mackeh/FortressCI
FortressCI: The DevSecOps Platform

FortressCI is a secure-by-default DevSecOps platform blueprint designed to implement "Shift Left" security, automated pipelines, and infrastructure protection. It integrates best-in-class open-source security tools to ensure your code and infrastructure are secure from day one.

View our Roadmap for upcoming features and long-term vision. Read the Changelog for release-by-release updates. Try the Interactive Playground to see FortressCI in action.

Features

Phase 1: Shift Left (Local Development)

Catch issues before they are committed.

  • Secrets Detection: TruffleHog scans for hardcoded credentials.
  • Code Quality: Standard hooks for trailing whitespace and file integrity.
  • IaC Scanning: Checkov runs locally to catch Terraform/CloudFormation issues.

Phase 2: Automated Pipeline (CI/CD)

Automated checks on every push and pull request across 6 CI platforms.

  • Secret Scanning: TruffleHog deep scan on git history.
  • SAST: Semgrep scans source code for vulnerabilities (OWASP Top 10).
  • SCA: Snyk checks dependencies for known CVEs.
  • IaC Scanning: Checkov scans Terraform, CloudFormation, and Kubernetes manifests.
  • Container Security: Trivy scans Docker images for OS and library vulnerabilities.
  • DAST: OWASP ZAP baseline scan for runtime attack surface.
  • Signing: Cosign signs container images.
  • SBOM: Syft generates SPDX/CycloneDX Bill of Materials.
  • Provenance: SLSA Level 3 build provenance via slsa-github-generator.

Phase 3: Platform & Intelligence

  • AI Triage: Automated findings analysis and prioritisation via LLMs.
  • Auto-Remediation: Self-healing pipelines that open PRs to fix vulnerabilities.
  • Cross-Repo Analyzer: Shared dependency and vulnerability hotspot analysis across many repositories.
  • Security Dashboard: Real-time visualisations of security posture and trends.
  • MCP Server: Native integration for AI assistants to query security data.

Quick Start

Option 1: Setup Wizard (Recommended)

git clone https://github.com/mackeh/FortressCI.git
cd FortressCI

# Run the interactive wizard — detects your project type and CI platform
./scripts/fortressci-init.sh

The wizard generates:

  • CI/CD workflow file for your platform
  • .pre-commit-config.yaml (local hooks)
  • .security/ configurations (policy, waivers, compliance mappings, falco rules)
  • .fortressci.yml (severity thresholds and scanner config)

Validate your setup:

./scripts/fortressci-doctor.sh --workspace .

Option 2: Docker Local Scan

Run all security scans locally in a single container:

# Build the all-in-one scanner image
docker build -t fortressci/scan .

# Scan your project (results output to ./results/)
docker run --rm \
  -v $(pwd):/workspace \
  -v $(pwd)/results:/results \
  fortressci/scan /workspace

This runs the full suite including AI triage, SBOM generation, and threshold gating.


Quality And Tests

Run local quality checks before opening a PR:

pre-commit run --all-files
bash -n scripts/*.sh
python3 -m compileall scripts

Run the script test suites:

python3 -m pip install -U pytest
pytest -q tests/python
bats tests/bash

CI now runs:

  • quality-lint: actionlint + shellcheck + yamllint
  • script-tests: pytest + bats

Security Scoring

FortressCI calculates a real-time security grade (A+ to F) based on findings and practices.

# Generate your security badge
./scripts/generate-badge.py <results_dir>


Policy-as-Code

Define organisational security policies in .security/policy.yml. Policies are enforced during scans and can gate your pipeline.

# Run policy enforcement
./scripts/fortressci-policy-check.sh .security/policy.yml results/
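To make the gating step concrete, here is a small policy gate written as an added example; it is not FortressCI's own fortressci-policy-check.sh. The policy keys (fail_on_severity, max_findings), the expiring waiver entries and the normalised findings list are assumptions for illustration, not the project's real .security/policy.yml or waivers.yml formats. It shows the two behaviours a gate needs: a severity threshold that trips on any single serious finding, and waivers that stop gating once they expire rather than living forever.

```python
"""Policy gate over normalised scanner findings (added example; not FortressCI's
own fortressci-policy-check.sh). The policy, waiver and finding shapes below are
assumptions, not the project's real .security/policy.yml or waivers.yml format."""
from __future__ import annotations

import sys
from collections import Counter
from datetime import date

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}

# Constructed policy: any unwaived finding at HIGH or above fails the gate,
# and MEDIUM findings may not accumulate beyond 10.
POLICY = {"fail_on_severity": "HIGH", "max_findings": {"MEDIUM": 10}}

# Constructed waivers. Each carries an expiry so an accepted risk is
# re-examined instead of living forever; the second one has already lapsed.
WAIVERS = [
    {"id": "CVE-PLACEHOLDER-1", "expires": "2099-01-01", "reason": "not reachable"},
    {"id": "CVE-PLACEHOLDER-2", "expires": "2020-01-01", "reason": "lapsed"},
]

# Constructed findings already normalised to one shape across tools.
FINDINGS = [
    {"id": "CVE-PLACEHOLDER-1", "severity": "CRITICAL", "tool": "trivy"},
    {"id": "CVE-PLACEHOLDER-2", "severity": "HIGH", "tool": "snyk"},
    {"id": "RULE-PLACEHOLDER-1", "severity": "MEDIUM", "tool": "semgrep"},
    {"id": "CKV-PLACEHOLDER-1", "severity": "LOW", "tool": "checkov"},
]


def active_waivers(waivers: list[dict], today: date) -> set[str]:
    """IDs whose waiver has not expired as of `today`."""
    return {w["id"] for w in waivers if date.fromisoformat(w["expires"]) >= today}


def evaluate_policy(findings, policy, waivers, today=None) -> dict:
    """Return pass/fail plus the reasons, so CI logs show why a gate tripped.
    `today` may be a date, an ISO string, or None (meaning the real date)."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    waived = active_waivers(waivers, today)
    threshold = SEVERITY_RANK[policy["fail_on_severity"]]
    counts: Counter[str] = Counter()
    violations: list[str] = []
    for f in findings:
        if f["id"] in waived:
            continue  # accepted risk: not gating, though still worth reporting
        counts[f["severity"]] += 1
        if SEVERITY_RANK[f["severity"]] >= threshold:
            violations.append(f"{f['tool']}: {f['id']} is {f['severity']}")
    for sev, limit in policy.get("max_findings", {}).items():
        if counts[sev] > limit:
            violations.append(f"{counts[sev]} {sev} findings exceed limit of {limit}")
    return {"passed": not violations, "violations": violations, "counts": dict(counts)}


if __name__ == "__main__":
    result = evaluate_policy(FINDINGS, POLICY, WAIVERS)
    for line in result["violations"]:
        print("POLICY VIOLATION:", line)
    sys.exit(0 if result["passed"] else 1)
```

With the constructed data the CRITICAL finding is covered by a live waiver and passes through, while the HIGH finding's waiver has lapsed and trips the gate, so the process exits non-zero and the pipeline stops. A real gate should also surface waived findings in the report so the exceptions stay visible to reviewers.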

Setup Health Check

Use fortressci doctor to validate local readiness before enforcing policy gates in CI.

# Local health check (files, hooks, tools, secrets)
./scripts/fortressci-doctor.sh --workspace .

# Optional: include GitHub branch protection probe
./scripts/fortressci-doctor.sh --workspace . --check-remote

Use --strict to treat warnings as failures:

./scripts/fortressci-doctor.sh --workspace . --strict

Compliance Reporting

Map technical findings to regulatory frameworks (SOC2, NIST, OWASP).

# Generate compliance report
python3 scripts/generate-compliance-report.py results/ .security/compliance-mappings.yml

Auto-Remediation

FortressCI can automatically apply fixes for dependency and IaC vulnerabilities.

# Attempt automatic fixes
./scripts/auto-fix.sh

AI-Powered Triage

Use LLMs to explain complex vulnerabilities and prioritise remediation.

# Run AI triage (requires ANTHROPIC_API_KEY)
python3 scripts/ai-triage.py --results-dir results/ --config .fortressci.yml

Cross-Repo Dependency Risk Analysis

Use SBOM and SCA outputs from multiple repositories to find shared dependency hotspots that are likely to create systemic risk.

# Analyze all subdirectories under ./org-results that contain sbom-source.cdx.json
# If sibling sca.json files exist, known vulnerable dependencies are correlated too.
python3 scripts/cross-repo-analyzer.py --dir ./org-results --top 25

Output: ./org-results/cross-repo-analysis.json
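The kind of analysis described above, as an added example that is not the project's cross-repo-analyzer.py: it reads one CycloneDX SBOM per repository, ranks packages by how many repositories ship them (and how many versions are in play), and then correlates any SCA hits against every repository's SBOM by package URL. The SBOM fragments and the sca.json shape (a list of entries with purl, id and severity) are constructed assumptions, not FortressCI's real output. The useful property it shows is that a vulnerable purl reported in one repository's scan is flagged in every other repository that ships the same purl, even where that repository's own scan produced nothing.

```python
"""Cross-repo dependency hotspot analysis over CycloneDX SBOMs (added example;
not FortressCI's cross-repo-analyzer.py). The sca.json shape, a list of
{purl, id, severity} entries, is an assumption, not the project's real output."""
from __future__ import annotations

import json
from collections import defaultdict
from pathlib import Path

# Constructed CycloneDX-style SBOM fragments, one per repository.
SBOMS = {
    "repo-a": {"bomFormat": "CycloneDX", "components": [
        {"name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
        {"name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2"},
    ]},
    "repo-b": {"bomFormat": "CycloneDX", "components": [
        {"name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
        {"name": "axios", "version": "1.6.0", "purl": "pkg:npm/axios@1.6.0"},
    ]},
    "repo-c": {"bomFormat": "CycloneDX", "components": [
        {"name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
        {"name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2"},
    ]},
}
# Constructed SCA output (hypothetical shape). Only repo-a's scan reported the
# finding; repo-b ships the same purl but its scan came back empty.
SCA = {
    "repo-a": [{"purl": "pkg:npm/lodash@4.17.20", "id": "VULN-PLACEHOLDER-1", "severity": "HIGH"}],
    "repo-b": [],
}


def load_results_dir(root: str) -> tuple[dict, dict]:
    """Read one sbom-source.cdx.json (plus optional sibling sca.json) per subdirectory."""
    sboms, sca = {}, {}
    for sbom_path in Path(root).glob("*/sbom-source.cdx.json"):
        repo = sbom_path.parent.name
        sboms[repo] = json.loads(sbom_path.read_text())
        sca_path = sbom_path.with_name("sca.json")
        if sca_path.exists():
            sca[repo] = json.loads(sca_path.read_text())
    return sboms, sca


def package_key(purl: str) -> str:
    """Strip the version so different versions of one package group together.
    purl percent-encodes '@' inside names, so the last '@' is the version separator."""
    return purl.rpartition("@")[0] if "@" in purl else purl


def dependency_hotspots(sboms: dict, top: int = 10) -> list[dict]:
    """Rank packages by how many repositories ship them; version sprawl is reported too."""
    repos, versions = defaultdict(set), defaultdict(set)
    for repo, sbom in sboms.items():
        for c in sbom.get("components", []):
            key = package_key(c["purl"])
            repos[key].add(repo)
            versions[key].add(c.get("version", "?"))
    rows = [
        {"package": k, "repo_count": len(r), "repos": sorted(r), "versions": sorted(versions[k])}
        for k, r in repos.items()
    ]
    rows.sort(key=lambda row: (-row["repo_count"], row["package"]))
    return rows[:top]


def correlate_vulnerabilities(sboms: dict, sca: dict) -> dict:
    """Map each vulnerability ID to every repo shipping the affected purl,
    including repos whose own scan did not report it."""
    vulnerable = defaultdict(set)  # exact purl -> vulnerability IDs seen anywhere
    for findings in sca.values():
        for f in findings:
            vulnerable[f["purl"]].add(f["id"])
    exposure = defaultdict(set)  # vulnerability ID -> repos shipping that purl
    for repo, sbom in sboms.items():
        for c in sbom.get("components", []):
            for vuln_id in vulnerable.get(c["purl"], ()):
                exposure[vuln_id].add(repo)
    return {v: sorted(r) for v, r in exposure.items()}


if __name__ == "__main__":
    report = {"hotspots": dependency_hotspots(SBOMS, top=25),
              "exposure": correlate_vulnerabilities(SBOMS, SCA)}
    print(json.dumps(report, indent=2))
```

Run against a results tree instead of the constructed data by calling load_results_dir("./org-results") and passing its two return values to the analysis functions. Grouping by version-stripped purl is deliberate: the hotspot view answers "how many codebases depend on this package at all", while the exposure view matches on the exact purl, because a vulnerability applies to specific versions.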


Repository Structure

.
├── .github/
│   ├── workflows/devsecops.yml    # Primary GitHub Actions pipeline
│   └── scripts/post_summary.js    # PR comment posting script
├── .security/
│   ├── policy.yml                 # Policy-as-code definitions
│   ├── waivers.yml                # Security finding exceptions
│   ├── compliance-mappings.yml    # Framework mapping definitions
│   └── falco-rules.yaml           # Runtime security rules
├── dashboard/                     # Security Operations Dashboard
├── playground/                    # Interactive Browser Playground
├── examples/                      # Vulnerable sample apps (Node/Python/TF)
├── integrations/
│   └── mcp-server/                # Model Context Protocol server
├── scripts/
│   ├── fortressci-init.sh         # Setup wizard CLI
│   ├── fortressci-doctor.sh       # Health checks for local/CI readiness
│   ├── run-all.sh                 # Docker scan orchestrator
│   ├── ai-triage.py               # AI findings analysis
│   ├── auto-fix.sh                # Automated remediation
│   ├── cross-repo-analyzer.py     # Shared dependency risk analysis
│   ├── generate-badge.py          # Security scoring & badges
│   ├── generate-sbom.sh           # SBOM generator
│   ├── fortressci-policy-check.sh # Policy enforcement
│   ├── generate-report.py         # HTML report generator
│   └── check-pinning.sh           # Supply chain pinning checker
├── tests/
│   ├── python/                    # Pytest suite for Python scripts
│   └── bash/                      # Bats suite for shell scripts
├── templates/                     # CI/CD and config templates
├── .fortressci.yml                # Global project configuration
└── Dockerfile                     # All-in-one scanner image

CI/CD Secrets

| Secret            | Required          | Purpose                                   |
|-------------------|-------------------|-------------------------------------------|
| SNYK_TOKEN        | For SCA scans     | Get token                                 |
| ANTHROPIC_API_KEY | For AI Triage     | Get key                                   |
| COSIGN_KEY        | For image signing | Generate with ./scripts/generate_keys.sh  |
| INFRACOST_API_KEY | For cost estimation | Get token                               |

Contributing

Please see CONTRIBUTING.md and our Code of Conduct.