v0.3.0: industry-standard scanner — CIS/MITRE/CWE, SARIF, offline manifests, CI

.dockerignore

@@ -0,0 +1,17 @@
+.git
+.github
+.pytest_cache
+.coverage
+htmlcov
+**/__pycache__
+**/*.pyc
+*.egg-info
+build
+dist
+tests
+.venv
+venv
+.idea
+.vscode
+*.md
+!README.md

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,49 @@
+name: Bug report
+description: Report a defect in KubeRoast
+labels: ["bug"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for filing a bug. Please include enough information for someone to reproduce.
+  - type: input
+    id: version
+    attributes:
+      label: KubeRoast version
+      description: Output of `kuberoast --version`
+      placeholder: "kuberoast 0.3.0"
+    validations:
+      required: true
+  - type: input
+    id: python
+    attributes:
+      label: Python version
+      placeholder: "3.12.3"
+    validations:
+      required: true
+  - type: textarea
+    id: command
+    attributes:
+      label: Command run
+      description: Exact CLI invocation
+      render: shell
+    validations:
+      required: true
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected behavior
+    validations:
+      required: true
+  - type: textarea
+    id: actual
+    attributes:
+      label: Actual behavior (include error output / stack trace)
+      render: shell
+    validations:
+      required: true
+  - type: textarea
+    id: extra
+    attributes:
+      label: Anything else?
+      description: Cluster type (kind/minikube/EKS/...), kubeconfig sanitization status, etc.

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,25 @@
+name: Feature request
+description: Suggest a new check, output, or capability
+labels: ["enhancement"]
+body:
+  - type: textarea
+    id: problem
+    attributes:
+      label: What problem are you trying to solve?
+    validations:
+      required: true
+  - type: textarea
+    id: proposal
+    attributes:
+      label: Proposed solution
+    validations:
+      required: true
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives considered
+  - type: textarea
+    id: references
+    attributes:
+      label: References / prior art
+      description: CIS controls, MITRE ATT&CK techniques, blog posts, CVEs, etc.

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,25 @@
+<!-- Brief summary of what this PR changes and why. -->
+
+## Summary
+
+-
+
+## Type of change
+
+- [ ] Bug fix
+- [ ] New security check
+- [ ] New feature / output format
+- [ ] Documentation
+- [ ] CI / build / tooling
+
+## Checklist
+
+- [ ] Tests added / updated and `make test` passes
+- [ ] `make lint` is clean
+- [ ] New finding IDs mapped in `kuberoast/utils/compliance.py`
+- [ ] README finding tables updated (if applicable)
+- [ ] CHANGELOG entry added under `## [Unreleased]`
+
+## References
+
+<!-- CIS controls, MITRE ATT&CK techniques, CVEs, blog posts -->

.github/dependabot.yml

@@ -0,0 +1,27 @@
+version: 2
+updates:
+  - package-ecosystem: pip
+    directory: "/"
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 5
+    labels:
+      - dependencies
+
+  - package-ecosystem: github-actions
+    directory: "/"
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 5
+    labels:
+      - ci
+      - dependencies
+
+  - package-ecosystem: docker
+    directory: "/"
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 5
+    labels:
+      - docker
+      - dependencies

.github/workflows/ci.yml

@@ -0,0 +1,112 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    name: Test (Python ${{ matrix.python-version }})
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version: ["3.9", "3.10", "3.11", "3.12"]
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+          cache: pip
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -e ".[dev]"
+
+      - name: Run tests with coverage (excluding performance)
+        run: |
+          pytest --cov=kuberoast --cov-report=xml --cov-report=term -v -m "not performance"
+
+      - name: Run performance regression tests
+        # Perf tests are non-blocking — slow runners shouldn't fail the matrix
+        continue-on-error: true
+        run: |
+          pytest -v -m performance
+
+      - name: Upload coverage artifact
+        if: matrix.python-version == '3.12'
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-report
+          path: coverage.xml
+
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+          cache: pip
+
+      - name: Install ruff
+        run: pip install "ruff>=0.4.0"
+
+      - name: Lint with ruff
+        run: ruff check kuberoast tests
+
+      - name: Format check with ruff
+        run: ruff format --check kuberoast tests
+
+  build:
+    name: Build distribution
+    runs-on: ubuntu-latest
+    needs: test
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Build wheel and sdist
+        run: |
+          python -m pip install --upgrade pip build
+          python -m build
+
+      - name: Upload distribution
+        uses: actions/upload-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+  docker:
+    name: Docker build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: false
+          tags: kuberoast:ci
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

