pipeguard-cli 0.1.0__tar.gz

pipeguard_cli-0.1.0/.github/release-drafter.yml

@@ -0,0 +1,52 @@
+name-template: "v$RESOLVED_VERSION"
+tag-template: "v$RESOLVED_VERSION"
+
+categories:
+    - title: "Features"
+      labels:
+          - "feature"
+          - "enhancement"
+    - title: "Bug Fixes"
+      labels:
+          - "bug"
+          - "fix"
+    - title: "Security"
+      labels:
+          - "security"
+    - title: "Documentation"
+      labels:
+          - "documentation"
+          - "docs"
+    - title: "Maintenance"
+      labels:
+          - "chore"
+          - "dependencies"
+          - "ci"
+
+change-template: "- $TITLE @$AUTHOR (#$NUMBER)"
+change-title-escapes: '\<*_&'
+
+version-resolver:
+    major:
+        labels:
+            - "breaking-change"
+    minor:
+        labels:
+            - "feature"
+            - "enhancement"
+    patch:
+        labels:
+            - "bug"
+            - "fix"
+            - "security"
+            - "documentation"
+            - "chore"
+    default: patch
+
+template: |
+    ## Changes
+
+    $CHANGES
+
+    ---
+    **Full Changelog**: $PREVIOUS_TAG...v$RESOLVED_VERSION

pipeguard_cli-0.1.0/.github/workflows/ci.yml

@@ -0,0 +1,50 @@
+name: CI
+
+on:
+    push:
+        branches: [master, main]
+    pull_request:
+
+permissions:
+    contents: read
+
+jobs:
+    lint:
+        runs-on: ubuntu-latest
+        steps:
+            - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+            - name: Set up Python
+              uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+              with:
+                  python-version: "3.11"
+
+            - name: Install dependencies
+              run: pip install -e ".[dev]"
+
+            - name: Ruff
+              run: ruff check pipeguard tests
+
+            - name: Mypy
+              run: mypy pipeguard
+
+    test:
+        runs-on: ubuntu-latest
+        strategy:
+            fail-fast: false
+            matrix:
+                python-version: ["3.11", "3.12", "3.13"]
+
+        steps:
+            - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+            - name: Set up Python ${{ matrix.python-version }}
+              uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+              with:
+                  python-version: ${{ matrix.python-version }}
+
+            - name: Install dependencies
+              run: pip install -e ".[dev]"
+
+            - name: Test
+              run: pytest --cov=pipeguard --cov-report=term-missing

pipeguard_cli-0.1.0/.github/workflows/deploy.yml

@@ -0,0 +1,47 @@
+name: Deploy to PyPI
+
+on:
+    push:
+        tags:
+            - "v*.*.*"
+
+permissions:
+    contents: write  # required for publishing GitHub release
+    id-token: write  # required for PyPI trusted publishing
+
+jobs:
+    build-and-publish:
+        runs-on: ubuntu-latest
+        environment: pypi
+
+        steps:
+            - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+              with:
+                  fetch-depth: 0  # required for hatch-vcs version detection
+
+            - name: Set up Python
+              uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+              with:
+                  python-version: "3.11"
+
+            - name: Install build tools
+              run: pip install hatch hatch-vcs
+
+            - name: Run tests
+              run: |
+                  pip install -e ".[dev]"
+                  pytest
+
+            - name: Build package
+              run: hatch build
+
+            - name: Publish to PyPI
+              uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
+
+            - name: Publish GitHub release
+              uses: release-drafter/release-drafter@67e173cadb2fbd3de94f4a861e0c48c913b462ae # v6.4.0
+              with:
+                  publish: true
+                  tag: ${{ github.ref_name }}
+              env:
+                  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

pipeguard_cli-0.1.0/.github/workflows/release-drafter.yml

@@ -0,0 +1,19 @@
+name: Release Drafter
+
+on:
+    push:
+        branches: [master]
+    pull_request:
+        types: [opened, reopened, synchronize]
+
+permissions:
+    contents: write
+    pull-requests: write
+
+jobs:
+    draft-release:
+        runs-on: ubuntu-latest
+        steps:
+            - uses: release-drafter/release-drafter@67e173cadb2fbd3de94f4a861e0c48c913b462ae # v6.4.0
+              env:
+                  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

