devsecops-radar 0.3.7__tar.gz → 0.3.10__tar.gz

{devsecops_radar-0.3.7/devsecops_radar.egg-info → devsecops_radar-0.3.10}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: devsecops-radar
-Version: 0.3.7
+Version: 0.3.10
 Summary: Unified CI/CD Security Dashboard — Pipeline Sentinel
 Author-email: Mehrdoost <70381337+Mehrdoost@users.noreply.github.com>
 License-Expression: MIT
@@ -23,20 +23,31 @@ Requires-Dist: litellm>=1.50
 Requires-Dist: sqlalchemy>=2.0
 Requires-Dist: pydantic>=2.0
 Requires-Dist: pyjwt>=2.8
-Requires-Dist: pytest>=8.0
-Requires-Dist: pytest-flask>=1.3
+Provides-Extra: dev
+Requires-Dist: pytest>=8.0; extra == "dev"
+Requires-Dist: pytest-flask>=1.3; extra == "dev"
+Requires-Dist: pytest-cov>=4.0; extra == "dev"
+Requires-Dist: ruff>=0.3.0; extra == "dev"
+Requires-Dist: mypy>=1.9; extra == "dev"
+Requires-Dist: pre-commit>=3.5; extra == "dev"
 Dynamic: license-file
 
-<!-- markdownlint-disable MD033 MD041 -->
+Here is the fully fixed, standardized, and perfectly formatted English version of your comprehensive `README.md` file. I have corrected the Markdown syntax errors, repaired the broken code blocks, properly aligned the tables, and integrated the new features (such as OPA Rego policies, What-If simulation, Codecov, and VEX support).
+
+You can copy the entire block below using the **Copy** button and paste it directly into your file:
+
+```markdown
 <div align="center">
 
 # 🛡️ Pipeline Sentinel
+
 **The Open‑Source DevSecOps Command Center — Unify, Analyse, Remediate.**
 
 [![PyPI version](https://img.shields.io/pypi/v/devsecops-radar?style=flat-square&color=blue)](https://pypi.org/project/devsecops-radar/)
 [![License](https://img.shields.io/github/license/Mehrdoost/devsecops-radar?style=flat-square)](LICENSE)
 [![GitHub release](https://img.shields.io/github/v/release/Mehrdoost/devsecops-radar?include_prereleases&style=flat-square)](https://github.com/Mehrdoost/devsecops-radar/releases)
-[![CI](https://img.shields.io/github/actions/workflow/status/Mehrdoost/devsecops-radar/test-action.yml?branch=main&style=flat-square)](https://github.com/Mehrdoost/devsecops-radar/actions)
+[![CI](https://img.shields.io/github/actions/workflow/status/Mehrdoost/devsecops-radar/ci.yml?branch=main&style=flat-square)](https://github.com/Mehrdoost/devsecops-radar/actions)
+[![codecov](https://codecov.io/gh/Mehrdoost/devsecops-radar/branch/main/graph/badge.svg?token=TOKEN)](https://codecov.io/gh/Mehrdoost/devsecops-radar)
 [![Stars](https://img.shields.io/github/stars/Mehrdoost/devsecops-radar?style=flat-square)](https://github.com/Mehrdoost/devsecops-radar/stargazers)
 
