CAST is a DevSecOps governance toolkit for GitHub Actions and GitLab CI — so a single DevOps engineer can enforce pipeline standards across every team, without personally reviewing every repository.
- Why CAST
- What You Get
- Quick Start
- CLI Reference
- Templates
- Pipeline Architecture
- Contributing
- License
The problem isn't that teams lack security tools. It's that one DevOps engineer's standards can't reach every team's pipeline.
The typical situation: a DevOps engineer defines a secure, policy-compliant pipeline for one project. Other teams write their own — often AI-generated, often untested against security standards, always "good enough to push." The DevOps engineer can't review every PR across every repository. Pipeline quality varies. Security gaps accumulate silently.
CAST is the governance layer that changes this. It's not "DevSecOps for teams with no DevOps expertise." It's "DevSecOps standards that enforce themselves — without your personal attention on every repository."
- Zero configuration — auto-detects your stack and CI platform, writes the workflow file
- Security-first — secrets scanning, SAST, SCA, and container scanning out of the box
- Policy as Code — OPA/conftest gate replaces fragile shell logic; policies are versioned
- Compliance dashboard — static HTML red/green board deployable to GitHub Pages
- Multi-platform — GitHub Actions and GitLab CI supported with identical security coverage
Each CAST template configures your repository with a full security stack:
| Layer | Tool | What It Does |
|---|---|---|
| Secrets Detection | Gitleaks | Scans entire git history for leaked credentials |
| SAST | Semgrep | Finds security bugs and anti-patterns in source code |
| SCA | pip-audit | Detects known vulnerabilities in dependencies |
| Container Security | Trivy | Scans Docker images for CVEs (skipped if no Dockerfile) |
| Code Quality | Ruff | Enforces code style and quality standards |
| Security Gate | conftest + OPA Rego | Policy-as-code gate; blocks merges on critical findings |
All findings surface in GitHub's Security tab or GitLab's Security dashboard. No external accounts, no SaaS dependencies.
pip install castops
cast initCAST auto-detects your project type and CI platform. One command. Done.
For GitLab CI:
cast init --platform gitlab- Copy the template for your stack:
curl -O https://raw.githubusercontent.com/castops/cast/main/src/cast_cli/templates/python/devsecops.yml- Move it to your repository:
mkdir -p .github/workflows
mv devsecops.yml .github/workflows/- Commit and push:
git add .github/workflows/devsecops.yml
git commit -m "ci: add CAST DevSecOps pipeline"
git pushYour pipeline is live. GitHub Actions will run all security checks on every push and pull request.
The cast CLI is the fastest way to add a DevSecOps pipeline to any project.
pip install castopsInitialize a DevSecOps pipeline in the current directory.
Usage: cast init [OPTIONS]
Initialize a DevSecOps pipeline for your project.
Options:
-f, --force Overwrite existing workflow file.
-t, --type TEXT Project type (python/nodejs/go). Auto-detected if omitted.
-p, --platform TEXT CI platform (github/gitlab). Auto-detected if omitted.
--help Show this message and exit.
Examples:
# Auto-detect project type and platform
cast init
# Specify project type explicitly
cast init --type nodejs
# Generate a GitLab CI pipeline
cast init --platform gitlab
# Go project on GitLab
cast init --type go --platform gitlab
# Overwrite an existing workflow
cast init --forceAuto-detection logic:
CAST detects your project type and CI platform by looking for marker files:
| Project Type | Marker Files |
|---|---|
| Python | pyproject.toml, requirements.txt, setup.py, setup.cfg |
| Node.js | package.json |
| Go | go.mod |
| CI Platform | Detected by |
|---|---|
| GitLab | .gitlab-ci.yml exists |
| GitHub | .github/ directory exists (default) |
Audit the current repo's pipeline against CAST baseline compliance.
Usage: cast audit [OPTIONS] [PATH]
Audit the current repo's pipeline against CAST baseline.
Options:
--json Output results as JSON.
--help Show this message and exit.
