adds doc-gen, improves cli command flags #2979

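---
# DevSecOps Workflow Definition
# This workflow is triggered on every push to the repository (and manually via
# workflow_dispatch). Lint, tests and the DevGuard scan/build jobs run on every
# push; deploy, sign and release are additionally gated by `if:` on the ref.
name: DevGuard-Workflow

on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
  push:

# Workflow-wide token permissions. The reusable DevGuard workflows below
# inherit these (a called workflow cannot get more than the caller grants).
# Jobs that only need to read the checkout narrow them to `contents: read`.
permissions:
  contents: write
  actions: read
  security-events: write
  packages: write

jobs:
  golangci:
    name: lint
    runs-on: ubuntu-latest
    # Lint only reads the repository; no write scopes needed.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - https://github.com/actions/checkout/releases/tag/v5.0.0
        with:
          submodules: recursive
      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 - https://github.com/actions/setup-go/releases/tag/v5.5.0
        with:
          go-version: '1.25.5'
          # setup-go's module cache is disabled here; presumably the lint
          # action below handles its own caching — confirm.
          cache: false
      - name: golangci-lint
        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0 - https://github.com/golangci/golangci-lint-action/releases/tag/v8.0.0
        with:
          args: --timeout=30m
          version: v2.4.0

  tests:
    name: tests
    runs-on: ubuntu-latest
    # Unit tests only read the repository; the coverage artifact upload does
    # not need token write scopes.
    permissions:
      contents: read
    steps:
      - name: Check out code
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - https://github.com/actions/checkout/releases/tag/v5.0.0
        with:
          submodules: recursive
      - name: Set up Go
        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 - https://github.com/actions/setup-go/releases/tag/v5.5.0
        with:
          go-version: '1.25.5'
      - name: Run unittests
        # Generated mocks are excluded from the package list and coverage.
        run: go test $(go list ./... | grep -v "/mocks") -coverprofile=coverage.out && go tool cover -func=coverage.out
      - name: Archive code coverage results
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 - https://github.com/actions/upload-artifact/releases/tag/v4.6.2
        with:
          name: code-coverage
          path: coverage.out

  # Full DevGuard pipeline (scan + build + optional deploy) for the main image.
  # NOTE(review): `@main` is a mutable ref for a workflow that receives the
  # DevGuard token; pin the reusable workflows to a release tag or commit SHA
  # once one is available.
  devguard:
    uses: l3montree-dev/devguard-action/.github/workflows/full.yml@main
    with:
      asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard
      api-url: https://api.main.devguard.org
      fail-on-risk: high
      fail-on-cvss: high
      web-ui: https://main.devguard.org
      should-deploy: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') }}
      continue-on-open-code-risk: true
    secrets:
      devguard-token: ${{ secrets.DEVGUARD_TOKEN }}
      build-args: "--context=. --dockerfile=Dockerfile --build-arg GITHUB_REF_NAME=$GITHUB_REF_NAME --build-arg GITHUB_SHA=$GITHUB_SHA"

  # Builds the scanner image from Dockerfile.scanner.
  build-scanner-image:
    uses: l3montree-dev/devguard-action/.github/workflows/build-image.yml@main
    with:
      artifact-name: "pkg:oci/scanner?repository_url=ghcr.io/l3montree-dev/devguard/scanner"
      asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard
      api-url: https://api.main.devguard.org
      image-suffix: "scanner"
    secrets:
      devguard-token: ${{ secrets.DEVGUARD_TOKEN }}
      build-args: "--context=. --dockerfile=Dockerfile.scanner --build-arg GITHUB_REF_NAME=$GITHUB_REF_NAME --build-arg GITHUB_SHA=$GITHUB_SHA"

  # Image scanning job to detect vulnerabilities in the built Docker image
  scanner-container-scanning:
    uses: l3montree-dev/devguard-action/.github/workflows/container-scanning.yml@main
    needs:
      - build-scanner-image
    with:
      asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard
      api-url: https://api.main.devguard.org
      artifact-name: "pkg:oci/scanner?repository_url=ghcr.io/l3montree-dev/devguard/scanner"
      web-ui: https://main.devguard.org
      fail-on-cvss: high
      fail-on-risk: high
      image-suffix: "scanner"
    secrets:
      devguard-token: ${{ secrets.DEVGUARD_TOKEN }}

  # Deploys the scanner image once it is built, scanned and the unit tests
  # pass. NOTE(review): besides main and tags this also deploys from the
  # troubleshooting-sast and test-release branches; remove them once they are
  # no longer needed.
  deploy-scanner:
    needs:
      - build-scanner-image
      - scanner-container-scanning
      - tests
    uses: l3montree-dev/devguard-action/.github/workflows/deploy.yml@main
    with:
      asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard
      api-url: https://api.main.devguard.org
      image-suffix: "scanner"
    secrets:
      devguard-token: ${{ secrets.DEVGUARD_TOKEN }}
    if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') || github.ref == 'refs/heads/troubleshooting-sast' || github.ref == 'refs/heads/test-release'

  # Signs the scanner image (main, tags and test-release only).
  sign-scanner:
    needs:
      - build-scanner-image
      - scanner-container-scanning
      - tests
    uses: l3montree-dev/devguard-action/.github/workflows/sign.yml@main
    with:
      asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard
      api-url: https://api.main.devguard.org
      artifact-name: "pkg:oci/scanner?repository_url=ghcr.io/l3montree-dev/devguard/scanner"
      image-suffix: "scanner"
    secrets:
      devguard-token: ${{ secrets.DEVGUARD_TOKEN }}
    if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') || github.ref == 'refs/heads/test-release'

  # Produces an attestation for the scanner image on every push.
  attest-scanner:
    needs:
      - build-scanner-image
      - scanner-container-scanning
      - tests
    uses: l3montree-dev/devguard-action/.github/workflows/attest.yml@main
    with:
      asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard
      api-url: https://api.main.devguard.org
      artifact-name: "pkg:oci/scanner?repository_url=ghcr.io/l3montree-dev/devguard/scanner"
      image-suffix: "scanner"
    secrets:
      devguard-token: ${{ secrets.DEVGUARD_TOKEN }}

  # Builds, archives, checksums, signs and publishes the CLI binaries for a
  # tag (or the test-release branch).
  release:
    name: Build and Release Binaries
    runs-on: ubuntu-latest
    # needs: [golangci, tests, sign-scanner, devguard]
    # NOTE(review): with `needs` commented out a release is published even if
    # lint, tests or the scan jobs fail; re-enable the gate once those jobs
    # are stable.
    if: startsWith(github.ref, 'refs/tags/') || github.ref == 'refs/heads/test-release'
    outputs:
      tag: ${{ steps.tag.outputs.tag }}
    steps:
      - name: Checkout code
        # Pinned to the same commit as the other jobs (was the floating tag v4).
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - https://github.com/actions/checkout/releases/tag/v5.0.0
        with:
          # 0 = full history, including all tags.
          fetch-depth: 0
      - name: Set up Go
        # Pinned to the same setup-go commit and Go patch release as the other
        # jobs (was `@v5` / `'1.25'`).
        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 - https://github.com/actions/setup-go/releases/tag/v5.5.0
        with:
          go-version: '1.25.5'
      - name: Get tag
        id: tag
        # Derives the release tag from the runner environment ($GITHUB_REF)
        # instead of interpolating a `${{ github.ref }}` expression into the
        # shell script; outputs: `tag`, plus env TAG_NO_V (tag without the
        # leading "v") for tag builds only.
        run: |
          if [[ "$GITHUB_REF" == refs/tags/* ]]; then
            echo "tag=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT"
            echo "TAG_NO_V=${GITHUB_REF_NAME#v}" >> "$GITHUB_ENV"
          else
            echo "tag=test-$(date +%Y%m%d-%H%M%S)" >> "$GITHUB_OUTPUT"
          fi
      - name: Build cross-platform binaries
        env:
          VERSION: ${{ steps.tag.outputs.tag }}
        run: |
          set -euo pipefail
          mkdir -p dist
          # Build flags for security-hardened binaries: strip symbol table and
          # DWARF (-s -w), drop the build id, and stamp version metadata.
          BUILD_FLAGS="-s -w -buildid= -X main.version=${VERSION} -X main.commit=${GITHUB_SHA} -X main.date=$(date -u +%Y-%m-%dT%H:%M:%SZ) -X main.builtBy=github-actions"
          # build <GOOS> <GOARCH> [<suffix>]
          #   -> dist/devguard-scanner-<GOOS>-<GOARCH><suffix>, static (CGO off)
          build() {
            GOOS="$1" GOARCH="$2" CGO_ENABLED=0 \
              go build -ldflags="$BUILD_FLAGS" -o "dist/devguard-scanner-$1-$2${3:-}" ./cmd/devguard-scanner
          }
          build linux amd64
          build linux arm64
          build windows amd64 .exe
          build windows arm64 .exe
          build darwin amd64
          build darwin arm64
      - name: Create archives
        run: |
          set -euo pipefail
          cd dist
          # tar.gz archives for Unix-like systems
          for target in linux-amd64 linux-arm64 darwin-amd64 darwin-arm64; do
            tar -czf "devguard-scanner-${target}.tar.gz" "devguard-scanner-${target}"
          done
          # zip archives for Windows
          zip devguard-scanner-windows-amd64.zip devguard-scanner-windows-amd64.exe
          zip devguard-scanner-windows-arm64.zip devguard-scanner-windows-arm64.exe
          # Remove individual binaries, keep archives
          rm -f devguard-scanner-linux-amd64 devguard-scanner-linux-arm64 devguard-scanner-darwin-amd64 devguard-scanner-darwin-arm64
          rm -f devguard-scanner-windows-amd64.exe devguard-scanner-windows-arm64.exe
      - name: Generate checksums
        run: |
          set -euo pipefail
          cd dist
          sha256sum *.tar.gz *.zip > checksums.txt
          echo "Generated checksums for all release artifacts"
      - name: Sign release artifacts with devguard-scanner
        # NOTE(review): `main-latest` is a mutable tag; pin the signing image by
        # digest (`scanner@sha256:<digest>`) so the release signer itself is
        # reproducible.
        uses: docker://ghcr.io/l3montree-dev/devguard/scanner:main-latest
        env:
          # Handed to the container as an environment variable instead of being
          # interpolated into the command line, where it would be visible in
          # the process list.
          DEVGUARD_TOKEN: ${{ secrets.DEVGUARD_TOKEN }}
        with:
          entrypoint: /bin/sh
          # `set -e` makes a failed signature fail the step; previously the
          # loop's exit status only reflected the last file and a failure
          # still left an empty .sig behind.
          args: |
            -c "
            set -e
            cd dist
            for file in *.tar.gz *.zip checksums.txt; do
              if [ -f \"\$file\" ]; then
                echo \"Signing \$file with devguard-scanner...\"
                devguard-scanner sign --token \"\$DEVGUARD_TOKEN\" \"\$file\" > \"\$file.sig\"
              fi
            done
            "
      - name: Create GitHub Release
        # NOTE(review): the only action in this workflow not pinned to a commit
        # SHA; pin to `softprops/action-gh-release@<commit-sha> # v1` like the
        # others.
        uses: softprops/action-gh-release@v1
        with:
          tag_name: ${{ steps.tag.outputs.tag }}
          name: "DevGuard Scanner ${{ steps.tag.outputs.tag }}"
          draft: false
          # Builds from the test-release branch get a "test-" tag and are
          # published as pre-releases.
          prerelease: ${{ contains(steps.tag.outputs.tag, 'test-') }}
          body: |
            ## 🚀 DevGuard Release ${{ steps.tag.outputs.tag }}
            **Secure software supply chain scanning and security analysis toolkit**
            ### Release Assets
            #### **📱 Binaries**
            - `devguard-scanner-linux-amd64.tar.gz` - Linux x64 binary
            - `devguard-scanner-linux-arm64.tar.gz` - Linux ARM64 binary
            - `devguard-scanner-darwin-amd64.tar.gz` - macOS x64 binary
            - `devguard-scanner-darwin-arm64.tar.gz` - macOS ARM64 (Apple Silicon) binary
            - `devguard-scanner-windows-amd64.zip` - Windows x64 binary
            - `devguard-scanner-windows-arm64.zip` - Windows ARM64 binary
            #### **🐳 Container Images**
            - **Registry**:
              - `ghcr.io/l3montree-dev/devguard:${{ steps.tag.outputs.tag }}` (Main platform)
              - `ghcr.io/l3montree-dev/devguard-web:${{ steps.tag.outputs.tag }}` (Frontend of the platform)
              - `ghcr.io/l3montree-dev/devguard/scanner:${{ steps.tag.outputs.tag }}` (Scanner tool)
            #### Helm Charts
            `oci://ghcr.io/l3montree-dev/devguard-helm-chart/devguard` (Main platform Helm chart)
            ```bash
            helm install my-devguard oci://ghcr.io/l3montree-dev/devguard-helm-chart/devguard --version ${{ env.TAG_NO_V }}
            ```
            ### Quick Start
            #### **Download and Install**
            ```bash
            # Linux/macOS - Download and extract
            curl -L https://github.com/l3montree-dev/devguard/releases/download/${{ steps.tag.outputs.tag }}/devguard-scanner-linux-amd64.tar.gz | tar -xz
            chmod +x devguard-scanner-linux-amd64
            sudo mv devguard-scanner-linux-amd64 /usr/local/bin/devguard-scanner
            # Verify installation
            devguard-scanner --version
            ```
            #### **Docker Usage**
            ```bash
            # Pull DevGuard Scanner from registry
            docker pull ghcr.io/l3montree-dev/devguard/scanner:${{ steps.tag.outputs.tag }}
            # Pull DevGuard Platform from registry
            docker pull ghcr.io/l3montree-dev/devguard:${{ steps.tag.outputs.tag }}
            ```
            #### **Go Install**
            ```bash
            go install github.com/l3montree-dev/devguard/cmd/devguard-scanner@${{ steps.tag.outputs.tag }}
            ```
            ---
            📖 **Documentation**: [DevGuard Documentation](https://github.com/l3montree-dev/devguard)
            🐛 **Report Issues**: [GitHub Issues](https://github.com/l3montree-dev/devguard/issues)
            💬 **Community**: [Discussions](https://github.com/l3montree-dev/devguard/discussions)
          # NOTE(review): no step in this job writes *.link, *.provenance.json
          # or *.sbom.json; presumably the scanner sign step is expected to —
          # confirm, otherwise drop the unmatched globs.
          files: |
            dist/*.tar.gz
            dist/*.zip
            dist/checksums.txt
            dist/*.sig
            dist/*.link
            dist/*.provenance.json
            dist/*.sbom.json
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}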