# agentguard-ci A DevSecOps Argo Workflows pipeline specifically designed to protect against AI coding agent hallucinations, supply chain attacks, and security misconfigurations in a homelab or solo-developer environment. ## 📖 The Problem AI coding agents are highly productive "junior developers," but they lack intrinsic context. They frequently hallucinate dummy credentials, introduce insecure application logic, or pull in new, potentially typosquatted dependencies. This pipeline acts as a strict, automated gatekeeper that prioritizes zero-noise alerting, allowing you to maintain high development velocity without compromising the security of your exposed homelab. ## 🏗️ Architecture & Features This project deploys an **Argo ClusterWorkflowTemplate** that orchestrates a parallel security scanning matrix whenever code is pushed: * **TruffleHog**: Verifies leaked API keys dynamically to prevent false-positives from AI hallucinations. * **Semgrep**: Scans first-party application logic for vulnerabilities (e.g., SQLi, XSS). * **Socket.dev**: Analyzes dependencies for supply chain attacks, malware, and typosquatting. * **Pulumi CrossGuard**: Validates Infrastructure as Code against policy packs. * **Syft + Grype**: Generates SBOMs and scans for container vulnerabilities scored via EPSS. * **KICS**: Scans infrastructure misconfigurations. * **DefectDojo & MinIO**: Uploads findings to a centralized ASPM dashboard and raw SARIF/JSON reports to S3-compatible storage. * **Policy Enforcement**: Custom TypeScript logic automatically fails the build if any findings exceed your defined CVSS severity threshold. For deep-dive architecture decisions, see the [Pipeline Overview ADR](docs/pipeline-overview.md) and [Secret Strategy ADR](docs/secret-strategy.md). ## 🚀 Prerequisites Before installing the pipeline, ensure your Kubernetes cluster has the following installed: * **Argo Workflows** * **Infisical Kubernetes Operator** (for secret injection) * **DefectDojo** (for vulnerability dashboards) * **MinIO / S3** (for raw report storage) You will also need API keys or tokens for: Socket.dev, Pulumi, AWS/MinIO, and DefectDojo. ## 🛠️ Installation ### 1. Build the Pipeline Tools Image The pipeline relies on custom TypeScript logic (e.g., CVSS enforcement and API uploads). Build and push this image to your registry: ```bash cd tools docker build -t your-registry/agentguard-tools:latest . docker push your-registry/agentguard-tools:latest ``` *(Make sure to update `clusterworkflowtemplate.yaml` with your custom image if you do not use `agentguard-tools:latest`)* ### 2. Configure Helm Values Update `helm/values.yaml` (if applicable) and configure your Infisical integration: ```yaml pipeline: enabled: true infisical: workspaceSlug: "your-workspace-id" projectSlug: "your-project-id" ``` ### 3. Deploy via Helm Install the pipeline and its associated resources to your cluster: ```bash helm upgrade --install agentguard-ci ./helm -n argo ``` ## 🔐 Secret Management Integration To prevent hardcoded secrets in the pipeline, this project uses the **Infisical Kubernetes Operator**. When you deploy the Helm chart, it creates an `InfisicalSecret` Custom Resource (`helm/templates/infisical-secret.yaml`). The Infisical Operator securely fetches your vault secrets (like `SOCKET_DEV_API_KEY` and `DEFECTDOJO_API_TOKEN`) and synchronizes them into a standard Kubernetes `Secret` named `amp-security-pipeline-secrets`. The Argo Workflow then mounts this standard secret as environment variables inside the scanning containers, ensuring zero secret leakage in the Git repository.