Build-Flow-Labs/buildflow-trust-oss
BuildFlow Trust

Compliance scanner for GitHub organizations and repositories. Evaluates repositories against 5 built-in security and governance policies and reports results in the terminal.

BuildFlow Trust checks your GitHub org or specific repos for common compliance gaps -- Docker security, code ownership, secret exposure, branch protection, and separation of duties -- in a single command.

Installation

Homebrew (macOS / Linux)

brew tap Build-Flow-Labs/buildflow-trust
brew install buildflow-trust

Direct Download

macOS (Apple Silicon)

curl -L https://github.com/Build-Flow-Labs/buildflow-trust-oss/releases/latest/download/buildflow-trust-darwin-arm64 -o buildflow-trust
chmod +x buildflow-trust
sudo mv buildflow-trust /usr/local/bin/

macOS (Intel)

curl -L https://github.com/Build-Flow-Labs/buildflow-trust-oss/releases/latest/download/buildflow-trust-darwin-amd64 -o buildflow-trust
chmod +x buildflow-trust
sudo mv buildflow-trust /usr/local/bin/

Linux (amd64)

curl -L https://github.com/Build-Flow-Labs/buildflow-trust-oss/releases/latest/download/buildflow-trust-linux-amd64 -o buildflow-trust
chmod +x buildflow-trust
sudo mv buildflow-trust /usr/local/bin/

Linux (arm64)

curl -L https://github.com/Build-Flow-Labs/buildflow-trust-oss/releases/latest/download/buildflow-trust-linux-arm64 -o buildflow-trust
chmod +x buildflow-trust
sudo mv buildflow-trust /usr/local/bin/

Windows (amd64)

Download buildflow-trust-windows-amd64.exe from the Releases page.

Docker

# Passing -e GITHUB_TOKEN with no value copies the variable from the host environment,
# so the token does not appear on the command line (shell history, ps output)
docker run --rm -e GITHUB_TOKEN buildflowlabs/buildflow-trust scan --org your-org

All Releases

Download pre-built binaries and checksums from the Releases page.

Quick Start

# Authenticate with GitHub
buildflow-trust auth login

# Scan your organization
buildflow-trust scan --org your-org

# Or scan specific repositories
buildflow-trust scan --repo your-org/your-repo

Policies

ID          Policy             Severity  What it checks
POL-SEC-01  Docker Root User   CRITICAL  Dockerfiles that run as root (no USER directive)
POL-GOV-02  CODEOWNERS         MEDIUM    Repository has a CODEOWNERS file
POL-SEC-03  Secret Exposure    CRITICAL  Committed secret files (.env, credentials.json, etc.)
POL-SEC-04  Branch Protection  HIGH      Default branch has protection rules enabled
POL-SOX-01  SOX Separation     CRITICAL  Pull request authors cannot approve their own changes (evaluated as an OPA/Rego policy)
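The POL-SEC-01 row describes the check in one line; the interesting part in practice is what "runs as root" means once multi-stage builds, stage inheritance and USER forms like `app:app` or `1000` come into play. The following is an added example in the spirit of that policy, not the project's scanner, written as a portable awk-based shell function. It assumes that an external base image runs as root (a Dockerfile-only check cannot see the image's config without pulling it, so an image that already sets a non-root USER is a false positive here), that `FROM <earlier-stage>` inherits that stage's effective user, and that a USER whose value is an unexpanded variable is treated as root because it cannot be resolved statically. Line continuations are not handled.

```shell
#!/bin/sh
# Added example (not part of BuildFlow Trust): does the final stage of a
# Dockerfile run as root?
#
# Usage: dockerfile_runs_as_root path/to/Dockerfile
# Exit status: 0 = final stage runs as root (would violate POL-SEC-01)
#              1 = final stage runs as a non-root user
dockerfile_runs_as_root() {
  awk '
    # skip comments and blank lines
    /^[ \t]*#/ || /^[ \t]*$/ { next }

    # FROM starts a new stage; skip flags such as --platform=... to find the base
    toupper($1) == "FROM" {
      i = 2
      while (i <= NF && $i ~ /^--/) i++
      base = $i
      # an earlier named stage carries its effective user over; anything else
      # is an external image and is assumed to run as root
      user = (base in stage_user) ? stage_user[base] : "root"
      stage = ""
      for (j = i + 1; j < NF; j++)
        if (toupper($j) == "AS") stage = $(j + 1)
      if (stage != "") stage_user[stage] = user
      next
    }

    # USER sets the effective user for the rest of the stage
    toupper($1) == "USER" {
      user = $2
      sub(/:.*/, "", user)              # "app:app" -> "app", "1000:1000" -> "1000"
      if (user ~ /^\$/) user = "root"   # unresolved ARG/ENV: assume the worst
      if (stage != "") stage_user[stage] = user
      next
    }

    # root by name, by uid 0, or because no FROM/USER was ever seen
    END { exit !(user == "root" || user == "0" || user == "") }
  ' "$1"
}
```

Run it over every Dockerfile in a checkout, for example with `find . -name 'Dockerfile*' -exec sh -c 'dockerfile_runs_as_root "$1" && echo "ROOT: $1"' _ {} \;` after sourcing the function, to get the same per-file verdict the policy table summarises.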

Usage

Scan

Run a compliance audit on a GitHub organization or specific repositories:

# Scan an entire organization
buildflow-trust scan --org my-company

# Scan specific repositories
buildflow-trust scan --repo my-company/api
buildflow-trust scan --repo my-company/api --repo my-company/web

# Scan with custom config
buildflow-trust scan --org my-company --config ./buildflow-trust.json

# Preview what would be scanned
buildflow-trust scan --org my-company --dry-run

Auth

Manage GitHub authentication:

buildflow-trust auth login     # Authenticate (opens browser)
buildflow-trust auth status    # Check authentication status
buildflow-trust auth logout    # Clear stored credentials

Init

Interactive setup wizard to create a configuration file:

buildflow-trust init

Validate

Check that your configuration file is valid:

buildflow-trust validate --config buildflow-trust.json

Configuration

BuildFlow Trust looks for configuration in these locations (in order):

  1. buildflow-trust.json
  2. .buildflow-trust.json
  3. config/buildflow-trust.json
  4. ~/.buildflow-trust.json

Example buildflow-trust.json:

{
  "organization": {
    "name": "your-org",
    "default_branch": "main",
    "fallback_branches": ["master", "develop"]
  },
  "policies": {
    "docker_root_user": { "enabled": true, "severity": "critical" },
    "code_owners": { "enabled": true, "severity": "medium" },
    "secret_exposure": {
      "enabled": true,
      "severity": "critical",
      "patterns": [".env", ".env.local", ".env.production", "credentials.json", "secrets.yaml"]
    },
    "branch_protection": {
      "enabled": true,
      "severity": "high",
      "min_reviewers": 1,
      "require_dismiss_stale": true,
      "require_admin_enforcement": true
    },
    "sox_separation": { "enabled": true, "severity": "critical" }
  }
}

Environment Variables

Variable                        Required  Description
GITHUB_TOKEN                    Yes       GitHub personal access token or fine-grained token
BUILDFLOW_TRUST_ORG             No        Default organization (overridden by --org)
BUILDFLOW_TRUST_DEFAULT_BRANCH  No        Default branch to check (default: main)

Required GitHub Token Permissions

  • Classic token: repo
  • Fine-grained token: contents: read, pull_requests: read, administration: read (administration: read is what the branch protection check needs; the branch protection API is unavailable without it)

Prefer a fine-grained, read-only token scoped to the organization being scanned: the classic repo scope grants read and write access to every repository the token owner can reach, far more than a scanner needs.

Sample Output

+---------------------------------------------------------+
|         BuildFlow Trust Compliance Scanner                |
+---------------------------------------------------------+

  Organization:    your-org
  Default Branch:  main
  Policies:        5 built-in

  Policies Enabled:
    POL-SEC-01 (Docker Root User)  [x]
    POL-GOV-02 (Code Owners)  [x]
    POL-SEC-03 (Secret Exposure)  [x]
    POL-SEC-04 (Branch Protection)  [x]
    POL-SOX-01 (SOX Separation)  [x]

+---------------------------------------------------------+
|                   Scan Results                           |
+---------------------------------------------------------+

  [PASS] Compliance Score:    87.5%
  Repositories Scanned:  12
  Compliant Repos:       9
  Non-Compliant Repos:   3
  Total Checks:          48  (42 passed, 6 failed)

  +--------------+----------------------+----------+------+------+-----------+
  | Policy       | Name                 | Severity | Pass | Fail | Rate      |
  +--------------+----------------------+----------+------+------+-----------+
  | POL-SEC-01   | Docker Root User     | CRITICAL |   10 |    2 | !!  83%   |
  | POL-GOV-02   | CODEOWNERS           | MEDIUM   |   12 |    0 | OK 100%   |
  | POL-SEC-03   | Secret Exposure      | CRITICAL |   11 |    1 | !!  92%   |
  | POL-SEC-04   | Branch Protection    | HIGH     |    9 |    3 | !!  75%   |
  | POL-SOX-01   | SOX Separation       | CRITICAL |   12 |    0 | OK 100%   |
  +--------------+----------------------+----------+------+------+-----------+

Verify Checksums

Each release includes a checksums.txt file. Download it from the same release as the binary, place both in the same directory, and check the entry for the file you fetched (GNU coreutils needs --ignore-missing so that entries for the other platforms' binaries are skipped rather than reported as missing; macOS ships shasum instead of sha256sum):

# Linux (GNU coreutils)
sha256sum --ignore-missing -c checksums.txt

# macOS
grep buildflow-trust-darwin-arm64 checksums.txt | shasum -a 256 -c
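The per-platform install commands above fetch the binary and move it into /usr/local/bin without any check, and the checksum step is a separate manual action. The following added example, which is not part of the project, folds verification into the download so that an unverified file never reaches the install path. It assumes the asset names used in the install commands (buildflow-trust-<os>-<arch>) and the standard sha256sum line format in checksums.txt (digest, whitespace, file name, with or without the binary-mode `*` prefix); the function names are the example's own. Because checksums.txt comes from the same release as the binary, this detects a corrupted or substituted download but cannot on its own establish that the release itself is authentic.

```shell
#!/bin/sh
# Added example (not part of BuildFlow Trust): download a release asset and its
# checksums.txt, verify the digest, and only then install.

# Print the SHA-256 of a file using whichever tool the platform provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# expected_sum CHECKSUMS_FILE ASSET_NAME
# Print the digest listed for ASSET_NAME; matches "digest  name" and "digest *name".
expected_sum() {
  awk -v name="$2" '$2 == name || $2 == ("*" name) { print $1; exit }' "$1"
}

# verify_release_asset CHECKSUMS_FILE ASSET_PATH
# Exit status: 0 = digest matches, 1 = mismatch, 2 = asset not listed at all.
verify_release_asset() {
  checksums=$1
  asset=$2
  name=$(basename "$asset")
  want=$(expected_sum "$checksums" "$name")
  if [ -z "$want" ]; then
    echo "no checksum entry for $name in $checksums" >&2
    return 2
  fi
  got=$(sha256_of "$asset")
  if [ "$got" != "$want" ]; then
    echo "checksum mismatch for $name: expected $want, got $got" >&2
    return 1
  fi
  echo "verified $name ($got)"
}

# install_verified ASSET_NAME
# Fetch checksums.txt and the named asset from the latest release into a
# temporary directory, verify, then install as /usr/local/bin/buildflow-trust.
install_verified() {
  base="https://github.com/Build-Flow-Labs/buildflow-trust-oss/releases/latest/download"
  tmp=$(mktemp -d)
  curl -fsSL "$base/checksums.txt" -o "$tmp/checksums.txt"
  curl -fsSL "$base/$1" -o "$tmp/$1"
  verify_release_asset "$tmp/checksums.txt" "$tmp/$1" || return $?
  chmod +x "$tmp/$1"
  sudo mv "$tmp/$1" /usr/local/bin/buildflow-trust
  rm -rf "$tmp"
}

# Example: install_verified buildflow-trust-linux-amd64
```

A non-zero return from verify_release_asset stops install_verified before chmod and mv run, so a truncated download or an asset that is missing from checksums.txt is never installed; the same function can be pointed at a file downloaded by hand.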

Upgrade

# Homebrew
brew upgrade buildflow-trust

# Or re-download the latest binary for your platform (Apple Silicon shown) and verify its checksum as described above
curl -L https://github.com/Build-Flow-Labs/buildflow-trust-oss/releases/latest/download/buildflow-trust-darwin-arm64 -o buildflow-trust

Need More?

BuildFlow Trust Team and Enterprise editions include:

  • 20+ compliance policies
  • 6 compliance framework mappings (SOC2, SOX, NIST, HIPAA, ISO 27001, PCI DSS)
  • JSON, HTML, and PDF report exports
  • Web dashboard with trend lines
  • Auto-remediation via pull requests
  • Slack and webhook notifications
  • Repository scoping and filtering
  • Custom Rego policy authoring
  • Multi-org support and RBAC

Learn more at buildflowlabs.com.

License

BuildFlow Trust is free to use. See LICENSE for terms.

Copyright (c) 2025-2026 A.O.E. Holdings Group LLC.
