PyPI - shieldops-cli - Versions diffs - 1.0.1__tar.gz → 1.0.3__tar.gz - Mend

shieldops-cli 1.0.1tar.gz → 1.0.3tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (37) hide show

{shieldops_cli-1.0.1/shieldops_cli.egg-info → shieldops_cli-1.0.3}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: shieldops-cli
-Version: 1.0.1
+Version: 1.0.3
 Summary: ShieldOps AI — Security scanner CLI for Docker, Kubernetes, Compose, SBOM, and more.
 Author-email: ShieldOps AI <support@shieldops.ai>
 License-Expression: MIT
@@ -40,11 +40,11 @@ Dynamic: license-file
 [![Powered by ShieldOps AI](https://img.shields.io/badge/powered%20by-ShieldOps%20AI-8B5CF6)](https://shieldops-ai.dev)
 <p align="center">
-  <img src="docs/screenshots/tui-session.svg" alt="ShieldOps TUI interactive session" width="800">
+  <img src="https://raw.githubusercontent.com/mohammedabdallahcv-creator/shieldops-cli/main/docs/screenshots/tui-session.png" alt="ShieldOps TUI interactive session" width="800">
 </p>
 <p align="center">
-  <img src="docs/screenshots/cli-output.svg" alt="ShieldOps CLI scan results" width="800">
+  <img src="https://raw.githubusercontent.com/mohammedabdallahcv-creator/shieldops-cli/main/docs/screenshots/cli-output.png" alt="ShieldOps CLI scan results" width="800">
 </p>
 ---
@@ -64,7 +64,8 @@ Most Dockerfile/K8s scanners tell you **what** is wrong. ShieldOps CLI also tell
 | Docker image scan | Yes | No | Yes (built-in) |
 | Interactive TUI | Yes | No | No |
 | CI/CD ready (`--fail-on`) | Yes | Yes | Yes |
-| Free tier | Yes (5 scans/day) | Yes | Yes |
+| Free tier (local) | Unlimited scans, no signup | Yes | Yes |
+| Cloud AI analysis | With API key (5 free/day) | — | — |
 ### What makes it different
@@ -81,14 +82,21 @@ Most Dockerfile/K8s scanners tell you **what** is wrong. ShieldOps CLI also tell
 # 1. Install
 pip install shieldops-cli
-# 2. Login (free tier — 5 scans/day)
-shieldops login
-# 3. Scan your Dockerfile
+# 2. Scan your Dockerfile (local — no login needed)
 shieldops analyze Dockerfile
 ```
-That's it. You get severity-graded findings, compliance mapping (CIS, SOC 2, NIST), and AI remediation guidance.
+That's it. You get severity-graded findings with 10+ built-in rules — no signup, no API key.
+For AI-powered analysis with deeper scanning:
+```bash
+# 3. Login (free tier — 5 scans/day)
+shieldops login
+# 4. Scan with cloud AI
+shieldops analyze Dockerfile --api
+```
 ---
@@ -118,11 +126,14 @@ pip install shieldops-cli
 ### `analyze` — Dockerfile Security Scan
+Runs locally by default (no API key). Use `--api` for cloud AI analysis.
