https://github.com/ReverseForge) 
+[cite_start][![GitHub](https://img.shields.io/badge/GitHub-Mehrdoost-181717?logo=github)](https://github.com/Mehrdoost) 
+[cite_start][![GitHub](https://img.shields.io/badge/GitHub-Mehrdoost-181717?logo=github)](https://github.com/miora-sora) 
 
 
 ---

{devsecops_radar-0.3.6 → devsecops_radar-0.3.9}/README.md

@@ -1,13 +1,13 @@
-<!-- markdownlint-disable MD033 MD041 -->
 <div align="center">
 
 # 🛡️ Pipeline Sentinel
+
 **The Open‑Source DevSecOps Command Center — Unify, Analyse, Remediate.**
 
 [![PyPI version](https://img.shields.io/pypi/v/devsecops-radar?style=flat-square&color=blue)](https://pypi.org/project/devsecops-radar/)
 [![License](https://img.shields.io/github/license/Mehrdoost/devsecops-radar?style=flat-square)](LICENSE)
 [![GitHub release](https://img.shields.io/github/v/release/Mehrdoost/devsecops-radar?include_prereleases&style=flat-square)](https://github.com/Mehrdoost/devsecops-radar/releases)
-[![CI](https://img.shields.io/github/actions/workflow/status/Mehrdoost/devsecops-radar/test-action.yml?branch=main&style=flat-square)](https://github.com/Mehrdoost/devsecops-radar/actions)
+[![CI](https://img.shields.io/github/actions/workflow/status/Mehrdoost/devsecops-radar/ci.yml?branch=main&style=flat-square)](https://github.com/Mehrdoost/devsecops-radar/actions)
 [![Stars](https://img.shields.io/github/stars/Mehrdoost/devsecops-radar?style=flat-square)](https://github.com/Mehrdoost/devsecops-radar/stargazers)
 
 </div>
@@ -17,21 +17,24 @@
 ---
 
 ## 📖 Table of Contents
+
 1. [What Is Pipeline Sentinel? (Simple Explanation)](#-what-is-pipeline-sentinel-simple-explanation)
 2. [Why You Need It](#-why-you-need-it)
 3. [Where to Run It in Your Network](#-where-to-run-it-in-your-network)
 4. [Dashboard Preview](#-dashboard-preview)
 5. [Quick Start](#-quick-start)
-6. [Installation](#-installation)
-7. [How to Use (Step‑by‑Step)](#-how-to-use-stepbystep)
-8. [Complete Command Reference](#-complete-command-reference)
-9. [Core Capabilities](#-core-capabilities)
-10. [Architecture](#️-architecture)
-11. [Roadmap](#️-roadmap)
-12. [GitHub Action](#-github-action)
-13. [Contributing](#-contributing)
-14. [Author](#-author)
-15. [License](#-license)
+6. [Prerequisites](#-prerequisites)
+7. [Installation](#-installation)
+8. [How to Use (Step‑by‑Step)](#-how-to-use-stepbystep)
+9. [Complete Command Reference](#-complete-command-reference)
+10. [Core Capabilities](#-core-capabilities)
+11. [Community Rules & Online Updates](#-community-rules--online-updates)
+12. [Architecture](#️-architecture)
+13. [Roadmap](#️-roadmap)
+14. [Testing & CI](#-testing--ci)
+15. [Contributing](#-contributing)
+16. [Author](#-author)
+17. [License](#-license)
 
 ---
 
@@ -50,13 +53,13 @@ Think of it as a **security camera system for your entire CI/CD pipeline** — i
 In 2026, **supply chain attacks** have become the #1 threat. Tools like Trivy themselves were compromised, and attackers now inject malicious code directly into build pipelines. **You can no longer just scan your code; you must scan your pipeline.**
 
 Pipeline Sentinel gives you:
-*   **One screen for all scanners** – stop juggling log files.
-*   **AI that understands attack chains** – “A leaked secret + an old library = a disaster.”
-*   **Automatic fixes** – with a single flag, it patches files and opens a pull request.
-*   **Human review mode** – inspect each fix before applying.
-*   **Compliance reports** – generate a PDF for your boss or auditor.
-*   **100% offline capable** – works in air‑gapped environments where security matters most.
-*   **Interactive wizard** – one command to get everything running.
+* **One screen for all scanners** – stop juggling log files.
+* **AI that understands attack chains** – “A leaked secret + an old library = a disaster.”
+* **Automatic fixes** – with a single flag, it patches files and opens a pull request.
+* **Human review mode** – inspect each fix before applying.
+* **Compliance reports** – generate a PDF for your boss or auditor.
+* **100% offline capable** – works in air‑gapped environments where security matters most.
+* **Interactive wizard** – one command to get everything running.
 