pipeguard_cli-0.1.0/.github/workflows/update-cve-db.yml

@@ -0,0 +1,58 @@
+name: Update CVE Database
+
+on:
+    schedule:
+        - cron: "0 6 * * *"  # daily at 06:00 UTC
+    workflow_dispatch:        # allow manual trigger
+
+permissions:
+    contents: write
+    pull-requests: write
+
+jobs:
+    update:
+        runs-on: ubuntu-latest
+
+        steps:
+            - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+
+            - name: Set up Python
+              uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5.6.0
+              with:
+                  python-version: "3.11"
+
+            - name: Fetch new CVEs from NVD
+              env:
+                  NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
+              run: |
+                  python scripts/update_cve_db.py \
+                      --db pipeguard/scanner/github_actions/cve_db.json \
+                      --readme README.md \
+                      --min-cvss 9.0
+
+            - name: Check for changes
+              id: diff
+              run: |
+                  if git diff --quiet pipeguard/scanner/github_actions/cve_db.json README.md; then
+                      echo "changed=false" >> $GITHUB_OUTPUT
+                  else
+                      echo "changed=true" >> $GITHUB_OUTPUT
+                      echo "### CVE DB changes:" >> $GITHUB_STEP_SUMMARY
+                      git diff pipeguard/scanner/github_actions/cve_db.json README.md >> $GITHUB_STEP_SUMMARY
+                  fi
+
+            - name: Create pull request
+              if: steps.diff.outputs.changed == 'true'
+              env:
+                  GH_TOKEN: ${{ github.token }}
+              run: |
+                  BRANCH="chore/cve-db-$(date +%Y-%m-%d)"
+                  git config user.name "github-actions[bot]"
+                  git config user.email "github-actions[bot]@users.noreply.github.com"
+                  git checkout -b "$BRANCH"
+                  git add pipeguard/scanner/github_actions/cve_db.json README.md
+                  git commit -m "chore: update CVE database $(date +%Y-%m-%d)"
+                  git push origin "$BRANCH"
+                  gh pr create \
+                      --title "chore: update CVE database $(date +%Y-%m-%d)" \
+                      --body "Automated daily CVE database update from NVD."

pipeguard_cli-0.1.0/.gitignore

@@ -0,0 +1,45 @@
+# Business context
+CLAUDE.private.md
+docs/private/
+
+# Secrets & Umgebung
+.env
+.env.local
+.env.*.local
+
+# Python
+pipeguard/_version.py
+__pycache__/
+*.py[cod]
+*.pyo
+.venv/
+venv/
+env/
+dist/
+build/
+*.egg-info/
+.eggs/
+*.egg
+
+# Testing & Coverage
+.pytest_cache/
+.coverage
+htmlcov/
+.tox/
+
+# IDE
+.vscode/settings.json
+.idea/
+*.swp
+*.swo
+
+# PipeGuard-spezifisch
+.pipeguard-cache/
+.pipeguard/tmp/
+
+# macOS
+.DS_Store
+
+# Distribution
+*.tar.gz
+*.whl