 ```bash
-shieldops analyze Dockerfile
-shieldops analyze Dockerfile --format json
-shieldops analyze Dockerfile --fail-on high        # CI/CD gate
-shieldops analyze Dockerfile --open-report         # open browser report
+shieldops analyze Dockerfile                          # local (free, unlimited)
+shieldops analyze Dockerfile --api                    # cloud AI (requires login)
+shieldops analyze Dockerfile --format json --output report.json
+shieldops analyze Dockerfile --fail-on high            # CI/CD gate
+shieldops analyze Dockerfile --open-report             # open browser report
 ```
 ### `autofix` — AI-Powered Dockerfile Fix

{shieldops_cli-1.0.1 → shieldops_cli-1.0.3}/README.md RENAMED Viewed

@@ -9,11 +9,11 @@
 [![Powered by ShieldOps AI](https://img.shields.io/badge/powered%20by-ShieldOps%20AI-8B5CF6)](https://shieldops-ai.dev)
 <p align="center">
-  <img src="docs/screenshots/tui-session.svg" alt="ShieldOps TUI interactive session" width="800">
+  <img src="https://raw.githubusercontent.com/mohammedabdallahcv-creator/shieldops-cli/main/docs/screenshots/tui-session.png" alt="ShieldOps TUI interactive session" width="800">
 </p>
 <p align="center">
-  <img src="docs/screenshots/cli-output.svg" alt="ShieldOps CLI scan results" width="800">
+  <img src="https://raw.githubusercontent.com/mohammedabdallahcv-creator/shieldops-cli/main/docs/screenshots/cli-output.png" alt="ShieldOps CLI scan results" width="800">
 </p>
 ---
@@ -33,7 +33,8 @@ Most Dockerfile/K8s scanners tell you **what** is wrong. ShieldOps CLI also tell
 | Docker image scan | Yes | No | Yes (built-in) |
 | Interactive TUI | Yes | No | No |
 | CI/CD ready (`--fail-on`) | Yes | Yes | Yes |
-| Free tier | Yes (5 scans/day) | Yes | Yes |
+| Free tier (local) | Unlimited scans, no signup | Yes | Yes |
+| Cloud AI analysis | With API key (5 free/day) | — | — |
 ### What makes it different
@@ -50,14 +51,21 @@ Most Dockerfile/K8s scanners tell you **what** is wrong. ShieldOps CLI also tell
 # 1. Install
 pip install shieldops-cli
-# 2. Login (free tier — 5 scans/day)
-shieldops login
-# 3. Scan your Dockerfile
+# 2. Scan your Dockerfile (local — no login needed)
 shieldops analyze Dockerfile
 ```
-That's it. You get severity-graded findings, compliance mapping (CIS, SOC 2, NIST), and AI remediation guidance.
+That's it. You get severity-graded findings with 10+ built-in rules — no signup, no API key.
+For AI-powered analysis with deeper scanning:
+```bash
+# 3. Login (free tier — 5 scans/day)
+shieldops login
+# 4. Scan with cloud AI
+shieldops analyze Dockerfile --api
+```
 ---
@@ -87,11 +95,14 @@ pip install shieldops-cli
 ### `analyze` — Dockerfile Security Scan
+Runs locally by default (no API key). Use `--api` for cloud AI analysis.
 ```bash
-shieldops analyze Dockerfile
-shieldops analyze Dockerfile --format json
-shieldops analyze Dockerfile --fail-on high        # CI/CD gate
-shieldops analyze Dockerfile --open-report         # open browser report
+shieldops analyze Dockerfile                          # local (free, unlimited)
+shieldops analyze Dockerfile --api                    # cloud AI (requires login)
+shieldops analyze Dockerfile --format json --output report.json
+shieldops analyze Dockerfile --fail-on high            # CI/CD gate
+shieldops analyze Dockerfile --open-report             # open browser report
 ```
 ### `autofix` — AI-Powered Dockerfile Fix

{shieldops_cli-1.0.1 → shieldops_cli-1.0.3}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 [project]
 name = "shieldops-cli"
-version = "1.0.1"
+version = "1.0.3"
 description = "ShieldOps AI — Security scanner CLI for Docker, Kubernetes, Compose, SBOM, and more."
 readme = "README.md"
 license = "MIT"

{shieldops_cli-1.0.1 → shieldops_cli-1.0.3}/shieldops_cli/__init__.py RENAMED Viewed

@@ -1,3 +1,3 @@
 """ShieldOps AI CLI — Security scanner for Docker, Kubernetes, Compose, SBOM, and more."""
-__version__ = "1.0.1"
+__version__ = "1.0.3"

{shieldops_cli-1.0.1 → shieldops_cli-1.0.3}/shieldops_cli/commands/analyze.py RENAMED Viewed

@@ -1,11 +1,13 @@
-"""shieldops analyze — Dockerfile analysis."""
+"""shieldops analyze — Dockerfile analysis (local or cloud)."""
 import sys
 import click
 from pathlib import Path
 from rich.console import Console
+from shieldops_cli import config as cfg
 from shieldops_cli.api_client import ShieldOpsClient, ApiError
 from shieldops_cli.formatters import format_result
+from shieldops_cli.local_analyzer import analyze_dockerfile as local_analyze
 console = Console()
@@ -19,23 +21,58 @@ SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}
 @click.option("-o", "--output", type=click.Path(), default=None,
               help="Write output to file instead of stdout.")
