DevOpsShield

Institutional-grade, 100% local auditing platform.
Unified security reporting with SARIF 2.1.0 support.

# 1. Run a local security audit
$ shield scan . --output-sarif report.sarif

# 2. Scan the same tree for leaked secrets and write a JSON report
$ shield secrets . --output-json report.json

> Quick Start

macOS/Linux:
$ curl -fsSL https://raw.githubusercontent.com/SmtTheSE/shield-cli/main/install.sh | bash

Piping a remote script straight into bash runs it unreviewed; for a tool you are about to point at your source tree, download install.sh first, read it, and then execute it.

> What It Does

Plugin Architecture

Modular "Scanners" (Hunter, Linter, Docker Diff) allow for easy extension. Wrap industry-standard engines like Trivy, Checkov, and Kubeval as plugins.

Unified Dashboard

High-contrast minimalist UI with a "Swiss-style" design. One-button audit for your entire infrastructure stack with standardized severity reporting.

Cross-Tool Intelligence

Correlates findings across scanners to detect compound risks, for example by matching unused keys against Kubernetes deployments, and surfaces gaps that single-tool scans miss.

Standardized Reporting

Every finding follows the SARIF 2.1.0 standard. Seamlessly pipe results into GitHub Advanced Security, SonarQube, or DefectDojo.

CI/CD Integration

Gatekeeper mode blocks builds with CRITICAL or HIGH findings. Integrate seamlessly into your existing pipelines.
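The two cards above describe SARIF 2.1.0 output and a gate that fails builds on CRITICAL or HIGH findings. The following is an added example (not shield-cli code) showing the minimum a scanner has to emit for a SARIF consumer to accept it, and how a CI gate can read that log back. The findings, rule ids and tool name are constructed; the SARIF level mapping is the example's own choice, since SARIF only has four levels and CRITICAL and HIGH both land on `error`.

```python
"""Minimal SARIF 2.1.0 writer plus a CI gate that reads it back.

Added example, not shield-cli code. The findings and tool name below are
constructed for illustration.
"""
import json

# SARIF 2.1.0 has only four result levels; a scanner's severities map onto them.
SEVERITY_TO_LEVEL = {
    "CRITICAL": "error",
    "HIGH": "error",
    "MEDIUM": "warning",
    "LOW": "note",
    "INFO": "none",
}

# Constructed findings in the shape a scanner might produce (not real output).
FINDINGS = [
    {"rule": "K8S001", "severity": "HIGH", "message": "container runs privileged",
     "file": "deploy/web.yaml", "line": 27},
    {"rule": "SEC002", "severity": "MEDIUM", "message": "high-entropy string",
     "file": "config/settings.py", "line": 4},
    {"rule": "CFG003", "severity": "LOW", "message": "orphaned key FEATURE_X",
     "file": ".env.example", "line": 11},
]


def to_sarif(findings, tool_name="example-scanner", version="0.0.1"):
    """Build a SARIF 2.1.0 log: one driver rule per distinct rule id and one
    result per finding, each with a single physical location."""
    rules = {}
    results = []
    for f in findings:
        level = SEVERITY_TO_LEVEL[f["severity"]]
        rules.setdefault(f["rule"], {
            "id": f["rule"],
            "shortDescription": {"text": f["message"]},
            "defaultConfiguration": {"level": level},
        })
        results.append({
            "ruleId": f["rule"],
            "level": level,
            "message": {"text": f["message"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["file"]},
                "region": {"startLine": f["line"]},
            }}],
            # Original severity survives in the property bag so a gate can
            # tell CRITICAL from HIGH even though both are level "error".
            "properties": {"severity": f["severity"]},
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": version,
                                "rules": list(rules.values())}},
            "results": results,
        }],
    }


def gate(sarif_log, block_on=("CRITICAL", "HIGH")):
    """Gatekeeper check: return (exit_code, blocking_results); exit code 1
    when any result carries a blocking severity, so CI can fail the build."""
    blocking = [r for run in sarif_log["runs"] for r in run["results"]
                if r.get("properties", {}).get("severity") in block_on]
    return (1 if blocking else 0), blocking


if __name__ == "__main__":
    log = to_sarif(FINDINGS)
    print(json.dumps(log, indent=2))
    code, blocking = gate(log)
    print(f"gate exit code {code}, {len(blocking)} blocking finding(s)")
```

A CI step would write the log to disk and exit with the code `gate()` returns; consumers such as GitHub code scanning read the `level`, while the gate reads the preserved severity from `properties`.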

Privacy First

100% local execution. Code analysis makes no external API calls, so your source never leaves your machine.

> Integrated Scanners


> Dead Config Hunter

Finds orphaned configuration keys (defined but no longer referenced anywhere) in repository files.

Configuration
shield hunt-config

> K8s YAML Linter

Security-focused linter for Kubernetes manifests that flags privilege-escalation risks in pod and container security settings.

Kubernetes
shield k8s-lint
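To make the "privilege escalation" check concrete, here is an added example of the rule set such a manifest linter applies. It is not the shield-cli linter and its rule ids and severities are its own. The Deployment below is constructed and already parsed into a dict (a real tool would load the YAML with `yaml.safe_load`); it deliberately mixes one weak container with one correctly hardened sidecar so the output shows which settings trigger findings and which do not.

```python
"""Rule-based Kubernetes manifest check for privilege-escalation risk.

Added example, not the shield-cli linter. The manifest is constructed and
given here as an already-parsed dict.
"""

MANIFEST = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "hostPID": True,
        "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
        "containers": [
            {"name": "app", "image": "web:1.0",
             "securityContext": {"privileged": True,
                                 "capabilities": {"add": ["SYS_ADMIN"]}}},
            {"name": "sidecar", "image": "proxy:2.1",
             "securityContext": {"allowPrivilegeEscalation": False,
                                 "runAsNonRoot": True}},
        ],
    }}},
}

# Capabilities that give a container a path to the node; the set is this example's choice.
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "NET_ADMIN", "SYS_MODULE"}


def pod_spec(manifest):
    """Return the PodSpec for a bare Pod or any workload that wraps a pod template."""
    if manifest.get("kind") == "Pod":
        return manifest.get("spec", {})
    return manifest.get("spec", {}).get("template", {}).get("spec", {})


def lint(manifest):
    """Return (severity, rule, subject, message) tuples for the manifest."""
    findings = []
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    spec = pod_spec(manifest)
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(("HIGH", f"pod-{flag.lower()}", name,
                             f"{flag}: true shares a host namespace"))
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(("HIGH", "pod-hostpath", name,
                             f"hostPath {vol['hostPath'].get('path')} mounts the node filesystem"))
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        subject = f"{name}/{c['name']}"
        if sc.get("privileged"):
            findings.append(("CRITICAL", "container-privileged", subject,
                             "privileged: true grants full device and capability access"))
        # Absence is a finding: the default allows escalation via setuid binaries.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(("MEDIUM", "container-allow-priv-esc", subject,
                             "allowPrivilegeEscalation not set to false"))
        if sc.get("runAsNonRoot") is not True:
            findings.append(("MEDIUM", "container-run-as-root", subject,
                             "runAsNonRoot not set to true"))
        added = set(sc.get("capabilities", {}).get("add", []))
        for cap in sorted(added & DANGEROUS_CAPS):
            findings.append(("HIGH", "container-capability", subject,
                             f"adds capability {cap}"))
    return findings


if __name__ == "__main__":
    for sev, rule, subject, msg in lint(MANIFEST):
        print(f"{sev:8} {rule:26} {subject}: {msg}")
```

Note that two of the checks fire on a missing field rather than a present one: `allowPrivilegeEscalation` and `runAsNonRoot` default to the unsafe value, so a linter that only looks for explicit `true` settings misses most real manifests.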

> Docker Image Diff

Deep layer inspection and security risk scoring for comparing container versions.

Containers
shield docker-diff

> Secret Scanner

Entropy-based leaked-credential detection that honours the allow-list in .shieldignore.

Secrets
shield scan-secrets
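The card above names two mechanisms, Shannon entropy and an ignore file, without showing how they interact. The following added example (not shield-cli's scanner) implements both, with per-alphabet thresholds: a hex string can never exceed 4.0 bits per character, so one global threshold either misses hex secrets or floods on ordinary identifiers. The sample files are constructed (the AWS value is Amazon's documented example key, not a live credential), and treating `.shieldignore` as one glob pattern per line is this example's assumption rather than the project's documented format. Values are masked unless `show_values=True`, mirroring the page's default.

```python
"""Shannon-entropy secret detection with per-alphabet thresholds and an ignore list.

Added example, not shield-cli's scanner. Sample lines are constructed; the
.shieldignore format (one glob per line) is an assumption of this example.
"""
import math
import re
from fnmatch import fnmatch

TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")  # long key-like runs
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# A 16-symbol alphabet tops out at 4.0 bits/char, so hex needs its own threshold.
THRESHOLDS = {"hex": 3.0, "base64": 4.5}

SAMPLE_FILES = {
    "config/settings.py": [
        'AWS_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
        'APP_NAME = "inventory-service-production-backend"',
    ],
    "tests/fixtures/keys.py": [
        'TEST_KEY = "d5f8b2e0c1a9f4e7b3d6a8c2e5f1b9d4a7c3e6f0"',
    ],
}
IGNORE_PATTERNS = ["tests/fixtures/*"]  # constructed .shieldignore contents


def shannon_entropy(s):
    """Bits per character, estimated from the string's own symbol frequencies."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def charset(token):
    return "hex" if HEX_RE.match(token) else "base64"


def mask(token):
    """Keep two characters at each end: enough to locate the secret, never the value."""
    return token[:2] + "*" * (len(token) - 4) + token[-2:]


def scan(files, ignore_patterns=(), show_values=False):
    """Return findings for tokens whose entropy exceeds their alphabet's threshold,
    skipping any file path that matches an ignore pattern."""
    findings = []
    for path, lines in files.items():
        if any(fnmatch(path, p) for p in ignore_patterns):
            continue
        for lineno, line in enumerate(lines, 1):
            for tok in TOKEN_RE.findall(line):
                kind = charset(tok)
                h = shannon_entropy(tok)
                if h >= THRESHOLDS[kind]:
                    findings.append({"file": path, "line": lineno, "charset": kind,
                                     "entropy": round(h, 2),
                                     "value": tok if show_values else mask(tok)})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_FILES, IGNORE_PATTERNS):
        print(f"{f['file']}:{f['line']} {f['charset']} H={f['entropy']} {f['value']}")
```

With the ignore list applied only the settings file is reported; the descriptive `APP_NAME` value, a 36-character run that the token regex does match, scores about 3.9 bits per character and stays under the base64 threshold, which is the whole point of using entropy rather than length.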

> Cloud IAM Validator

Offline structural policy validator for AWS IAM policy JSON and Terraform HCL.

Cloud
shield iam-validate

> OSV Scanner

Analyzes requirements.txt and package.json against the OSV database.

Dependencies
shield osv-scan

> API Contract Linter

Security-focused linter for OpenAPI 3.x and GraphQL SDL specifications.

API Security
shield api-lint

> TLS Auditor

Audits the full certificate chain and cipher suites of the endpoints you name, with A–F grading. Unlike the repository scanners, it necessarily opens TLS connections to those endpoints.

Network
shield tls-audit

> IAM Escalation

Map privilege escalation paths in AWS/Terraform IAM using graph analysis.

IAM Analysis
shield iam-analyze
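The Cloud IAM Validator and IAM Escalation cards describe two layers of the same analysis: a structural pass over individual policy documents, then a graph over principals to find who can reach admin. The following added example (not shield-cli's `iam-validate` or `iam-analyze`) does both over a constructed account: a developer who can assume a deploy role, which in turn can pass a Lambda-trusted admin role into a new function. The principals, ARNs and policies are constructed, the `trusts` field stands in for each role's trust policy, and only three escalation primitives are modelled (sts:AssumeRole, iam:PassRole into a new Lambda, wildcard IAM rights); a real graph needs many more edge types.

```python
"""Offline IAM checks: structural policy lint plus a privilege-escalation graph.

Added example, not shield-cli's iam-validate or iam-analyze. The account,
principals and policy documents are constructed (AWS policy JSON as dicts);
"trusts" stands in for each role's trust policy.
"""
from collections import deque
from fnmatch import fnmatch

ACCOUNT = "123456789012"  # constructed account id


def arn(kind, name):
    return f"arn:aws:iam::{ACCOUNT}:{kind}/{name}"


PRINCIPALS = {
    "user:dev": {"arn": arn("user", "dev"), "policy": {"Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": arn("role", "deploy")}]}},
    "role:deploy": {"arn": arn("role", "deploy"), "trusts": ["user:dev"], "policy": {"Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"]}]}},
    "role:lambda-admin": {"arn": arn("role", "lambda-admin"), "trusts": ["lambda.amazonaws.com"],
                          "policy": {"Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}},
    "user:auditor": {"arn": arn("user", "auditor"), "policy": {"Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::audit-logs/*"}]}},
}


def _aslist(v):
    return v if isinstance(v, list) else [v]


def allows(policy, action, resource):
    """True if some Allow statement matches (wildcards honoured, actions
    case-insensitive) and no Deny statement matches, as in AWS evaluation."""
    allowed = False
    for st in policy.get("Statement", []):
        a_hit = any(fnmatch(action.lower(), p.lower()) for p in _aslist(st.get("Action", [])))
        r_hit = any(fnmatch(resource, p) for p in _aslist(st.get("Resource", [])))
        if a_hit and r_hit:
            if st.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed


def lint_policy(name, policy):
    """Structural checks on one document: admin wildcard, unscoped iam:PassRole."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _aslist(st.get("Action", []))]
        resources = _aslist(st.get("Resource", []))
        if any(a in ("*", "iam:*") for a in actions) and "*" in resources:
            findings.append(("HIGH", "admin-wildcard", f"{name}#{i}"))
        if "iam:passrole" in actions and "*" in resources:
            findings.append(("HIGH", "unscoped-passrole", f"{name}#{i}"))
    return findings


def is_admin(policy):
    # Attaching or writing arbitrary user policies is equivalent to full admin.
    return allows(policy, "iam:AttachUserPolicy", "*") or allows(policy, "iam:PutUserPolicy", "*")


def escalation_edges(principals):
    """Directed edges src -> (dst, via): src can obtain dst's permissions."""
    edges = {n: [] for n in principals}
    for src, s in principals.items():
        for dst, d in principals.items():
            if src == dst:
                continue
            trusts = d.get("trusts", [])
            # Direct assumption needs the caller's permission and the role's trust.
            if src in trusts and allows(s["policy"], "sts:AssumeRole", d["arn"]):
                edges[src].append((dst, "sts:AssumeRole"))
            # Pass a Lambda-trusted role into a new function, then invoke it.
            if "lambda.amazonaws.com" in trusts and all((
                    allows(s["policy"], "iam:PassRole", d["arn"]),
                    allows(s["policy"], "lambda:CreateFunction", "*"),
                    allows(s["policy"], "lambda:InvokeFunction", "*"))):
                edges[src].append((dst, "iam:PassRole+lambda:CreateFunction"))
    return edges


def escalation_paths(principals):
    """BFS: shortest path from each non-admin principal to any admin principal."""
    edges = escalation_edges(principals)
    admins = {n for n, p in principals.items() if is_admin(p["policy"])}
    paths = {}
    for start in principals:
        if start in admins:
            continue
        queue, seen = deque([(start, [start])]), {start}
        while queue:
            node, path = queue.popleft()
            if node in admins:
                paths[start] = path
                break
            for nxt, via in edges[node]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, path + [f"--{via}-->", nxt]))
    return paths
```

The structural pass alone reports two findings (the `iam:*` wildcard and the unscoped PassRole) but says nothing about `user:dev`, whose own policy is narrow; only the graph shows that the developer is two hops from full IAM control. Terraform HCL would feed the same functions once its `aws_iam_policy_document` blocks are rendered to JSON.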

> SBOM Generator

Generate CycloneDX 1.6 or SPDX 2.3 bill of materials with license risk scoring.

Supply Chain
shield sbom-gen

> Syscall Policy

Build minimal seccomp/AppArmor security profiles using static/eBPF analysis.

Runtime
shield capsule
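The Syscall Policy card says profiles are built from static or eBPF analysis but does not show what "minimal" means in practice. The following added example (not shield-cli's `capsule` command) turns an observed syscall trace into a Docker/OCI seccomp profile with a deny-by-default `defaultAction`. The trace lines are constructed in strace's output shape; the set of syscalls held back for review and the baseline of syscalls a short trace tends to miss are this example's own choices, which a real tool would derive from static analysis or a longer run.

```python
"""Build a minimal Docker/OCI seccomp profile from observed syscalls.

Added example, not shield-cli's capsule command. The trace is constructed in
strace's output shape; REVIEW_SYSCALLS and BASELINE are this example's choices.
"""
import json
import re

TRACE = """\
execve("/app/server", ["/app/server"], 0x7ffd1c2e4a10 /* 12 vars */) = 0
brk(NULL) = 0x5581f2c3a000
openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY|O_CLOEXEC) = 3
read(3, "-----BEGIN CERTIFICATE-----"..., 4096) = 4096
close(3) = 0
socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, IPPROTO_TCP) = 4
bind(4, {sa_family=AF_INET, sin_port=htons(8080), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
listen(4, 128) = 0
accept4(4, NULL, NULL, SOCK_CLOEXEC) = 5
read(5, "GET / HTTP/1.1\\r\\n"..., 8192) = 64
write(5, "HTTP/1.1 200 OK\\r\\n"..., 17) = 17
close(5) = 0
ptrace(PTRACE_TRACEME) = -1 EPERM (Operation not permitted)
+++ exited with 0 +++
"""

SYSCALL_RE = re.compile(r"^(\w+)\(")

# Syscalls that rarely belong in a service profile; observed use needs a justification
# before it is allowed, so they are reported instead of silently allow-listed.
REVIEW_SYSCALLS = {"ptrace", "mount", "umount2", "reboot", "kexec_load", "init_module",
                   "finit_module", "bpf", "unshare", "setns", "keyctl", "add_key"}

# A short dynamic trace easily misses teardown and signal handling, yet a profile
# must allow them or the process dies at exit. Assumed baseline for this example.
BASELINE = {"exit", "exit_group", "rt_sigreturn", "futex", "mmap", "munmap", "mprotect"}


def observed_syscalls(trace):
    """Set of syscall names at the start of each strace-style line."""
    names = set()
    for line in trace.splitlines():
        m = SYSCALL_RE.match(line)
        if m:
            names.add(m.group(1))
    return names


def build_profile(trace, include_baseline=True):
    """Return (profile_dict, flagged_syscalls). Everything not listed is denied
    with EPERM via defaultAction, which is what makes the profile minimal."""
    observed = observed_syscalls(trace)
    flagged = sorted(observed & REVIEW_SYSCALLS)
    allowed = (observed - REVIEW_SYSCALLS) | (BASELINE if include_baseline else set())
    profile = {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": ["SCMP_ARCH_X86_64"],
        "syscalls": [{"names": sorted(allowed), "action": "SCMP_ACT_ALLOW"}],
    }
    return profile, flagged


if __name__ == "__main__":
    profile, flagged = build_profile(TRACE)
    print(json.dumps(profile, indent=2))
    print("needs review:", flagged)
```

The resulting JSON can be passed to `docker run --security-opt seccomp=profile.json`. The `ptrace` attempt in the trace (which the kernel already refused) is reported rather than allowed: a profile generator that copies every observed syscall into the allow-list would have granted it.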

> 100% Local & Private

Zero data leakage. No external API calls are made for code analysis.

Privacy Core


Your Code.
Your Machine.
Zero Compromise.

DevOpsShield is built on a foundation of absolute privacy. We believe security tools shouldn't require you to sacrifice the very thing they're meant to protect.

  • 100% Local Execution
    No external API calls. No data transmission. Ever.
  • Secret Protection
    --show-values is off by default, so matched secret values are masked in reports and never land in CI logs.
  • Standalone Auditor
    Run the auditor as its own container and mount any repository into it via docker-compose, leaving the source tree untouched.
  • OSV Database Integration
    Local vulnerability checking without pip or npm internet calls.

Local-First Architecture

End-to-End Local
No Network Calls
Air-Gap Ready
Secret Masking

Ready to Shield Your Infrastructure?

Join the growing community of DevOps engineers who've made the switch to local-first, privacy-focused security auditing.