Helixar Labs
Policy Engine · MIT · Go

ReleaseGuard

Artifact policy engine for dist/ and release/ outputs.

Build pipelines ship secrets, debug symbols, and source maps every day without anyone noticing. ReleaseGuard closes that gap, scanning, hardening, signing, and attesting every artifact before it reaches a registry or CDN.

Status: Active
Latest: v0.1.6+
Language: Go
License: MIT

Install

go install github.com/helixar-ai/releaseguard@latest

The Problem

Build pipelines produce artifacts (minified bundles, binaries, container images, NPM packages), and most teams ship them with no systematic review of what is actually inside: secrets that should have been stripped, source maps that expose the entire codebase to anyone who looks, debug symbols that confirm every internal function name. These are not hypothetical risks; they are common findings in production deployments.

Software supply chain requirements have added a second layer of complexity: SBOMs, provenance attestations, and keyless signing are now expected for regulated and enterprise deployments. Doing each of these by hand, with separate tools, separate configs, separate output formats, is error-prone and rarely done consistently.

ReleaseGuard makes the full artifact lifecycle a single, auditable pipeline step: scan, harden, generate SBOM, sign, attest, and validate against policy. One tool. One CI stage. One result you can verify.

What It Does

Secrets & Artifact Scanning

Scans dist/ and release/ outputs for embedded secrets, API keys, source maps, debug symbols, and unexpected content across all build ecosystems.

Hardening Transforms

Applies deterministic hardening: symbol stripping, source map removal, obfuscation transforms, and metadata scrubbing before artifacts reach any registry.

SBOM Generation

Produces full CycloneDX and SPDX SBOMs across 10+ ecosystems, enriched with VEX data from OSV.dev for known vulnerability context.

Signing & Attestation

Keyless signing via Sigstore/Fulcio. Generates in-toto and SLSA provenance attestations. Everything cryptographically verifiable without managing keys.

Coverage

Six modules covering the full artifact security lifecycle.

Secrets Detection: API keys, tokens, and credentials embedded in build output
SBOM Generation: CycloneDX / SPDX across 10+ package ecosystems with VEX enrichment
Hardening Transforms: symbol stripping, source map removal, obfuscation suite
Signing & Attestation: Sigstore / Fulcio keyless signing + in-toto / SLSA provenance
Policy Evaluation: configurable release policy with required checks, thresholds, and blocking rules
OpenClaw Integration: native skill on ClawHub, invoked via natural language in your AI agent

Quick Start

Install and run your first artifact scan in under two minutes.

# Install
$ go install github.com/helixar-ai/releaseguard@latest

# Scan your dist/ directory
$ releaseguard scan ./dist
  ⚠  SECRET  dist/config.js:42  API key detected (AWS_SECRET_KEY pattern)
  ✗  MAP     dist/app.js.map  Source map present, exposes full source tree
  ✓  SBOM    dist/sbom.cdx.json  CycloneDX SBOM generated (148 components)
  ✓  SIG     dist/  Sigstore signature applied

# Apply hardening transforms + generate full report
$ releaseguard harden ./dist --sbom --sign --report=html
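As an added illustration of the scan-and-block flow shown above (example code, not ReleaseGuard's own implementation), a minimal Go scanner that flags the two finding types from the sample output and applies a blocking rule on critical severity. The regex patterns, the Finding struct, and the function names are this example's assumptions, not the project's rule set or API.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"regexp"
	"strings"
)

// Finding mirrors the scan output shown above: severity, category, location, message.
type Finding struct{ Severity, Category, Location, Message string }
// Assumed patterns (this example's own, not ReleaseGuard's rule set): a 40-character
// AWS-secret-shaped value assigned to a "secret"-named key, and a sourceMappingURL comment.
var (
	awsSecretRe = regexp.MustCompile(`(?i)secret[_a-z]*\s*[:=]\s*["'][A-Za-z0-9/+=]{40}["']`)
	mapRefRe    = regexp.MustCompile(`//[#@]\s*sourceMappingURL=\S+`)
)

func scanContent(path string, data []byte) []Finding { // one artifact in, path:line findings out
	if strings.HasSuffix(path, ".map") { // a shipped .map file is itself the finding
		return []Finding{{"critical", "MAP", path, "Source map present, exposes full source tree"}}
	}
	var out []Finding
	for n, sc := 1, bufio.NewScanner(bytes.NewReader(data)); sc.Scan(); n++ {
		line, loc := sc.Text(), fmt.Sprintf("%s:%d", path, n)
		if awsSecretRe.MatchString(line) {
			out = append(out, Finding{"critical", "SECRET", loc, "API key detected (AWS_SECRET_KEY pattern)"})
		}
		if mapRefRe.MatchString(line) {
			out = append(out, Finding{"warning", "MAP", loc, "sourceMappingURL comment references a source map"})
		}
	}
	return out
}

func evaluate(findings []Finding) int { // blocking rule: any critical finding fails the stage
	for _, f := range findings {
		if f.Severity == "critical" {
			return 1
		}
	}
	return 0
}

func main() { // constructed sample bundle; the key value is a placeholder, not a real credential
	js := []byte("const cfg = {\n  awsSecretKey: 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA',\n};\n//# sourceMappingURL=app.js.map\n")
	findings := append(scanContent("dist/app.js", js), scanContent("dist/app.js.map", nil)...)
	fmt.Printf("%+v\nexit code: %d\n", findings, evaluate(findings))
}
```

A warning-level sourceMappingURL reference alone does not block; only the critical findings (the embedded key and the shipped .map file) turn the exit code to 1.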

GitHub Issues Integration

v0.1.6+

When ReleaseGuard finds a critical severity violation, it can open a GitHub issue automatically, putting the finding directly in your team's workflow without anyone having to read CI logs.

How it works

1. Scan runs in CI: ReleaseGuard scans your dist/ artifacts on every build.
2. Critical finding detected: a secret, source map, or policy violation at critical severity fails the check.
3. Issue opened automatically: a rich GitHub issue appears in your repo with findings, evidence, and remediation steps.

Configure in .releaseguard.yml

.releaseguard.yml
# Enable GitHub issue creation for critical findings
integrations:
  github_issues:
    enabled: true
    # Optional: assign issues to a team or individual
    assignees: ["security-team"]
    # Optional: label issues for triage routing
    labels: ["security", "release-guard"]

GitHub Actions — passing the token

.github/workflows/release.yml
- name: ReleaseGuard scan
  uses: helixar-ai/releaseguard-action@v1
  with:
    path: ./dist
    create-issues: true
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

What every opened issue contains

Scan metadata: commit SHA, branch, run ID, artifact path, and timestamp
Findings table: severity, category, rule ID, and message for every critical violation
Per-finding evidence: exact file path, line number, and matched content with surrounding context
Remediation guidance: step-by-step fix instructions, including auto-fix commands where available
Category-specific guidance: secrets get rotation instructions, source maps get cleanup commands
Auto-fix instructions: ready-to-run releaseguard harden commands to resolve each finding

Note: If the GitHub API is unreachable or the token lacks permission to open issues, ReleaseGuard logs the error and continues. Issue creation failures never affect the build exit code or block your pipeline.


Don't ship secrets. Harden every artifact before it leaves your pipeline.

ReleaseGuard is open source, MIT licensed, and ready to drop into your CI/CD pipeline.