 @click.option("--open-report", is_flag=True, default=False,
-              help="Open the full report in browser after scan.")
+              help="Open the full report in browser after scan (cloud only).")
 @click.option("--fail-on", type=click.Choice(["critical", "high", "medium", "low", "none"]),
               default="none", help="Exit with code 1 if issues >= severity (for CI/CD).")
-def analyze(file, fmt, output, open_report, fail_on):
+@click.option("--api", "force_api", is_flag=True, default=False,
+              help="Force cloud analysis (requires login).")
+def analyze(file, fmt, output, open_report, fail_on, force_api):
     """Analyze a Dockerfile for security and best-practice issues.
+    Runs locally by default (no API key needed). Use --api for cloud analysis.
     \b
     Examples:
       shieldops analyze Dockerfile
+      shieldops analyze Dockerfile --api          # cloud (requires login)
       shieldops analyze Dockerfile --format json --output report.json
-      shieldops analyze Dockerfile --fail-on high    # CI/CD gate
-      shieldops analyze Dockerfile --open-report
+      shieldops analyze Dockerfile --fail-on high  # CI/CD gate
     """
     path = Path(file)
     content = path.read_text(encoding="utf-8")
     filename = path.name
+    api_key = cfg.get_api_key()
+    if api_key or force_api:
+        if not api_key:
+            console.print("[red]Cloud analysis requires login. Run: shieldops login --key <YOUR_KEY>[/red]")
+            sys.exit(2)
+        _run_cloud_analysis(content, filename, fmt, output, open_report, fail_on)
+    else:
+        _run_local_analysis(content, filename, fmt, output, fail_on)
+def _run_local_analysis(content: str, filename: str, fmt, output, fail_on):
+    result = local_analyze(content, filename)
+    formatted = format_result("analyze", result, fmt=fmt or "table")
+    if output:
+        Path(output).write_text(formatted, encoding="utf-8")
+        console.print(f"[green]\u2705 Report saved to {output}[/green]")
+    else:
+        console.print(formatted)
+    console.print("\n[dim][Local analysis - 10 rules] Sign up for cloud analysis with AI:[/dim]")
+    console.print(f"[dim]  {cfg.get_api_url()}/settings/api-keys[/dim]")
+    if fail_on != "none":
+        if check_severity_gate(result, fail_on):
+            console.print(f"\n[red]\u274c Issues found at {fail_on.upper()} or above. Failing.[/red]")
+            sys.exit(1)
+def _run_cloud_analysis(content: str, filename: str, fmt, output, open_report, fail_on):
     client = ShieldOpsClient()
     with console.status("[bold blue]Analyzing...", spinner="dots"):
@@ -47,7 +84,6 @@ def analyze(file, fmt, output, open_report, fail_on):
     result = payload.get("result", {})
-    # ── Format output ──
     formatted = format_result("analyze", result, fmt=fmt or "table")
     if output:
@@ -56,7 +92,6 @@ def analyze(file, fmt, output, open_report, fail_on):
     else:
         console.print(formatted)
-    # ── Report URL (canonical: result.report_url → top-level route → scan_id fallback) ──
     report_url = (
         result.get("report_url")
         or payload.get("route")
@@ -70,14 +105,12 @@ def analyze(file, fmt, output, open_report, fail_on):
         base = client.api_url
         full_url = report_url if report_url.startswith("http") else f"{base}{report_url}"
         print(f"\nFull report: {full_url}")
         if open_report:
             import webbrowser
             webbrowser.open(full_url)
     else:
         print("\nNo report URL returned for this scan.")
-    # ── CI/CD exit code ──
     if fail_on != "none":
         if check_severity_gate(result, fail_on):
             console.print(f"\n[red]\u274c Issues found at {fail_on.upper()} or above. Failing.[/red]")

shieldops_cli-1.0.3/shieldops_cli/local_analyzer.py ADDED Viewed

@@ -0,0 +1,218 @@
+"""Local Dockerfile analyzer — works offline, no API key needed."""