 </div>
@@ -46,21 +57,27 @@ Dynamic: license-file
 ---
 
 ## 📖 Table of Contents
+
 1. [What Is Pipeline Sentinel? (Simple Explanation)](#-what-is-pipeline-sentinel-simple-explanation)
 2. [Why You Need It](#-why-you-need-it)
 3. [Where to Run It in Your Network](#-where-to-run-it-in-your-network)
 4. [Dashboard Preview](#-dashboard-preview)
 5. [Quick Start](#-quick-start)
-6. [Installation](#-installation)
-7. [How to Use (Step‑by‑Step)](#-how-to-use-stepbystep)
-8. [Complete Command Reference](#-complete-command-reference)
-9. [Core Capabilities](#-core-capabilities)
-10. [Architecture](#️-architecture)
-11. [Roadmap](#️-roadmap)
-12. [GitHub Action](#-github-action)
-13. [Contributing](#-contributing)
-14. [Author](#-author)
-15. [License](#-license)
+6. [Prerequisites](#-prerequisites)
+7. [Installation](#-installation)
+8. [How to Use (Step‑by‑Step)](#-how-to-use-stepbystep)
+9. [Complete Command Reference](#-complete-command-reference)
+10. [Core Capabilities](#-core-capabilities)
+11. [Community Rules & Online Updates](#-community-rules--online-updates)
+12. [Attack Simulation & What‑If Analysis](#-attack-simulation--what-if-analysis)
+13. [Architecture](#-architecture)
+14. [Roadmap](#-roadmap)
+15. [Testing & CI](#-testing--ci)
+16. [Security Policy](#-security-policy)
+17. [Contributing](#-contributing)
+18. [Code of Conduct](#-code-of-conduct)
+19. [Author](#-author)
+20. [License](#-license)
 
 ---
 
@@ -68,9 +85,9 @@ Dynamic: license-file
 
 Imagine you have several security guards, each watching a different door of a building. They all shout their findings in different languages, and you have to run around to understand what’s going on.
 
-**Pipeline Sentinel** puts them all in one room, translates their reports, and shows you a single, clear screen with the full picture. It connects to tools like **Trivy** (checks your containers), **Semgrep** (scans your code), **Poutine** (audits your GitLab pipelines), **Zizmor** (secures your GitHub Actions), and **Gitleaks** (finds secrets). Instead of digging through multiple JSON files, you get a **beautiful, dark‑mode dashboard** that tells you what’s critical, how risks are trending, and even how an attacker might chain several small issues into a big problem.
+**Pipeline Sentinel** puts them all in one room, translates their reports, and shows you a single, clear screen with the full picture. It connects to tools like **Trivy** (checks your containers), **Semgrep** (scans your code), **Poutine** (audits your GitLab pipelines), **Zizmor** (secures your GitHub Actions), and **Gitleaks** (finds secrets). Instead of digging through multiple JSON files, you get a **beautiful, dark‑mode command‑center dashboard** that tells you what’s critical, how risks are trending, and even how an attacker might chain several small issues into a big problem.
 
-Think of it as a **security camera system for your entire CI/CD pipeline** — it watches everything, alerts you, and even suggests fixes, all without needing internet access if you want.
+Think of it as a **security camera system for your entire CI/CD pipeline** — it watches everything, alerts you, suggests fixes, and even lets you simulate attack chains, all without needing internet access if you want.
 
 ---
 
@@ -79,13 +96,15 @@ Think of it as a **security camera system for your entire CI/CD pipeline** — i
 In 2026, **supply chain attacks** have become the #1 threat. Tools like Trivy themselves were compromised, and attackers now inject malicious code directly into build pipelines. **You can no longer just scan your code; you must scan your pipeline.**
 
 Pipeline Sentinel gives you:
-*   **One screen for all scanners** – stop juggling log files.
-*   **AI that understands attack chains** – “A leaked secret + an old library = a disaster.”
-*   **Automatic fixes** – with a single flag, it patches files and opens a pull request.
-*   **Human review mode** – inspect each fix before applying.
-*   **Compliance reports** – generate a PDF for your boss or auditor.
-*   **100% offline capable** – works in air‑gapped environments where security matters most.
-*   **Interactive wizard** – one command to get everything running.
+* **One screen for all scanners** – stop juggling log files.
+* **AI that understands attack chains** – “A leaked secret + an old library = a disaster.”
+* **Automatic fixes** – with a single flag, it patches files and opens a pull request (with **backup**).
+* **Human review mode** – inspect each fix before applying.
+* **Compliance reports** – generate a PDF for your boss or auditor.
+* **Attack simulation** – tick a few findings and see a generated attack script.
+* **100% offline capable** – works in air‑gapped environments where security matters most.
+* **Interactive wizard** – one command to get everything running.
+* **Community rules marketplace** – pull curated detection rules from the community.
 
