oss-risk-guard

module
v0.0.7 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 1, 2026 License: MIT

README

Risk Guard

Open source risk analysis and scoring for software dependencies.

Risk Guard walks a local git repository, builds an SBOM, runs a graph of scoring checks against the source and its direct dependencies, and emits a single SARIF report. Use it locally to spot risky dependencies before you adopt them, or in CI to gate pull requests.

Supported ecosystems: npm, pypi, rubygems.

Install

Pick whichever fits your machine. Each gives you a risk-guard binary.

Install script (Linux / macOS)

Download the latest prebuilt binary in one command:

curl -fsSL https://raw.githubusercontent.com/Risk-Guard/oss-risk-guard/main/getRiskGuard.sh | sh

It detects your OS/arch, downloads the matching release archive, verifies its checksum, and installs to /usr/local/bin (or ~/.local/bin if that isn't writable). Customize with:

# Pin a version
curl -fsSL https://raw.githubusercontent.com/Risk-Guard/oss-risk-guard/main/getRiskGuard.sh | sh -s -- v0.0.2

# Install somewhere else
curl -fsSL https://raw.githubusercontent.com/Risk-Guard/oss-risk-guard/main/getRiskGuard.sh | RISK_GUARD_INSTALL_DIR="$HOME/bin" sh

On an architecture without a prebuilt binary, the script points you at the go install method below.

Prebuilt binary

Download an archive for your platform from the GitHub Releases page, unpack it, and put risk-guard on your PATH. Builds are published for Linux (amd64, arm64, armv7), macOS (amd64, arm64), and Windows (amd64, arm64), each with a checksums-*.txt for verification.

tar xzf risk-guard-<version>-linux-amd64.tar.gz
sudo mv risk-guard /usr/local/bin/
risk-guard --version
Go install

If you have Go 1.25.1+ installed, install straight from source — no clone needed:

go install github.com/Risk-Guard/oss-risk-guard/cmd/risk-guard@latest

This drops a risk-guard binary in $(go env GOPATH)/bin (usually ~/go/bin). Make sure that directory is on your PATH.

Build from source
git clone https://github.com/Risk-Guard/oss-risk-guard.git
cd oss-risk-guard
go build -o risk-guard ./cmd/risk-guard

Usage

Run the full pipeline against an on-disk git repository — score the local source, build an SBOM, audit each direct dependency, and write one merged SARIF report:

risk-guard .

The single argument is a path to an existing git repository. By default the report is written to ./risk-guard-report.sarif.

risk-guard /path/to/repo --sarif report.sarif      # choose the output file
risk-guard . --sbom-format cyclonedx --sbom-out sbom.cdx.json
risk-guard . --jobs 8                               # audit more packages in parallel
risk-guard . --continue-on-error=false              # fail instead of emitting partial SARIF

Run risk-guard --help (or risk-guard <command> --help) for the full flag list.

Subcommands

The root command runs the complete pipeline. These subcommands expose individual stages:

Command What it does
scan <path> Score the local source repo only — no dependency audit.
audit Audit direct dependencies from an SBOM.
audit-package <key> Score a single package by its analysis-identifier key.
sbom <path> Generate an SBOM (SPDX or CycloneDX) for a local repo.
init [path] Run an initial scan and write a .risk-guard.yml seeded from the findings.
view-audit <sarif> Render a human-readable summary of an audit SARIF file.
Common flags

These persistent flags apply to every command:

Flag Default Purpose
--cache-dir os.UserCacheDir()/risk-guard Cache root for DAG outputs, clones, and network/audit caches. Also set via RISK_GUARD_CACHE_DIR.
--log-level warn debug, info, warn, or error.
--logfile Also write debug logs to a file.
--secure-git false Isolate git from local config/credentials (blocks SSH keys and credential helpers).
--no-color false Disable colored output (also honors NO_COLOR and non-TTY stderr).

Use in CI

In CI, run the pipeline and let the exit code gate the build:

risk-guard . --github
  • --github renders GitHub Actions workflow annotations to stdout after writing SARIF.
  • --gitlab <file> writes a GitLab Code Quality (CodeClimate) report to <file> after writing SARIF. GitLab has no inline-log annotations like GitHub; instead it renders this report on the merge request diff.
  • The exit code is non-zero when there are blocking findings and the effective workflow mode is active. Modes no-fail, silent, and disabled never fail the build.
  • --mode overrides workflow.mode from .risk-guard.yml for a single run, e.g. --mode no-fail to observe findings without breaking the build.

Upload risk-guard-report.sarif to GitHub code scanning to see findings inline on pull requests.

On GitLab, emit the Code Quality report and expose it as an artifact so findings show inline on the merge request diff:

risk-guard:
  script:
    - risk-guard . --gitlab gl-code-quality-report.json
  artifacts:
    reports:
      codequality: gl-code-quality-report.json

Configuration

Risk Guard reads two optional files from the repository root:

  • .risk-guard.yml — workflow config: scoring mode, the policy that decides which findings block vs. warn vs. ignore, acknowledged exceptions, and overrides.
  • .riskguardignore — gitignore-style patterns excluding paths from scanning.

risk-guard init generates a starter .risk-guard.yml from a first scan. See docs/configuration.md for the annotated schema.

Development

Requires Go 1.25.1+. Run the CLI without building a binary:

go run ./cmd/risk-guard .                    # full pipeline against the current repo
go run ./cmd/risk-guard scan .               # source-only scan
go run ./cmd/risk-guard --help

Tests and the build:

go test ./...
go build ./...

Linting uses golangci-lint with the config in .golangci.yml:

golangci-lint run

License

MIT — see LICENSE.

Directories

Path Synopsis
cmd
risk-guard command
src
ctxutil
Package ctxutil provides context helpers for logger and source token only.
Package ctxutil provides context helpers for logger and source token only.
git
lib/common/sbom
Package sbom provides format-agnostic helpers for reading SBOM files produced by the cdx16 and spdx30 sub-packages.
Package sbom provides format-agnostic helpers for reading SBOM files produced by the cdx16 and spdx30 sub-packages.
lib/local/auditcache
Package auditcache stores per-package raw violations from the local audit pipeline on disk so repeat audits over the same SBOM are fast.
Package auditcache stores per-package raw violations from the local audit pipeline on disk so repeat audits over the same SBOM are fast.
runpath
Package runpath carries per-run filesystem paths on the context: the single cache root and any explicit input dir for --no-fetch replays.
Package runpath carries per-run filesystem paths on the context: the single cache root and any explicit input dir for --no-fetch replays.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL