Modern, opinionated CLI to bootstrap a complete security pipeline for small teams — instantly.
DevSecOps Kit detects your project type, generates a hardened CI/CD security workflow, and runs local scans with actionable results. Designed for small teams and developers who need practical DevSecOps without complexity.
Automatically detects language and framework from your project files:
| Language | Detection files | Frameworks |
|---|---|---|
| Node.js | package.json | Express, Next.js, NestJS, Fastify, Koa |
| Go | go.mod | Gin, Echo, Fiber, Chi |
| Python | requirements.txt, pyproject.toml, Pipfile, setup.py | Django, Flask, FastAPI, Scrapy |
| Java | pom.xml, build.gradle, build.gradle.kts | Spring Boot, Quarkus, Micronaut |
Docker detection is included for all languages — Trivy image scanning is enabled automatically when a Dockerfile is present.
| Tool | What it scans | Default |
|---|---|---|
| Semgrep | SAST — code patterns, security anti-patterns | Enabled (opt-out in security-config.yml) |
| Gitleaks | Secrets — API keys, tokens, passwords in code | Enabled (opt-out in security-config.yml) |
| Trivy | Dependencies, container images, misconfigurations | Enabled (opt-out in security-config.yml) |
| Checkov | IaC — Terraform, CloudFormation, K8s manifests, Dockerfiles | Disabled (opt-in; requires `pip install checkov`) |
Generate a security pipeline for your CI platform:

```bash
devsecops init                  # GitHub Actions (default)
devsecops init --ci=gitlab      # GitLab CI (.gitlab-ci.yml)
devsecops init --ci=bitbucket   # Bitbucket Pipelines (bitbucket-pipelines.yml)
```

All generated workflows include parallel scanner execution, configurable fail gates and artifact uploads. Automatic PR security summary comments are GitHub Actions only.
Run the enabled scanners locally against the current project:

```bash
devsecops scan                        # Run all enabled scanners
devsecops scan --tool=semgrep         # Run a specific scanner
devsecops scan --tool=checkov         # Run IaC scanning
devsecops scan --format=terminal      # Rich terminal output (default)
devsecops scan --format=json          # JSON for CI integration
devsecops scan --format=html          # HTML report
devsecops scan --format=html --open   # HTML report, auto-open in browser
devsecops scan --format=sarif         # SARIF for GitHub Code Scanning
devsecops scan --fail-on-threshold    # Exit code 1 if thresholds exceeded
```

Generate a Software Bill of Materials for compliance and supply chain visibility:
```bash
devsecops sbom                 # CycloneDX format (default)
devsecops sbom --format=spdx   # SPDX format
```

Get actionable fix suggestions for HIGH and CRITICAL findings, powered by your choice of LLM:
```yaml
# security-config.yml
ai:
  enabled: true
  provider: "ollama"                   # ollama | openai | anthropic
  model: "llama3.1"                    # model name for the selected provider
  endpoint: "http://localhost:11434"   # ollama only
```

When enabled, each HIGH/CRITICAL finding in the terminal report includes a 💡 Fix: suggestion. Suggestions are cached per unique rule+finding, so identical issues are only sent to the LLM once per session.
For OpenAI or Anthropic, set the API key via environment variable instead of the config file, so that no credential is written into a file that may be committed with the project:

```bash
export OPENAI_API_KEY=sk-...
export ANTHROPIC_API_KEY=sk-ant-...
```

Note that with a hosted provider the finding details are sent to that provider's API. Keep the default Ollama setup if the code base must stay on your own machines.

Block commits or warn on push when security issues exceed thresholds:
```bash
devsecops init-hooks              # Install pre-commit and pre-push hooks
devsecops init-hooks --uninstall  # Remove hooks
```

security-config.yml is generated by devsecops init and controls all scanner behavior:
```yaml
version: "0.6.0"
language: "python"
framework: "django"
severity_threshold: "high"

tools:
  semgrep: true
  trivy: true
  gitleaks: true
  checkov: false          # opt-in, requires: pip install checkov

exclude_paths:
  - "vendor/"
  - "node_modules/"
  - ".venv/"
  - "target/"

fail_on:
  gitleaks: 0             # fail if ANY secrets detected
  semgrep: 10             # fail if 10+ findings
  trivy_critical: 0       # fail if ANY critical CVEs
  trivy_high: 5           # fail if 5+ high CVEs
  trivy_medium: -1        # disabled (-1 = ignore)
  trivy_low: -1
  checkov: -1             # disabled by default

licenses:
  enabled: false
  deny: ["GPL-3.0", "AGPL-3.0"]
  allow: ["MIT", "Apache-2.0", "BSD-*"]

notifications:
  pr_comment: true
  slack: false
  email: false

# ai:
#   enabled: false
#   provider: "ollama"
#   model: "llama3.1"
```

Other commands:

```bash
devsecops detect          # Show detected language and framework
devsecops diagnose        # Check installed scanners and environment
devsecops version         # Show version
devsecops init --wizard   # Interactive guided setup
```

Install with `go install`:

```bash
go install github.com/edgarpsda/devsecops-kit/cmd/devsecops@latest
```

Or build from source:

```bash
git clone https://github.com/edgarpsda/devsecops-kit.git
cd devsecops-kit
go build -o devsecops ./cmd/devsecops/
```

The CLI orchestrates external tools that must be installed separately:
| Tool | Install |
|---|---|
| Semgrep | pip install semgrep |
| Gitleaks | releases page |
| Trivy | install script |
| Checkov | pip install checkov (optional) |
| Ollama | ollama.com (optional, for AI suggestions) |
Run devsecops diagnose to check which tools are available.
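The `fail_on` and `licenses` blocks of security-config.yml above are the two policy decisions made on every scan, and the config comments leave the boundary slightly open (`gitleaks: 0` is glossed "fail if ANY", while `semgrep: 10` is glossed "10+"). The Go program below is an added illustration written for this page, not code from devsecops-kit. It evaluates a constructed set of finding counts against a `fail_on` block, treating each number as the maximum count tolerated (a gate trips when the count exceeds it, which is the only reading under which 0 means "any") and `-1` as disabled, and applies the deny-then-allow license policy with shell-style globs so that `BSD-*` covers `BSD-3-Clause`. The struct and function names, the "unlisted" verdict for a license in neither list, and the deny-before-allow ordering are this example's assumptions; confirm the real boundary behaviour of your installed version with `devsecops scan --fail-on-threshold`.

```go
package main

import (
	"fmt"
	"path"
	"sort"
)

// Disabled is the sentinel the config uses for "ignore this gate".
const Disabled = -1

// FailOn mirrors the fail_on block of security-config.yml. Assumed semantics
// (this example's, not necessarily the project's): a gate trips when the
// number of findings exceeds its value; Disabled (-1) switches it off.
type FailOn struct {
	Gitleaks      int
	Semgrep       int
	TrivyCritical int
	TrivyHigh     int
	TrivyMedium   int
	TrivyLow      int
	Checkov       int
}

// Counts holds per-gate finding totals from a scan, keyed by the fail_on names.
type Counts map[string]int

// Evaluate returns the sorted names of the gates that tripped; an empty
// slice means the scan passes and a CLI built this way would exit 0.
func Evaluate(cfg FailOn, counts Counts) []string {
	limits := map[string]int{
		"gitleaks":       cfg.Gitleaks,
		"semgrep":        cfg.Semgrep,
		"trivy_critical": cfg.TrivyCritical,
		"trivy_high":     cfg.TrivyHigh,
		"trivy_medium":   cfg.TrivyMedium,
		"trivy_low":      cfg.TrivyLow,
		"checkov":        cfg.Checkov,
	}
	tripped := []string{}
	for name, limit := range limits {
		if limit == Disabled {
			continue // -1: never fail on this gate, whatever the count
		}
		if counts[name] > limit { // a missing key reads as 0 findings
			tripped = append(tripped, name)
		}
	}
	sort.Strings(tripped)
	return tripped
}

// LicensePolicy mirrors the licenses block. Patterns are shell-style globs
// matched with path.Match, so "BSD-*" covers BSD-2-Clause and BSD-3-Clause.
type LicensePolicy struct {
	Enabled bool
	Deny    []string
	Allow   []string
}

func matchAny(patterns []string, license string) bool {
	for _, p := range patterns {
		if ok, err := path.Match(p, license); err == nil && ok {
			return true
		}
	}
	return false
}

// CheckLicense returns "deny", "allow" or "unlisted" for an SPDX identifier.
// Deny is consulted first so an explicit denial always beats a broad allow
// glob; "unlisted" is this example's verdict for a license in neither list.
func CheckLicense(p LicensePolicy, license string) string {
	switch {
	case !p.Enabled:
		return "allow" // enabled: false means the policy is not applied at all
	case matchAny(p.Deny, license):
		return "deny"
	case matchAny(p.Allow, license):
		return "allow"
	default:
		return "unlisted"
	}
}

func main() {
	// Thresholds copied from the generated config shown above.
	cfg := FailOn{Gitleaks: 0, Semgrep: 10, TrivyCritical: 0, TrivyHigh: 5,
		TrivyMedium: Disabled, TrivyLow: Disabled, Checkov: Disabled}
	// Constructed scan totals, not output from a real run: one leaked secret,
	// exactly ten Semgrep findings, six HIGH CVEs and many ignored MEDIUMs.
	counts := Counts{"gitleaks": 1, "semgrep": 10, "trivy_high": 6, "trivy_medium": 40, "checkov": 3}
	if tripped := Evaluate(cfg, counts); len(tripped) > 0 {
		fmt.Println("FAIL, gates tripped:", tripped) // [gitleaks trivy_high]
	} else {
		fmt.Println("PASS")
	}

	pol := LicensePolicy{Enabled: true,
		Deny:  []string{"GPL-3.0", "AGPL-3.0"},
		Allow: []string{"MIT", "Apache-2.0", "BSD-*"}}
	for _, l := range []string{"MIT", "BSD-3-Clause", "AGPL-3.0", "LGPL-2.1"} {
		fmt.Printf("%-14s %s\n", l, CheckLicense(pol, l))
	}
}
```

Two details are worth noticing when you tune your own thresholds: exactly ten Semgrep findings do not trip a `semgrep: 10` gate under the "maximum tolerated" reading, and a `trivy_medium: -1` gate stays silent no matter how many findings pile up, so disabling a gate is a deliberate acceptance of risk rather than a neutral default.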
```bash
# 1. Go to your project directory
cd my-project

# 2. Initialize — detects language, generates workflow + config
devsecops init

# 3. Run a local scan
devsecops scan

# 4. Check environment
devsecops diagnose
```

| Version | Features | Status |
|---|---|---|
| 0.3.0 | Fail gates, exclude paths, Docker detection, PR comments | ✅ Released |
| 0.4.0 | Local scans, git hooks, terminal UI, YAML config | ✅ Released |
| 0.4.1 | HTML reports, progress UI | ✅ Released |
| 0.5.0 | Python/Java detection, SBOM, SARIF output, license compliance | ✅ Released |
| 0.6.0 | Multi-CI (GitLab/Bitbucket), IaC scanning (Checkov), AI fix suggestions | ✅ Released |
| 0.7.0 | Vulnerability trending, EPSS/KEV scoring, TruffleHog integration | 📋 Planned |
- Fork the repository
- Create a feature branch (`v<version>/<feature-name>`)
- Run `go test ./...` before submitting
- Open a PR
MIT — free for personal and commercial use.
- No telemetry, no tracking, no code uploads
- All scans run locally or in your own CI environment
- AI suggestions are opt-in; Ollama runs fully locally by default
