CI/CD security · self-hosted · Apache-2.0

Audit-grade visualisations of your CI/CD security posture.

CIGuard is a self-hosted security auditor for GitLab CI, GitHub Actions, and Jenkins pipelines. It produces single-file HTML deliverables — the kind you can email to a customer or attach to an audit report — covering per-pipeline maps, infrastructure inventory, multi-environment topology, and org-wide posture.

What it produces

Four audit deliverables, one toolchain.

Every artifact is a self-contained HTML file with vendored D3 inline. Open it in any browser, no server needed. Print to PDF for the audit pack.

Pipeline visualiser

Interactive D3 map of one pipeline's job DAG. Severity-coloured cards, gate iconography, click-to-detail YAML + remediation, diff mode against a previous scan, fully keyboard-accessible.

3 platforms · 46 rules · 17 policies

Infrastructure inventory

Operator-supplied admin-API audit of CI/CD tooling versions — Jenkins, GitLab, GHE, Nexus, Artifactory, SonarQube, ArgoCD, Harbor — cross-referenced with endoflife.date for EOL/EOS warnings.

8 probes · EOL/EOS · env-var auth

Multi-environment topology

Cross-pipeline swimlane: services × environments + promotion transitions + secret scopes + network reachability. Live-API verification flags drift between asserted gates and actual GitHub deployment-environment / branch-protection state.

scan overlay · live-API verify · drift panel

Org-level audit dashboard

Walk every repo in a GitHub org, scan every pipeline file, roll into one posture dashboard with grade distribution, cross-org image inventory, pin-discipline mix, and per-repo drill-down maps.

image dedup · pin-discipline % · drill-down

See the deliverable

Live, in your browser. No install required.

The frame below is the actual HTML output of running ciguard scan --format html-interactive against a deliberately-flawed GitLab pipeline. Click the per-job cards, try the severity filters, search the findings, open the new Pipeline-level filter — every interaction works exactly as it does on the auditor's laptop.

Per-pipeline visualiser · scan against a deliberately-flawed GitLab pipeline · showing the v0.11.2 pipeline-globals banner + every interactive surface

Shape comparison

Monolith vs. microservices.

Two repos, same toolchain, very different posture. Both demos below are live CIGuard output running in your browser — interact with them the same way an auditor would on their laptop.

monolith

One repo, one pipeline, one set of versions.

The monolith repo has a single .gitlab-ci.yml: lint → test → build → deploy-staging → deploy-production. Every job shares one set of pinned base images (python:3.11.4-slim, docker:25.0, alpine:3.19) and the production deploy is gated behind when: manual. The diagram below renders that DAG — severity-coloured cards for any in-pipeline findings, gate flags on each node, click any card for the YAML excerpt and remediation.

Monolith · single pipeline file · 5 jobs · consistent pinning

microservices fleet

Three repos, three pipelines, three versions of everything.

The microservices repo has separate pipelines for the api, web, and worker services. From inside any one pipeline you can't see drift — you only see your own job graph. The dashboard below is the cross-pipeline view: it scans all three, then surfaces the image inventory panel showing 4 distinct images, 3 of them inconsistent across services (python appears as both 3.11.4-slim and 3.12; docker as 24.0 and 25.0; alpine as 3.18 and 3.19). The result is three SCA-PIN-003 cross-pipeline drift findings that the monolith above can't have by construction: "different runners boot different runtimes; CVEs patched in one variant may still be live in another."

Org-level audit · 2 repos · 4 distinct images · 3 inconsistent across services · per-repo grade rollup
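
The cross-pipeline comparison described above, as an added Python example (not CIGuard's own code or its SCA-PIN-003 implementation): it collects every image reference from three constructed pipeline excerpts and reports the repositories that resolve to more than one version. The pipeline contents, job names, the scanner image, and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed .gitlab-ci.yml excerpts, one per service. Job names and the
# scanner image are assumptions; the other tags are the ones quoted above.
PIPELINES = {
    "api": """
image: python:3.11.4-slim
build:
  image: docker:25.0
deploy:
  image: "alpine:3.19"
""",
    "web": """
image: python:3.12
build:
  image: docker:24.0
deploy:
  image: alpine:3.18
""",
    "worker": """
image: python:3.11.4-slim
scan:
  image: registry.example.com/tools/scanner:1.4.2
""",
}

IMAGE_RE = re.compile(r"""^[ \t]*image:[ \t]*['"]?([^\s'"#]+)""", re.M)  # scalar form only

def split_ref(ref):
    """Split an image reference into (repository, tag-or-digest)."""
    ref, _, digest = ref.partition("@")
    repo, tag = ref, "latest"
    if ":" in ref.rsplit("/", 1)[-1]:  # colon after the last slash is a tag, not a port
        repo, tag = ref.rsplit(":", 1)
    return repo, digest or tag

def image_inventory(pipelines):
    """Map repository -> {version: sorted list of services using it}."""
    inv = defaultdict(lambda: defaultdict(set))
    for service, text in pipelines.items():
        for ref in IMAGE_RE.findall(text):
            repo, version = split_ref(ref)
            inv[repo][version].add(service)
    return {r: {v: sorted(s) for v, s in vs.items()} for r, vs in inv.items()}

def drift_findings(pipelines):
    """Repositories that resolve to more than one version across services."""
    return {r: vs for r, vs in image_inventory(pipelines).items() if len(vs) > 1}
```

Calling drift_findings(PIPELINES) returns the python, docker and alpine entries with the services behind each version; an untagged reference is counted as latest, so it shows up as drift against any pinned tag.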

Promotion flow + gates

How a change reaches production.

Per-pipeline maps show one pipeline's job graph. The topology view zooms out: services × environments, with the gates between every transition. This is the diagram an auditor wants to see when they ask "how does code reach prod here, and what controls fire on the way."

topology

Three services, four environments, one promotion flow.

The horizontal axis is environments (dev → test → staging → prod); the vertical axis is services (api / web / worker). Each cell that a service deploys to lights up, and the arrows between cells carry the gates that fire on that transition: branch protection, manual approval, required reviewer, wait timers. The worker → prod path is deliberately gateless in the fixture — exactly the pattern an auditor wants flagged in red. Run ciguard topology --verify with a GitHub token and the same view drift-checks the asserted gates against the live branch-protection + deployment-environment state.

Multi-environment topology · 3 services × 4 envs · promotion gates per transition · drift overlay when run with --verify

Capability snapshot

What ships in the box.

3 platforms supported
46 deterministic rules
17 built-in policies
4 output formats
5 MCP tools
8 inventory probes

CLI verbs

ciguard scan: scan one pipeline file
ciguard scan-repo: scan every pipeline in a repo
ciguard inventory: live admin-API CI/CD inventory
ciguard topology: cross-pipeline swimlane + verify
ciguard audit-org: org-wide posture dashboard
ciguard mcp: MCP server (stdio)
ciguard app: GitHub App receiver
ciguard baseline: seed baseline for delta scans

How it ships

Install where it makes sense.

PyPI (CLI)

The Python CLI — drop into any developer machine or CI runner.

pip install ciguard

PyPI (with MCP)

Adds the stdio MCP server for Claude Desktop / Cursor / agentic clients.

pip install 'ciguard[mcp]'

GHCR (Docker)

Multi-arch image, Sigstore-signed, SBOM-attested every release.

docker pull ghcr.io/jo-jo98/ciguard:latest

pre-commit

Drop one hook in .pre-commit-config.yaml to scan changed pipeline files locally.

repos:
  - repo: https://github.com/Jo-Jo98/ciguard
    rev: v0.11.2
    hooks:
      - id: ciguard-scan

Posture posture

Built securely. Self-pentested.

CIGuard ships its own supply-chain provenance: every release is Sigstore-keyless-signed by digest on GHCR, attested with both CycloneDX + SPDX SBOMs, and PyPI distributions carry PEP 740 attestations. Cycle 1 self-pentest closed 2026-04-27 with all four findings fixed and verified; Cycle 2 is on the calendar. Two complementary CodeQL + dogfood-SARIF lanes upload to GitHub Code Scanning on every push.

Sigstore signing

Image digest signed via cosign keyless on every release. Verifiable with cosign verify.

SBOM attestations

CycloneDX + SPDX attestations on the GHCR image; PEP 740 provenance on PyPI distributions.

Public Cycle 1 report

Full pentest cycle with findings, exploits, fixes, and retest — published as part of the audit story.

Apache-2.0 · self-hosted · never phones home

Pick a deliverable. Generate. Ship.

CIGuard is a single binary plus an optional MCP server. No SaaS dashboard, no telemetry, no vendor account. The HTML files it writes are yours.