+from __future__ import annotations
+import re
+from pathlib import Path
+RULES: list[dict] = [
+    # ── DL3007: latest tag ──
+    {
+        "rule_id": "DL3007",
+        "severity": "critical",
+        "pattern": re.compile(r"^FROM\s+\S+?:\s*latest\s*$", re.IGNORECASE | re.MULTILINE),
+        "message": "Using `latest` tag is dangerous — pinned versions ensure reproducible builds",
+        "fix": "Replace `latest` with a specific version tag (e.g. `python:3.11-slim`)",
+        "category": "best_practice",
+    },
+    # ── DL3008: pin apt-get versions ──
+    {
+        "rule_id": "DL3008",
+        "severity": "critical",
+        "pattern": re.compile(
+            r"RUN\s+(apt-get\s+install\s+)(?!.*\s=\s)",
+            re.IGNORECASE | re.MULTILINE,
+        ),
+        "message": "Pin package versions in `apt-get install` for reproducible builds",
+        "fix": "Add `=version` to each package (e.g. `build-essential=12.9`)",
+        "category": "best_practice",
+    },
+    # ── DL3009: apt-get lists not cleaned ──
+    {
+        "rule_id": "DL3009",
+        "severity": "medium",
+        "pattern": re.compile(
+            r"RUN\s+apt-get\s+install",
+            re.IGNORECASE,
+        ),
+        "message": "Delete apt-get lists after install to reduce image size",
+        "fix": "Add `&& rm -rf /var/lib/apt/lists/*` after apt-get install",
+        "category": "best_practice",
+        "_needs_clean": True,
+    },
+    # ── DL3013: pin pip versions ──
+    {
+        "rule_id": "DL3013",
+        "severity": "high",
+        "pattern": re.compile(
+            r"RUN\s+pip\s+install\s+(?!.*==)",
+            re.IGNORECASE | re.MULTILINE,
+        ),
+        "message": "Pin package versions in pip install for reproducible builds",
+        "fix": "Use `pip install flask==3.0.0` instead of `pip install flask`",
+        "category": "best_practice",
+    },
+    # ── DL4006: SHELL selected by default ──
+    {
+        "rule_id": "DL4006",
+        "severity": "high",
+        "pattern": re.compile(r"^SHELL\s+\[", re.IGNORECASE | re.MULTILINE),
+        "message": "SHELL is already selected by default — remove redundant SHELL directive",
+        "fix": "Remove the SHELL directive unless you need a non-default shell",
+        "category": "style",
+    },
+    # ── DL4001: Windows line endings ──
+    {
+        "rule_id": "DL4001",
+        "severity": "low",
+        "pattern": re.compile(r"\r\n"),
+        "message": "Windows-style line endings detected — use LF for Dockerfiles",
+        "fix": "Convert to Unix line endings (LF)",
+        "category": "style",
+    },
+    # ── DL3003: no WORKDIR before COPY ──
+    {
+        "rule_id": "DL3003",
+        "severity": "low",
+        "pattern": re.compile(r"^COPY\s+\.\s+/"),
+        "message": "COPY without prior WORKDIR — files may land in unexpected location",
+        "fix": "Add `WORKDIR /app` before COPY",
+        "category": "best_practice",
+    },
+    # ── USER root ──
+    {
+        "rule_id": "SC1001",
+        "severity": "critical",
+        "pattern": re.compile(r"^USER\s+root\b", re.IGNORECASE | re.MULTILINE),
+        "message": "Running as root increases blast radius in case of container escape",
+        "fix": "Use `USER nonroot` or create a dedicated user with `RUN adduser -D appuser && USER appuser`",
+        "category": "security",
+    },
+    # ── EXPOSE without port number ──
+    {
+        "rule_id": "DL4000",
+        "severity": "low",
+        "pattern": re.compile(r"^EXPOSE\s*$", re.MULTILINE),
+        "message": "EXPOSE without port number has no effect",
+        "fix": "Specify a port: `EXPOSE 8080`",
+        "category": "best_practice",
+    },
+    # ── ENV with debug mode in production ──
+    {
+        "rule_id": "SC1002",
+        "severity": "medium",
+        "pattern": re.compile(
+            r"ENV\s+(FLASK_DEBUG|NODE_ENV|DJANGO_DEBUG|APP_DEBUG)\s*=\s*(1|true|development)\b",
+            re.IGNORECASE | re.MULTILINE,
+        ),
+        "message": "Debug/development mode enabled in production image",
+        "fix": "Set `ENV FLASK_DEBUG=0` or remove the ENV line for production images",