 ---
 
@@ -81,14 +84,15 @@ Pipeline Sentinel is designed to be **flexible** — you decide where it fits be
 [Gitleaks scan] ┘
 ```
 
-> **📌 Diagram Placeholder:**  
-![Network Flow Diagram](docs/architecture.png)
+> **📌 Diagram Placeholder:** Add your network flow diagram here as `docs/network_flow.png`.  
+> `![Network Flow Diagram](docs/network_flow.png)`
 
 ---
 
 ## 📸 Dashboard Preview
 
 ![Pipeline Sentinel Dashboard](docs/Demo.gif)
+
 *(Severity doughnut, trend line chart, attack‑path graph (clickable nodes), topology view, executive summary — all fully offline.)*
 
 ---
@@ -115,6 +119,24 @@ devsecops-radar --wizard
 
 ---
 
+## 📋 Prerequisites
+
+Pipeline Sentinel relies on external security tools to produce the JSON reports it consumes. You must install these tools separately according to your needs.
+
+**Required for offline scanning:**
+* Trivy (installation)
+* Semgrep (installation)
+* Poutine (installation)
+* Zizmor (installation)
+* Gitleaks (installation)
+
+**Optional (for AI analysis):**
+* Ollama (installation)
+
+> 📖 **See `PREREQUISITES.md` for more details.**
+
+---
+
 ## 📦 Installation
 
 ### Option 1 — PyPI (Recommended)
@@ -170,19 +192,19 @@ gitleaks detect --source . --report-format json --report-path gitleaks.json
 ```bash
 devsecops-radar --trivy trivy.json --semgrep semgrep.json --poutine poutine.json --zizmor zizmor.json --gitleaks gitleaks.json
 ```
-This produces a single `findings.json` with all findings merged and normalised.
+*This produces a single `findings.json` with all findings merged and normalised.*
 
 ### 3. View the Dashboard
 ```bash
 devsecops-radar-web
 ```
 The dashboard shows:
-*   **Severity Breakdown** – Doughnut chart
-*   **Trend Over Time** – Line chart from scan history
-*   **Pipeline Security** – Poutine + Zizmor statistics card
-*   **Attack Path Graph** – Interactive D3.js graph (click nodes for details)
-*   **Executive Summary** – Risk score and AI‑generated summary
-*   **Findings Table** – Searchable, filterable, paginated
+* **Severity Breakdown** – Doughnut chart
+* **Trend Over Time** – Line chart from scan history
+* **Pipeline Security** – Poutine + Zizmor statistics card
+* **Attack Path Graph** – Interactive D3.js graph (click nodes for details)
+* **Executive Summary** – Risk score and AI‑generated summary
+* **Findings Table** – Searchable, filterable, paginated
 
 ### 4. Enable AI Analysis (Optional)
 ```bash
@@ -191,10 +213,10 @@ devsecops-radar --trivy trivy.json --analyze
 devsecops-radar-web
 ```
 The LLM generates `findings_ai_summary.json` containing:
-*   `executive_summary`, `risk_score`
-*   `attack_paths` with MITRE ATT&CK tactics
-*   `top_remediations` (some with `fix_diff`)
-*   `false_positives_likely`
+* `executive_summary`, `risk_score`
+* `attack_paths` with MITRE ATT&CK tactics
+* `top_remediations` (some with `fix_diff`)
+* `false_positives_likely`
 
 ### 5. Auto‑Remediation (with Human Review)
 ```bash
@@ -204,7 +226,7 @@ devsecops-radar --trivy trivy.json --analyze --fix
 # Review each fix before applying
 devsecops-radar --trivy trivy.json --analyze --fix --review
 ```
-The tool creates a new git branch `auto-fix` and pushes it for review.
+*The tool creates a new git branch `auto-fix` and pushes it for review.*
 
 ### 6. Policy Enforcement
 Create a `policy.json` file:
@@ -218,7 +240,7 @@ Create a `policy.json` file:
 ```bash
 devsecops-radar --trivy trivy.json --policy policy.json
 ```
-If critical findings exceed 5, the command exits with code 1 — perfect for CI/CD gates.
+*If critical findings exceed 5, the command exits with code 1 — perfect for CI/CD gates.*
 
 ### 7. Generate Compliance Reports
 ```bash
@@ -283,18 +305,18 @@ Built‑in support for five scanners with a real plugin system. Third‑party sc
 | **Gitleaks**| Secrets detection | `--gitleaks` |
 
