Metadata-Version: 2.4
Name: codesecure-cicd
Version: 1.0.29
Summary: CodeSecure CI/CD Templates and Integration
Requires-Python: >=3.10
Description-Content-Type: text/markdown
Requires-Dist: codesecure-core>=1.0.29
Requires-Dist: codesecure-cli>=1.0.29

# CodeSecure CI/CD Integrations (`codesecure-cicd`)

The `codesecure-cicd` package provides automated security scanning integration for CI/CD pipelines with quality gates, PR decoration, baseline comparison, and security scoring.

## 🎯 Headless Runner & Docker

CodeSecure CI/CD is primarily distributed as a **production-grade Docker image**. This multi-stage image bundles all 9 security scanners and the CodeSecure platform into a single, self-contained environment.

- **Registry**: `gcr.io/codesecure-479807/codesecure`
- **Scanners Included**: Semgrep, Bandit, Checkov, Detect-Secrets, Syft (SBOM), npm-audit, pip-audit, pip-licenses, and Grype (SCA).

## 🔒 Licensing & Beta Access

CodeSecure CI/CD is currently in **Beta** and is free to use.

- **Beta Mode**: No token required. Free access to all scanning features.
- **Post-Beta**: A valid `CODESECURE_TOKEN` will be required for licensed use.
- **Enterprise**: Custom on-premise deployments or air-gapped images available.

## 📦 Installation & Usage

### 🐋 Docker (Recommended)
This is the fastest and most reliable way to run scans in CI/CD without managing dependencies.

```bash
# Quote the mount path and the key so paths with spaces and empty variables are handled safely
docker run --rm -v "$(pwd):/workspace" \
  -e GOOGLE_API_KEY="${GOOGLE_API_KEY}" \
  gcr.io/codesecure-479807/codesecure:1.0.23 \
  scan /workspace --format sarif,html --output reports
```

### 🐍 Python (Development)
```bash
uv pip install codesecure-cicd
```

## 🔌 Pipeline Templates

| Integration | Template | Deployment Method |
|:---|:---|:---|
| **GitHub Actions** | `templates/github-action.yml` | **Docker Container** (ghcr.io/gcr.io) |
| **GitLab CI** | `templates/gitlab-ci.yml` | **Docker Image** (gcr.io) |
| **Azure Pipelines** | `templates/azure-pipelines.yml` | **Docker Container** (gcr.io) |
| **GitHub Public** | `templates/github/codesecure-public.yml` | **Docker Container** |
| **GitHub Private** | `templates/github/codesecure-private.yml` | **Docker Container** |

## 🛠️ Quick Start (GitHub Actions)

```yaml
jobs:
  scan:
    runs-on: ubuntu-latest
    container:
      image: gcr.io/codesecure-479807/codesecure:1.0.23
      env:
        CODESECURE_TOKEN: ${{ secrets.CODESECURE_TOKEN }}
    steps:
      - uses: actions/checkout@v4
      - run: codesecure scan . --fail-on critical,high
```

> **🧠 AI Enriched Reports**: CodeSecure natively injects AI Findings directly into SARIF and Markdown exports. False positives are tagged in the `properties` bag to prevent alert fatigue, and AI Remediation steps are embedded in the `markdown` field to render seamlessly in the GitHub PR/GitLab MR interfaces!

## ⚙️ Configuration

Place `.codesecure.yml` at your repository root:

```yaml
scanners:
  enabled: [semgrep, bandit, checkov, detect-secrets, pip-audit]

quality_gate:
  fail_on: [critical, high]
  max_total: 50
  new_only: true
  baseline: .codesecure-baseline.json
  min_score: B

ai:
  enabled: true
  provider: google
  fp_detection: true
  remediation: true

reports:
  formats: [sarif, html, json, markdown]
```
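As an added example (not the package's own code) of how the `quality_gate` settings above combine, the following Python evaluator applies `fail_on`, `max_total`, `new_only` and `min_score` to a constructed set of findings. The `Finding` shape, the fingerprint-based baseline and the A–F thresholds are assumptions, since the page does not document them.

```python
# Added example, not codesecure-cicd's own code: a minimal quality gate that
# applies the .codesecure.yml settings above to constructed findings. The
# Finding shape, baseline format and A-F thresholds are assumptions.
from dataclasses import dataclass

SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}
SCORE_ORDER = "ABCDEF"

@dataclass(frozen=True)
class Finding:
    rule_id: str
    path: str
    severity: str
    fingerprint: str  # stable id used for baseline matching (assumed)

def security_score(findings) -> str:
    """Assumed A-F scale: weighted severity total mapped to a letter."""
    total = sum(SEVERITY_WEIGHT.get(f.severity, 0) for f in findings)
    for letter, limit in zip("ABCDE", (0, 5, 15, 30, 60)):
        if total <= limit:
            return letter
    return "F"

def evaluate_gate(findings, baseline, cfg) -> dict:
    """Apply fail_on, max_total, new_only and min_score from quality_gate."""
    if cfg.get("new_only"):  # baselined findings never block the pipeline
        findings = [f for f in findings if f.fingerprint not in baseline]
    reasons = []
    blocked = [f for f in findings if f.severity in cfg.get("fail_on", [])]
    if blocked:
        reasons.append(f"{len(blocked)} new finding(s) at fail_on severities")
    if len(findings) > cfg.get("max_total", float("inf")):
        reasons.append(f"{len(findings)} findings exceed max_total")
    score = security_score(findings)
    min_score = cfg.get("min_score")
    if min_score and SCORE_ORDER.index(score) > SCORE_ORDER.index(min_score):
        reasons.append(f"score {score} is below min_score={min_score}")
    return {"passed": not reasons, "score": score, "reasons": reasons}

# Constructed sample: one baselined critical, one new high, two new lows.
SAMPLE = [
    Finding("py/sql-injection", "app/db.py", "critical", "fp-001"),
    Finding("py/hardcoded-secret", "app/settings.py", "high", "fp-002"),
    Finding("py/assert-used", "tests/test_a.py", "low", "fp-003"),
    Finding("py/assert-used", "tests/test_b.py", "low", "fp-004"),
]
BASELINE = {"fp-001"}  # fingerprints already accepted in the baseline file
CONFIG = {"fail_on": ["critical", "high"], "max_total": 50,
          "new_only": True, "min_score": "B"}
```

With `CONFIG`, the baselined critical is ignored but the new high still trips `fail_on`, and the remaining weighted total scores C, below `min_score: B`, so the gate fails for two reasons.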

## 📁 Package Structure

```
packages/cicd/
├── src/codesecure_cicd/
│   ├── __init__.py          # Package exports
│   ├── quality_gate.py      # Quality gate evaluation
│   ├── baseline.py          # Baseline comparison engine
│   ├── security_score.py    # A–F score calculator
│   ├── pr_decorator.py      # PR comment generator
│   ├── license_gate.py      # Beta/Licensed mode gate
│   └── runner.py            # Headless CI runner
├── templates/
│   ├── github-action.yml    # Advanced GitHub workflow
│   ├── gitlab-ci.yml        # GitLab CI pipeline
│   ├── azure-pipelines.yml  # Azure DevOps pipeline
│   └── github/
│       ├── codesecure-public.yml
│       └── codesecure-private.yml
├── Dockerfile               # Production multi-stage build
├── entrypoint.sh            # License check + CLI bridge
├── pyproject.toml
└── README.md
```

