SmtTheSE/DevOpsShield

DevOps Shield V2 — The Auditing Platform

DevOps Shield is an institutional-grade, 100% local auditing platform designed for modern DevOps teams. It transforms fragmented security tools into a unified, plugin-based ecosystem for maintaining clean and secure infrastructure-as-code.


Shield V2 Evolution

We have evolved from a simple utility suite into a cohesive Auditing Platform:

  • Unified Platform Audit: Run a full repository scan, Kubernetes linting, and Docker image diffing in one click.
  • Plugin Architecture: Modular "Scanners" (Hunter, Linter, Docker Diff) allow for easy extension.
  • Standardized Reporting: Every finding across the platform follows the unified ShieldFinding model for consistent severity and categorization.
  • Cross-Tool Intelligence: Correlates findings between tools to detect complex risks (e.g., matching unused keys to K8s deployments).
  • Open Extension Layer: Designed to wrap industry-standard engines (Trivy, Checkov, Kubeval) as plugins whose results are normalized into the unified finding model and shown in the minimalist dashboard.

Core Scanners

  1. Dead Config Hunter — Standardized scanner for orphaned configuration keys.
  2. K8s YAML Linter — Security-focused linter for Kubernetes manifests.
  3. Docker Image Diff — Deep layer inspection and security risk scoring.
  4. Hardcoded Secret Scanner — Entropy-based detection of leaked credentials that honors .shieldignore allowlist entries.
  5. Cloud IAM Validator — Offline structural policy checker that analyzes AWS JSON and Terraform HCL for insecure patterns (e.g., wildcard permissions, missing MFA conditions).
  6. Dependency Vulnerability Scanner — Checks the dependencies declared in requirements.txt and package.json against the OSV (Open Source Vulnerabilities) database locally, without invoking pip or npm.
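The Hardcoded Secret Scanner entry above describes three behaviours that a practitioner usually wants to see together: an entropy test on assigned values, a .shieldignore allowlist, and output that never echoes the literal secret. The script below is an added illustration of that combination and is not DevOps Shield's own code; the function names, the ENTROPY_THRESHOLD value, the assignment regex and the sample .env and .shieldignore contents are assumptions constructed for the example.

```python
"""Entropy-based secret detection with a .shieldignore-style allowlist and masked output.

Added illustration of the technique the Hardcoded Secret Scanner entry describes;
this is not DevOps Shield's own code. Function names, the ENTROPY_THRESHOLD value,
the assignment regex and the sample inputs are assumptions constructed for the example.
"""
import math
import re
from dataclasses import dataclass

# Assumed threshold in bits per character. A 32-character token drawn from a
# base64-like alphabet sits near 5 bits; ordinary words and hostnames sit below 4.
ENTROPY_THRESHOLD = 4.0

# KEY=value or key: value, where the value is a long run of base64/hex/URL-safe characters.
ASSIGNMENT_RE = re.compile(
    r'(?P<key>[A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*["\']?(?P<value>[A-Za-z0-9+/=_\-]{16,})["\']?'
)


@dataclass
class SecretFinding:
    path: str
    line: int
    key: str
    masked_value: str
    entropy: float
    severity: str = "HIGH"


def shannon_entropy(s: str) -> float:
    """Shannon entropy of the string in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def mask(value: str, show_values: bool = False) -> str:
    """Keep only the first and last two characters so console logs never carry the secret."""
    if show_values:
        return value
    if len(value) <= 4:
        return "****"
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def load_shieldignore(text: str) -> set:
    """One allowlisted key per line; '#' starts a comment, blank lines are skipped."""
    keys = set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            keys.add(entry)
    return keys


def scan_text(path: str, text: str, ignore: set, show_values: bool = False) -> list:
    """Return a SecretFinding for every non-allowlisted assignment whose value looks random."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ASSIGNMENT_RE.finditer(line):
            key, value = m.group("key"), m.group("value")
            if key in ignore:
                continue
            ent = shannon_entropy(value)
            if ent >= ENTROPY_THRESHOLD:
                findings.append(
                    SecretFinding(path, lineno, key, mask(value, show_values), round(ent, 2))
                )
    return findings


# Constructed sample inputs (not real credentials).
SAMPLE_ENV = """\
AWS_SECRET_ACCESS_KEY=q8Zt2nV9xLp4Wm7Rk3Jd6Fs1Yh5Bc0Ng
PUBLIC_BUCKET_NAME=my-public-assets-bucket
TEST_FIXTURE_TOKEN=AbCdEfGhIjKlMnOpQrStUvWxYz0123456789
"""
SAMPLE_SHIELDIGNORE = """\
# keys whose values are known-safe test fixtures
TEST_FIXTURE_TOKEN
"""

if __name__ == "__main__":
    for f in scan_text("sample.env", SAMPLE_ENV, load_shieldignore(SAMPLE_SHIELDIGNORE)):
        print(f"{f.severity} {f.path}:{f.line} {f.key}={f.masked_value} (entropy {f.entropy})")
```

Running it reports only AWS_SECRET_ACCESS_KEY: the bucket name scores below the threshold, and TEST_FIXTURE_TOKEN is high-entropy but allowlisted. The masked value is what reaches the console by default, which is the same reason the CLI's --show-values flag defaults to off.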

For a detailed breakdown of Where, When, and What to use each tool, see the User Guide.
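To make the Cloud IAM Validator entry concrete, here is an added example of the two structural checks it names (wildcard permissions and missing MFA conditions) applied to an AWS policy document. It is not DevOps Shield's own code and covers only the JSON form, not Terraform HCL; the rule names, the PRIVILEGED_ACTIONS set, the severity mapping and the sample policy are assumptions constructed for the example.

```python
"""Offline structural checks for an AWS IAM policy document.

Added example of the checks the Cloud IAM Validator entry names (wildcard permissions,
missing MFA conditions); it is not DevOps Shield's own code. Rule names, the
PRIVILEGED_ACTIONS set, the severity mapping and the sample policy are assumptions
constructed for the example.
"""
import json

# Assumed set of actions for which an Allow statement should carry an MFA condition.
PRIVILEGED_ACTIONS = {"*", "iam:*", "iam:PassRole", "iam:CreateAccessKey", "sts:AssumeRole"}


def _as_list(value):
    """IAM lets Action, Resource and Statement be a single value or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _has_mfa_condition(stmt):
    """True when the statement requires aws:MultiFactorAuthPresent to be true."""
    cond = stmt.get("Condition") or {}
    for operator in ("Bool", "BoolIfExists"):
        flag = (cond.get(operator) or {}).get("aws:MultiFactorAuthPresent")
        if str(flag).lower() == "true":
            return True
    return False


def validate_policy(policy, source="policy.json"):
    """Return a list of finding dicts for every Allow statement with a risky shape."""
    findings = []

    def add(sid, rule, severity, detail):
        findings.append({"source": source, "sid": sid, "rule": rule,
                         "severity": severity, "detail": detail})

    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", f"Statement[{index}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        star_action = "*" in actions or any(a.endswith(":*") for a in actions)
        star_resource = "*" in resources

        if "*" in actions and star_resource:
            add(sid, "full-admin-wildcard", "CRITICAL",
                "Action '*' on Resource '*' grants full account access")
        else:
            if star_action:
                add(sid, "wildcard-action", "HIGH", f"wildcard in Action: {actions}")
            if star_resource:
                add(sid, "wildcard-resource", "HIGH", f"Resource '*' for actions {actions}")

        if any(a in PRIVILEGED_ACTIONS for a in actions) and not _has_mfa_condition(stmt):
            add(sid, "missing-mfa-condition", "MEDIUM",
                "privileged action allowed without aws:MultiFactorAuthPresent")
    return findings


def validate_policy_json(text, source="policy.json"):
    """Parse a policy document from JSON text and validate it."""
    return validate_policy(json.loads(text), source)


# Constructed sample policy; the account id is the AWS documentation placeholder.
SAMPLE_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AdminAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "S3ReadAll", "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
    {"Sid": "AssumeWithMfa", "Effect": "Allow", "Action": "sts:AssumeRole",
     "Resource": "arn:aws:iam::123456789012:role/Deploy",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    {"Sid": "PassRoleNoMfa", "Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/Deploy"},
    {"Sid": "DenyAll", "Effect": "Deny", "Action": "*", "Resource": "*"}
  ]
}
"""

if __name__ == "__main__":
    for f in validate_policy_json(SAMPLE_POLICY):
        print(f"{f['severity']:8} {f['sid']:14} {f['rule']}: {f['detail']}")
```

On the sample policy this yields four findings: AdminAll is flagged twice (full wildcard, no MFA), S3ReadAll for the wildcard resource, and PassRoleNoMfa for the missing MFA condition, while AssumeWithMfa and the Deny statement are clean. Statements written with NotAction or NotResource are not examined here; a real validator has to treat those as wildcards too.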

Prerequisites & Runtime

To ensure full compatibility across all platform components:

  • Docker Daemon: Must be running locally (e.g., Docker Desktop, Colima) for the Docker Image Diff plugin to pull and inspect filesystem layers.
  • Python Dependencies: When you use --deep scan mode, the Checkov engine is installed automatically into the CLI's virtual environment. No manual binary installation is required.

Professional Installation (Binary Mode)

For a fast, professional experience without needing to manage Python environments or source code, you can use the pre-compiled shield binary.

1. Download & Install

Download the binary for your OS from the Releases page, then move it to your path:

# Example for macOS/Linux
chmod +x shield
sudo mv shield /usr/local/bin/shield

2. Usage

Now you can run the tool from anywhere in your terminal:

# 1. Unified repository scan (runs all of the following)
shield scan .

# 2. Dead config hunting (find unused keys)
shield hunt .

# 3. K8s manifest linting
shield lint k8s/

# 4. Docker image comparison/diff
shield diff python:3.11-slim python:3.12-slim

# 5. Secret leakage detection
shield secrets .

# 6. IAM policy validation
shield iam terraform/

# 7. Dependency vulnerability scanning
shield deps .

3. For Developers: Building the Binary

If you want to package the tool yourself (e.g., to hide your logic before sharing):

bash build_binary.sh
# The binary will be created at ./dist/shield

Quick Start (Microservice Mode)

The recommended way to use DevOps Shield V2 is via the Unified Dashboard.

# 1. Start the Platform
docker-compose up -d

# 2. Access the Dashboard
# Open http://localhost:3000

# 3. Add the 'shield-scan' alias (Optional)
bash setup_alias.sh
source ~/.zshrc

Features

  • One-Button Audit: A consolidated interface for full infrastructure stack analysis.
  • Deep Scan Mode: Optional integration with industry-standard engines (Checkov) for thousands of advanced security rules.
  • High-Contrast Minimalist UI: A professional, "Swiss-style" dashboard designed for clarity and speed.
  • Zero-Friction CLI: Automated alias setup for instant audits from any directory.
  • Institutional Logic: Standardized severity levels (CRITICAL to INFO) for executive reporting.
  • 100% Local: No external API calls, zero data leakage.

Security & Data Privacy

  • Data Locality: The CLI executes 100% locally. Code contents and Kubernetes configurations are never transmitted over the internet unless explicitly integrated with your own private APIs.
  • Secret Protections: The --show-values flag defaults to False. When hunting for dead configurations (e.g. searching .env and AWS configurations), their literal values are deliberately obscured from console output to prevent credential leakage inside GitHub Actions logs.

Best Practices for Teams

  • Standalone Auditor: Mount your target repository as /repo in docker-compose.yml to audit any project without polluting its source code.
  • Gatekeeper Mode: Integrate the CLI into your CI/CD pipelines to block builds with CRITICAL or HIGH findings.
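Gatekeeper Mode and the standardized severity levels listed under Features go together: a CI step needs an ordering over CRITICAL..INFO and a rule for what blocks the build. The script below is an added example of such a gate and is not DevOps Shield's own code. It assumes the scan results are available as a JSON array of objects with a "severity" field; the Severity ordering, the fail-closed handling of unknown labels and the sample report are assumptions constructed for the example.

```python
"""CI gate over a findings report: fail the build at or above a severity threshold.

Added example of the Gatekeeper Mode practice; not DevOps Shield's own code. The
report layout (a JSON array of objects with a "severity" field), the Severity
ordering and the command-line shape are assumptions constructed for the example.
"""
import json
import sys
from enum import IntEnum


class Severity(IntEnum):
    """Ordered so that comparisons express 'at least this severe'."""
    INFO = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


def parse_severity(label) -> Severity:
    """Map a report label to Severity; an unknown or missing label fails closed as CRITICAL."""
    try:
        return Severity[str(label).strip().upper()]
    except KeyError:
        return Severity.CRITICAL


def summarize(findings) -> dict:
    """Count findings per severity label, highest first."""
    counts = {s.name: 0 for s in sorted(Severity, reverse=True)}
    for f in findings:
        counts[parse_severity(f.get("severity")).name] += 1
    return counts


def gate(findings, fail_on="HIGH"):
    """Return (passed, blocking); blocking holds findings at or above fail_on, worst first."""
    threshold = Severity[fail_on.strip().upper()]
    blocking = [f for f in findings if parse_severity(f.get("severity")) >= threshold]
    blocking.sort(key=lambda f: parse_severity(f.get("severity")), reverse=True)
    return len(blocking) == 0, blocking


# Constructed sample report, shaped like a scan that found one issue per scanner.
SAMPLE_REPORT = [
    {"scanner": "iam", "severity": "CRITICAL", "title": "Action '*' on Resource '*'",
     "location": "terraform/admin.json"},
    {"scanner": "secrets", "severity": "HIGH", "title": "high-entropy value for AWS_SECRET_ACCESS_KEY",
     "location": ".env:1"},
    {"scanner": "lint", "severity": "MEDIUM", "title": "container runs as root",
     "location": "k8s/api.yaml"},
    {"scanner": "deps", "severity": "medium", "title": "outdated lockfile",
     "location": "package.json"},
    {"scanner": "hunter", "severity": "INFO", "title": "unused key LEGACY_FLAG",
     "location": "config/app.env"},
]


def main(argv):
    """Usage: gate.py <report.json> [FAIL_ON]; exits 1 when the gate blocks."""
    if len(argv) < 2:
        print("usage: gate.py <report.json> [CRITICAL|HIGH|MEDIUM|LOW|INFO]")
        return 2
    with open(argv[1]) as fh:
        findings = json.load(fh)
    fail_on = argv[2] if len(argv) > 2 else "HIGH"
    passed, blocking = gate(findings, fail_on)
    print("summary:", summarize(findings))
    for f in blocking:
        print(f"BLOCK {f.get('severity')}: {f.get('title')} ({f.get('location')})")
    status = "PASS" if passed else f"FAIL ({len(blocking)} finding(s) at or above {fail_on.upper()})"
    print("gate:", status)
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a pipeline the scan output is written to a file and this script runs as the next step, so its non-zero exit status stops the job. Unknown or missing severity labels are counted as CRITICAL on purpose: a mislabelled finding should stop the build rather than slip past the threshold.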

License

SittMinThar @2026
