Advanced CI/CD Supply Chain Risk Analyzer and Dependency Confusion Defense Platform
BuildShield-CI is a DevSecOps security platform that detects CI/CD supply-chain risks before deployment. It analyzes repository files, dependencies, GitHub Actions workflows, Dockerfiles, registry configuration, policy rules, and known vulnerable package versions.
The project includes a CLI scanner, FastAPI backend, premium web dashboard, policy-as-code gate, SARIF/GitHub Code Scanning integration, SBOM-lite inventory, OSV vulnerability intelligence, SQLite scan history, Docker deployment, and automated tests.
- Detects dependency confusion risks
- Detects insecure npm and Python dependency configuration
- Detects weak GitHub Actions workflow security
- Detects Dockerfile hardening issues
- Enforces YAML policy-as-code rules
- Calculates security score and build-gate status
- Generates JSON, Markdown, HTML, SARIF, SBOM-lite, and OSV reports
- Uploads SARIF to GitHub Code Scanning
- Provides a FastAPI-powered security dashboard
- Tracks scan history using SQLite
- Visualizes security score and findings trends
- Integrates OSV vulnerability intelligence
- Supports Docker and Docker Compose deployment
- Includes automated pytest coverage
Modern CI/CD pipelines depend on many moving parts:
- Public packages
- Private packages
- Package registries
- GitHub Actions workflows
- Dockerfiles
- Build scripts
- Secrets
- Lockfiles
- Dependency versions
- Cloud deployment pipelines
A small misconfiguration can create serious supply-chain risk. BuildShield-CI helps detect these risks early, before deployment.
- Missing npm lockfile
- Loose dependency versions
- Risky npm lifecycle scripts
- Internal package dependency confusion risk
- Missing private registry configuration
- Unpinned Python dependencies
- Loose Python dependency versions
- Internal package dependency confusion risk
- Missing private package index configuration
- GitHub Actions not pinned to full commit SHA
- Over-permissive workflow token permissions
- Remote script piped directly to shell
- Secret value printed in workflow logs
- Risky
pull_request_targettrigger usage
- Latest or unpinned base image
- Missing non-root user
- Potential secrets in
ENVorARG - Remote script piped to shell
apt-get upgradeduring image build- Missing
HEALTHCHECK
- Checks pinned npm dependencies
- Checks pinned Python dependencies
- Detects known GHSA / OSV vulnerability IDs
- Generates vulnerability intelligence reports
| Feature | Description |
|---|---|
| CLI Scanner | Run repository scans directly from terminal |
| FastAPI Backend | Provides APIs for scans, reports, history, inventory, and OSV intelligence |
| Web Dashboard | Premium UI for security visualization |
| Risk Scoring | Calculates security score, risk level, and build gate status |
| Policy-as-Code | Enforces YAML security policy |
| SARIF Output | Integrates with GitHub Code Scanning |
| SBOM-lite Inventory | Extracts dependency inventory from npm and Python files |
| OSV Intelligence | Checks dependency versions against known vulnerability data |
| SQLite History | Stores scan history and risk trend data |
| Docker Deployment | Runs as a containerized dashboard |
| GitHub Actions | Automates scans, tests, reports, and SARIF upload |
| Automated Tests | Validates scanner, policy, dashboard, OSV, Docker, and reports |
| Area | Technology |
|---|---|
| Language | Python 3.13 |
| CLI | Typer |
| Terminal UI | Rich |
| Backend | FastAPI |
| Data Models | Pydantic |
| Storage | SQLite |
| Frontend | HTML, CSS, JavaScript |
| Reports | JSON, Markdown, HTML, SARIF |
| CI/CD | GitHub Actions |
| Code Scanning | SARIF / GitHub Code Scanning |
| Vulnerability Intelligence | OSV |
| Deployment | Docker, Docker Compose |
| Testing | Pytest |
BuildShield-CI
│
├── CLI Layer
│ └── scan, compare, inventory, vulncheck, dashboard
│
├── Scanner Core
│ ├── repository discovery
│ ├── analyzer orchestration
│ └── finding aggregation
│
├── Analyzer Layer
│ ├── npm analyzer
│ ├── Python analyzer
│ ├── GitHub Actions analyzer
│ └── Dockerfile analyzer
│
├── Risk and Policy Layer
│ ├── risk scoring engine
│ ├── category-wise risk profile
│ ├── top risk drivers
│ └── YAML policy-as-code gate
│
├── Intelligence Layer
│ ├── SBOM-lite dependency inventory
│ └── OSV vulnerability intelligence
│
├── Reporting Layer
│ ├── JSON reports
│ ├── Markdown reports
│ ├── HTML reports
│ ├── SARIF reports
│ ├── inventory reports
│ └── OSV intelligence reports
│
├── Dashboard Layer
│ ├── FastAPI backend
│ ├── premium frontend UI
│ ├── findings explorer
│ ├── policy view
│ ├── reports center
│ ├── vulnerability intelligence page
│ └── risk trend dashboard
│
├── Persistence Layer
│ └── SQLite scan history
│
└── Deployment Layer
├── Dockerfile
├── docker-compose.yml
├── health check
└── persistent volumes
