pvtr-github-repo-scanner

command module
v0.23.1 Latest
Published: Apr 14, 2026 License: Apache-2.0 Imports: 8 Imported by: 0

README

Privateer Plugin for GitHub Repositories

This application performs automated assessments against GitHub repositories using controls defined in the Open Source Project Security Baseline v2025.02.25. The application consumes the OSPS Baseline controls using Gemara layer 2 and produces results of the automated assessments using layer 4.

Many of the assessments depend upon the presence of a Security Insights file at the root of the repository, or ./github/security-insights.yml.

Work in Progress

Currently 39 control requirements across OSPS Baseline Levels 1-3 are covered, with 13 not yet implemented. Maturity Level 1 requirements are the most rigorously tested and are recommended for use. The results of these Level 1 assessments are integrated into LFX Insights, powering the Security & Best Practices results.


Level 2 and Level 3 requirements are under active development and may be less rigorously tested.

Local Usage

To run the GitHub scanner locally, you will need the Privateer (pvtr) framework and the GitHub repository scanner (pvtr-github-repo-scanner) plugin.

  1. Install pvtr using one of the methods described here.
  2. Next, download the pvtr-github-repo-scanner plugin from the releases.

The following command is an example where pvtr, pvtr-github-repo-scanner, and config.yaml are all in the same directory.

./pvtr run --binaries-path .

If the binaries and the config file are in different directories, specify the complete paths using the --binaries-path and --config flags.

You may also have to adjust the plugin name in the config.yaml file so that it matches the plugin binary.

Docker Usage

# build the image
docker build . -t local
docker run \
  -v ./config.yml:/.privateer/config.yml \
  -v ./evaluation_results:/.privateer/bin/evaluation_results \
  local

GitHub Actions Usage

See the OSPS Security Baseline Scanner.

Contributing

Contributions are welcome! Please see our Contributing Guidelines for more information.

License

This project is licensed under the Apache 2.0 License - see the LICENSE file for details.

Documentation

There is no documentation for this package.