 ---
 
@@ -110,15 +129,16 @@ Pipeline Sentinel is designed to be **flexible** — you decide where it fits be
 [Gitleaks scan] ┘
 ```
 
-> **📌 Diagram Placeholder:**  
-![Network Flow Diagram](docs/architecture.png)
+> **📌 Diagram Placeholder:** Add your network flow diagram here as `docs/network_flow.png`.  
+> `![Network Flow Diagram](docs/network_flow.png)`
 
 ---
 
 ## 📸 Dashboard Preview
 
 ![Pipeline Sentinel Dashboard](docs/Demo.gif)
-*(Severity doughnut, trend line chart, attack‑path graph (clickable nodes), topology view, executive summary — all fully offline.)*
+
+*Severity doughnut, trend line chart, attack‑path graph (clickable nodes), topology view, executive summary, and attack simulation panel — all fully offline.*
 
 ---
 
@@ -135,7 +155,7 @@ devsecops-radar --trivy sample_trivy.json --semgrep sample_semgrep.json
 devsecops-radar-web
 ```
 
-Open http://localhost:8080 — your unified dashboard is live with sample findings.
+Open http://localhost:8080 — your unified command center is live with sample findings.
 
 🧙 **Want a fully guided setup? Run the wizard:**
 ```bash
@@ -144,6 +164,26 @@ devsecops-radar --wizard
 
 ---
 
+## 📋 Prerequisites
+
+Pipeline Sentinel relies on external security tools to produce the JSON reports it consumes. You must install these tools separately according to your needs.
+
+**Required for offline scanning:**
+* Trivy (installation)
+* Semgrep (installation)
+* Poutine (installation)
+* Zizmor (installation)
+* Gitleaks (installation)
+
+**Optional:**
+* Ollama – for AI‑powered analysis (installation)
+* Docker – for attack sandboxing and container scanning
+* OPA – for advanced Rego policy evaluation
+
+> 📖 **See `PREREQUISITES.md` for more details.**
+
+---
+
 ## 📦 Installation
 
 ### Option 1 — PyPI (Recommended)
@@ -155,7 +195,7 @@ pip install devsecops-radar
 ```bash
 git clone [https://github.com/Mehrdoost/devsecops-radar.git](https://github.com/Mehrdoost/devsecops-radar.git)
 cd devsecops-radar
-pip install -e .
+pip install -e ".[dev]"
 ```
 
 ### Option 3 — Docker
@@ -199,19 +239,19 @@ gitleaks detect --source . --report-format json --report-path gitleaks.json
 ```bash
 devsecops-radar --trivy trivy.json --semgrep semgrep.json --poutine poutine.json --zizmor zizmor.json --gitleaks gitleaks.json
 ```
-This produces a single `findings.json` with all findings merged and normalised.
+*This produces a single findings.json with all findings merged and normalised.*
 
 ### 3. View the Dashboard
 ```bash
 devsecops-radar-web
 ```
 The dashboard shows:
-*   **Severity Breakdown** – Doughnut chart
-*   **Trend Over Time** – Line chart from scan history
-*   **Pipeline Security** – Poutine + Zizmor statistics card
-*   **Attack Path Graph** – Interactive D3.js graph (click nodes for details)
-*   **Executive Summary** – Risk score and AI‑generated summary
-*   **Findings Table** – Searchable, filterable, paginated
+* **Severity Breakdown** – Doughnut chart
+* **Trend Over Time** – Line chart from scan history
+* **Pipeline Security** – Poutine + Zizmor statistics card
+* **Attack Path Graph** – Interactive D3.js graph (click nodes for details)
+* **Executive Summary** – Risk score and AI‑generated summary
+* **Findings Table** – Searchable, filterable, paginated, with checkboxes for simulation
 
 ### 4. Enable AI Analysis (Optional)
 ```bash
@@ -220,10 +260,10 @@ devsecops-radar --trivy trivy.json --analyze
 devsecops-radar-web
 ```
 The LLM generates `findings_ai_summary.json` containing:
-*   `executive_summary`, `risk_score`
-*   `attack_paths` with MITRE ATT&CK tactics
-*   `top_remediations` (some with `fix_diff`)
-*   `false_positives_likely`
+* `executive_summary`, `risk_score`
+* `attack_paths` with MITRE ATT&CK tactics
+* `top_remediations` (some with `fix_diff`)
+* `false_positives_likely`
 
 ### 5. Auto‑Remediation (with Human Review)
 ```bash
@@ -233,21 +273,22 @@ devsecops-radar --trivy trivy.json --analyze --fix
 # Review each fix before applying
 devsecops-radar --trivy trivy.json --analyze --fix --review
 ```
-The tool creates a new git branch `auto-fix` and pushes it for review.
+*All modified files are backed up to `~/.devsecops-radar/backups/` before any change. The tool creates a new git branch `auto-fix` and pushes it for review.*
 
 ### 6. Policy Enforcement
 Create a `policy.json` file:
 ```json
-{
-  "max_critical": 5, 
-  "on_violation": "fail"
-}
+{"max_critical": 5, "on_violation": "fail"}
 ```
-
 ```bash
 devsecops-radar --trivy trivy.json --policy policy.json
 ```
-If critical findings exceed 5, the command exits with code 1 — perfect for CI/CD gates.
+*If critical findings exceed 5, the command exits with code 1 — perfect for CI/CD gates.*
+
+**You can also use OPA Rego policies:**
+```bash
+devsecops-radar --trivy trivy.json --rego-policy policy.rego
+```
 
 ### 7. Generate Compliance Reports
 ```bash
@@ -256,7 +297,7 @@ devsecops-radar --trivy trivy.json --analyze --compliance CIS --report cis-repor
 A PDF report is created with an executive summary, risk score, findings table, and compliance mapping. Sensitive data can be redacted automatically.
 
