sdgops ~ baghguard.sh

$ cat project.yaml

name: Baghguard

type: Security Scanning Platform

stack:

- Python · PostgreSQL

- Kubernetes · Argo CD

- Terraform · Terragrunt · AWS

scanners:

- Trivy · Grype · Gitleaks · Checkov · OPA

status: ● active development_

Baghguard

GitOps-native security scanning for Kubernetes

Scanning Baked Into the Pipeline

Baghguard is a GitOps-native security scanning platform that plugs straight into a CI/CD pipeline. A webhook receiver validates incoming GitHub HMAC signatures, then triggers a Kubernetes Job that runs a battery of industry-standard scanners across the repository — no bolted-on SaaS dashboard, no manual triggering.

Every scanner's output gets normalized into a unified schema and stored in Postgres, so findings from five different tools show up in one consistent format. Critical findings are pushed straight to Slack and email — the team hears about a problem before it ships, not after.

GitHub Push
Webhook Validates HMAC
K8s Job Runs Scanners
Normalizer → Postgres
Slack / Email Alert

Four Layers, One Platform

Microservices Core

Python microservices built on the standard library's http.server — no framework overhead. A webhook receiver, normalizer, Slack/email alerters, and a Config UI with GitHub OAuth login, each with its own Dockerfile and requirements.txt.

Python (stdlib) PostgreSQL Docker

Security Scanning Engine

Trivy for CVEs and IaC scanning, Grype for dependency vulnerabilities, Gitleaks for secret detection, Checkov for Terraform misconfigurations, and OPA for policy enforcement — each running as its own Kubernetes Job.

Trivy · Grype Gitleaks · Checkov OPA

GitOps & Infrastructure

Kubernetes manifests deployed via Argo CD, running locally on a kind cluster for development. Terraform managed through Terragrunt provisions the AWS side — VPC, EKS for prod, RDS Postgres, S3, and ECR — with remote state split across dev and prod.

Argo CD Terraform · Terragrunt AWS EKS

Pipeline Integration

A custom GitHub Action — pipelineguard-action — aggregates scanner results in Python so any other repository's pipeline can pull in Baghguard's findings without standing up the whole platform.

GitHub Actions Python

Built for Real Pipelines

Baghguard is under active development — Python microservices, Kubernetes-native scanning, and GitOps deployment, all wired together to catch problems before they reach production.

← Back to Projects