codeGROOVE-dev · tstromberg · Aug 10, 2025 · Aug 10, 2025
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,21 @@
+version: 2
+updates:
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    groups:
+      dependencies:
+        patterns:
+          - "*"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    groups:
+      actions:
+        patterns:
+          - "*"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,36 @@
+name: CI
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+    types: [ opened, synchronize, reopened ]
+
+permissions: {}  # No default permissions
+
+env:
+  GO_VERSION: '1.23.4'
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Setup Go
+        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed  # v5.1.0
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: false
+
+      - name: Test
+        run: |
+          make lint
+          make test
+          make build
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,31 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@4f3212b61783c3c68e8309a0f18a699764811cda  # v3.27.1
+        with:
+          languages: go
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@4f3212b61783c3c68e8309a0f18a699764811cda  # v3.27.1
+
+      - name: Analyze
+        uses: github/codeql-action/analyze@4f3212b61783c3c68e8309a0f18a699764811cda  # v3.27.1
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -0,0 +1,22 @@
+name: Dependency Review
+
+on:
+  pull_request:
+    branches: [ main ]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Review Dependencies
+        uses: actions/dependency-review-action@4081bf99e2866ebe428fc0477b69eb4fcda7220a  # v4.4.0
+        with:
+          fail-on-severity: critical
diff --git a/README.md b/README.md
@@ -1,5 +1,11 @@
 # gitMDM
 
+![Experimental](https://img.shields.io/badge/status-experimental-orange)
+![Go Version](https://img.shields.io/github/go-mod/go-version/codeGROOVE-dev/gitMDM)
+![License](https://img.shields.io/github/license/codeGROOVE-dev/gitMDM)
+![Go Report Card](https://goreportcard.com/badge/github.com/codeGROOVE-dev/gitMDM)
+![Platform Support](https://img.shields.io/badge/platform-linux%20%7C%20macos%20%7C%20bsd%20%7C%20windows-blue)
+
 A security-first MDM that proves compliance without compromising your infrastructure.
 
 ![logo](./media/logo_small.png "gitMDM logo")
@@ -86,7 +92,7 @@ We love Google Cloud Run for our deployment story - check out `./hacks/deploy.sh
 Attackers can read compliance reports and delete them. That's it. They cannot push commands, install software, or access agent machines.
 
 **Why not just use osquery?**
-osquery is powerful but requires careful configuration to avoid information leakage. gitMDM is purpose-built for compliance with security as the primary design constraint.
+osquery is a great platform to build an MDM on top of, but its cross-platform support is limited.
 
 **How do you prevent supply chain attacks?**
 Agents are built from source, checks are compiled in, and with Sigstore integration, all configurations are cryptographically signed with identity verification. Minimal dependencies.

diff --git a/cmd/agent/checks.yaml.sig b/cmd/agent/checks.yaml.sig
@@ -0,0 +1,3 @@
+MEUCIAjhy9Q4QSM9qrHLvH6JgXPZnERJeKwK1iWKHO7kbsRFAiEAkD2+5NR6XLSyirYZ6WL/PwwXaRO6/GdvBDsKl5mIYeE=
+---
+LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMxekNDQWx5Z0F3SUJBZ0lVZkltMkNkc2hiR05tcW1kQ29jczhYTlhiQTBrd0NnWUlLb1pJemowRUF3TXcKTnpFVk1CTUdBMVVFQ2hNTWMybG5jM1J2Y21VdVpHVjJNUjR3SEFZRFZRUURFeFZ6YVdkemRHOXlaUzFwYm5SbApjbTFsWkdsaGRHVXdIaGNOTWpVd09ERXdNVGd6TWpBMldoY05NalV3T0RFd01UZzBNakEyV2pBQU1Ga3dFd1lICktvWkl6ajBDQVFZSUtvWkl6ajBEQVFjRFFnQUVyekVnd2hHdVlVY25Ba3k4Z2ZEbFNMeFFSeVRoWGwxTHZ3Qi8KeHF6SHpqK3dHdFhpbm5QVjBHV2ZhQkhZTlE1MUtJeFJiSHRNNlFPQ2RZRnpxWnBGTHFPQ0FYc3dnZ0YzTUE0RwpBMVVkRHdFQi93UUVBd0lIZ0RBVEJnTlZIU1VFRERBS0JnZ3JCZ0VGQlFjREF6QWRCZ05WSFE0RUZnUVUyVHh1CmQ5dmd6bERjZDMxK0U3NUw5RkZNOEowd0h3WURWUjBqQkJnd0ZvQVUzOVBwejFZa0VaYjVxTmpwS0ZXaXhpNFkKWkQ4d0pBWURWUjBSQVFIL0JCb3dHSUVXZEN0bmFYUm9kV0pBYzNSeWIyMWlaWEpuTG05eVp6QXNCZ29yQmdFRQpBWU8vTUFFQkJCNW9kSFJ3Y3pvdkwyZHBkR2gxWWk1amIyMHZiRzluYVc0dmIyRjFkR2d3TGdZS0t3WUJCQUdECnZ6QUJDQVFnREI1b2RIUndjem92TDJkcGRHaDFZaTVqYjIwdmJHOW5hVzR2YjJGMWRHZ3dnWXNHQ2lzR0FRUUIKMW5rQ0JBSUVmUVI3QUhrQWR3RGRQVEJxeHNjUk1tTVpIaHlaWnpjQ29rcGV1TjQ4cmYrSGluS0FMeW51amdBQQpBWmlWUVJMcUFBQUVBd0JJTUVZQ0lRREtud3BzbDMrRzZ6bHRZSExsdnVRQzFvN0d5TCtVdVZSSzBtUzRrQXdXCk9nSWhBTEVRRGNJeFdXYU0xa3hXZ1hjOHp5bmdjQThMYmpBWFNKRURaVno1aUFoTE1Bb0dDQ3FHU000OUJBTUQKQTJrQU1HWUNNUURra2NidjJQN0xEZEgrTWJtMHlWK1gxU21vRWZBK3gwaCtnOVV1cmt3YlJyMXdXenpsZmdQWApwRWhzWnA4ZmNLa0NNUURvNFBwWi9XS0FFUzFydnRKY1lTSlBDTFpnZldRQ24wZmovVGd0amRmWGU1TnVnRXV2Cm5CNnVGZ1AxSW15L3RsTT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=