ada/agentguard-ci
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
25 Commits 1 Branch 0 Tags
fefe72d177dd75222e81f4f24a21e8b2887a85cb
T
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
ada fefe72d177 readme edits
2026-04-20 18:07:49 -06:00
docs
other changes
2026-04-20 01:25:44 -06:00
helm
redo flow to have configurable upload and defectdojo
2026-04-20 18:07:32 -06:00
renovate-preset
renovate bot
2026-04-19 22:55:44 -06:00
tools
add working dir as input to step
2026-04-20 18:06:58 -06:00
convert.py
other changes
2026-04-20 01:25:44 -06:00
LICENSE
Initial commit
2026-04-16 05:09:03 +00:00
README.md
readme edits
2026-04-20 18:07:49 -06:00

README.md

agentguard-ci

A DevSecOps Argo Workflows pipeline designed to protect against AI coding agent hallucinations, supply chain attacks, and security misconfigurations in a homelab or solo-developer environment.

Problem

AI coding agents are highly productive junior developers, but they lack intrinsic context. They can hallucinate credentials, introduce insecure logic, or pull in risky dependencies.

This project adds a reusable security gate in front of deployment by cloning a repository into an Argo workflow, running multiple scanners in parallel, uploading supported results to DefectDojo and object storage, and enforcing a CVSS-based policy threshold.

What the pipeline does

  • Runs TruffleHog for secret scanning.
  • Runs Semgrep for first-party code scanning.
  • Runs KICS for infrastructure misconfiguration scanning.
  • Runs Socket.dev for dependency risk scanning.
  • Runs Syft and Grype for SBOM generation and vulnerability scanning.
  • Runs Pulumi CrossGuard for policy-pack validation.
  • Uploads supported reports to DefectDojo when enabled.
  • Uploads raw reports to S3-compatible storage when enabled.
  • Fails the workflow when findings meet or exceed the configured CVSS threshold.

Prerequisites

Install these separately in your cluster before using this chart:

  • Argo Workflows
  • Infisical Kubernetes Operator, if you want this chart to sync secrets automatically
  • DefectDojo, if you want report ingestion enabled
  • MinIO or another S3-compatible store, if you want raw report uploads enabled

You will also need the corresponding credentials for Socket.dev, Pulumi, AWS or MinIO, and DefectDojo.

Validation workflow

For fast validation while wiring up infrastructure, use these tools together:

  • helm lint ./helm
  • helm template agentguard-ci ./helm
  • helm template agentguard-ci ./helm | kubectl apply --dry-run=client -f -
  • helm template agentguard-ci ./helm | kubectl apply --dry-run=server -f -
  • argo lint rendered.yaml

Notes:

  • helm lint catches Helm chart problems.
  • kubectl --dry-run=client catches basic Kubernetes schema issues without talking to the cluster.
  • kubectl --dry-run=server is better once the cluster already has the Argo and Infisical CRDs installed.
  • argo lint is the most useful Argo-specific check once you have the Argo CLI installed.

Installation

1. Build the tools image

The workflow uses custom TypeScript utilities for policy enforcement and DefectDojo uploads.

cd tools
docker build -t your-registry/agentguard-tools:latest .
docker push your-registry/agentguard-tools:latest

2. Configure values

Start from helm/values.yaml and set at least:

pipeline:
  toolsImage:
    repository: your-registry/agentguard-tools
    tag: latest

infisical:
  enabled: true
  workspaceSlug: your-workspace-id
  projectSlug: your-project-id

storage:
  enabled: false

defectdojo:
  enabled: false

Keep storage.enabled and defectdojo.enabled disabled until those services are actually installed and reachable. Keep infisical.enabled disabled until the operator is installed and your project identifiers are ready.

If you do not use Infisical, create the amp-security-pipeline-secrets secret yourself before running the workflow.

3. Deploy the chart

helm upgrade --install agentguard-ci ./helm -n argo

DefectDojo integration

DefectDojo is not installed by this repository.

You install DefectDojo separately, then enable this chart's upload step. When enabled, the workflow uploads supported reports into DefectDojo through the API using the custom uploader in tools/src/upload-defectdojo.ts.

Secret management

When infisical.enabled is true, this chart creates an InfisicalSecret that syncs the runtime credentials needed by the workflow into the amp-security-pipeline-secrets Kubernetes secret.

Reference in New Issue View Git Blame Copy Permalink
S
Description
A DevSecOps Argo Workflows pipeline to protect against AI coding agent hallucinations and supply chain attacks.
Readme MIT 187 KiB
Languages
TypeScript 74.9%
Shell 14.9%
Python 6.7%
Dockerfile 2.3%
Go Template 1.2%