 ### 🧩 Hybrid RuleFusion Engine
-*   **Offline** – Load custom JSON rules from any local directory (`--rules ~/my-rules/`)
-*   **Online** – Pull community‑curated rules from a configurable Git repository (`--update-rules`)
-*   Auto‑detects Trivy, Semgrep, Poutine, Zizmor, and plain‑list formats
-*   Policy evaluation built directly into the engine
-*   Community rules repo: `devsecops-radar-rules` (configurable via `COMMUNITY_RULES_REPO`)
+* **Offline** – Load custom JSON rules from any local directory (`--rules ~/my-rules/`)
+* **Online** – Pull community‑curated rules from a configurable Git repository (`--update-rules`)
+* Auto‑detects Trivy, Semgrep, Poutine, Zizmor, and plain‑list formats
+* Policy evaluation built directly into the engine
+* Community rules repo: `devsecops-radar-rules` (configurable via `COMMUNITY_RULES_REPO`)
 
 ### 🧠 LLM‑Powered Analysis
-*   Retry logic with exponential backoff for unstable endpoints
-*   Few‑shot examples covering real‑world supply chain attack chains
-*   Token‑aware selection (max items configurable via `ANALYZER_MAX_FINDINGS`)
-*   Structured JSON output: `executive_summary`, `risk_score`, `attack_paths` (MITRE ATT&CK), `top_remediations`, `false_positives_likely`
-*   Ollama (local, offline) and LiteLLM (OpenAI, Anthropic, etc.) support
+* Retry logic with exponential backoff for unstable endpoints
+* Few‑shot examples covering real‑world supply chain attack chains
+* Token‑aware selection (max items configurable via `ANALYZER_MAX_FINDINGS`)
+* Structured JSON output: `executive_summary`, `risk_score`, `attack_paths` (MITRE ATT&CK), `top_remediations`, `false_positives_likely`
+* Ollama (local, offline) and LiteLLM (OpenAI, Anthropic, etc.) support
 
 ### 🕸️ Multi‑Step Attack Path Visualization
 Interactive D3.js force graph that chains findings into realistic attack scenarios. Click any node to see detailed finding information. Accepts a topology file to map findings onto your actual infrastructure, showing lateral movement across servers and subnets.
@@ -314,17 +336,17 @@ AI‑suggested fixes can be applied automatically (`--fix`) or reviewed one‑by
 
 ### 📊 Compliance & Executive Reports (with Redaction)
 Generate professional PDF reports (`--report report.pdf`) with:
-*   Executive summary and risk score
-*   Findings table (first 50 items)
-*   Compliance mapping (CIS, PCI‑DSS, ISO 27001)
-*   Automatic redaction of passwords, tokens, JWTs
+* Executive summary and risk score
+* Findings table (first 50 items)
+* Compliance mapping (CIS, PCI‑DSS, ISO 27001)
+* Automatic redaction of passwords, tokens, JWTs
 
 ### 📈 Scan History & Trends (with Pagination)
 SQLAlchemy‑backed database with server‑side pagination (`/api/findings?page=1&per_page=50`). Scan history is stored efficiently, enabling fast trend charts and historical comparisons.
 
 ### 🧪 SBOM & Dependency Confusion Detection
-*   Generate a CycloneDX SBOM from your project using `syft`
-*   Detect dependency confusion risks in `package.json` and `requirements.txt` — internal packages that could be impersonated by public registries
+* Generate a CycloneDX SBOM from your project using `syft`
+* Detect dependency confusion risks in `package.json` and `requirements.txt` — internal packages that could be impersonated by public registries
 
 ### 🔍 RAG‑Powered Security Search
 Ask natural language questions about your scan history: *“When was the last Log4j vulnerability found?”* The built‑in RAG endpoint (`/api/rag?q=...`) searches stored findings and returns matches.
@@ -339,10 +361,34 @@ Beyond CVSS, each finding gets a dynamic risk score based on asset exposure (fro
 A `--wizard` flag walks new users through installing dependencies, pulling AI models, and running their first scan — all in one go.
 
 ### 🔒 Privacy & Offline‑First
-*   All assets (CSS, JS) are embedded — zero CDN calls
-*   LLM analysis runs locally with Ollama; no data leaves your network
-*   Optional API key authentication for the dashboard
-*   Docker image runs as non‑root user
+* All assets (CSS, JS) are embedded — zero CDN calls
+* LLM analysis runs locally with Ollama; no data leaves your network
+* Optional API key authentication for the dashboard (JWT supported)
+* Docker image runs as non‑root user
+
+---
+
+## 🌍 Community Rules & Online Updates
+
+Pipeline Sentinel features a community‑driven rule marketplace housed in a separate repository: `devsecops-radar-rules`.
+
+### How It Works
+The repository contains curated JSON rule files for all supported scanners (Trivy, Semgrep, Poutine, Zizmor, Gitleaks) and generic compliance checks. Anyone can contribute by submitting a Pull Request with new or improved rules. 
+
+Users can pull the latest rules with a single command:
+```bash
+devsecops-radar --update-rules
+```
+Rules are stored locally in `~/.devsecops-radar/community-rules/`. To use them alongside your scanner results:
+```bash
+devsecops-radar --trivy scan.json --rules ~/.devsecops-radar/community-rules/
+```
+You can even point to your own fork or a private repository by setting the `COMMUNITY_RULES_REPO` environment variable. This turns Pipeline Sentinel into a living, community‑improved security platform — just like Nuclei Templates or Semgrep Registry.
+
+### Contributing a Rule
+1. Fork the `devsecops-radar-rules` repository.
+2. Add a new JSON file to the `rules/` directory (or modify an existing one). Follow the standard Pipeline Sentinel finding format (see the repo’s README).
+3. Open a Pull Request — our maintainers will review and merge.
 
