Modern, opinionated CLI to bootstrap a complete security pipeline for small teams — instantly. DevSecOps Kit detects your project (Node.js or Go), generates a hardened GitHub Actions workflow, and produces a centralized security configuration that evolves with your needs.
Designed for small teams, freelancers, and agencies who need practical DevSecOps without complexity.
Works out-of-the-box with:
- Node.js (
package.json) - Go (
go.mod) - Docker (Dockerfile detection) 🆕
Generates a ready-to-run GitHub Actions workflow including:
- Semgrep (SAST)
- Gitleaks (Secrets detection)
- Trivy (FS + dependency scanning)
- Trivy Image Scanning (when Dockerfile present) 🆕
- Hardened permissions
- Artifact uploads
- Timeout protections
Define thresholds that automatically fail CI builds:
fail_on:
gitleaks: 0 # Fail if ANY secrets detected
semgrep: 10 # Fail if 10+ findings
trivy_critical: 0 # Fail if ANY critical vulnerabilities
trivy_high: 5 # Fail if 5+ high severity vulnerabilitiesReduce noise by excluding directories from scans:
exclude_paths:
- "vendor/"
- "node_modules/"
- "test/"
- "*.test.js"Get detailed, actionable feedback directly on your code:
- File/line-specific comments for security issues
- Remediation guidance for each finding
- References to security best practices
- Automatic comment placement on changed files only
Run security scans locally before pushing:
devsecops scan # Run all enabled scanners
devsecops scan --tool=semgrep # Run specific tool
devsecops scan --format=json # JSON output for CI integration
devsecops scan --fail-on-threshold # Exit code 1 if thresholds exceededFeatures:
- Parallel execution of Semgrep, Gitleaks, and Trivy
- Rich color-coded terminal output
- Respects
security-config.ymlthresholds and exclusions - Docker image scanning when Dockerfile detected
- JSON output format for integrations
Automatically run security scans before commits and pushes:
devsecops init-hooks # Install pre-commit and pre-push hooks
devsecops init-hooks --uninstall # Remove hooksBehavior:
- Pre-commit hook: Blocks commits if security issues exceed thresholds
- Pre-push hook: Warns about issues but allows push to proceed
- Both use the same
security-config.ymlconfiguration
devsecops init --wizardA guided setup for new users:
- Select tools
- Choose severity gates
- Preview settings before generating
devsecops diagnoseChecks system readiness:
- Installed scanners
- Docker availability
- Project detection
- CI/CD compatibility
Each workflow produces:
artifacts/security/
gitleaks-report.json
semgrep-report.json
trivy-fs.json
trivy-image.json # When Dockerfile present
summary.json # v0.3.0 schema
The summary.json contains:
- Total secrets leaks
- Vulnerability counts by severity
- PASS/FAIL status based on thresholds 🆕
- Blocking issue count 🆕
Every pull request receives:
-
Summary Comment (updated, not duplicated):
- Secrets found
- FS & Image vulnerabilities
- Clear PASS/FAIL status
- Blocking issue count
-
Inline Fix-it Comments:
- Specific file/line comments
- Remediation guidance
- Security references
Generated automatically as:
version: "0.3.0"
language: "golang"
framework: ""
severity_threshold: "high"
tools:
semgrep: true
trivy: true
gitleaks: true
# Exclude paths from scanning (reduces noise)
exclude_paths:
- "vendor/"
- "node_modules/"
- "test/"
# Fail gates - CI fails if thresholds exceeded
fail_on:
gitleaks: 0 # Fail if ANY secrets detected
semgrep: 10 # Fail if 10+ Semgrep findings
trivy_critical: 0 # Fail if ANY critical vulnerabilities
trivy_high: 5 # Fail if 5+ high severity vulnerabilities
trivy_medium: -1 # Disabled (set to number to enable)
trivy_low: -1 # Disabled
notifications:
pr_comment: true
slack: false
email: falseHow to customize:
- Run
devsecops initto generate the config - Edit
security-config.ymlto adjust thresholds and exclusions - Commit changes - they take effect on next CI run
go install github.com/edgarpsda/devsecops-kit/cmd/devsecops@latestVerify:
devsecops versiongit clone https://github.com/edgarpsda/devsecops-kit.git
cd devsecops-kit
make build
./devsecops versiondevsecops init --wizarddevsecops initThis generates:
security-config.yml
.github/workflows/security.yml
devsecops diagnose| Flag | Description |
|---|---|
--wizard |
Launch interactive configuration |
--severity |
Set severity threshold |
--no-semgrep |
Disable Semgrep |
--no-gitleaks |
Disable Gitleaks |
--no-trivy |
Disable Trivy |
--verbose |
Verbose mode |
### 🔐 DevSecOps Kit Security Summary
- **Gitleaks:** 0 leaks
- **Trivy vulnerabilities:**
- CRITICAL: 0
- HIGH: 2
- MEDIUM: 7
✅ Status: No blocking issues detected.security-reports/
trivy-fs.json
gitleaks-report.json
summary.json
| Version | Features | Status |
|---|---|---|
| 0.3.0 | Config-driven fail gates, exclude paths, Docker detection, image scanning, inline PR comments | ✅ Released |
| 0.4.0 | Local CLI scans (devsecops scan), git hooks, rich terminal UI, YAML config parsing |
✅ Released |
| 0.4.1 | HTML report generation, progress bars, performance optimization | 🚧 In Progress |
| 0.5.0 | Python/Java detection, expanded framework support | 📋 Planned |
| 1.0.0 | Full onboarding UX, multi-CI support (GitLab, Jenkins) | 📋 Planned |
Contributions are welcome!
- Fork the repository
- Create a feature branch
- Run
make buildbefore submitting - Follow conventional commits
- Open a PR 🎉
MIT — free for personal and commercial use.
- No telemetry
- No tracking
- No code uploads
- All scans run locally or in your own CI
- OSS tools with strong community support
No — unless you explicitly approve it.
Coming soon (planned in v0.4.x).
Yes, Python, Java, Dockerfile detection is planned for v0.5.0.