Learn more at argus.huntridgelabs.com
Unified security scanning — SAST, containers, IaC, secrets, and DAST from a single CLI or GitHub Actions workflow.
- Quick Start
- Supported Scanners
- Features
- GitHub Enterprise Server (GHES)
- Documentation
- Usage Examples
- Configuration
- Contributing
## Quick Start

The argus Python SDK is the primary interface for running security scans. It works locally, in CI, and on any platform with Python 3.11+.

```bash
pip install argus-security

# Initialize config and scan
argus init
argus scan
```

Or scan immediately without a config file:

```bash
argus scan bandit gitleaks osv --severity-threshold high
```

After a scan, `argus view terminal` opens a terminal UI for navigating findings: filter by severity, product, or scanner; search by CVE; drill into details; export to CSV / JSON / Markdown / SARIF; see an executive dashboard. It ships behind an optional extra:

```bash
pip install 'argus-security[terminal]'
argus view terminal               # load ./argus-results/argus-results.json
argus scan --interface=terminal   # scan, then drop straight into the terminal viewer
```

Full keyboard reference and workflow in docs/view-terminal.md.
For GitHub Actions users, composite actions remain available for direct integration:

```yaml
name: Security Scan
on: [pull_request, push]
permissions:
  contents: read
  security-events: write
  pull-requests: write
jobs:
  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: huntridge-labs/argus/.github/actions/scanner-gitleaks@1.4.0
        with:
          enable_code_security: true
          fail_on_severity: high
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - uses: huntridge-labs/argus/.github/actions/scanner-bandit@1.4.0
        with:
          enable_code_security: true
          fail_on_severity: high
```

## Supported Scanners

| Category | Scanner | Description |
|---|---|---|
| SAST | CodeQL | GitHub semantic code analysis |
| SAST | Gitleaks | Secret detection in git history |
| SAST | Bandit | Python security linter |
| SAST | OpenGrep | Fast multi-language static analysis |
| Container | Trivy Container | Comprehensive vulnerability scanner |
| Container | Grype | Fast, accurate CVE detection |
| Container | Syft | Software Bill of Materials (SBOM) |
| Container | Exposed-port surface | Reports declared Dockerfile EXPOSE ports as findings (MEDIUM for risky-defaults watchlist: SSH, MySQL, Redis, etc.) |
| Infrastructure | Trivy IaC | Infrastructure as Code scanner |
| Infrastructure | Checkov | Policy as Code for cloud configs |
| Malware | ClamAV | Open-source antivirus engine |
| DAST | ZAP | Dynamic testing of running web/API endpoints (opt-in) |
For detailed scanner configuration, see Scanner Reference.
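As an added illustration of the exposed-port surface check listed in the table (example code written for this page, not Argus's own implementation), the following parser reads a Dockerfile's EXPOSE instructions, expands port ranges and protocols, ignores commented-out lines and build-time variables, and rates ports on a risky-defaults watchlist as MEDIUM. The watchlist entries beyond SSH, MySQL and Redis, the LOW rating for every other declared port, and the sample Dockerfile are assumptions made for the example.

```python
"""Dockerfile EXPOSE port surface check.

Added example illustrating the "Exposed-port surface" scanner row; this is not
Argus's own code. The watchlist is a constructed assumption: the README names
SSH, MySQL and Redis, the remaining entries are additions for illustration.
"""
import re
from dataclasses import dataclass

# Constructed watchlist of risky default service ports (port -> service).
RISKY_DEFAULT_PORTS = {
    22: "SSH",
    3306: "MySQL",
    6379: "Redis",
    5432: "PostgreSQL",   # assumption, not named in the README
    27017: "MongoDB",     # assumption, not named in the README
}

# Matches an EXPOSE instruction; comment lines never match because they start with '#'.
EXPOSE_RE = re.compile(r"^\s*EXPOSE\s+(.+?)\s*$", re.IGNORECASE)


@dataclass(frozen=True)
class PortFinding:
    line_no: int
    port: int
    protocol: str
    severity: str   # MEDIUM for watchlisted ports, LOW for everything else (assumed)
    message: str


def parse_expose_args(arg_string):
    """Expand the argument list of one EXPOSE line into (port, protocol) pairs.

    Handles '80', '443/tcp', '53/udp' and ranges such as '9000-9002/udp'.
    Tokens that are not numeric (e.g. '$PORT', resolved only at build time) are skipped.
    """
    pairs = []
    for token in arg_string.split():
        port_part, _, proto = token.partition("/")
        lo, _, hi = port_part.partition("-")
        if not lo.isdigit() or (hi and not hi.isdigit()):
            continue
        start, end = int(lo), (int(hi) if hi else int(lo))
        for port in range(start, end + 1):
            pairs.append((port, (proto or "tcp").lower()))
    return pairs


def scan_dockerfile(text):
    """Return one PortFinding per declared port, MEDIUM when it is on the watchlist."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        match = EXPOSE_RE.match(raw)
        if not match:
            continue
        for port, proto in parse_expose_args(match.group(1)):
            service = RISKY_DEFAULT_PORTS.get(port)
            if service:
                findings.append(PortFinding(line_no, port, proto, "MEDIUM",
                                            f"EXPOSE {port}/{proto} is the default port for {service}"))
            else:
                findings.append(PortFinding(line_no, port, proto, "LOW",
                                            f"EXPOSE {port}/{proto} declared"))
    return findings


# Constructed sample Dockerfile; the commented-out EXPOSE must not produce a finding.
SAMPLE_DOCKERFILE = """\
FROM python:3.11-slim
# EXPOSE 22 (left here as a comment; must be ignored)
EXPOSE 8080
EXPOSE 22 6379/tcp
EXPOSE 9000-9002/udp
EXPOSE $APP_PORT
"""

if __name__ == "__main__":
    for f in scan_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {f.line_no}: [{f.severity}] {f.message}")
```

Running the block over the sample yields two MEDIUM findings (22 and 6379 on line 4) and four LOW findings; the `$APP_PORT` line is skipped because its value is not known until build time, which is worth surfacing separately if your pipeline substitutes ports from build args.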
## Features

- **Argus SDK** - Run scanners locally or in CI with `argus scan`
- **Unified interface** - One CLI or workflow for all scanners
- **Flexible scanner selection** - Use scanner groups or specific scanners
- **Interactive triage TUI** - `argus view terminal`, a keyboard-driven findings explorer with executive dashboard
- **SBOM input** - `argus scan --sbom path/to/sbom.json` accepts CycloneDX / SPDX / Syft SBOMs (file or directory of SBOMs)
- **GitHub Security tab integration** - Upload SARIF results to Code Scanning
- **PR comments** - Inline feedback on pull requests
- **Severity-based failure control** - Set thresholds for workflow failures
- **Container configuration** - Scan multiple containers from a single config file
- **Matrix execution** - Parallel scanning for multiple targets
- **Credential handling** - Secrets stay out of `argus.yml`: name an env var via `<field>_env`, pipe via `--registry-password-stdin`, or both. The validator warns on literal vendor-shaped values; resolved values never reach logs or the audit trail.
- **Supply-chain verification** - Cosign-verify on every argus-owned image pull (Sigstore keyless), implicit `@sha256:digest` verification on every third-party image. Failure aborts the scanner.
- **Shell tab-completion** - `argus completion zsh >> ~/.zshrc` (or `bash`) tab-completes subcommands, scanner / linter names, and common flags. Auto-refreshes from the live scanner registry.
- **Optional AI summary** - Generate executive security summaries from scan results using your own AI provider and API key (Copilot, Claude, or Gemini)
- **Interactive findings TUI** - `argus view terminal`, a keyboard-driven triage browser (`pip install 'argus-security[terminal]'`)
- **Local web UI** - `argus view browser`, a localhost dashboard for non-engineer stakeholders (`pip install 'argus-security[browser]'`)
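The credential-handling feature above describes three behaviours: resolving `<field>_env` references (or a password piped on stdin) instead of storing literals, warning when a literal value has the shape of a vendor token, and keeping resolved values out of logs. The block below is an added illustration of those three steps written for this page; it is not Argus's own code. The config keys (`registry_password`, `api_key` and their `_env` twins), the token-shape patterns, and the sample config and environment are constructed assumptions.

```python
"""Credential handling: env-var indirection, literal-secret warnings, log redaction.

Added example of the behaviour described in the README, not Argus's own code.
Field names, token patterns and sample values are constructed assumptions.
"""
import io
import re

# Constructed, illustrative token shapes. A real validator carries many more.
VENDOR_SHAPED = (
    ("GitHub token", re.compile(r"^gh[pousr]_[A-Za-z0-9]{20,}$")),
    ("AWS access key ID", re.compile(r"^AKIA[0-9A-Z]{16}$")),
    ("Slack token", re.compile(r"^xox[abprs]-[A-Za-z0-9-]{10,}$")),
)

# Assumed names of config fields whose values are secrets.
SECRET_FIELDS = ("registry_password", "api_key")


def check_literals(config):
    """Warn for every secret field whose literal value looks like a vendor token."""
    warnings = []
    for field in SECRET_FIELDS:
        value = config.get(field)
        if not isinstance(value, str):
            continue
        for label, pattern in VENDOR_SHAPED:
            if pattern.match(value):
                warnings.append(f"{field}: literal looks like a {label}; use {field}_env instead")
                break
    return warnings


def resolve_secrets(config, environ, stdin=None, password_from_stdin=False):
    """Resolve <field>_env references from the environment; optionally read the
    registry password from a stream (the --registry-password-stdin behaviour)."""
    resolved = {}
    for field in SECRET_FIELDS:
        env_name = config.get(f"{field}_env")
        if env_name:
            if env_name not in environ:
                raise KeyError(f"{field}_env names {env_name!r}, which is not set")
            resolved[field] = environ[env_name]
        elif isinstance(config.get(field), str):
            resolved[field] = config[field]   # literal; check_literals already flagged it
    if password_from_stdin:
        if stdin is None:
            raise ValueError("password_from_stdin requires a stdin stream")
        resolved["registry_password"] = stdin.readline().rstrip("\r\n")
    return resolved


def redact(message, resolved):
    """Replace any resolved secret value embedded in a log or audit line with a marker."""
    for field, value in resolved.items():
        if value:
            message = message.replace(value, f"<redacted:{field}>")
    return message


# Constructed sample: one secret referenced via env, one pasted in as a literal.
SAMPLE_CONFIG = {
    "registry_password_env": "REGISTRY_PASSWORD",
    "api_key": "ghp_0123456789abcdefghijklmnopqrstuv",   # constructed, not a real token
}
SAMPLE_ENV = {"REGISTRY_PASSWORD": "s3cr3t-example"}


def demo(piped_password="piped-example"):
    """Run the three steps over the sample; returns what a CLI would act on."""
    warnings = check_literals(SAMPLE_CONFIG)
    resolved = resolve_secrets(SAMPLE_CONFIG, SAMPLE_ENV,
                               stdin=io.StringIO(piped_password + "\n"),
                               password_from_stdin=True)
    log_line = redact(f"registry login failed using {resolved['registry_password']}", resolved)
    return {"warnings": warnings, "resolved": resolved, "log_line": log_line}


if __name__ == "__main__":
    out = demo()
    print("\n".join(out["warnings"]))
    print(out["log_line"])
```

Two design points carry over to any real implementation: an `_env` reference to an unset variable is an error, not an empty password (a silent empty credential tends to surface later as a confusing registry 401), and redaction is applied to the message text rather than relying on callers never to interpolate a secret.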
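The supply-chain verification feature above draws a line between argus-owned images, which must pass a cosign signature check, and third-party images, which must be pinned by `@sha256:` digest, with any failure aborting the scanner. The block below is an added example of that pull policy written for this page, not Argus's own code: the argus-owned registry prefix is a placeholder, the cosign result is passed in by the caller (the real check invokes `cosign verify`, which is not reimplemented here), and the sample references are constructed.

```python
"""Image pull verification policy: cosign for owned images, digest pinning for the rest.

Added example, not Argus's own code. ARGUS_OWNED_PREFIX is a placeholder, the
cosign result is an input from the caller, and the sample refs are constructed.
"""
import hashlib
import re

ARGUS_OWNED_PREFIX = "registry.example/argus/"   # placeholder, not the real location
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_image_ref(ref):
    """Split 'host[:port]/repo[:tag][@digest]' into (name, tag, digest)."""
    name, digest = ref, None
    if "@" in ref:
        name, digest = ref.split("@", 1)
    tag = None
    # A colon after the last slash is a tag separator; before it, a registry port.
    colon = name.rfind(":")
    if colon > name.rfind("/"):
        name, tag = name[:colon], name[colon + 1:]
    return name, tag, digest


def pull_decision(ref, cosign_verified=False):
    """Return ('allow', reason) or ('abort', reason) for one image reference.

    argus-owned images must pass cosign verification; every other image must be
    pinned by a well-formed @sha256 digest. Any failure aborts the scanner.
    """
    name, _tag, digest = parse_image_ref(ref)
    if digest is not None and not DIGEST_RE.match(digest):
        return "abort", f"malformed digest in {ref}"
    if name.startswith(ARGUS_OWNED_PREFIX):
        if cosign_verified:
            return "allow", "argus-owned image, cosign signature verified"
        return "abort", "argus-owned image, cosign verification failed"
    if digest is None:
        return "abort", f"third-party image {ref} is not pinned by digest"
    return "allow", "third-party image pinned by digest"


def digest_of(blob):
    """Content digest in registry notation for an in-memory blob."""
    return "sha256:" + hashlib.sha256(blob).hexdigest()


def blob_matches_digest(blob, digest):
    """Verify pulled content against the digest in the reference, which is the
    implicit integrity check a digest-pinned pull gives you."""
    return DIGEST_RE.match(digest) is not None and digest_of(blob) == digest


# Constructed sample pulls: (reference, cosign result reported by the caller).
SAMPLE_PULLS = [
    ("registry.example/argus/scanner-bandit:1.4.0", True),
    ("registry.example/argus/scanner-bandit:1.4.0", False),
    ("redis:7", False),
    ("localhost:5000/team/app:1.2@" + digest_of(b"constructed layer"), False),
    ("redis@sha256:not-a-digest", False),
]

if __name__ == "__main__":
    for ref, ok in SAMPLE_PULLS:
        print(ref, "->", pull_decision(ref, cosign_verified=ok))
```

Note that a tag on a digest-pinned reference (`app:1.2@sha256:...`) is informational only; the digest is what the pull is bound to, which is why the policy ignores the tag entirely when deciding.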
## GitHub Enterprise Server (GHES)

GHES users can use the argus SDK or composite actions directly from github.com - no mirroring required.

Architecture: Scanner logic lives in the argus Python SDK and in composite actions. The SDK is the primary interface; composite actions provide GitHub Actions integration.

### GHES Quick Start

```yaml
name: Security Scan (GHES)
on: [pull_request, push]
permissions:
  contents: read
  security-events: write
  pull-requests: write
jobs:
  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      # Use composite actions directly from github.com
      - uses: huntridge-labs/argus/.github/actions/scanner-gitleaks@1.4.0
        with:
          enable_code_security: true
          fail_on_severity: high
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
      - uses: huntridge-labs/argus/.github/actions/scanner-bandit@1.4.0
        with:
          enable_code_security: true
          fail_on_severity: high
```

See examples/github-enterprise/ for complete GHES workflow templates.
## Documentation

Full documentation: huntridge-labs.github.io/argus

- Configuration Reference - Full `argus.yml` specification
- Scanner Reference - Complete configuration for all scanners
- Container Scanning - Config-driven matrix container scanning
- Failure Control - Severity-based workflow failure configuration
- Security Policy - Threat model, credential handling, supply-chain verification, vulnerability reporting
- Migration 0.6.x → 1.x - Side-by-side guide for upgrading consumer workflows
- Docker Troubleshooting - Runtime detection, bind-mount permissions, image pulls, proxies, and execution-failure signals
- Contributing Guide - How to add scanners and actions
- Testing Guide - How to add and run tests
- Release Management - Release process and versioning
- Enhanced PR Comments - PR comment implementation
## Usage Examples

### SDK: Full Scan with Config File

```yaml
# argus.yml
scanners:
  - gitleaks
  - bandit
  - opengrep
  - osv
  - trivy-iac
  - checkov
scan_path: "."
severity_threshold: high
```

```bash
argus scan --config argus.yml
```

### SDK: SAST Scanners Only

```bash
argus scan bandit opengrep gitleaks --severity-threshold medium
```

### SDK: Container Scanning

```bash
argus scan container --severity-threshold critical
```

### SDK: Infrastructure as Code

```yaml
# argus.yml
scanners:
  - trivy-iac
  - checkov
scan_path: "terraform/"
severity_threshold: high
```

```bash
argus scan --config argus.yml
```

### GitHub Actions: Composite Actions

```yaml
name: Security Scan
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
permissions:
  contents: read
  security-events: write
  pull-requests: write
jobs:
  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: huntridge-labs/argus/.github/actions/scanner-gitleaks@1.4.0
        with:
          enable_code_security: true
          fail_on_severity: high
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - uses: huntridge-labs/argus/.github/actions/scanner-bandit@1.4.0
        with:
          enable_code_security: true
          fail_on_severity: high
```

### GitHub Actions: Config-Driven Container Scanning

See Container Scanning Guide for complete documentation.
## Configuration

```yaml
scanners:
  - gitleaks
  - bandit
  - osv
  - trivy-iac
scan_path: "."
severity_threshold: high
```

```bash
# Specific scanners
argus scan gitleaks bandit osv

# With severity threshold
argus scan --severity-threshold high

# With config file
argus scan --config argus.yml
```

Severity levels: `none`, `low`, `medium`, `high`, `critical`

See Failure Control Guide for detailed threshold configuration.
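As an added example of how a severity threshold gates a run (written for this page, not Argus's own failure-control code), the block below ranks the five levels in the order listed above, aggregates findings from several scanners, and fails when any finding is at or above the threshold. Treating a threshold of `none` as "never fail", the rejection of unknown level names, and the sample findings are assumptions made for the example.

```python
"""Severity-threshold failure control over merged scanner results.

Added example, not Argus's own code. The five levels come from the README;
reading threshold "none" as "never fail" is an assumption, and the sample
findings are constructed.
"""
SEVERITY_ORDER = ("none", "low", "medium", "high", "critical")


def severity_rank(level):
    """Position of a level in SEVERITY_ORDER. Unknown names are rejected rather than
    silently treated as low, so a scanner emitting an unexpected label cannot bypass the gate."""
    try:
        return SEVERITY_ORDER.index(level.strip().lower())
    except ValueError:
        raise ValueError(f"unknown severity {level!r}; expected one of {SEVERITY_ORDER}") from None


def summarize(findings):
    """Count findings per level, in SEVERITY_ORDER, across all scanners."""
    counts = {level: 0 for level in SEVERITY_ORDER}
    for finding in findings:
        counts[SEVERITY_ORDER[severity_rank(finding["severity"])]] += 1
    return counts


def evaluate(findings, threshold):
    """Return (exit_code, failing_findings).

    exit_code is 1 when any finding is at or above the threshold, else 0.
    Threshold 'none' disables failure (assumption, see module docstring).
    """
    floor = severity_rank(threshold)
    if floor == 0:
        return 0, []
    failing = [f for f in findings if severity_rank(f["severity"]) >= floor]
    return (1 if failing else 0), failing


# Constructed merged results from three scanners; ids are made up for the example.
SAMPLE_FINDINGS = [
    {"scanner": "bandit", "id": "constructed-bandit-1", "severity": "high"},
    {"scanner": "gitleaks", "id": "constructed-gitleaks-1", "severity": "critical"},
    {"scanner": "osv", "id": "constructed-osv-1", "severity": "medium"},
    {"scanner": "osv", "id": "constructed-osv-2", "severity": "low"},
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FINDINGS))
    for level in SEVERITY_ORDER:
        code, failing = evaluate(SAMPLE_FINDINGS, level)
        print(f"threshold={level:<8} exit={code} failing={[f['id'] for f in failing]}")
```

With the sample data a threshold of `high` fails on two findings, `critical` on one, and `none` never fails; the summary counts are what a PR comment or dashboard would render regardless of the threshold.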
When using composite actions in GitHub Actions workflows:

```yaml
permissions:
  contents: read          # Read repository content
  security-events: write  # Upload to GitHub Security tab
  pull-requests: write    # Post PR comments
  actions: read           # Read Actions artifacts
```

Scanner-specific secrets (for GitHub Actions composite action usage):

| Secret | Required For | Description |
|---|---|---|
| `GITLEAKS_LICENSE` | Gitleaks (organizations) | License from gitleaks.io |
| `GITHUB_TOKEN` | PR comments, Security tab | Automatically provided |
| Registry secrets | Private containers | Token for authentication |
## MCP Server

Argus includes an MCP server for AI-assistant integration. Tools like Claude Desktop, Claude Code, Cursor, Continue, and Cline can run scans, validate configs, classify IaC changes, and explain findings — without leaving the chat.

Zero-install (recommended for AI-tool-only users — no global Python install needed):

```bash
uvx --from 'argus-security[mcp]' argus mcp
```

Or install via pip (recommended if you also use the Argus CLI):

```bash
pip install 'argus-security[mcp]'
```

Add to your AI tool's MCP configuration:

```json
{
  "mcpServers": {
    "argus": {"command": "argus", "args": ["mcp"]}
  }
}
```

Available tools: `argus_scan`, `argus_detect`, `argus_validate`, `argus_list_scanners`, `argus_init`, `argus_classify`, `argus_explain_finding`, `argus_scan_summary`. Resources: `argus://config`, `argus://results/latest`, `argus://config/schema`. Prompts: `security_review`, `fix_findings`, `setup_scanning`.

See docs/mcp.md for per-client config (Claude Desktop, Claude Code, Cursor, Continue, Cline), the full tool reference, and the list of MCP server registries where Argus is listed for discovery.
## Contributing

Contributions welcome! See CONTRIBUTING.md for guidelines.

Quick Start with Dev Container (Recommended):

- Install VS Code + Dev Containers extension
- Open repository → "Reopen in Container"
- All dependencies ready! Run `npm test`

Or set up manually:

```bash
# Install dependencies
npm install
pip install -r .devcontainer/requirements.txt

# Run tests
npm test

# See tests/CONTRIBUTING.md for detailed testing guide
```

## License

AGPL v3 License - see LICENSE.md for details.

## Support

- Documentation: huntridge-labs.github.io/argus
- Issues: GitHub Issues
- Discussions: GitHub Discussions
- Security: See SECURITY.md for vulnerability reporting