 ---
 
@@ -392,44 +438,42 @@ devsecops_radar/
 | ✅ **Phase 3** | Human review mode (`--review`) | Done |
 | ✅ **Phase 3** | Gitleaks secret scanner | Done |
 | ✅ **Phase 3** | Security badge endpoint | Done |
+| ✅ **Phase 3** | Full test suite & CI pipeline | Done |
 | 🔲 **Phase 4** | Jira / Slack integration | Planned |
 | 🔲 **Phase 4** | SARIF & CycloneDX support | Planned |
-| 🔲 **Phase 4** | Rule Marketplace (community YAML rules) | Planned |
 | 🔲 **Phase 4** | Pull Request assistant (GitHub App) | Planned |
 
-> See the [open issues](https://github.com/Mehrdoost/devsecops-radar/issues) for a full list of proposed features.
-
 ---
 
-## 🤖 GitHub Action
-
-```yaml
-- name: Pipeline Sentinel
-  uses: Mehrdoost/devsecops-radar/action@main
-  with:
-    trivy_report: trivy-results.json
-    semgrep_report: semgrep-results.json
-    poutine_report: poutine-results.json
-    zizmor_report: zizmor-results.json
-    gitleaks_report: gitleaks-results.json
+## 🧪 Testing & CI
+
+Pipeline Sentinel is thoroughly tested to ensure reliability for production use.
+* **Unit & Integration Tests:** 23 tests covering scanners, rule engine, database, analyzer, API, and CLI.
+* **CI Pipeline:** Every push and pull request triggers automated testing (pytest) and linting (ruff) via GitHub Actions.
+
+You can run the tests locally:
+```bash
+pip install -e .
+pip install pytest pytest-flask ruff
+pytest tests/ -v
+ruff check .
 ```
-*The action merges findings, creates a job summary, and outputs CRITICAL/HIGH counts.*
 
 ---
 
 ## 🤝 Contributing
 
-Pull requests and issues are warmly welcome!
-If you would like to integrate a new scanner, open an issue with a sample of its JSON output.
-For permanent scanner plugins, extend the `ScannerPlugin` class and register it via entry points.
+We welcome contributions of all kinds! Please read our `CONTRIBUTING.md` for detailed guidelines on how to set up the project, add new scanners, or submit rule changes. For contributing community rules, see the Community Rules section above.
 
 ---
 
 ## 👨‍💻 Author
 
-**Mehrdoost** 
+**ReverseForge** — ( Mehrdoost And Mi0r4 ) 
 
-[![GitHub](https://img.shields.io/badge/GitHub-Mehrdoost-181717?logo=github)](https://github.com/Mehrdoost)
+[cite_start][![GitHub](https://img.shields.io/badge/GitHub-Mehrdoost-181717?logo=github)](https://github.com/ReverseForge) 
+[cite_start][![GitHub](https://img.shields.io/badge/GitHub-Mehrdoost-181717?logo=github)](https://github.com/Mehrdoost) 
+[cite_start][![GitHub](https://img.shields.io/badge/GitHub-Mehrdoost-181717?logo=github)](https://github.com/miora-sora) 
 
 
 ---
@@ -440,4 +484,4 @@ MIT — see [LICENSE](LICENSE).
 
 <div align="center">
 ⭐ If this project helps your team ship safer software, drop a star — it makes a real difference.
-</div>
+</div>

{devsecops_radar-0.3.6 → devsecops_radar-0.3.9}/devsecops_radar/core/auth.py

@@ -1,3 +1,4 @@
+import os
 import jwt
 import datetime
 from functools import wraps
@@ -18,11 +19,11 @@ def verify_token(token: str) -> dict:
 def login_required(f):
     @wraps(f)
     def decorated(*args, **kwargs):
-        # Only enforce authentication if the admin has configured an API key.
-        if settings.PIPELINE_API_KEY != "disabled":
+        # Read directly from os.environ to support test patching
+        api_key = os.environ.get("PIPELINE_API_KEY", "disabled")
+        if api_key != "disabled":
             key = request.headers.get("X-API-Key")
-            if key != settings.PIPELINE_API_KEY:
+            if key != api_key:
                 return jsonify({"error": "API key required"}), 401
-        # Without an API key, all requests are permitted (default for local use).
         return f(*args, **kwargs)
     return decorated

{devsecops_radar-0.3.6 → devsecops_radar-0.3.9}/devsecops_radar/web/dashboard/routes.py

@@ -39,7 +39,7 @@ DASHBOARD_HTML = r"""
     <nav class="navbar navbar-dark border-bottom border-secondary mb-4" style="background:#1e293b;">
         <div class="container-fluid">
             <span class="navbar-brand mb-0 h1">🛡️ Pipeline Sentinel</span>
-            <span class="text-muted">v0.3.3</span>
+            <span class="text-muted">v0.3.8</span>
         </div>
     </nav>
 

{devsecops_radar-0.3.6 → devsecops_radar-0.3.9/devsecops_radar.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: devsecops-radar
