$ cat project.yaml
name: Baghguard
type: Security Scanning Platform
stack:
- Python · PostgreSQL
- Kubernetes · Argo CD
- Terraform · Terragrunt · AWS
scanners:
- Trivy · Grype · Gitleaks · Checkov · OPA
status: ● active development_
GitOps-native security scanning for Kubernetes
// overview
Baghguard is a GitOps-native security scanning platform that plugs straight into a CI/CD pipeline. A webhook receiver validates incoming GitHub HMAC signatures, then triggers a Kubernetes Job that runs a battery of industry-standard scanners across the repository — no bolted-on SaaS dashboard, no manual triggering.
Every scanner's output gets normalized into a unified schema and stored in Postgres, so findings from five different tools show up in one consistent format. Critical findings are pushed straight to Slack and email — the team hears about a problem before it ships, not after.
// architecture
Python microservices built on the standard library's http.server — no framework overhead. A webhook receiver, normalizer, Slack/email alerters, and a Config UI with GitHub OAuth login, each with its own Dockerfile and requirements.txt.
Trivy for CVEs and IaC scanning, Grype for dependency vulnerabilities, Gitleaks for secret detection, Checkov for Terraform misconfigurations, and OPA for policy enforcement — each running as its own Kubernetes Job.
Kubernetes manifests deployed via Argo CD, running locally on a kind cluster for development. Terraform managed through Terragrunt provisions the AWS side — VPC, EKS for prod, RDS Postgres, S3, and ECR — with remote state split across dev and prod.
A custom GitHub Action — pipelineguard-action — aggregates scanner results in Python so any other repository's pipeline can pull in Baghguard's findings without standing up the whole platform.
// status
Baghguard is under active development — Python microservices, Kubernetes-native scanning, and GitOps deployment, all wired together to catch problems before they reach production.