Helixar Labs
Policy EngineApache 2.0Go

ReleaseGuard

Scan, harden, sign and attest build artifacts before they ship.

Build pipelines ship secrets, source maps, and debug symbols every day without anyone noticing. ReleaseGuard makes the full artifact lifecycle one auditable CI step you can verify.

Status
Active
Latest
v0.1.6+
Language
Go
License
Apache 2.0
Install
go install github.com/helixar-ai/releaseguard@latest

What it does

The full artifact lifecycle as one auditable CI step — scan, harden, SBOM, sign, attest, validate against policy.

Secrets & artifact scanning

dist/ and release/ outputs for secrets, API keys, source maps, and debug symbols across every ecosystem.

Hardening transforms

Deterministic symbol stripping, source-map removal, and metadata scrubbing before anything reaches a registry.

SBOM generation

CycloneDX and SPDX across 10+ ecosystems, enriched with OSV.dev VEX data for vulnerability context.

Signing & attestation

Keyless Sigstore/Fulcio signing plus in-toto and SLSA provenance — verifiable without managing keys.

One CI stage

Point it at your build output and get severity-rated findings, an SBOM, and a signature on every run.

releaseguard
$ releaseguard scan ./dist
⚠ SECRET config.js:42 AWS key detected
✗ MAP app.js.map source map exposes full source tree
✓ SBOM sbom.cdx.json CycloneDX generated (148 components)
✓ SIG Sigstore signature applied
 
$ releaseguard harden ./dist --sbom --sign --report=html