-Version: 0.3.6
+Version: 0.3.9
 Summary: Unified CI/CD Security Dashboard — Pipeline Sentinel
 Author-email: Mehrdoost <70381337+Mehrdoost@users.noreply.github.com>
 License-Expression: MIT
@@ -27,16 +27,16 @@ Requires-Dist: pytest>=8.0
 Requires-Dist: pytest-flask>=1.3
 Dynamic: license-file
 
-<!-- markdownlint-disable MD033 MD041 -->
 <div align="center">
 
 # 🛡️ Pipeline Sentinel
+
 **The Open‑Source DevSecOps Command Center — Unify, Analyse, Remediate.**
 
 [![PyPI version](https://img.shields.io/pypi/v/devsecops-radar?style=flat-square&color=blue)](https://pypi.org/project/devsecops-radar/)
 [![License](https://img.shields.io/github/license/Mehrdoost/devsecops-radar?style=flat-square)](LICENSE)
 [![GitHub release](https://img.shields.io/github/v/release/Mehrdoost/devsecops-radar?include_prereleases&style=flat-square)](https://github.com/Mehrdoost/devsecops-radar/releases)
-[![CI](https://img.shields.io/github/actions/workflow/status/Mehrdoost/devsecops-radar/test-action.yml?branch=main&style=flat-square)](https://github.com/Mehrdoost/devsecops-radar/actions)
+[![CI](https://img.shields.io/github/actions/workflow/status/Mehrdoost/devsecops-radar/ci.yml?branch=main&style=flat-square)](https://github.com/Mehrdoost/devsecops-radar/actions)
 [![Stars](https://img.shields.io/github/stars/Mehrdoost/devsecops-radar?style=flat-square)](https://github.com/Mehrdoost/devsecops-radar/stargazers)
 
 </div>
@@ -46,21 +46,24 @@ Dynamic: license-file
 ---
 
 ## 📖 Table of Contents
+
 1. [What Is Pipeline Sentinel? (Simple Explanation)](#-what-is-pipeline-sentinel-simple-explanation)
 2. [Why You Need It](#-why-you-need-it)
 3. [Where to Run It in Your Network](#-where-to-run-it-in-your-network)
 4. [Dashboard Preview](#-dashboard-preview)
 5. [Quick Start](#-quick-start)
-6. [Installation](#-installation)
-7. [How to Use (Step‑by‑Step)](#-how-to-use-stepbystep)
-8. [Complete Command Reference](#-complete-command-reference)
-9. [Core Capabilities](#-core-capabilities)
-10. [Architecture](#️-architecture)
-11. [Roadmap](#️-roadmap)
-12. [GitHub Action](#-github-action)
-13. [Contributing](#-contributing)
-14. [Author](#-author)
-15. [License](#-license)
+6. [Prerequisites](#-prerequisites)
+7. [Installation](#-installation)
+8. [How to Use (Step‑by‑Step)](#-how-to-use-stepbystep)
+9. [Complete Command Reference](#-complete-command-reference)
+10. [Core Capabilities](#-core-capabilities)
+11. [Community Rules & Online Updates](#-community-rules--online-updates)
+12. [Architecture](#️-architecture)
+13. [Roadmap](#️-roadmap)
+14. [Testing & CI](#-testing--ci)
+15. [Contributing](#-contributing)
+16. [Author](#-author)
+17. [License](#-license)
 
 ---
 
@@ -79,13 +82,13 @@ Think of it as a **security camera system for your entire CI/CD pipeline** — i
 In 2026, **supply chain attacks** have become the #1 threat. Tools like Trivy themselves were compromised, and attackers now inject malicious code directly into build pipelines. **You can no longer just scan your code; you must scan your pipeline.**
 
 Pipeline Sentinel gives you:
-*   **One screen for all scanners** – stop juggling log files.
-*   **AI that understands attack chains** – “A leaked secret + an old library = a disaster.”
-*   **Automatic fixes** – with a single flag, it patches files and opens a pull request.
-*   **Human review mode** – inspect each fix before applying.
-*   **Compliance reports** – generate a PDF for your boss or auditor.
-*   **100% offline capable** – works in air‑gapped environments where security matters most.
-*   **Interactive wizard** – one command to get everything running.
+* **One screen for all scanners** – stop juggling log files.
+* **AI that understands attack chains** – “A leaked secret + an old library = a disaster.”
+* **Automatic fixes** – with a single flag, it patches files and opens a pull request.
+* **Human review mode** – inspect each fix before applying.
+* **Compliance reports** – generate a PDF for your boss or auditor.
+* **100% offline capable** – works in air‑gapped environments where security matters most.
+* **Interactive wizard** – one command to get everything running.
 
 ---
 
@@ -110,14 +113,15 @@ Pipeline Sentinel is designed to be **flexible** — you decide where it fits be
 [Gitleaks scan] ┘
 ```
 
