ada/agentguard-ci
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

noted outdated features

Browse Source
This commit is contained in:
Elizabeth W
2026-04-19 21:17:14 -06:00
parent 2225bb2045
commit 89b3586030
2 changed files with 6 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
docs/pipeline-overview.md
+4 -3
View File
@@ -24,15 +24,15 @@ To achieve this, the architecture utilizes "Defense in Depth," split across seve
---
2. Part 1: Local Development & Repository Tooling
2.1 Secret Scanning: Gitleaks (Local)
## 2. Part 1: Local Development & Repository Tooling
### 2.1 Secret Scanning: Gitleaks (Local)
What it does: Fast, static regex matching for secrets.
Where it runs: Local developer machine (via Pre-commit hook).
Detailed Rationale: Developers make human errors. Gitleaks runs in milliseconds and acts as a "spell-check for secrets." It prevents accidentally committing a .env file or hardcoded token before it ever enters the local Git history.
Trade-offs: It relies on the developer actively using the pre-commit hook. If a commit is forced (--no-verify), the local check is bypassed.
2.2 Supply Chain Defense: Socket CLI (Local Wrapper)
### 2.2 Supply Chain Defense: Socket CLI (Local Wrapper)
What it does: Intercepts package installation to check for malicious code, typosquatting, and hijacked packages.
Where it runs: Local machine (aliased: alias pnpm="socket pnpm").
@@ -62,6 +62,7 @@ To achieve this, the architecture utilizes "Defense in Depth," split across seve
* **Detailed Rationale:** Traditional CVE scanners check for accidental developer mistakes. Socket checks for active malice (install scripts that steal SSH keys, typosquatting, hijacked maintainer accounts). Because AI agents regularly pull in new dependencies to solve coding problems, Socket ensures neither the local machine nor the pipeline executes malicious code during dependency resolution.
* **Trade-offs:** API-dependent. To conserve free-tier API quotas, the pipeline step must be strictly configured to trigger *only* when lockfiles (`pnpm-lock.yaml`) change, requiring careful CI optimization.
**outdated, using pulumi crossguard**
### 2.5 Infrastructure Validation (IaC): Checkov
* **What it does:** Parses Kubernetes manifests, Terraform, and Dockerfiles to ensure they adhere to security best practices.
* **Detailed Rationale:** A homelab exposed to the internet cannot afford basic infrastructure misconfigurations, such as running containers as `root` or mapping sensitive host volumes. Checkov acts as an automated senior cloud architect, validating the AI's generated Kubernetes manifests before Argo CD syncs them.