mackeh/FortressCI
FortressCI: The DevSecOps Platform

FortressCI is a secure-by-default DevSecOps platform blueprint designed to implement "Shift Left" security, automated pipelines, and infrastructure protection. It integrates best-in-class open-source security tools to ensure your code and infrastructure are secure from day one.

View our Roadmap for upcoming features and long-term vision. Read the Changelog for release-by-release updates. Try the Interactive Playground to see FortressCI in action.

Features

Phase 1: Shift Left (Local Development)

Catch issues before they are committed.

  • Secrets Detection: TruffleHog scans for hardcoded credentials.
  • Code Quality: Standard hooks for trailing whitespace and file integrity.
  • IaC Scanning: Checkov runs locally to catch Terraform/CloudFormation/Bicep issues.

Phase 2: Automated Pipeline (CI/CD)

Automated checks on every push and pull request across 6 CI platforms.

  • Secret Scanning: TruffleHog deep scan on git history.
  • SAST: Semgrep scans source code for vulnerabilities (OWASP Top 10).
  • SCA: Snyk checks dependencies for known CVEs.
  • IaC Scanning: Checkov scans Terraform, CloudFormation, Kubernetes, and Bicep manifests.
  • Container Security: Trivy scans Docker images for OS and library vulnerabilities.
  • DAST: OWASP ZAP baseline scan for runtime attack surface.
  • Signing: Cosign signs container images.
  • SBOM: Syft generates SPDX/CycloneDX Bill of Materials.
  • Provenance: SLSA Level 3 build provenance via slsa-github-generator.

Phase 3: Platform & Intelligence

  • AI Triage: Automated findings analysis and prioritisation via LLMs.
  • DevSecOps Adoption Roadmap: 30/60/90-day prioritized plan with maturity and feasibility scores.
  • Auto-Remediation: Self-healing pipelines that open PRs to fix vulnerabilities.
  • Cross-Repo Analyzer: Shared dependency and vulnerability hotspot analysis across many repositories.
  • Security Dashboard: Real-time visualisations of security posture and trends.
  • MCP Server: Native integration for AI assistants to query security data.
  • Waiver Governance: Expired/expiring waiver detection, auditable exceptions with policy enforcement.
  • Diff-Aware Scanning: PR-scoped scans that skip irrelevant scanners based on changed file types.

Quick Start

Option 1: Setup Wizard (Recommended)

git clone https://github.com/mackeh/FortressCI.git
cd FortressCI

# Run the interactive wizard — detects your project type and CI platform
./scripts/fortressci-init.sh

The wizard generates:

  • CI/CD workflow file for your platform
  • .pre-commit-config.yaml (local hooks)
  • .security/ configurations (policy, waivers, compliance mappings, falco rules)
  • .fortressci.yml (severity thresholds and scanner config)

Validate your setup:

./scripts/fortressci-doctor.sh --workspace .

Option 2: Docker Local Scan

Run all security scans locally in a single container:

# Build the all-in-one scanner image
docker build -t fortressci/scan .

# Scan your project (results output to ./results/)
docker run --rm \
  -v $(pwd):/workspace \
  -v $(pwd)/results:/results \
  fortressci/scan /workspace

This runs the full suite including AI triage, SBOM generation, threshold gating, and an adoption roadmap.

The scanner image is maintained separately from the main repository scan flow:

  • .github/workflows/devsecops.yml is the app-facing reference pipeline.
  • .github/workflows/scanner-image.yml builds and inspects the FortressCI scanner image itself.
  • Scanner image Trivy findings are currently report-only and tracked in .security/scanner-image-waivers.md when upstream tool vendors have not yet shipped fixed binaries.

Azure DevOps Integration

FortressCI ships an Azure DevOps pipeline template at templates/azure/azure-pipelines.yml.

# Generate Azure pipeline + FortressCI config in your repo
./scripts/fortressci-init.sh --ci azure

The Azure pipeline:

  • Builds fortressci/scan in CI.
  • Runs the full FortressCI scan with policy gates.
  • Validates required secrets (SNYK_TOKEN) before scanning.
  • Publishes results/ as a build artifact, including adoption-roadmap.json, adoption-roadmap.md, and IaC SARIF outputs such as bicep.sarif.

For the FortressCI repository itself, scanner image maintenance is handled by the dedicated Scanner Image Maintenance workflow so root image CVEs do not pollute the main repo code-scanning flow.


Quality And Tests

Run local quality checks before opening a PR:

pre-commit run --all-files
bash -n scripts/*.sh
python3 -m compileall scripts

Run the script test suites:

python3 -m pip install -U pytest
pytest -q tests/python
bats tests/bash

CI now runs:

  • quality-lint: actionlint + shellcheck + yamllint
  • script-tests: pytest + bats

Security Scoring

FortressCI calculates a real-time security grade (A+ to F) based on findings and practices.

# Generate your security badge
./scripts/generate-badge.py <results_dir>

FortressCI Badge


Policy-as-Code

Define organisational security policies in .security/policy.yml. Policies are enforced during scans and can gate your pipeline.

# Run policy enforcement
./scripts/fortressci-policy-check.sh .security/policy.yml results/
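A minimal version of the threshold gate plus waiver governance described above, written here as an added illustration (it is not the project's fortressci-policy-check.sh); the finding, policy and waiver schemas are assumed for the example, and the sample data is constructed:

```python
"""Severity-threshold gate with waiver expiry governance. Added illustration, not
FortressCI's fortressci-policy-check.sh; the schemas below are assumed."""
from datetime import date, timedelta

# Constructed sample findings, normalised to id/severity/tool.
FINDINGS = [
    {"id": "vuln-001", "severity": "critical", "tool": "snyk"},
    {"id": "vuln-002", "severity": "high", "tool": "trivy"},
    {"id": "iac-001", "severity": "medium", "tool": "checkov"},
]
# Assumed policy: max *unwaived* findings per severity, and the number of days
# before expiry at which a waiver is flagged as "expiring".
POLICY = {"max": {"critical": 0, "high": 0, "medium": 5}, "warn_days": 14}
# Assumed waiver schema: owner, reason and ISO expiry date keep each exception auditable.
WAIVERS = [
    {"finding": "vuln-001", "owner": "team-a", "reason": "no upstream fix", "expires": "2024-06-10"},
    {"finding": "vuln-002", "owner": "team-b", "reason": "legacy service", "expires": "2024-01-01"},
]

def waiver_status(waiver, today, warn_days):
    """Classify a waiver as active, expiring (inside the warn window) or expired."""
    expires = date.fromisoformat(waiver["expires"])
    if expires < today:
        return "expired"
    if expires - today <= timedelta(days=warn_days):
        return "expiring"
    return "active"

def evaluate(findings, policy, waivers, today_iso):
    """Return (passed, report). Active and expiring waivers suppress their finding;
    an expired waiver is reported and its finding counts against the thresholds again."""
    today = date.fromisoformat(today_iso)
    waiver_for = {w["finding"]: w for w in waivers}
    counts, report = {}, {"expired": [], "expiring": [], "violations": []}
    for finding in findings:
        waiver = waiver_for.get(finding["id"])
        if waiver is not None:
            status = waiver_status(waiver, today, policy["warn_days"])
            if status != "expired":
                if status == "expiring":
                    report["expiring"].append(finding["id"])
                continue
            report["expired"].append(finding["id"])
        counts[finding["severity"]] = counts.get(finding["severity"], 0) + 1
    for severity, limit in policy["max"].items():
        if counts.get(severity, 0) > limit:
            report["violations"].append(f"{severity}: {counts[severity]} > {limit}")
    return not report["violations"], report
```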

Setup Health Check

Use fortressci doctor to validate local readiness before enforcing policy gates in CI.

# Local health check (files, hooks, tools, secrets)
./scripts/fortressci-doctor.sh --workspace .

# Optional: include GitHub branch protection probe
./scripts/fortressci-doctor.sh --workspace . --check-remote

Use --strict to treat warnings as a failure:

./scripts/fortressci-doctor.sh --workspace . --strict

Compliance Reporting

Map technical findings to regulatory frameworks (SOC2, NIST, OWASP).

# Generate compliance report
python3 scripts/generate-compliance-report.py results/ .security/compliance-mappings.yml

Auto-Remediation

FortressCI can automatically apply fixes for dependency and IaC vulnerabilities.

# Attempt automatic fixes
./scripts/auto-fix.sh

AI-Powered Triage

Use LLMs to explain complex vulnerabilities and prioritise remediation.

# Run AI triage (requires ANTHROPIC_API_KEY)
python3 scripts/ai-triage.py --results-dir results/ --config .fortressci.yml

DevSecOps Adoption Roadmap

Generate a practical, prioritized adoption plan with maturity and feasibility scoring.

python3 scripts/generate-adoption-roadmap.py --results-dir results/ --workspace . --config .fortressci.yml

Outputs:

  • results/adoption-roadmap.json (machine-readable roadmap with scoring and priority)
  • results/adoption-roadmap.md (human-readable 30/60/90 plan)

Cross-Repo Dependency Risk Analysis

Use SBOM and SCA outputs from multiple repositories to find shared dependency hotspots that are likely to create systemic risk.

# Analyze all subdirectories under ./org-results that contain sbom-source.cdx.json
# If sibling sca.json files exist, known vulnerable dependencies are correlated too.
python3 scripts/cross-repo-analyzer.py --dir ./org-results --top 25

Output: ./org-results/cross-repo-analysis.json


Repository Structure

.
├── .github/
│   ├── workflows/devsecops.yml    # Primary GitHub Actions pipeline
│   └── scripts/post_summary.js    # PR comment posting script
├── .security/
│   ├── policy.yml                 # Policy-as-code definitions
│   ├── waivers.yml                # Security finding exceptions
│   ├── compliance-mappings.yml    # Framework mapping definitions
│   └── falco-rules.yaml           # Runtime security rules
├── dashboard/                     # Security Operations Dashboard
├── playground/                    # Interactive Browser Playground
├── examples/                      # Vulnerable sample apps (Node/Python/TF)
├── integrations/
│   └── mcp-server/                # Model Context Protocol server
├── scripts/
│   ├── fortressci-init.sh         # Setup wizard CLI
│   ├── fortressci-doctor.sh       # Health checks for local/CI readiness
│   ├── run-all.sh                 # Docker scan orchestrator
│   ├── changed-files.sh           # PR diff-aware file detection
│   ├── ai-triage.py               # AI findings analysis
│   ├── auto-fix.sh                # Automated remediation
│   ├── cross-repo-analyzer.py     # Shared dependency risk analysis
│   ├── generate-badge.py          # Security scoring & badges
│   ├── generate-adoption-roadmap.py # DevSecOps roadmap + feasibility scoring
│   ├── generate-sbom.sh           # SBOM generator
│   ├── fortressci-policy-check.sh # Policy enforcement (incl. waiver governance)
│   ├── generate-report.py         # HTML report generator
│   └── check-pinning.sh           # Supply chain pinning checker
├── tests/
│   ├── python/                    # Pytest suite for Python scripts
│   └── bash/                      # Bats suite for shell scripts
├── templates/                     # CI/CD and config templates
├── .fortressci.yml                # Global project configuration
└── Dockerfile                     # All-in-one scanner image

CI/CD Secrets

Secret              Required              Purpose
SNYK_TOKEN          For SCA scans         Get token
ANTHROPIC_API_KEY   For AI Triage         Get key
COSIGN_KEY          For image signing     Generate with ./scripts/generate_keys.sh
INFRACOST_API_KEY   For cost estimation   Get token

Contributing

Please see CONTRIBUTING.md and our Code of Conduct.