 ### 8. Security Badge for Your Project
-After running a scan, you can embed a dynamic security badge in your `README`:
+After running a scan, you can embed a dynamic security badge in your README:
 ```markdown
 [![Security Status](https://your-server/badge/1.svg)](https://github.com/Mehrdoost/devsecops-radar)
 ```
@@ -277,10 +318,11 @@ The badge color changes based on the number of critical findings (green/yellow/r
 | `--gitleaks` | Gitleaks JSON file or repo path | `--gitleaks results.json` or `--gitleaks ./repo` |
 | `--rules` | Directory with custom JSON rule files | `--rules ~/my-security-rules/` |
 | `--policy` | Policy JSON file for gating | `--policy policy.json` |
+| `--rego-policy` | OPA Rego policy file | `--rego-policy policy.rego` |
 | `--analyze` | Enable LLM analysis (Ollama required) | `--analyze` |
 | `--llm-backend` | `ollama` (default) or `litellm` | `--llm-backend litellm` |
 | `--llm-model` | Model name | `--llm-model gpt-4o-mini` |
-| `--fix` | Auto‑apply AI‑suggested fixes | `--fix` |
+| `--fix` | Auto‑apply AI‑suggested fixes (with backup) | `--fix` |
 | `--review` | Review each AI fix before applying | `--review` |
 | `--topology` | Path to topology JSON file | `--topology topology.json` |
 | `--compliance` | Framework: `CIS`, `PCI-DSS`, `ISO27001` | `--compliance CIS` |
@@ -291,11 +333,37 @@ The badge color changes based on the number of critical findings (green/yellow/r
 ### `devsecops-radar-web` — Web Server
 
 ```bash
-devsecops-radar-web                          # Launch on http://localhost:8080
-FINDINGS_FILE=my.json devsecops-radar-web    # Use a custom findings file
+devsecops-radar-web                       # Launch on http://localhost:8080
+FINDINGS_FILE=my.json devsecops-radar-web # Use a custom findings file
 PIPELINE_API_KEY=secret devsecops-radar-web  # Enable API authentication
 ```
 