-> **📌 Diagram Placeholder:**  
-![Network Flow Diagram](docs/architecture.png)
+> **📌 Diagram Placeholder:** Add your network flow diagram here as `docs/network_flow.png`.  
+> `![Network Flow Diagram](docs/network_flow.png)`
 
 ---
 
 ## 📸 Dashboard Preview
 
 ![Pipeline Sentinel Dashboard](docs/Demo.gif)
+
 *(Severity doughnut, trend line chart, attack‑path graph (clickable nodes), topology view, executive summary — all fully offline.)*
 
 ---
@@ -144,6 +148,24 @@ devsecops-radar --wizard
 
 ---
 
+## 📋 Prerequisites
+
+Pipeline Sentinel relies on external security tools to produce the JSON reports it consumes. You must install these tools separately according to your needs.
+
+**Required for offline scanning:**
+* Trivy (installation)
+* Semgrep (installation)
+* Poutine (installation)
+* Zizmor (installation)
+* Gitleaks (installation)
+
+**Optional (for AI analysis):**
+* Ollama (installation)
+
+> 📖 **See `PREREQUISITES.md` for more details.**
+
+---
+
 ## 📦 Installation
 
 ### Option 1 — PyPI (Recommended)
@@ -199,19 +221,19 @@ gitleaks detect --source . --report-format json --report-path gitleaks.json
 ```bash
 devsecops-radar --trivy trivy.json --semgrep semgrep.json --poutine poutine.json --zizmor zizmor.json --gitleaks gitleaks.json
 ```
-This produces a single `findings.json` with all findings merged and normalised.
+*This produces a single `findings.json` with all findings merged and normalised.*
 
 ### 3. View the Dashboard
 ```bash
 devsecops-radar-web
 ```
 The dashboard shows:
-*   **Severity Breakdown** – Doughnut chart
-*   **Trend Over Time** – Line chart from scan history
-*   **Pipeline Security** – Poutine + Zizmor statistics card
-*   **Attack Path Graph** – Interactive D3.js graph (click nodes for details)
-*   **Executive Summary** – Risk score and AI‑generated summary
-*   **Findings Table** – Searchable, filterable, paginated
+* **Severity Breakdown** – Doughnut chart
+* **Trend Over Time** – Line chart from scan history
+* **Pipeline Security** – Poutine + Zizmor statistics card
+* **Attack Path Graph** – Interactive D3.js graph (click nodes for details)
+* **Executive Summary** – Risk score and AI‑generated summary
+* **Findings Table** – Searchable, filterable, paginated
 
 ### 4. Enable AI Analysis (Optional)
 ```bash
@@ -220,10 +242,10 @@ devsecops-radar --trivy trivy.json --analyze
 devsecops-radar-web
 ```
 The LLM generates `findings_ai_summary.json` containing:
-*   `executive_summary`, `risk_score`
-*   `attack_paths` with MITRE ATT&CK tactics
-*   `top_remediations` (some with `fix_diff`)
-*   `false_positives_likely`
+* `executive_summary`, `risk_score`
+* `attack_paths` with MITRE ATT&CK tactics
+* `top_remediations` (some with `fix_diff`)
+* `false_positives_likely`
 
 ### 5. Auto‑Remediation (with Human Review)
 ```bash
@@ -233,7 +255,7 @@ devsecops-radar --trivy trivy.json --analyze --fix
 # Review each fix before applying
 devsecops-radar --trivy trivy.json --analyze --fix --review
 ```
-The tool creates a new git branch `auto-fix` and pushes it for review.
+*The tool creates a new git branch `auto-fix` and pushes it for review.*
 
 ### 6. Policy Enforcement
 Create a `policy.json` file:
@@ -247,7 +269,7 @@ Create a `policy.json` file:
 ```bash
 devsecops-radar --trivy trivy.json --policy policy.json
 ```
-If critical findings exceed 5, the command exits with code 1 — perfect for CI/CD gates.
+*If critical findings exceed 5, the command exits with code 1 — perfect for CI/CD gates.*
 