Examples:
# Check current directory
cast audit
# Check a specific repository
cast audit /path/to/repo
# Machine-readable output
cast audit --jsonChecks performed:
| Check | What it verifies |
|---|---|
| Workflow file exists | .github/workflows/*.yml or .gitlab-ci.yml present |
| Secrets scanning | Gitleaks or equivalent configured |
| SAST | Semgrep, CodeQL, or equivalent configured |
| Dependency scanning (SCA) | pip-audit, npm audit, govulncheck, etc. |
| Container scanning | Trivy or equivalent configured |
| Code quality | Ruff, ESLint, staticcheck, etc. |
| SARIF upload | Findings uploaded to GitHub Security tab |
| Security gate | conftest/OPA policy gate configured |
| Action pinning (SHA) | GitHub Actions pinned by commit SHA |
| Workflow permissions | Top-level permissions block declared |
| OpenSSF Scorecard | Scorecard workflow integrated |
| Branch protection | Informational only (requires GitHub API) |
Exit codes: 0 = all checks passed, 1 = one or more checks failed.
Check if your CAST workflow is up-to-date with the latest baseline template.
Usage: cast upgrade [OPTIONS] [PATH]
Check if your CAST workflow is up-to-date with the latest baseline.
Options:
--diff Show unified diff between current and baseline.
--help Show this message and exit.
Examples:
# Check for drift
cast upgrade
# Show detailed diff
cast upgrade --diffExit codes: 0 = up-to-date, 1 = drift detected or no workflow found.
Audit multiple repositories at once — the organization-level governance view.
Usage: cast org audit [OPTIONS] ORG_PATH
Organization-level governance: audit multiple repos at once.
Options:
--json Output results as JSON.
--help Show this message and exit.
Examples:
# Scan a directory of repos
cast org audit ~/my-org-repos/
# JSON output for dashboards/CI
cast org audit --json ~/my-org-repos/Output table:
| Repo | CAST installed | Security gate | Score |
|---|---|---|---|
| repo-a | yes | yes | 92 |
| repo-b | no | no | 34 |
List available baseline profiles for cast init --profile.
cast profilesAvailable profiles:
| Profile | Policy | Scorecard | SLSA | Use case |
|---|---|---|---|---|
opensource |
permissive | — | — | Public open-source projects |
enterprise |
strict | ✓ | ✓ | Enterprise with compliance requirements |
strict |
strict | ✓ | — | Maximum security posture |
ai-generated-code |
strict | ✓ | — | AI-generated codebases with extra checks |
cast init --profile enterpriseInitialize a pipeline with a pre-configured baseline profile.
# Enterprise: strict policy + Scorecard + SLSA
cast init --profile enterprise
# Open-source: permissive policy, minimal overhead
cast init --profile opensource
# AI-generated code: extra lint rules for generated code
cast init --profile ai-generated-codeDisplay the installed version of castops.
cast version
# cast 0.1.0CAST ships with production-tested workflow templates for multiple stacks.
| Stack | Security Tools | Status |
|---|---|---|
| Python | Gitleaks + Semgrep + pip-audit + Trivy + Ruff | ✅ Available |
| Node.js | Gitleaks + Semgrep + npm audit + Trivy + ESLint | ✅ Available |
| Go | Gitleaks + Semgrep + govulncheck + Trivy + staticcheck | ✅ Available |
| Stack | Security Tools | Status |
|---|---|---|
| Python | Gitleaks + Semgrep + pip-audit + Trivy + Ruff | ✅ Available |
| Node.js | Gitleaks + Semgrep + npm audit + Trivy + ESLint | ✅ Available |
| Go | Gitleaks + Semgrep + govulncheck + Trivy + staticcheck | ✅ Available |
| Policy | Blocks on | Activate via |
|---|---|---|
default |
CRITICAL findings | (default) |
strict |
HIGH + CRITICAL | CAST_POLICY=strict |
permissive |
Never (audit only) | CAST_POLICY=permissive |
See docs/policy-reference.md for custom policy authoring.
Each CAST pipeline runs 5 parallel security jobs followed by 1 gate job that controls whether a pull request can be merged. The example below shows the Python pipeline; Node.js and Go pipelines follow the same structure with stack-appropriate tools.