+### Usage Examples
+
+```bash
+# Merge multiple scanner outputs
+devsecops-radar --trivy trivy_scan.json --semgrep semgrep_scan.json
+
+# Scan directly (if tools are installed)
+devsecops-radar --trivy nginx:latest --semgrep ./src --poutine ./repo
+
+# Merge built‑in scanners with custom rules
+devsecops-radar --trivy trivy_scan.json --rules ~/my-security-rules/
+
+# Enable AI analysis (Ollama must be running)
+ollama pull llama3.2:latest
+devsecops-radar --trivy trivy_scan.json --semgrep semgrep_scan.json --analyze
+
+# Use OpenAI via LiteLLM
+export OPENAI_API_KEY=sk-...
+devsecops-radar --trivy trivy_scan.json --analyze --llm-backend litellm --llm-model gpt-4o-mini
+
+# Build scan history and view trends
+devsecops-radar --trivy sample_trivy.json --semgrep sample_semgrep.json
+devsecops-radar --trivy sample_trivy.json --poutine sample_poutine.json
+devsecops-radar-web    # Trend chart now shows multiple data points
+```
+
 ---
 
 ## ✨ Core Capabilities
@@ -312,66 +380,97 @@ Built‑in support for five scanners with a real plugin system. Third‑party sc
 | **Gitleaks**| Secrets detection | `--gitleaks` |
 
 ### 🧩 Hybrid RuleFusion Engine
-*   **Offline** – Load custom JSON rules from any local directory (`--rules ~/my-rules/`)
-*   **Online** – Pull community‑curated rules from a configurable Git repository (`--update-rules`)
-*   Auto‑detects Trivy, Semgrep, Poutine, Zizmor, and plain‑list formats
-*   Policy evaluation built directly into the engine
-*   Community rules repo: `devsecops-radar-rules` (configurable via `COMMUNITY_RULES_REPO`)
+* **Offline** – Load custom JSON rules from any local directory (`--rules ~/my-rules/`)
+* **Online** – Pull community‑curated rules from a configurable Git repository (`--update-rules`)
+* Auto‑detects Trivy, Semgrep, Poutine, Zizmor, and plain‑list formats
+* Policy evaluation built directly into the engine (JSON and OPA Rego)
+* Community rules repo: `devsecops-radar-rules` (configurable via `COMMUNITY_RULES_REPO`)
 
 ### 🧠 LLM‑Powered Analysis
-*   Retry logic with exponential backoff for unstable endpoints
-*   Few‑shot examples covering real‑world supply chain attack chains
-*   Token‑aware selection (max items configurable via `ANALYZER_MAX_FINDINGS`)
-*   Structured JSON output: `executive_summary`, `risk_score`, `attack_paths` (MITRE ATT&CK), `top_remediations`, `false_positives_likely`
-*   Ollama (local, offline) and LiteLLM (OpenAI, Anthropic, etc.) support
+* Retry logic with exponential backoff for unstable endpoints
+* Few‑shot examples covering real‑world supply chain attack chains
+* Token‑aware selection (max items configurable via `ANALYZER_MAX_FINDINGS`)
+* Structured JSON output: `executive_summary`, `risk_score`, `attack_paths` (MITRE ATT&CK), `top_remediations`, `false_positives_likely`
+* Ollama (local, offline) and LiteLLM (OpenAI, Anthropic, etc.) support
 
 ### 🕸️ Multi‑Step Attack Path Visualization
-Interactive D3.js force graph that chains findings into realistic attack scenarios. Click any node to see detailed finding information. Accepts a topology file to map findings onto your actual infrastructure, showing lateral movement across servers and subnets.
+Interactive D3.js force graph that chains findings into realistic attack scenarios. Click any node to see detailed finding information or to trigger a simulation. Accepts a topology file to map findings onto your actual infrastructure, showing lateral movement across servers and subnets.
 