pipeguard_cli-0.1.0/CLAUDE.md

@@ -0,0 +1,102 @@
+# PipeGuard — CLAUDE.md
+
+> **"Catch problems before they reach your runners — not after."**
+> Pre-commit security scanner + cloud sandbox for GitHub Actions workflows.
+
+---
+
+## Was ist PipeGuard?
+
+PipeGuard analysiert GitHub Actions Workflows **vor dem Push** auf Security-Risiken und testet sie in einer vollwertigen Cloud-Sandbox. Es positioniert sich als fehlende Schicht zwischen Authoring und Execution — nicht als Ersatz für actionlint, StepSecurity oder act, sondern als Ergänzung.
+
+---
+
+## Architektur & Module
+
+### Modul A: Deep Security Scanner (Pre-Commit)
+Statische Analyse in der IDE oder als Git-Hook, bevor Code gepusht wird.
+
+- **Action Supply-Chain Audit** — Dependency-Graph aller Actions inkl. transitiver Abhängigkeiten mit Risiko-Score
+- **Permission-Explosion Detector** — simuliert effektiven Permission-Scope, warnt bei Over-Provisioning
+- **Secrets-Flow-Analyse** — trackt Datenfluss von Secrets durch Steps, erkennt potenzielle Lecks
+- **Maintainer Trust Score** — bewertet Third-Party Actions nach Aktivität, CVE-Historie, Repository-Hygiene
+- **Auto-Fix PRs** — generiert automatisch PRs für SHA-Pinning und Permission-Einschränkungen
+
+### Modul B: Workflow Test Lab (Cloud-Sandbox)
+Vollwertiges Workflow-Testing ohne Commit/Push-Zyklus.
+
+- **Full-Fidelity Cloud-Sandbox** — GitHub-Actions-kompatible Umgebung inkl. Services, Caches, Artifacts, Matrix-Strategien
+- **One-Click Test aus der IDE** — VS Code / JetBrains: Workflow ändern → Strg+Shift+T → Run in Sandbox
+- **Interactive Debugging** — Breakpoints setzen, SSH / Web-Terminal auf Runner
+- **Cost Estimator** — schätzt Kosten vor Ausführung (Runner-Typ, Matrix-Größe, historische Daten)
+- **Diff & Replay** — zwei Workflow-Versionen vergleichen, fehlgeschlagene Runs wiederholen
+
+---
+
+## Tech Stack
+
+```
+CLI:         Python — ruft actionlint als subprocess auf, erweitert die Ausgabe
+IDE-Plugin:  VS Code Extension (TypeScript) + JetBrains Plugin (Kotlin) — geplant
+Backend:     TBD — API für Cloud-Sandbox, Security-Analyse-Engine
+Cloud-Infra: Partner-Runner für Sandbox-Umgebung (TBD)
+Auth:        GitHub OAuth (Personal / Org-Level)
+```
+
+---
+
+## Repo-Struktur
+
+```
+pipeguard/
+├── CLAUDE.md                          ← dieser File
+├── CLAUDE.private.md                  
+├── README.md
+├── pyproject.toml
+├── pipeguard/
+│   ├── __init__.py
+│   ├── cli.py                         (Einstiegspunkt: pipeguard scan)
+│   ├── scanner/
+│   │   ├── actionlint_runner.py       (ruft actionlint als subprocess auf)
+│   │   ├── sha_pinning.py             (prüft & pinnt Action-Versionen)
+│   │   ├── supply_chain.py            (Dependency-Graph, Trust Score)
+│   │   └── secrets_flow.py            (Secrets-Leak-Erkennung)
+│   └── output/
+│       ├── formatter.py               (Terminal-Output, JSON, SARIF)
+│       └── autofix.py                 (generiert Fix-Vorschläge)
+├── tests/
+│   └── fixtures/                      (Beispiel-Workflows für Tests)
+└── .github/
+    └── workflows/
+        └── ci.yml
+```
+
+---
+
+## Design-Prinzipien
+
+- **Standard-YAML-Kompatibilität** — kein proprietäres Format, kein Lock-in
+- **Security first** — Security-Features haben Priorität vor UX-Features
+- **OSS-Kern bleibt kostenlos** — Basis-Security-Checks sind immer öffentlich und gratis
+- **Aufbauen, nicht ersetzen** — actionlint erweitern
+- **Fail fast, fail loud** — Fehler sollen früh und klar sichtbar sein, nie still ignoriert werden
+
+---
+
+## Coding-Regeln
+
+- Alle neuen Scanner-Module brauchen Fixtures in `tests/fixtures/` — echte Workflow-Beispiele, keine synthetischen
+- Output immer in drei Formaten unterstützen: Terminal (human-readable), JSON (maschinenlesbar), SARIF (IDE-Integration)
+- Externe Abhängigkeiten minimal halten — actionlint muss lokal installiert sein, alles andere optional
+- Keine Secrets oder API-Keys im Code oder in Tests — Fixtures verwenden ausschließlich Mock-Daten
+- Vor jedem neuen Feature: Issue öffnen mit konkretem Workflow-Beispiel das das Problem demonstriert
+
+---
+
+## Wichtige Referenzen
+
+- [actionlint](https://github.com/rhysd/actionlint) — Basis-Linter, auf dem PipeGuard aufbaut
+- [StepSecurity Harden-Runner](https://github.com/step-security/harden-runner) — komplementäres Runtime-Tool
+- [nektos/act](https://github.com/nektos/act) — lokales Testing-Tool (Inspiration + Limitation)
+- [CVE-2025-30066](https://github.com/advisories/GHSA-mrrh-fwg3-99v7) — tj-actions Supply-Chain-Angriff, Hauptmotivation für PipeGuard
+- [CISA Advisory](https://www.cisa.gov/news-events/alerts) — offizielle Warnungen zu GitHub Actions Security

