feat: fluxgate v0.1.0 — CI/CD pipeline security scanner

Static analysis tool for GitHub Actions workflows detecting dangerous
security patterns including the Pwn Request misconfiguration (FG-001)
that enabled the Trivy supply chain compromise.

- 5 detection rules (FG-001 through FG-005)
- Local, remote, and batch scanning modes
- JSON, SARIF, and table output formats
- SQLite storage for batch research with resume support
- Markdown report generation for aggregate findings
- Exponential backoff retry for GitHub API rate limits

Signed-off-by: Christopher Lusk <christopherdlusk@gmail.com>

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: north-echo

.github/workflows/ci.yaml

@@ -0,0 +1,31 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  build-and-test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Setup Go
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version-file: go.mod
+
+      - name: Run tests
+        run: go test ./...
+
+      - name: Run vet
+        run: go vet ./...
+
+      - name: Build
+        run: go build ./cmd/fluxgate

.gitignore

@@ -0,0 +1,20 @@
+# Binary
+fluxgate
+dist/
+
+# SQLite databases
+*.db
+*.db-wal
+*.db-shm
+
+# Editor/OS
+.DS_Store
+*.swp
+*.swo
+*~
+.idea/
+.vscode/
+
+# Test artifacts
+test-report.md
+test-repos.txt

.goreleaser.yaml

@@ -0,0 +1,35 @@
+version: 2
+
+builds:
+  - id: fluxgate
+    main: ./cmd/fluxgate
+    binary: fluxgate
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+      - darwin
+    goarch:
+      - amd64
+      - arm64
+    ldflags:
+      - -s -w
+      - -X main.version={{.Version}}
+      - -X main.commit={{.Commit}}
+      - -X main.date={{.Date}}
+
+archives:
+  - id: fluxgate
+    format: tar.gz
+    name_template: "{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
+
+checksum:
+  name_template: "checksums.txt"
+
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - "^docs:"
+      - "^test:"
+      - "^chore:"

CONTRIBUTING.md

@@ -0,0 +1,59 @@
+# Contributing to Fluxgate
+
+Thank you for your interest in contributing to Fluxgate.
+
+## Getting Started
+
+1. Fork the repository and clone your fork.
+2. Ensure you have Go 1.22 or later installed.
+3. Run `go mod download` to fetch dependencies.
+
+## Development Workflow
+
+### Run Tests
+
+```bash
+go test ./...
+```
+
+### Format Code
+
+```bash
+gofmt -w .
+```
+
+### Vet Code
+
+```bash
+go vet ./...
+```
+
+### Build
+
+```bash
+go build ./cmd/fluxgate
+```
+
+## Submitting Changes
+
+1. Create a feature branch from `main`.
+2. Make your changes, ensuring all tests pass.
+3. Format your code with `gofmt`.
+4. Write clear commit messages.
+5. Open a pull request against `main`.
+
+## Adding Detection Rules
+
+New rules should:
+- Follow the existing rule function signature in `internal/scanner/rules.go`.
+- Include a unique rule ID (e.g., `FG-006`).
+- Have corresponding test fixtures in `test/fixtures/`.
+- Include unit tests in `internal/scanner/rules_test.go`.
+
+## Code of Conduct
+
+Be respectful and constructive. We are all working toward safer CI/CD pipelines.
+
+## License
+
+By contributing, you agree that your contributions will be licensed under the Apache 2.0 License.

Containerfile

@@ -0,0 +1,12 @@
+FROM docker.io/library/golang:1.22-bookworm AS builder
+WORKDIR /build
+COPY go.mod go.sum ./
+RUN go mod download
+COPY . .
+RUN CGO_ENABLED=1 go build -o fluxgate ./cmd/fluxgate
+
+FROM docker.io/library/debian:bookworm-slim
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    ca-certificates sqlite3 && rm -rf /var/lib/apt/lists/*
+COPY --from=builder /build/fluxgate /usr/local/bin/fluxgate
+ENTRYPOINT ["fluxgate"]

DISCLOSURE.md

@@ -0,0 +1,38 @@
+# Fluxgate Responsible Disclosure Protocol
+
+When Fluxgate's batch scanning identifies vulnerable workflows in
+public repositories, we follow this responsible disclosure process:
+
+## Timeline
+1. **Day 0:** Finding identified during batch scan
+2. **Day 1-3:** Finding verified manually (not a false positive)
+3. **Day 3-7:** Maintainer contacted via:
+   - Repository SECURITY.md contact (preferred)
+   - Security advisory on the repository (if enabled)
+   - Direct email to listed maintainers (fallback)
+4. **Day 7:** Confirmation of receipt requested
+5. **Day 37:** If no response, second notification attempt
+6. **Day 67:** Public disclosure of aggregate statistics
+   (vulnerable repos are NOT named if unpatched)
+
+## What We Disclose Publicly
+- Aggregate statistics (X of Y repos affected)
+- Rule descriptions and detection logic
+- Example vulnerable patterns (synthetic, not from real repos)
+- Remediation guidance
+
+## What We Do NOT Disclose Publicly
+- Names of affected repositories (until patched or 90-day window expires)
+- Specific workflow file contents from unpatched repos
+- Details that would enable exploitation
+
+## Exceptions
+- If a vulnerability is already being actively exploited in the wild
+  (as with the Trivy compromise), we may accelerate the timeline
+- If a maintainer requests extended time, we will accommodate up to
+  180 days for complex remediations
+
+## Contact
+If you believe Fluxgate has identified a vulnerability in your
+repository and you'd like to coordinate, contact:
+christopherdlusk@gmail.com or open a GitHub Security Advisory.