git clone https://github.com/rootmass56/buildshield-ci.git
cd buildshield-cipython -m venv .venv
.\.venv\Scripts\Activate.ps1pip install -e .buildshield versionExpected:
BuildShield-CI version: 0.12.6
buildshield scan samples/vulnerable-repo --policy buildshield-policy.yml --hide-filesExpected result:
- Multiple findings detected
- Policy failed
- Build gate failed
- Low security score
buildshield scan samples/secure-repo --policy buildshield-policy.yml --hide-filesExpected result:
- Policy passed
- Build gate passed
- Improved security score
buildshield compare samples/vulnerable-repo samples/secure-repoExpected result:
- Score improvement
- Findings reduced
- Risk reduction percentage
buildshield inventory samples/vulnerable-repo --hide-packagesOffline query plan:
buildshield vulncheck samples/secure-repo --offline-planOnline OSV lookup:
buildshield vulncheck samples/secure-repo --online --timeout 15buildshield scan samples/vulnerable-repo --report-format json --output reports/vulnerable-scan.jsonbuildshield scan samples/vulnerable-repo --report-format md --output reports/vulnerable-scan.mdbuildshield scan samples/vulnerable-repo --report-format html --output reports/vulnerable-scan.htmlbuildshield scan samples/vulnerable-repo --report-format sarif --output reports/buildshield-results.sarifStart the dashboard:
buildshield dashboard --port 8080Open:
http://127.0.0.1:8080
Dashboard pages:
- Overview
- Scanner
- SBOM Inventory
- Vulnerability Intel
- History & Trends
- Compare
- Findings
- Policy
- Reports
- CI/CD
- About
BuildShield-CI uses YAML policy rules to decide whether a repository should pass or fail a CI/CD security gate.
Example policy controls:
- Minimum score requirement
- Block critical findings
- Block high findings
- Require lockfiles
- Require pinned GitHub Actions
- Block secret echoing
- Block curl pipe shell
- Block dependency confusion
Policy file:
buildshield-policy.yml
Example command:
buildshield scan samples/vulnerable-repo --policy buildshield-policy.yml --fail-on-policyBuildShield-CI includes a GitHub Actions workflow that:
- Installs the project
- Runs tests
- Runs repository scans
- Applies policy-as-code
- Generates reports
- Generates SARIF
- Uploads SARIF to GitHub Code Scanning
- Uploads reports as workflow artifacts
Workflow path:
.github/workflows/buildshield-ci.yml
BuildShield-CI generates SARIF output and uploads it to GitHub Code Scanning.
This allows findings to appear inside:
Security and quality -> Code scanning
docker build -t buildshield-ci:latest .docker run -d --name buildshield-ci-test -p 8080:8080 buildshield-ci:latestInvoke-RestMethod http://127.0.0.1:8080/healthExpected:
status product version
------ ------- -------
ok BuildShield-CI 0.12.6
docker stop buildshield-ci-test
docker rm buildshield-ci-testStart:
docker compose up --build -dCheck:
docker compose psHealth check:
Invoke-RestMethod http://127.0.0.1:8080/healthStop:
docker compose downDocker Compose uses persistent volumes for:
- Generated reports
- SQLite scan history
- Dashboard data
- OSV reports
- SBOM reports
Run all tests:
pytest -qCurrent stable result:
41 passed
Test coverage includes:
- CLI behavior
- Scanner engine
- npm analyzer
- Python analyzer
- GitHub Actions analyzer
- Dockerfile analyzer
- Policy engine
- Report generation
- Comparison engine
- Dashboard APIs
- SBOM-lite inventory
- OSV vulnerability intelligence
- Dashboard UI assets
- Deployment files
samples/
├── vulnerable-repo/
│ ├── package.json
│ ├── requirements.txt
│ ├── Dockerfile
│ └── .github/workflows/build.yml
│
└── secure-repo/
├── package.json
├── package-lock.json
├── requirements.txt
├── pip.conf
├── Dockerfile
└── .github/workflows/build.yml
The vulnerable repository is intentionally insecure for demonstration.
The secure repository demonstrates improved configuration and policy compliance.
Additional documentation is available in:
docs/
├── architecture.md
├── deployment.md
├── demo-script.md
├── final-project-summary.md
├── final-submission-checklist.md
├── interview-explanation.md
├── research-log.md
└── resume-points.md
BuildShield-CI performs passive static analysis only.
It does not:
- Exploit systems
- Execute malware
- Attack live targets
- Steal credentials
- Access unauthorized systems
- Perform destructive testing
The project is designed for defensive DevSecOps and educational cybersecurity use.
BuildShield-CI is complete as an advanced cybersecurity project with:
- CLI
- Backend
- Dashboard
- Static analyzers
- Risk scoring
- Policy gate
- SARIF integration
- GitHub Actions
- GitHub Code Scanning
- SBOM-lite inventory
- OSV intelligence
- SQLite history
- Docker deployment
- Automated tests
- Final documentation
Developed as an advanced cybersecurity and DevSecOps project for internship, placement, and portfolio demonstration.