-### 🛡️ Policy‑as‑Code
-Define security gates as simple JSON:
-```json
-{
-  "max_critical": 5, 
-  "on_violation": "fail"
-}
-```
-*If critical findings exceed the threshold, the CLI exits with code 1 — perfect for failing CI/CD pipelines.*
+### 🛡️ Policy‑as‑Code (JSON & Rego)
+Define simple security gates with a JSON file, or write complex rules in Rego for OPA. Fail the pipeline when policies are violated.
 
-### 🛠️ Auto‑Remediation with Human‑in‑the‑Loop
-AI‑suggested fixes can be applied automatically (`--fix`) or reviewed one‑by‑one (`--review`). The tool creates a new git branch and pushes it for review. A `fix.sh` script is also generated for manual commands.
+### 🛠️ Auto‑Remediation with Backup & Human‑in‑the‑Loop
+AI‑suggested fixes are applied automatically (`--fix`) or reviewed one‑by‑one (`--review`). Every modified file is backed up to `~/.devsecops-radar/backups/` before any change. A new git branch is pushed for review.
 
 ### 📊 Compliance & Executive Reports (with Redaction)
 Generate professional PDF reports (`--report report.pdf`) with:
-*   Executive summary and risk score
-*   Findings table (first 50 items)
-*   Compliance mapping (CIS, PCI‑DSS, ISO 27001)
-*   Automatic redaction of passwords, tokens, JWTs
+* Executive summary and risk score
+* Findings table (first 50 items)
+* Compliance mapping (CIS, PCI‑DSS, ISO 27001)
+* Automatic redaction of passwords, tokens, JWTs
 
 ### 📈 Scan History & Trends (with Pagination)
 SQLAlchemy‑backed database with server‑side pagination (`/api/findings?page=1&per_page=50`). Scan history is stored efficiently, enabling fast trend charts and historical comparisons.
 
 ### 🧪 SBOM & Dependency Confusion Detection
-*   Generate a CycloneDX SBOM from your project using `syft`
-*   Detect dependency confusion risks in `package.json` and `requirements.txt` — internal packages that could be impersonated by public registries
+* Generate a CycloneDX SBOM from your project using `syft`
+* Apply VEX (Vulnerability Exploitability eXchange) files to filter false positives
+* Detect dependency confusion risks in `package.json` and `requirements.txt` — internal packages that could be impersonated by public registries
 
 ### 🔍 RAG‑Powered Security Search
 Ask natural language questions about your scan history: *“When was the last Log4j vulnerability found?”* The built‑in RAG endpoint (`/api/rag?q=...`) searches stored findings and returns matches.
 
-### ⚔️ Attack Simulation (Sandbox)
-Generate a simple proof‑of‑concept script for any finding and execute it inside a disposable Docker container to demonstrate the risk without harming your system.
-
 ### 📉 Dynamic Risk Scoring
-Beyond CVSS, each finding gets a dynamic risk score based on asset exposure (from topology) and exploit availability — helping teams prioritise what to fix first.
+Beyond CVSS, each finding gets a dynamic risk score based on:
+* Asset exposure (from topology)
+* Exploit availability
+* Active threat intelligence feeds
 
 ### 🧙 Interactive Wizard
 A `--wizard` flag walks new users through installing dependencies, pulling AI models, and running their first scan — all in one go.
 