+        "category": "security",
+    },
+    # ── No HEALTHCHECK ──
+    {
+        "rule_id": "DL4002",
+        "severity": "low",
+        "pattern": re.compile(r"^(?!.*HEALTHCHECK)", re.MULTILINE),
+        "message": "No HEALTHCHECK defined — container health won't be monitored",
+        "fix": "Add `HEALTHCHECK CMD curl -f http://localhost:8080/health || exit 1`",
+        "category": "best_practice",
+        "_negate": True,
+    },
+    # ── RUN npm install without cache cleanup ──
+    {
+        "rule_id": "DL3014",
+        "severity": "medium",
+        "pattern": re.compile(
+            r"RUN\s+npm\s+install\s+(?!.*npm\s+cache\s+clean)",
+            re.IGNORECASE | re.MULTILINE,
+        ),
+        "message": "npm install without cache cleanup increases image size",
+        "fix": "Add `&& npm cache clean --force` to the RUN command",
+        "category": "best_practice",
+    },
+]
+FINDING_TEMPLATE = {
+    "type": "dockerfile",
+    "category": "",
+    "severity": "info",
+    "rule_id": "",
+    "message": "",
+    "fix": "",
+    "line": 1,
+    "column": 1,
+    "source": "shieldops-local",
+}
+def analyze_dockerfile(content: str, filename: str = "Dockerfile") -> dict:
+    lines = content.split("\n")
+    findings = []
+    for rule in RULES:
+        pattern = rule["pattern"]
+        negate = rule.get("_negate", False)
+        if negate:
+            if not pattern.search(content):
+                finding = dict(FINDING_TEMPLATE)
+                finding.update(
+                    severity=rule["severity"],
+                    rule_id=rule["rule_id"],
+                    message=rule["message"],
+                    fix=rule["fix"],
+                    category=rule["category"],
+                    line=1,
+                )
+                findings.append(finding)
+            continue
+        for match in pattern.finditer(content):
+            line_num = content[: match.start()].count("\n") + 1
+            raw_line = lines[line_num - 1] if line_num <= len(lines) else ""
+            if rule.get("_needs_clean"):
+                block = content[match.start() : min(match.start() + 300, len(content))]
+                if "rm -rf" in block and "apt/lists" in block:
+                    continue
+            if rule["rule_id"] == "DL3013":
+                rest_of_line = raw_line[match.end() - len(raw_line) :]
+                if "==" in rest_of_line or "requirements.txt" in rest_of_line or "-r" in rest_of_line:
+                    continue
+            if rule["rule_id"] == "DL3008":
+                rest = raw_line[match.end() - len(raw_line) :]
+                if "=" in rest:
+                    continue
+            finding = dict(FINDING_TEMPLATE)
+            finding.update(
+                severity=rule["severity"],
+                rule_id=rule["rule_id"],
+                message=rule["message"],
+                fix=rule["fix"],
+                category=rule["category"],
+                line=line_num,
+            )
+            findings.append(finding)
+    critical = sum(1 for f in findings if f["severity"] == "critical")
+    high = sum(1 for f in findings if f["severity"] == "high")
+    medium = sum(1 for f in findings if f["severity"] == "medium")
+    low = sum(1 for f in findings if f["severity"] == "low")
+    score = max(0, 100 - (critical * 25 + high * 10 + medium * 5 + low * 2))
+    return {
+        "findings": findings,
+        "report_contract": {
+            "critical_count": critical,
+            "high_count": high,
+            "medium_count": medium,
+            "low_count": low,
+        },
+        "security_score": score,
+        "security_score_grade": "A" if score >= 90 else "B" if score >= 70 else "C" if score >= 50 else "D" if score >= 30 else "F",
+        "source": "local",
+        "filename": filename,
+    }

{shieldops_cli-1.0.1 → shieldops_cli-1.0.3/shieldops_cli.egg-info}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: shieldops-cli
-Version: 1.0.1
+Version: 1.0.3
 Summary: ShieldOps AI — Security scanner CLI for Docker, Kubernetes, Compose, SBOM, and more.
