Enterprise CI/CD Pipeline Security Platform
Detect secrets, vulnerable dependencies, container vulnerabilities, and infrastructure misconfigurations in your codebase.
SecureFlow is a production-grade security scanning tool designed for DevSecOps pipelines. It provides comprehensive security analysis across multiple dimensions:
| Scanner | Description | Technologies |
|---|---|---|
| Secrets | Detect hardcoded credentials, API keys, and tokens | 50+ secret patterns |
| Dependencies | Find vulnerable packages via OSV API | Python, Node.js, Go, Ruby, Rust |
| Docker | Analyze Dockerfiles + image scanning via Trivy | Dockerfile, Container Images |
| IaC | Detect insecure infrastructure patterns | Terraform, AWS, Azure, GCP |
- Policy-as-Code: Define security policies in YAML for consistent enforcement
- SARIF Output: Native GitHub Security tab integration
- CI/CD Ready: First-class GitHub Actions support
- Extensible: Add custom rules and patterns
- Fast: Parallel scanning with intelligent caching
- Minimal Dependencies: Lightweight and easy to install
From PyPI:

```bash
pip install secureflow
```

From source (the clone creates a `secureflow-scanner` directory):

```bash
git clone https://github.com/chiakiichan/secureflow-scanner.git
cd secureflow-scanner
pip install -e .
```

With Docker:

```bash
docker run -v $(pwd):/scan secureflow/secureflow scan /scan
```

```bash
# Scan current directory
secureflow scan

# Scan specific path
secureflow scan ./src

# Output in JSON format
secureflow scan --format json --output results.json

# Generate SARIF for GitHub Security
secureflow scan --format sarif --output results.sarif
```

```bash
# Create .secureflow.yaml and policy file
secureflow init
```

```bash
# Only scan for secrets and dependencies
secureflow scan --no-docker --no-iac

# Scan with specific severity threshold
secureflow scan --fail-on critical

# Exclude paths
secureflow scan --exclude "tests/*" --exclude "docs/*"
```

```bash
# Scan a Docker image (requires Trivy)
secureflow docker-scan nginx:latest
```

Example console report:

```text
═══════════════════════════════════════════════════════
        SecureFlow Security Scan Report
        Version: 1.0.0
        Target: /path/to/project
═══════════════════════════════════════════════════════

Scanner Results:
  ✓ secrets: 3 finding(s) in 0.45s
  ✓ dependencies: 2 finding(s) in 1.23s
  ✓ docker: 5 finding(s) in 0.12s
  ✓ iac: 4 finding(s) in 0.08s

Findings Summary:
  CRITICAL : 2
  HIGH     : 5
  MEDIUM   : 4
  LOW      : 3

Detailed Findings:
────────────────────────────────────────────────────────

1. CRITICAL  AWS Secret Access Key
   Rule: SF-SEC-002
   Location: config/settings.py:42
   AWS Secret Access Key detected. This provides full access to AWS account.
   Fix: Remove the hardcoded secret and use secure secret management.

2. HIGH  Vulnerable dependency: requests
   Rule: SF-DEP-GHSA-9wx4-h78v-vm56
   Location: requirements.txt:3
   Package 'requests' version 2.25.0 has known vulnerability...
   Fix: Update requests to version 2.31.0 or later

═══════════════════════════════════════════════════════
✗ PIPELINE FAILED - Security issues must be resolved
═══════════════════════════════════════════════════════
```
Example `.secureflow.yaml`:

```yaml
# Output settings
output:
  format: console  # console, json, sarif
  # file: secureflow-report.json

# Policy settings
policy:
  file: .secureflow-policy.yaml
  fail_on_severity: HIGH

# Scanner settings
scanners:
  secrets:
    enabled: true
    exclude_patterns:
      - "*.test.js"
      - "*_test.py"
  dependencies:
    enabled: true
  docker:
    enabled: true
  iac:
    enabled: true

# Global exclusions
exclude_paths:
  - node_modules
  - .git
  - __pycache__
  - venv
```

Example `.secureflow-policy.yaml`:

```yaml
version: "1.0"
name: "Production Security Policy"

settings:
  fail_on_severity: HIGH
  default_action: warn

rules:
  # Block all critical findings
  - id: block_critical
    severity: CRITICAL
    action: fail

  # Block high severity findings
  - id: block_high
    severity: HIGH
    action: fail

  # Allow secrets in test files
  - id: allow_test_secrets
    file_patterns:
      - ".*test.*"
      - ".*spec.*"
    tags:
      - secret
    action: allow
    priority: 100  # Higher priority than block rules

  # Suppress info findings
  - id: suppress_info
    severity: INFO
    action: suppress
```

Example GitHub Actions workflow:

```yaml
name: Chiakii

on: [push, pull_request]

permissions:
  contents: read
  security-events: write

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'

      - name: Install SecureFlow
        run: pip install secureflow

      - name: Run Security Scan
        run: |
          secureflow scan . \
            --format sarif \
            --output results.sarif \
            --fail-on high \
            --ci
        continue-on-error: true

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

See .github/workflows/secureflow.yml for a complete example with:
- Dependency review
- Container scanning
- Artifact upload
- PR comments
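The policy file above combines severity rules, file-pattern allow rules and a `priority` tie-breaker. The following is an added example, not SecureFlow's own `policy/engine.py`, of how such rules can be evaluated; the `Finding` shape, the "highest priority wins" rule and the "warn counts toward `fail_on_severity`" semantics are assumptions about the format.

```python
import re
from dataclasses import dataclass, field

SEVERITY_RANK = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
# Constructed policy mirroring the "Production Security Policy" YAML above.
POLICY = {
    "settings": {"fail_on_severity": "HIGH", "default_action": "warn"},
    "rules": [
        {"id": "block_critical", "severity": "CRITICAL", "action": "fail"},
        {"id": "block_high", "severity": "HIGH", "action": "fail"},
        {"id": "allow_test_secrets", "file_patterns": [".*test.*", ".*spec.*"],
         "tags": ["secret"], "action": "allow", "priority": 100},
        {"id": "suppress_info", "severity": "INFO", "action": "suppress"},
    ],
}

@dataclass
class Finding:  # assumed minimal shape of a scanner finding
    severity: str
    path: str
    tags: set = field(default_factory=set)

def rule_matches(rule: dict, f: Finding) -> bool:
    """A rule applies only when every constraint it declares matches the finding."""
    if "severity" in rule and rule["severity"] != f.severity:
        return False
    if "tags" in rule and not set(rule["tags"]) & f.tags:
        return False
    if "file_patterns" in rule and not any(re.search(p, f.path) for p in rule["file_patterns"]):
        return False
    return True

def decide(policy: dict, f: Finding) -> str:
    """Highest-priority matching rule wins (priority defaults to 0); no match -> default_action."""
    matches = [r for r in policy["rules"] if rule_matches(r, f)]
    if not matches:
        return policy["settings"].get("default_action", "warn")
    return max(matches, key=lambda r: r.get("priority", 0))["action"]

def evaluate(policy: dict, findings: list) -> dict:
    """Action per finding (keyed by path) plus the verdict: fail on any 'fail' action
    or on a warned finding at or above settings.fail_on_severity."""
    threshold = SEVERITY_RANK[policy["settings"].get("fail_on_severity", "HIGH")]
    actions, failed = {}, False
    for f in findings:
        action = decide(policy, f)
        actions[f.path] = action
        if action == "fail" or (action == "warn" and SEVERITY_RANK[f.severity] >= threshold):
            failed = True
    return {"actions": actions, "failed": failed}
```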
Detects 50+ types of secrets including:
| Category | Examples |
|---|---|
| Cloud Providers | AWS, GCP, Azure credentials |
| Version Control | GitHub, GitLab tokens |
| Payment | Stripe, PayPal keys |
| Communication | Slack, Discord, Twilio tokens |
| Databases | Connection strings with credentials |
| Authentication | JWT secrets, API keys |
Uses the OSV (Open Source Vulnerabilities) database to check:
- Python packages (requirements.txt, pyproject.toml)
- Node.js packages (package.json, package-lock.json)
- Go modules (go.mod)
- Ruby gems (Gemfile.lock)
- Rust crates (Cargo.lock)
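As an added illustration (not the project's `scanners/dependencies.py`) of the OSV lookup for Python pins: parse exact `==` pins from a requirements file, build the body for OSV's `POST /v1/querybatch` endpoint, and turn the returned vulnerability ids into `SF-DEP-<id>` findings. The requirements text and the response fed to the test are constructed; `query_osv` is the only function that touches the network.

```python
import json
import re
import urllib.request

OSV_BATCH_URL = "https://api.osv.dev/v1/querybatch"

# Constructed requirements.txt (not a project file). Only exact '==' pins are
# queried: a range such as '>=6.0' does not identify one installed version.
REQUIREMENTS = """\
requests==2.25.0
# pinned for reproducibility
PyYAML>=6.0
rich==13.7.0
"""

def parse_pins(text: str) -> list:
    """Return (name, version, line_no) for every exact pin, ignoring comments."""
    pins = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9_.\-]+)\s*==\s*([\w.+!-]+)$", line)
        if m:
            pins.append((m.group(1), m.group(2), no))
    return pins

def build_batch_query(pins: list) -> dict:
    """Request body for POST /v1/querybatch: one PyPI query per pinned package."""
    return {"queries": [{"package": {"name": n, "ecosystem": "PyPI"}, "version": v}
                        for n, v, _ in pins]}

def findings_from_response(pins: list, response: dict, path: str = "requirements.txt") -> list:
    """querybatch results come back in query order and carry vulnerability ids only;
    each id becomes an SF-DEP-<id> finding pointing at the pin's line."""
    out = []
    for (name, version, no), result in zip(pins, response["results"]):
        for vuln in result.get("vulns") or []:
            out.append({"rule": "SF-DEP-" + vuln["id"], "location": f"{path}:{no}",
                        "message": f"Package '{name}' version {version} "
                                   f"has known vulnerability {vuln['id']}"})
    return out

def query_osv(pins: list) -> dict:
    """Live lookup (network); pass its result to findings_from_response."""
    body = json.dumps(build_batch_query(pins)).encode()
    req = urllib.request.Request(OSV_BATCH_URL, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)
```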
Analyzes Dockerfiles for:
- Using `:latest` tag
- Running as root
- Curl-pipe-bash patterns
- Hardcoded secrets in ENV/ARG
- Missing HEALTHCHECK
- Insecure file permissions
For image vulnerability scanning, requires Trivy installation.
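The Dockerfile checks listed above fall into two kinds: patterns that fire on a single instruction and defects that are the absence of an instruction (no non-root `USER`, no `HEALTHCHECK`). The following added example (not the project's `scanners/docker.py`) implements both kinds over a constructed Dockerfile; the `SF-DKR-*` rule ids are placeholders, not SecureFlow's real identifiers.

```python
import re

# Constructed Dockerfile (not from the project) that trips every check below.
SAMPLE_DOCKERFILE = """\
FROM python:latest
ARG NPM_TOKEN=npm_abcdef1234567890
ENV API_KEY=sk_live_0123456789abcdef
RUN curl -sSL https://example.invalid/install.sh | bash
RUN chmod 777 /app
COPY . /app
CMD ["python", "/app/main.py"]
"""

# Rule ids are placeholders, not SecureFlow's real SF-* identifiers.
CHECKS = [
    ("SF-DKR-001", "HIGH", "Base image uses the :latest tag",
     re.compile(r"^FROM\s+\S+:latest\b", re.I)),
    ("SF-DKR-003", "HIGH", "Remote script piped into a shell",
     re.compile(r"^RUN\b.*\b(curl|wget)\b.*\|\s*(ba|z|da)?sh\b", re.I)),
    ("SF-DKR-004", "CRITICAL", "Possible hardcoded secret in ENV/ARG",
     re.compile(r"^(ENV|ARG)\s+\w*(KEY|TOKEN|SECRET|PASSWORD)\w*\s*=?\s*\S{8,}", re.I)),
    ("SF-DKR-005", "MEDIUM", "World-writable permissions set with chmod",
     re.compile(r"^RUN\b.*\bchmod\b.*(?:\b[0-7]?[0-7]{2}[2367]\b|[ao]\+w)", re.I)),
]

def analyze_dockerfile(text: str) -> list:
    """Return (rule_id, severity, line_no, message) tuples. Regex checks fire per
    line; the root-user and HEALTHCHECK checks need the whole file because there
    the defect is a missing instruction (reported with line 0)."""
    findings, has_user, has_health = [], False, False
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"USER\s+(?!root\b)\S+", line, re.I):
            has_user = True
        if line.upper().startswith("HEALTHCHECK"):
            has_health = True
        for rule_id, sev, msg, rx in CHECKS:
            if rx.search(line):
                findings.append((rule_id, sev, no, msg))
    if not has_user:
        findings.append(("SF-DKR-002", "HIGH", 0, "Container runs as root (no non-root USER)"))
    if not has_health:
        findings.append(("SF-DKR-006", "LOW", 0, "Missing HEALTHCHECK instruction"))
    return findings
```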
Detects misconfigurations in Terraform:
| Category | Examples |
|---|---|
| Network | Open security groups, public access |
| Storage | Public S3 buckets, unencrypted volumes |
| Database | Publicly accessible RDS, missing encryption |
| IAM | Wildcard permissions, inline policies |
| Logging | Missing CloudTrail, disabled logging |
Human-readable colored output for local development.
Machine-readable format for programmatic consumption:
```json
{
  "version": "1.0",
  "summary": {
    "total_findings": 14,
    "by_severity": {"CRITICAL": 2, "HIGH": 5}
  },
  "findings": [...]
}
```

SARIF (Static Analysis Results Interchange Format) output for:
- GitHub Code Scanning
- Azure DevOps
- Visual Studio / VSCode
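To show what the SARIF output has to contain for the GitHub Security tab to render it, here is an added converter (not the project's `reporting/sarif.py`) from findings shaped like the console report above to a SARIF 2.1.0 log. The findings are constructed; the `security-severity` rule property is the one GitHub uses to bucket alerts, and the numeric values chosen for it are assumptions.

```python
import json

# SARIF has no CRITICAL level: CRITICAL and HIGH both become "error".
LEVEL = {"CRITICAL": "error", "HIGH": "error", "MEDIUM": "warning", "LOW": "note", "INFO": "note"}
# GitHub reads this rule property to bucket alerts (>=9.0 critical, >=7.0 high, >=4.0 medium).
SECURITY_SEVERITY = {"CRITICAL": "9.5", "HIGH": "8.0", "MEDIUM": "5.0", "LOW": "2.0", "INFO": "1.0"}

# Constructed findings shaped like the console report above (not tool output).
FINDINGS = [
    {"rule": "SF-SEC-002", "severity": "CRITICAL", "name": "AWS Secret Access Key",
     "path": "config/settings.py", "line": 42,
     "message": "AWS Secret Access Key detected. This provides full access to AWS account."},
    {"rule": "SF-DEP-GHSA-9wx4-h78v-vm56", "severity": "HIGH",
     "name": "Vulnerable dependency: requests", "path": "requirements.txt", "line": 3,
     "message": "Package 'requests' version 2.25.0 has known vulnerability"},
]

def to_sarif(findings: list, tool_version: str = "1.0.0") -> dict:
    """Build a SARIF 2.1.0 log with one run: rules de-duplicated into
    tool.driver.rules, one result per finding with a repo-relative location."""
    rules, results = {}, []
    for f in findings:
        rules.setdefault(f["rule"], {
            "id": f["rule"],
            "shortDescription": {"text": f["name"]},
            "defaultConfiguration": {"level": LEVEL[f["severity"]]},
            "properties": {"security-severity": SECURITY_SEVERITY[f["severity"]]},
        })
        results.append({
            "ruleId": f["rule"],
            "level": LEVEL[f["severity"]],
            "message": {"text": f["message"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["path"], "uriBaseId": "%SRCROOT%"},
                "region": {"startLine": f["line"]},
            }}],
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": "SecureFlow", "version": tool_version,
                                      "rules": list(rules.values())}},
                  "results": results}],
    }

def to_sarif_json(findings: list) -> str:
    """Serialized form for `--output results.sarif` and the upload-sarif step."""
    return json.dumps(to_sarif(findings), indent=2)
```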
```bash
# Clone repository
git clone https://github.com/secureflow/secureflow.git
cd secureflow

# Create virtual environment
python -m venv venv
source venv/bin/activate  # or `venv\Scripts\activate` on Windows

# Install with dev dependencies
pip install -e ".[dev]"

# Install pre-commit hooks
pre-commit install
```

```bash
# Run all tests
pytest

# Run with coverage
pytest --cov=secureflow --cov-report=html

# Run specific test file
pytest tests/test_secrets_scanner.py -v
```

```bash
# Format code
black secureflow tests

# Lint code
ruff check secureflow tests

# Type checking
mypy secureflow
```

Project layout:

```text
secureflow/
├── secureflow/
│   ├── __init__.py
│   ├── cli.py               # CLI entrypoint
│   ├── core/
│   │   ├── config.py        # Configuration management
│   │   ├── finding.py       # Finding data model
│   │   └── scanner.py       # Base scanner class
│   ├── scanners/
│   │   ├── secrets.py       # Secrets detection
│   │   ├── dependencies.py  # Dependency scanning
│   │   ├── docker.py        # Docker/container analysis
│   │   └── iac.py           # Infrastructure-as-Code
│   ├── policy/
│   │   ├── engine.py        # Policy evaluation engine
│   │   └── loader.py        # YAML policy loader
│   ├── reporting/
│   │   ├── console.py       # Console output
│   │   ├── json_reporter.py # JSON output
│   │   └── sarif.py         # SARIF output
│   └── integrations/
│       └── github.py        # GitHub Actions integration
├── tests/
├── docs/
├── .github/workflows/
├── pyproject.toml
└── README.md
```
We welcome contributions! Please see our Contributing Guide for details.
- Fork the repository
- Create a feature branch (`git checkout -b feature/amazing-feature`)
- Commit your changes (`git commit -m 'Add amazing feature'`)
- Push to the branch (`git push origin feature/amazing-feature`)
- Open a Pull Request
This project is licensed under the Apache License 2.0 - see the LICENSE file for details.
- OSV for the vulnerability database
- Trivy for container scanning
- SARIF specification
- The open-source security community
Built with ❤️ by Chiakii Chan