 ### 7. Generate Compliance Reports
 ```bash
@@ -312,18 +334,18 @@ Built‑in support for five scanners with a real plugin system. Third‑party sc
 | **Gitleaks**| Secrets detection | `--gitleaks` |
 
 ### 🧩 Hybrid RuleFusion Engine
-*   **Offline** – Load custom JSON rules from any local directory (`--rules ~/my-rules/`)
-*   **Online** – Pull community‑curated rules from a configurable Git repository (`--update-rules`)
-*   Auto‑detects Trivy, Semgrep, Poutine, Zizmor, and plain‑list formats
-*   Policy evaluation built directly into the engine
-*   Community rules repo: `devsecops-radar-rules` (configurable via `COMMUNITY_RULES_REPO`)
+* **Offline** – Load custom JSON rules from any local directory (`--rules ~/my-rules/`)
+* **Online** – Pull community‑curated rules from a configurable Git repository (`--update-rules`)
+* Auto‑detects Trivy, Semgrep, Poutine, Zizmor, and plain‑list formats
+* Policy evaluation built directly into the engine
+* Community rules repo: `devsecops-radar-rules` (configurable via `COMMUNITY_RULES_REPO`)
 
 ### 🧠 LLM‑Powered Analysis
-*   Retry logic with exponential backoff for unstable endpoints
-*   Few‑shot examples covering real‑world supply chain attack chains
-*   Token‑aware selection (max items configurable via `ANALYZER_MAX_FINDINGS`)
-*   Structured JSON output: `executive_summary`, `risk_score`, `attack_paths` (MITRE ATT&CK), `top_remediations`, `false_positives_likely`
-*   Ollama (local, offline) and LiteLLM (OpenAI, Anthropic, etc.) support
+* Retry logic with exponential backoff for unstable endpoints
+* Few‑shot examples covering real‑world supply chain attack chains
+* Token‑aware selection (max items configurable via `ANALYZER_MAX_FINDINGS`)
+* Structured JSON output: `executive_summary`, `risk_score`, `attack_paths` (MITRE ATT&CK), `top_remediations`, `false_positives_likely`
+* Ollama (local, offline) and LiteLLM (OpenAI, Anthropic, etc.) support
 
 ### 🕸️ Multi‑Step Attack Path Visualization
 Interactive D3.js force graph that chains findings into realistic attack scenarios. Click any node to see detailed finding information. Accepts a topology file to map findings onto your actual infrastructure, showing lateral movement across servers and subnets.
@@ -343,17 +365,17 @@ AI‑suggested fixes can be applied automatically (`--fix`) or reviewed one‑by
 
 ### 📊 Compliance & Executive Reports (with Redaction)
 Generate professional PDF reports (`--report report.pdf`) with:
-*   Executive summary and risk score
-*   Findings table (first 50 items)
-*   Compliance mapping (CIS, PCI‑DSS, ISO 27001)
-*   Automatic redaction of passwords, tokens, JWTs
+* Executive summary and risk score
+* Findings table (first 50 items)
+* Compliance mapping (CIS, PCI‑DSS, ISO 27001)
+* Automatic redaction of passwords, tokens, JWTs
 
 ### 📈 Scan History & Trends (with Pagination)
 SQLAlchemy‑backed database with server‑side pagination (`/api/findings?page=1&per_page=50`). Scan history is stored efficiently, enabling fast trend charts and historical comparisons.
 
 ### 🧪 SBOM & Dependency Confusion Detection
-*   Generate a CycloneDX SBOM from your project using `syft`
-*   Detect dependency confusion risks in `package.json` and `requirements.txt` — internal packages that could be impersonated by public registries
+* Generate a CycloneDX SBOM from your project using `syft`
+* Detect dependency confusion risks in `package.json` and `requirements.txt` — internal packages that could be impersonated by public registries
 
 ### 🔍 RAG‑Powered Security Search
 Ask natural language questions about your scan history: *“When was the last Log4j vulnerability found?”* The built‑in RAG endpoint (`/api/rag?q=...`) searches stored findings and returns matches.
@@ -368,10 +390,34 @@ Beyond CVSS, each finding gets a dynamic risk score based on asset exposure (fro
 A `--wizard` flag walks new users through installing dependencies, pulling AI models, and running their first scan — all in one go.
 
 ### 🔒 Privacy & Offline‑First
-*   All assets (CSS, JS) are embedded — zero CDN calls
-*   LLM analysis runs locally with Ollama; no data leaves your network
-*   Optional API key authentication for the dashboard
-*   Docker image runs as non‑root user
+* All assets (CSS, JS) are embedded — zero CDN calls
+* LLM analysis runs locally with Ollama; no data leaves your network
+* Optional API key authentication for the dashboard (JWT supported)
+* Docker image runs as non‑root user
+
+---
+
+## 🌍 Community Rules & Online Updates
+
+Pipeline Sentinel features a community‑driven rule marketplace housed in a separate repository: `devsecops-radar-rules`.
+
+### How It Works
+The repository contains curated JSON rule files for all supported scanners (Trivy, Semgrep, Poutine, Zizmor, Gitleaks) and generic compliance checks. Anyone can contribute by submitting a Pull Request with new or improved rules. 
+
+Users can pull the latest rules with a single command:
+```bash
+devsecops-radar --update-rules
+```
+Rules are stored locally in `~/.devsecops-radar/community-rules/`. To use them alongside your scanner results:
+```bash
+devsecops-radar --trivy scan.json --rules ~/.devsecops-radar/community-rules/
+```
+You can even point to your own fork or a private repository by setting the `COMMUNITY_RULES_REPO` environment variable. This turns Pipeline Sentinel into a living, community‑improved security platform — just like Nuclei Templates or Semgrep Registry.
+
+### Contributing a Rule
+1. Fork the `devsecops-radar-rules` repository.
+2. Add a new JSON file to the `rules/` directory (or modify an existing one). Follow the standard Pipeline Sentinel finding format (see the repo’s README).
+3. Open a Pull Request — our maintainers will review and merge.
 
 ---
 
@@ -421,44 +467,42 @@ devsecops_radar/
 | ✅ **Phase 3** | Human review mode (`--review`) | Done |
 | ✅ **Phase 3** | Gitleaks secret scanner | Done |
 | ✅ **Phase 3** | Security badge endpoint | Done |
+| ✅ **Phase 3** | Full test suite & CI pipeline | Done |
 | 🔲 **Phase 4** | Jira / Slack integration | Planned |
 | 🔲 **Phase 4** | SARIF & CycloneDX support | Planned |
-| 🔲 **Phase 4** | Rule Marketplace (community YAML rules) | Planned |
 | 🔲 **Phase 4** | Pull Request assistant (GitHub App) | Planned |
 
-> See the [open issues](https://github.com/Mehrdoost/devsecops-radar/issues) for a full list of proposed features.
-
 ---
 
-## 🤖 GitHub Action
-
-```yaml
-- name: Pipeline Sentinel
-  uses: Mehrdoost/devsecops-radar/action@main
-  with:
-    trivy_report: trivy-results.json
-    semgrep_report: semgrep-results.json
-    poutine_report: poutine-results.json
-    zizmor_report: zizmor-results.json
-    gitleaks_report: gitleaks-results.json
+## 🧪 Testing & CI
+
+Pipeline Sentinel is thoroughly tested to ensure reliability for production use.
+* **Unit & Integration Tests:** 23 tests covering scanners, rule engine, database, analyzer, API, and CLI.
+* **CI Pipeline:** Every push and pull request triggers automated testing (pytest) and linting (ruff) via GitHub Actions.
+
+You can run the tests locally:
+```bash
+pip install -e .
+pip install pytest pytest-flask ruff
+pytest tests/ -v
+ruff check .
 ```
-*The action merges findings, creates a job summary, and outputs CRITICAL/HIGH counts.*
 