 Author-email: ShieldOps AI <support@shieldops.ai>
 License-Expression: MIT
@@ -40,11 +40,11 @@ Dynamic: license-file
 [![Powered by ShieldOps AI](https://img.shields.io/badge/powered%20by-ShieldOps%20AI-8B5CF6)](https://shieldops-ai.dev)
 <p align="center">
-  <img src="docs/screenshots/tui-session.svg" alt="ShieldOps TUI interactive session" width="800">
+  <img src="https://raw.githubusercontent.com/mohammedabdallahcv-creator/shieldops-cli/main/docs/screenshots/tui-session.png" alt="ShieldOps TUI interactive session" width="800">
 </p>
 <p align="center">
-  <img src="docs/screenshots/cli-output.svg" alt="ShieldOps CLI scan results" width="800">
+  <img src="https://raw.githubusercontent.com/mohammedabdallahcv-creator/shieldops-cli/main/docs/screenshots/cli-output.png" alt="ShieldOps CLI scan results" width="800">
 </p>
 ---
@@ -64,7 +64,8 @@ Most Dockerfile/K8s scanners tell you **what** is wrong. ShieldOps CLI also tell
 | Docker image scan | Yes | No | Yes (built-in) |
 | Interactive TUI | Yes | No | No |
 | CI/CD ready (`--fail-on`) | Yes | Yes | Yes |
-| Free tier | Yes (5 scans/day) | Yes | Yes |
+| Free tier (local) | Unlimited scans, no signup | Yes | Yes |
+| Cloud AI analysis | With API key (5 free/day) | — | — |
 ### What makes it different
@@ -81,14 +82,21 @@ Most Dockerfile/K8s scanners tell you **what** is wrong. ShieldOps CLI also tell
 # 1. Install
 pip install shieldops-cli
-# 2. Login (free tier — 5 scans/day)
-shieldops login
-# 3. Scan your Dockerfile
+# 2. Scan your Dockerfile (local — no login needed)
 shieldops analyze Dockerfile
 ```
-That's it. You get severity-graded findings, compliance mapping (CIS, SOC 2, NIST), and AI remediation guidance.
+That's it. You get severity-graded findings with 10+ built-in rules — no signup, no API key.
+For AI-powered analysis with deeper scanning:
+```bash
+# 3. Login (free tier — 5 scans/day)
+shieldops login
+# 4. Scan with cloud AI
+shieldops analyze Dockerfile --api
+```
 ---
@@ -118,11 +126,14 @@ pip install shieldops-cli
 ### `analyze` — Dockerfile Security Scan
+Runs locally by default (no API key). Use `--api` for cloud AI analysis.
 ```bash
-shieldops analyze Dockerfile
-shieldops analyze Dockerfile --format json
-shieldops analyze Dockerfile --fail-on high        # CI/CD gate
-shieldops analyze Dockerfile --open-report         # open browser report
+shieldops analyze Dockerfile                          # local (free, unlimited)
+shieldops analyze Dockerfile --api                    # cloud AI (requires login)
+shieldops analyze Dockerfile --format json --output report.json
+shieldops analyze Dockerfile --fail-on high            # CI/CD gate
+shieldops analyze Dockerfile --open-report             # open browser report
 ```
 ### `autofix` — AI-Powered Dockerfile Fix

{shieldops_cli-1.0.1 → shieldops_cli-1.0.3}/shieldops_cli.egg-info/SOURCES.txt RENAMED Viewed

@@ -5,6 +5,7 @@ shieldops_cli/__init__.py
 shieldops_cli/api_client.py
 shieldops_cli/auth.py
 shieldops_cli/config.py
+shieldops_cli/local_analyzer.py
 shieldops_cli/main.py
 shieldops_cli.egg-info/PKG-INFO
 shieldops_cli.egg-info/SOURCES.txt