┌─────────────────────────────────────────────────────────────┐
│ CAST DevSecOps Pipeline │
│ │
│ ┌──────────────┐ ┌──────┐ ┌─────┐ ┌───────────┐ │
│ │ Secrets │ │ SAST │ │ SCA │ │ Container │ │
│ │ (Gitleaks) │ │(Semgrep)│ │(pip-│ │ (Trivy) │ │
│ │ │ │ │ │audit│ │ │ │
│ └──────┬───────┘ └──┬───┘ └──┬──┘ └─────┬─────┘ │
│ │ │ │ │ │
│ └─────────────┴────┬────┴────────────┘ │
│ │ │
│ ┌───────▼────────┐ │
│ │ Security Gate │ │
│ │ (blocks merge) │ │
│ └───────────────┘ │
│ │
│ ┌─────────────┐ │
│ │ Ruff │ (runs independently, informational) │
│ │ (Quality) │ │
│ └─────────────┘ │
└─────────────────────────────────────────────────────────────┘
The pipeline runs on:
| Event | Branches |
|---|---|
push |
main, master |
pull_request |
main, master |
workflow_dispatch |
Any (manual trigger) |
The gate job runs after all security checks complete, regardless of individual job results:
IF secrets == "failure" OR sast == "failure" OR sca == "failure"
→ Block merge (exit 1)
ELSE
→ Allow merge (exit 0)
Code quality failures (Ruff) do not block merges by default. Adjust the gate job's
needsarray in the workflow to change this behavior.
All security findings (Semgrep, Trivy) are uploaded to GitHub's Security tab via SARIF. This means:
- All vulnerabilities are tracked as GitHub Security alerts
- Developers see findings inline on pull request diffs
- Security history is retained without any external tools
- GitHub or GitLab repository with CI/CD enabled
- Python 3.9+ (for CLI usage)
- No additional accounts, tokens, or external services required
Optional: Set
SEMGREP_APP_TOKENas a secret to enable Semgrep's cloud dashboard and additional rulesets.
CAST can generate a static HTML compliance dashboard — red/green status per project, collapsible finding details, zero JavaScript dependencies.
python dashboard/generate.py --sarif-dir sarif-results --output index.htmlDeploy to GitHub Pages with the included workflow:
templates/github/publish-dashboard.yml → .github/workflows/publish-dashboard.yml
See docs/dashboard-guide.md for setup instructions.
| Guide | Description |
|---|---|
| Getting Started | Step-by-step setup for your first pipeline |
| CLI Reference | Full cast command reference |
| Pipeline Reference | How each pipeline job works |
| GitLab Guide | GitLab CI setup and configuration |
| Policy Reference | Writing custom OPA/conftest policies |
| Plugin Guide | Extending CAST with custom security tools |
| Dashboard Guide | Security dashboard setup and GitHub Pages deployment |
Chinese documentation: docs/zh/
We welcome contributions. See CONTRIBUTING.md for details on:
- Development setup
- Adding new language templates
- Running tests
- Submitting pull requests
To report a security vulnerability in CAST itself, see SECURITY.md.
One engineer's standards. Every team's pipeline.
CAST is the answer to a scaling problem: a single DevOps engineer cannot personally review every CI/CD pipeline across every team. CAST packages expert-validated standards as executable templates and policy gates — so the standard is enforced by the pipeline itself, not by PR review.
AI can generate a pipeline that runs. CAST enforces a pipeline that complies.
CAST is not another security scanner. It is the enforcement layer that translates industry standards into executable CI baselines:
OpenSSF Scorecard tells you what is wrong. CAST helps you install and enforce the fix across CI/CD.
Scorecard evaluates open-source project security practices. CAST takes those findings — along with org-specific policies — and turns them into automated checks that run on every commit. Together, they provide full-cycle governance: Scorecard for assessment, CAST for enforcement.
Use cast init --profile enterprise to install a baseline that includes OpenSSF Scorecard
integration out of the box.
Apache 2.0 — see LICENSE for details.