ReleaseGuard
Scan, harden, sign and attest build artifacts before they ship.
Build pipelines ship secrets, source maps, and debug symbols every day without anyone noticing. ReleaseGuard makes the full artifact lifecycle one auditable CI step you can verify.
- Status
- Active
- Latest
- v0.1.6+
- Language
- Go
- License
- Apache 2.0
- Install
- go install github.com/helixar-ai/releaseguard@latest
What it does
The full artifact lifecycle as one auditable CI step — scan, harden, SBOM, sign, attest, validate against policy.
Secrets & artifact scanning
dist/ and release/ outputs for secrets, API keys, source maps, and debug symbols across every ecosystem.
Hardening transforms
Deterministic symbol stripping, source-map removal, and metadata scrubbing before anything reaches a registry.
SBOM generation
CycloneDX and SPDX across 10+ ecosystems, enriched with OSV.dev VEX data for vulnerability context.
Signing & attestation
Keyless Sigstore/Fulcio signing plus in-toto and SLSA provenance — verifiable without managing keys.
One CI stage
Point it at your build output and get severity-rated findings, an SBOM, and a signature on every run.
$ releaseguard scan ./dist⚠ SECRET config.js:42 AWS key detected✗ MAP app.js.map source map exposes full source tree✓ SBOM sbom.cdx.json CycloneDX generated (148 components)✓ SIG Sigstore signature applied$ releaseguard harden ./dist --sbom --sign --report=html
More from Helixar Labs
All projectsVerifiable human delegation for agentic AI.
HDP extended to physical AI: robots, vehicles, surgical systems.
26-rule security scanner for MCP server infrastructure.