 ### 🔒 Privacy & Offline‑First
-*   All assets (CSS, JS) are embedded — zero CDN calls
-*   LLM analysis runs locally with Ollama; no data leaves your network
-*   Optional API key authentication for the dashboard
-*   Docker image runs as non‑root user
+* All assets (CSS, JS) are embedded — zero CDN calls
+* LLM analysis runs locally with Ollama; no data leaves your network
+* Optional API key authentication for the dashboard (JWT supported)
+* Docker image runs as non‑root user
+
+---
+
+## 🌍 Community Rules & Online Updates
+
+Pipeline Sentinel features a community‑driven rule marketplace housed in a separate repository: `devsecops-radar-rules`.
+
+### How It Works
+The repository contains curated JSON rule files for all supported scanners (Trivy, Semgrep, Poutine, Zizmor, Gitleaks) and generic compliance checks. Anyone can contribute by submitting a Pull Request with new or improved rules. Users can pull the latest rules with a single command:
+
+```bash
+devsecops-radar --update-rules
+```
+Rules are stored locally in `~/.devsecops-radar/community-rules/`. To use them alongside your scanner results:
+```bash
+devsecops-radar --trivy scan.json --rules ~/.devsecops-radar/community-rules/
+```
+You can even point to your own fork or a private repository by setting the `COMMUNITY_RULES_REPO` environment variable. This turns Pipeline Sentinel into a living, community‑improved security platform — just like Nuclei Templates or Semgrep Registry.
+
+### Contributing a Rule
+1. Fork the `devsecops-radar-rules` repository.
+2. Add a new JSON file to the `rules/` directory (or modify an existing one). Follow the standard Pipeline Sentinel finding format (see the repo’s README).
+3. Open a Pull Request — our maintainers will review and merge.
+
+---
+
+## ⚔️ Attack Simulation & What‑If Analysis
+
+**New in v0.4.0:** Interactive attack simulation directly from the dashboard.
+1. Tick the checkboxes next to the findings you want to investigate.
+2. Click **“⚡ Simulate Selected”**.
+3. A modal will display a generated attack script (`bash`), a description of the attack chain, and — if Docker is available — the output of running the script in a sandbox container.
+
+You can also click any node in the Attack Path Graph and press **“Simulate this attack”** for the same functionality. This feature helps security teams:
+* Understand how multiple vulnerabilities can be chained.
+* Generate proof‑of‑concept scripts for stakeholders.
+* Test mitigations without risking production systems.
 
