thinkgrid-labs/greengate
GitHub: thinkgrid-labs/greengate
A zero-dependency DevOps CLI written in Rust that bundles secret scanning, AST static analysis, dependency auditing, K8s checks, coverage gating, SBOM generation and a dozen other CI quality checks into a single binary.
Stars: 1 | Forks: 0
# GreenGate — Rust DevOps CLI for CI quality gates
**[Docs](https://thinkgrid-labs.github.io/greengate)** · [Commands](https://thinkgrid-labs.github.io/greengate/commands/scan) · [CI integration](https://thinkgrid-labs.github.io/greengate/guide/ci-integration) · [Config reference](https://thinkgrid-labs.github.io/greengate/reference/config)
## Features
| Command | Purpose |
|---|---|
| `greengate watch-install` | **Supply-chain protection** — wraps npm/yarn/pnpm/bun and aborts when a phantom postinstall dropper is detected |
| `greengate scan` | Secret, PII and AST-based SAST scanning for JS/TS/Python/Go |
| `greengate audit` | OSV dependency vulnerability audit |
| `greengate review` | PR complexity scoring + coverage-gap check for new code |
| `greengate lint` | Kubernetes manifest linting |
| `greengate docker-lint` | Dockerfile best-practice checks |
| `greengate coverage` | LCOV / Cobertura coverage threshold gate |
| `greengate lighthouse` | PageSpeed Insights performance gate |
| `greengate reassure` | React component render regression gate |
| `greengate sbom` | CycloneDX 1.5 SBOM generation |
| `greengate run` | Run all quality gates defined in `.greengate.toml` |
| `greengate install-hooks` | Install as a git pre-commit hook |
## Installation
**macOS (Apple Silicon):**
```sh
curl -sL https://github.com/thinkgrid-labs/greengate/releases/latest/download/greengate-macos-arm64 \
  -o /usr/local/bin/greengate && chmod +x /usr/local/bin/greengate
```
**macOS (Intel):**
```sh
curl -sL https://github.com/thinkgrid-labs/greengate/releases/latest/download/greengate-macos-amd64 \
  -o /usr/local/bin/greengate && chmod +x /usr/local/bin/greengate
```
**Linux (x64):**
```sh
curl -sL https://github.com/thinkgrid-labs/greengate/releases/latest/download/greengate-linux-amd64 \
  -o /usr/local/bin/greengate && chmod +x /usr/local/bin/greengate
```
**Windows (x64) — PowerShell:**
```powershell
Invoke-WebRequest -Uri "https://github.com/thinkgrid-labs/greengate/releases/latest/download/greengate-windows-amd64.exe" `
  -OutFile "$env:USERPROFILE\.local\bin\greengate.exe"
```
**Build from source (Rust 1.85+):**
```sh
cargo install --git https://github.com/thinkgrid-labs/greengate
```
## Quick start
```sh
# Supply-chain-safe install: detects postinstall droppers in real time
greengate watch-install npm ci
# Scan for secrets and run SAST
greengate scan
# Audit dependencies for known CVEs
greengate audit
# Analyse a PR: complexity score + coverage gaps in new code
greengate review --base main --coverage-file coverage/lcov.info
# Enforce an 80% minimum coverage
greengate coverage --file coverage/lcov.info --min 80
# Lint Kubernetes manifests
greengate lint --dir ./k8s
# Install as a git pre-commit hook
greengate install-hooks
# Run all gates defined in the config
greengate run
```
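The coverage gate above compares the line coverage recorded in `coverage/lcov.info` against `--min`. The following std-only Rust program is an added illustration of that semantics, not GreenGate's own code: it parses an LCOV tracefile, recomputes line coverage from the `DA:` records instead of trusting the `LF:`/`LH:` summaries (so a mis-generated or hand-edited summary cannot inflate the result), and applies an 80% threshold. The report, the function names and the `Result` shape are this example's own assumptions.

```rust
// Added example, not GreenGate's own code: a minimal LCOV line-coverage gate
// with the semantics of `greengate coverage --file coverage/lcov.info --min 80`,
// written against std only. SAMPLE_LCOV below is a constructed report.
use std::collections::HashMap;

/// Line totals for one source file, aggregated from its `DA:` records.
#[derive(Debug, Default, PartialEq)]
pub struct FileCoverage {
    pub lines_found: u32,
    pub lines_hit: u32,
}

/// Parse an LCOV tracefile. `SF:<path>` opens a file record, `DA:<line>,<count>`
/// marks an instrumented line with its execution count, `end_of_record` closes
/// the file. The `LF:`/`LH:` summary lines are deliberately ignored: totals are
/// recomputed from `DA:` entries so an inconsistent summary cannot inflate them.
pub fn parse_lcov(report: &str) -> HashMap<String, FileCoverage> {
    let mut files: HashMap<String, FileCoverage> = HashMap::new();
    let mut current: Option<String> = None;
    for raw in report.lines() {
        let line = raw.trim();
        if let Some(path) = line.strip_prefix("SF:") {
            files.entry(path.to_string()).or_default();
            current = Some(path.to_string());
        } else if let Some(rest) = line.strip_prefix("DA:") {
            // Format: DA:<line>,<count>[,<checksum>]; a malformed count reads as 0.
            let count: u64 = rest
                .split(',')
                .nth(1)
                .and_then(|c| c.trim().parse().ok())
                .unwrap_or(0);
            if let Some(entry) = current.as_ref().and_then(|p| files.get_mut(p)) {
                entry.lines_found += 1;
                if count > 0 {
                    entry.lines_hit += 1;
                }
            }
        } else if line == "end_of_record" {
            current = None;
        }
    }
    files
}

/// Overall line coverage in percent across all files; no instrumented lines is 0%.
pub fn total_coverage(files: &HashMap<String, FileCoverage>) -> f64 {
    let (found, hit) = files
        .values()
        .fold((0u32, 0u32), |(f, h), c| (f + c.lines_found, h + c.lines_hit));
    if found == 0 { 0.0 } else { 100.0 * f64::from(hit) / f64::from(found) }
}

/// The gate itself: Ok(percent) when the threshold is met, Err(percent) otherwise,
/// so a caller can map the two cases to exit codes.
pub fn coverage_gate(report: &str, min_percent: f64) -> Result<f64, f64> {
    let pct = total_coverage(&parse_lcov(report));
    if pct >= min_percent { Ok(pct) } else { Err(pct) }
}

/// Constructed sample: 10 instrumented lines, 8 of them executed (80%).
/// The LF/LH summary of the first file is deliberately wrong (claims 3 of 3).
pub const SAMPLE_LCOV: &str = "\
SF:src/auth.rs
DA:1,5
DA:2,5
DA:3,0
DA:4,2
LF:3
LH:3
end_of_record
SF:src/main.rs
DA:10,1
DA:11,1
DA:12,1
DA:13,0
DA:14,1
DA:15,1
LF:6
LH:5
end_of_record
";

fn main() {
    match coverage_gate(SAMPLE_LCOV, 80.0) {
        Ok(pct) => println!("coverage gate passed: {pct:.1}% >= 80%"),
        Err(pct) => {
            eprintln!("coverage gate failed: {pct:.1}% < 80%");
            std::process::exit(1);
        }
    }
}
```

Returning `Result<f64, f64>` rather than a bool keeps the measured value available to both branches, which is what a CI step needs to print a useful message before choosing its exit code.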
## GitHub Actions
```yaml
- name: Install GreenGate
  run: |
    curl -sL https://github.com/thinkgrid-labs/greengate/releases/latest/download/greengate-linux-amd64 \
      -o /usr/local/bin/greengate && chmod +x /usr/local/bin/greengate

# Replaces a plain `npm ci` — aborts if a postinstall script drops and then deletes a binary
- name: Supply-chain safe install
  run: greengate watch-install npm ci

- name: Secret, PII & SAST scan
  run: greengate scan --annotate
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Dependency audit (OSV)
  run: greengate audit

- name: PR review (complexity + coverage gaps)
  if: github.event_name == 'pull_request'
  run: |
    greengate review \
      --base "${{ github.event.pull_request.base.sha }}" \
      --coverage-file coverage/lcov.info \
      --min-coverage 80 \
      --annotate
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    GITHUB_REPOSITORY: ${{ github.repository }}
    GITHUB_SHA: ${{ github.sha }}

- name: Coverage gate
  run: greengate coverage --file coverage/lcov.info --min 80
```
## Configuration
Create `.greengate.toml` in the root of your repository. All fields are optional:
```toml
[supply_chain]
block_phantom_scripts = true
enforce_sandbox = true
allow_postinstall = ["esbuild", "prisma", "@swc/core"]

[scan]
exclude_patterns = ["tests/**", "*.test.ts", "vendor/**"]
entropy = true
entropy_threshold = 4.5

[coverage]
file = "coverage/lcov.info"
min = 80.0

[review]
min_new_code_coverage = 80
complexity_budget = 0 # 0 = warn only; > 0 = hard fail threshold

[pipeline]
steps = ["scan", "review --base main --coverage-file coverage/lcov.info", "coverage", "audit"]
```
Full reference → [docs/reference/config](https://thinkgrid-labs.github.io/greengate/reference/config)
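The `[scan]` keys above combine two mechanisms: path exclusion via globs and entropy-based detection of secret-shaped tokens at a threshold of 4.5 bits per character. The std-only Rust program below is an added illustration of how those settings interact, not GreenGate's own scanner: it applies the README's three exclude patterns with `.gitignore`-style matching (a pattern containing `/` is matched against the whole path, one without `/` against the file name at any depth), then computes Shannon entropy for every token of 20 or more characters from `[A-Za-z0-9+/=_-]`. The glob matcher, the token rule and the sample files are this example's assumptions.

```rust
// Added example, not GreenGate's own code: the behaviour the `[scan]` keys
// `exclude_patterns`, `entropy` and `entropy_threshold` describe, written with
// std only. The glob matcher, the token rule (20+ characters of [A-Za-z0-9+/=_-])
// and the sample files are constructed for this example.
use std::collections::HashMap;

/// Shannon entropy of `s` in bits per character (0.0 for an empty string).
/// A 32-character token with no repeated character scores exactly 5.0.
pub fn shannon_entropy(s: &str) -> f64 {
    let mut counts: HashMap<char, usize> = HashMap::new();
    for c in s.chars() {
        *counts.entry(c).or_insert(0) += 1;
    }
    let n = s.chars().count() as f64;
    if n == 0.0 {
        return 0.0;
    }
    counts
        .values()
        .map(|&k| {
            let p = k as f64 / n;
            -p * p.log2()
        })
        .sum()
}

/// Minimal anchored glob: `**` matches anything including `/`, `*` matches
/// within a single path segment, every other byte is literal.
pub fn glob_match(pattern: &str, path: &str) -> bool {
    fn go(p: &[u8], s: &[u8]) -> bool {
        match p {
            [] => s.is_empty(),
            [b'*', b'*', rest @ ..] => {
                // `tests/**` must also match `tests/` itself, so `**/` may match nothing.
                let rest = rest.strip_prefix(b"/").unwrap_or(rest);
                (0..=s.len()).any(|i| go(rest, &s[i..]))
            }
            [b'*', rest @ ..] => (0..=s.len())
                .take_while(|&i| i == 0 || s[i - 1] != b'/')
                .any(|i| go(rest, &s[i..])),
            [c, rest @ ..] => !s.is_empty() && s[0] == *c && go(rest, &s[1..]),
        }
    }
    go(pattern.as_bytes(), path.as_bytes())
}

/// `.gitignore`-style rule: a pattern containing `/` is matched against the
/// whole path, one without `/` against the file name at any depth.
pub fn is_excluded(patterns: &[&str], path: &str) -> bool {
    let name = path.rsplit('/').next().unwrap_or(path);
    patterns.iter().any(|pat| {
        if pat.contains('/') { glob_match(pat, path) } else { glob_match(pat, name) }
    })
}

#[derive(Debug, PartialEq)]
pub struct Finding {
    pub path: String,
    pub line: usize,
    pub token: String,
    pub entropy: f64,
}

/// Scan in-memory files: skip excluded paths, then flag every secret-shaped
/// token whose entropy reaches `threshold`. With `entropy = false` nothing is
/// reported here; the README's pattern-based secret rules are a separate concern.
pub fn scan_files(files: &[(&str, &str)], exclude: &[&str], entropy: bool, threshold: f64) -> Vec<Finding> {
    let mut findings = Vec::new();
    if !entropy {
        return findings;
    }
    for &(path, content) in files {
        if is_excluded(exclude, path) {
            continue;
        }
        for (idx, line) in content.lines().enumerate() {
            let tokens = line.split(|c: char| !(c.is_ascii_alphanumeric() || "+/=_-".contains(c)));
            for tok in tokens.filter(|t| t.len() >= 20) {
                let h = shannon_entropy(tok);
                if h >= threshold {
                    findings.push(Finding { path: path.to_string(), line: idx + 1, token: tok.to_string(), entropy: h });
                }
            }
        }
    }
    findings
}

/// Constructed inputs mirroring the README's `[scan]` section; only the first
/// file is in scope, and only its first line carries a high-entropy token.
pub const EXCLUDE: &[&str] = &["tests/**", "*.test.ts", "vendor/**"];
pub const SAMPLE_FILES: &[(&str, &str)] = &[
    ("src/config.ts", "const apiKey = \"ABCDEFGHIJKLMNOPQRSTUVWXYZ012345\";\nconst user = \"user_name_lowercase_only\";\n"),
    ("src/auth.test.ts", "const fixture = \"ABCDEFGHIJKLMNOPQRSTUVWXYZ012345\";\n"),
    ("tests/fixtures/keys.ts", "export const k = \"ABCDEFGHIJKLMNOPQRSTUVWXYZ012345\";\n"),
    ("vendor/minified.js", "var k=\"ABCDEFGHIJKLMNOPQRSTUVWXYZ012345\";\n"),
];

fn main() {
    for f in scan_files(SAMPLE_FILES, EXCLUDE, true, 4.5) {
        println!("{}:{}: high-entropy token ({:.2} bits/char): {}", f.path, f.line, f.entropy, f.token);
    }
}
```

Two points worth noting when tuning `entropy_threshold`: a token of length L can score at most log2(L) bits per character, so short tokens can never reach 4.5 regardless of content, and broad `exclude_patterns` such as `tests/**` silence real credentials committed as fixtures, so exclusions deserve the same review as the findings themselves.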
## Documentation
Full guides, the command reference and CI examples are on the **[documentation site](https://thinkgrid-labs.github.io/greengate)**:
- [Getting started](https://thinkgrid-labs.github.io/greengate/guide/getting-started)
- [CI/CD integration](https://thinkgrid-labs.github.io/greengate/guide/ci-integration)
- [Use cases](https://thinkgrid-labs.github.io/greengate/guide/use-cases)
- **Commands:** [watch-install](https://thinkgrid-labs.github.io/greengate/commands/watch-install) · [scan](https://thinkgrid-labs.github.io/greengate/commands/scan) · [audit](https://thinkgrid-labs.github.io/greengate/commands/audit) · [review](https://thinkgrid-labs.github.io/greengate/commands/review) · [coverage](https://thinkgrid-labs.github.io/greengate/commands/coverage) · [lint](https://thinkgrid-labs.github.io/greengate/commands/lint) · [docker-lint](https://thinkgrid-labs.github.io/greengate/commands/docker-lint) · [lighthouse](https://thinkgrid-labs.github.io/greengate/commands/lighthouse) · [reassure](https://thinkgrid-labs.github.io/greengate/commands/reassure) · [sbom](https://thinkgrid-labs.github.io/greengate/commands/sbom) · [run](https://thinkgrid-labs.github.io/greengate/commands/run)
- **Reference:** [Config](https://thinkgrid-labs.github.io/greengate/reference/config) · [Secret Patterns](https://thinkgrid-labs.github.io/greengate/reference/secret-patterns) · [SAST Rules](https://thinkgrid-labs.github.io/greengate/reference/sast-rules) · [Output Formats](https://thinkgrid-labs.github.io/greengate/reference/output-formats) · [Exit Codes](https://thinkgrid-labs.github.io/greengate/reference/exit-codes) · [Roadmap](https://thinkgrid-labs.github.io/greengate/reference/roadmap)
## Contributing
GreenGate is open source under the [MIT License](LICENSE). See [CONTRIBUTING.md](CONTRIBUTING.md) for details on adding secret patterns and SAST rules and on running the tests.
```sh
cargo test         # unit + integration tests
cargo clippy       # lint
cargo fmt --check  # formatting
```