pipeguard_cli-0.1.0/LICENSE

@@ -0,0 +1,178 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship made available under
+      the License, as indicated by a copyright notice that is included in
+      or attached to the work (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other
+      transformations represent, as a whole, an original work of authorship.
+      For the purposes of this License, Derivative Works shall not include
+      works that remain separable from, or merely link (or bind by name)
+      to the interfaces of, the Work and Derivative Works thereof.
+
+      "Contribution" shall mean, as submitted to the Licensor for inclusion
+      in the Work by the copyright owner or by an individual or Legal Entity
+      authorized to submit on behalf of the copyright owner. For the purposes
+      of this definition, "submitted" means any form of electronic, verbal,
+      or written communication sent to the Licensor or its representatives,
+      including but not limited to communication on electronic mailing lists,
+      source code control systems, and issue tracking systems that are managed
+      by, or on behalf of, the Licensor for the purpose of developing the Work,
+      but excluding communication that is conspicuously marked or designated in
+      writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any Legal Entity on behalf of
+      whom a Contribution has been received by the Licensor and included
+      within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by the combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a cross-claim
+      or counterclaim in a lawsuit) alleging that the Work or any Work
+      incorporated within the Work constitutes direct or contributory patent
+      infringement, then any patent licenses granted to You under this License
+      for that Work shall terminate as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the Work
+      or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You meet
+      the following conditions:
+
+      (a) You must give any other recipients of the Work or Derivative Works
+          a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices stating
+          that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works that
+          You distribute, all copyright, patent, trademark, and attribution
+          notices from the Source form of the Work, excluding those notices
+          that do not pertain to any part of the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, You must include a readable copy of the attribution
+          notices contained within such NOTICE file, in at least one of the
+          following places: within a NOTICE text file distributed as part of
+          the Derivative Works; within the Source form or documentation, if
+          provided along with the Derivative Works; or, within a display
+          generated by the Derivative Works, if and wherever such third-party
+          notices normally appear. The contents of the NOTICE file are for
+          informational purposes only and do not modify the License. You may
+          add Your own attribution notices within Derivative Works that You
+          distribute, alongside or in addition to the NOTICE text from the
+          Work, provided that such additional attribution notices cannot be
+          construed as modifying the License.
+
+      You may add Your own license statement for Your modifications and may
+      provide additional grant of rights to use, copy, modify, merge,
+      publish, distribute, sublicense, and/or sell copies of the Work,
+      and to permit persons to whom the Work is furnished to do so.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work by
+      You to the Licensor shall be under the terms and conditions of this
+      License, without any additional terms or conditions. Notwithstanding
+      the above, nothing herein shall supersede or modify the terms of any
+      separate license agreement you may have executed with Licensor regarding
+      such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or agreed
+      to in writing, Licensor provides the Work (and each Contributor
+      provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES
+      OR CONDITIONS OF ANY KIND, either express or implied, including,
+      without limitation, any warranties or conditions of TITLE,
+      NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE.
+      You are solely responsible for determining the appropriateness of using
+      or reproducing the Work and assume any risks associated with Your
+      exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory, whether
+      in tort (including negligence), contract, or otherwise, unless required
+      by applicable law (such as deliberate and grossly negligent acts) or
+      agreed to in writing, shall any Contributor be liable to You for
+      damages, including any direct, indirect, special, incidental, or
+      consequential damages of any character arising as a result of this
+      License or out of the use or inability to use the Work (including but
+      not limited to damages for loss of goodwill, work stoppage, computer
+      failure or malfunction, or all other commercial damages or losses), even
+      if such Contributor has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Liability. While redistributing the Work or
+      Derivative Works thereof, You may choose to offer, and charge a fee for,
+      acceptance of support, warranty, indemnity, or other liability
+      obligations and/or rights consistent with this License. However, in
+      accepting such obligations, You may offer such obligations only on Your
+      own behalf and on Your behalf of each Contributor, and on Your sole
+      responsibility, not on behalf of any other Contributor, and only if You
+      agree to indemnify, defend, and hold each Contributor harmless for any
+      liability incurred by, or claims asserted against, such Contributor by
+      reason of your accepting any such warranty or liability.
+
+   END OF TERMS AND CONDITIONS
+
+   Copyright 2026 Alex Jung
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.