 ---
 
@@ -391,8 +490,8 @@ devsecops_radar/
     └── sentry/     # Live webhook agent for CI/CD
 ```
 
-> **📌 Diagram Placeholder:**  
-![Architecture Diagram](docs/architecture.png)
+> **📌 Diagram Placeholder:** Add your architecture diagram here as `docs/architecture.png`.  
+> `![Architecture Diagram](docs/architecture.png)`
 
 ---
 
@@ -407,7 +506,7 @@ devsecops_radar/
 | ✅ **Phase 1** | Docker image (multi‑stage, non‑root) | Done |
 | ✅ **Phase 2** | Attack‑path visualization with MITRE ATT&CK & topology | Done |
 | ✅ **Phase 2** | Policy‑as‑Code engine (`--policy`) | Done |
-| ✅ **Phase 2** | Auto‑remediation engine (`--fix`) | Done |
+| ✅ **Phase 2** | Auto‑remediation engine (`--fix`) with backup | Done |
 | ✅ **Phase 2** | Compliance reports (PDF) with redaction | Done |
 | ✅ **Phase 2** | Hybrid RuleFusion engine (local + community rules) | Done |
 | ✅ **Phase 3** | Web dashboard Blueprint refactor (modular Flask) | Done |
@@ -415,51 +514,66 @@ devsecops_radar/
 | ✅ **Phase 3** | SQLAlchemy ORM with pagination | Done |
 | ✅ **Phase 3** | SBOM & Dependency Confusion Detection | Done |
 | ✅ **Phase 3** | RAG‑powered security search | Done |
-| ✅ **Phase 3** | Attack Simulation (sandbox) | Done |
 | ✅ **Phase 3** | Dynamic Risk Scoring | Done |
 | ✅ **Phase 3** | Interactive wizard (`--wizard`) | Done |
 | ✅ **Phase 3** | Human review mode (`--review`) | Done |
 | ✅ **Phase 3** | Gitleaks secret scanner | Done |
 | ✅ **Phase 3** | Security badge endpoint | Done |
-| 🔲 **Phase 4** | Jira / Slack integration | Planned |
-| 🔲 **Phase 4** | SARIF & CycloneDX support | Planned |
-| 🔲 **Phase 4** | Rule Marketplace (community YAML rules) | Planned |
-| 🔲 **Phase 4** | Pull Request assistant (GitHub App) | Planned |
+| ✅ **Phase 3** | Full test suite & CI pipeline | Done |
+| ✅ **Phase 4** | Advanced attack simulation (What‑If) | Done |
+| ✅ **Phase 4** | VEX filtering & OPA Rego policies | Done |
+| 🔲 **Phase 5** | Jira / Slack integration | Planned |
+| 🔲 **Phase 5** | SARIF & CycloneDX support | Planned |
+| 🔲 **Phase 5** | Pull Request assistant (GitHub App) | Planned |
+| 🔲 **Phase 5** | eBPF runtime security agent | Planned |
 
 > See the [open issues](https://github.com/Mehrdoost/devsecops-radar/issues) for a full list of proposed features.
 
 ---
 
-## 🤖 GitHub Action
-
-```yaml
-- name: Pipeline Sentinel
-  uses: Mehrdoost/devsecops-radar/action@main
-  with:
-    trivy_report: trivy-results.json
-    semgrep_report: semgrep-results.json
-    poutine_report: poutine-results.json
-    zizmor_report: zizmor-results.json
-    gitleaks_report: gitleaks-results.json
+## 🧪 Testing & CI
+
+Pipeline Sentinel is thoroughly tested to ensure reliability for production use.
+* **Unit & Integration Tests:** 23+ tests covering scanners, rule engine, database, analyzer, API, and CLI.
+* **CI Pipeline:** Every push and pull request triggers automated testing (`pytest` with coverage) and linting (`ruff`, `mypy`) via GitHub Actions.
+* **Code Coverage:** We track coverage with Codecov (see badge above).
+
+You can run the tests locally:
+```bash
+pip install -e ".[dev]"
+pip install pytest pytest-flask ruff
+pytest tests/ -v --cov=devsecops_radar --cov-report=term-missing
+ruff check .
+mypy .
 ```
-*The action merges findings, creates a job summary, and outputs CRITICAL/HIGH counts.*
+
+---
+
+## 🔒 Security Policy
+
+We take security seriously. If you discover a vulnerability, please report it privately. See our full Security Policy for details on reporting, supported versions, and disclosure procedures.
 
 ---
 
 ## 🤝 Contributing
 
-Pull requests and issues are warmly welcome!
-If you would like to integrate a new scanner, open an issue with a sample of its JSON output.
-For permanent scanner plugins, extend the `ScannerPlugin` class and register it via entry points.
+We welcome contributions of all kinds! Please read our Contributing Guide for detailed guidelines on how to set up the project, add new scanners, or submit rule changes. For contributing community rules, see the Community Rules section above. We also have Issue Templates and a Pull Request Template to make the process smooth for everyone.
 
 ---
 
-## 👨‍💻 Author
+## 💬 Code of Conduct
+
+This project adheres to the Contributor Covenant Code of Conduct. By participating, you are expected to uphold this code. Please report unacceptable behavior to the maintainers.
 
-**Mehrdoost** 
+---
 
-[![GitHub](https://img.shields.io/badge/GitHub-Mehrdoost-181717?logo=github)](https://github.com/Mehrdoost)
+## 👨‍💻 Author
 
+**ReverseForge** — ( Mehrdoost And Mi0r4 ) 
+
+[![GitHub](https://img.shields.io/badge/GitHub-ReverseForge-181717?logo=github)](https://github.com/ReverseForge) 
+[![GitHub](https://img.shields.io/badge/GitHub-Mehrdoost-181717?logo=github)](https://github.com/Mehrdoost) 
+[![GitHub](https://img.shields.io/badge/GitHub-miora-sora?logo=github)](https://github.com/miora-sora) 
 
 ---
 
@@ -470,3 +584,5 @@ MIT — see [LICENSE](LICENSE).
 <div align="center">
 ⭐ If this project helps your team ship safer software, drop a star — it makes a real difference.
 </div>
+
+```