 ---
 
 ## 🤝 Contributing
 
-Pull requests and issues are warmly welcome!
-If you would like to integrate a new scanner, open an issue with a sample of its JSON output.
-For permanent scanner plugins, extend the `ScannerPlugin` class and register it via entry points.
+We welcome contributions of all kinds! Please read our `CONTRIBUTING.md` for detailed guidelines on how to set up the project, add new scanners, or submit rule changes. For contributing community rules, see the Community Rules section above.
 
 ---
 
 ## 👨‍💻 Author
 
-**Mehrdoost** 
+**ReverseForge** — ( Mehrdoost And Mi0r4 ) 
 
-[![GitHub](https://img.shields.io/badge/GitHub-Mehrdoost-181717?logo=github)](https://github.com/Mehrdoost)
+[cite_start][![GitHub](https://img.shields.io/badge/GitHub-Mehrdoost-181717?logo=github)](https://github.com/ReverseForge) 
+[cite_start][![GitHub](https://img.shields.io/badge/GitHub-Mehrdoost-181717?logo=github)](https://github.com/Mehrdoost) 
+[cite_start][![GitHub](https://img.shields.io/badge/GitHub-Mehrdoost-181717?logo=github)](https://github.com/miora-sora) 
 
 
 ---

{devsecops_radar-0.3.6 → devsecops_radar-0.3.9}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "devsecops-radar"
-version = "0.3.6"
+version = "0.3.9"
 description = "Unified CI/CD Security Dashboard — Pipeline Sentinel"
 readme = "README.md"
 license = "MIT"