.github/workflows/security-scan.yml

@@ -0,0 +1,52 @@
+name: Security Scan (SARIF demo)
+
+# Demonstration of using kuberoast in a CI pipeline against a manifest
+# directory and uploading SARIF results to GitHub code scanning.
+on:
+  workflow_dispatch:
+    inputs:
+      manifests_path:
+        description: "Path to manifests to scan (relative to repo root)"
+        required: false
+        default: "examples"
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  scan:
+    name: Scan manifests with KubeRoast
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Install KubeRoast
+        run: pip install -e .
+
+      - name: Scan manifests (SARIF)
+        run: |
+          kuberoast \
+            --manifests "${{ github.event.inputs.manifests_path }}" \
+            --report sarif \
+            --out kuberoast.sarif \
+            --no-compliance=false || true
+
+      - name: Upload SARIF to GitHub code scanning
+        if: always() && hashFiles('kuberoast.sarif') != ''
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: kuberoast.sarif
+          category: kuberoast
+
+      - name: Upload SARIF artifact
+        if: always() && hashFiles('kuberoast.sarif') != ''
+        uses: actions/upload-artifact@v4
+        with:
+          name: kuberoast-sarif
+          path: kuberoast.sarif

CHANGELOG.md

@@ -0,0 +1,63 @@
+# Changelog
+
+All notable changes to this project are documented here.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [0.3.0] - 2026-05-08
+
+### Added
+- **Compliance enrichment** — every finding is automatically tagged with CIS
+  Kubernetes Benchmark controls, MITRE ATT&CK techniques, and CWE IDs.
+- **SARIF v2.1.0 output** (`--report sarif`) for GitHub code scanning, Azure
+  DevOps, and other static-analysis dashboards.
+- **JUnit XML output** (`--report junit`) for Jenkins / GitLab / CircleCI.
+- **CSV output** (`--report csv`) for spreadsheets and analytics.
+- **Offline manifest scanning** (`--manifests <dir|file>`) — scan YAML/JSON
+  manifests without a live cluster. Supports Pod, Deployment, StatefulSet,
+  DaemonSet, Job, CronJob, ReplicaSet, ReplicationController, RBAC, Secret,
+  Service, Ingress, Namespace, and CRD kinds.
+- **Dockerfile** — non-root, multi-stage container image for portable scans.
+- **GitHub Actions CI** — test matrix (Python 3.9–3.12), ruff lint, build, and
+  Docker image build.
+- **GitHub Actions security-scan workflow** — example pipeline that uploads
+  SARIF results to GitHub code scanning.
+- **Makefile** with `install`, `dev`, `test`, `coverage`, `lint`, `format`,
+  `build`, `docker`, `clean` targets.
+- **`--version` flag**, `-q/--quiet` flag, ISO-8601 structured log timestamps,
+  and `--no-compliance` opt-out.
+- Richer HTML report with severity stat cards and CIS/MITRE/CWE chips.
+- `CONTRIBUTING.md`, `SECURITY.md`, `CHANGELOG.md`, and GitHub issue/PR
+  templates.
+
+### Changed
+- Bumped package version from 0.2.0 to 0.3.0.
+- Text reporter now displays the finding ID, namespace, and compliance
+  metadata when present.
+- HTML reporter redesigned with a summary-stats header and tag chips.
+
+### Tests
+- 146 tests passing (38 baseline → 146 with advanced suites).
+- New test categories:
+  - **End-to-end golden tests** against the bundled `examples/` manifests.
+  - **Property-based fuzzing** (Hypothesis) of the manifest parser and
+    scanners — random valid manifests must not crash any scanner.
+  - **Scanner contract tests** — every scanner returns Findings with
+    valid IDs, severities, categories, remediations, and (where mapped)
+    correctly-formatted CIS / MITRE / CWE references.
+  - **Severity matrix tests** — comprehensive `--fail-on` and
+    `--min-severity` interaction matrix.
+  - **SARIF v2.1.0 schema validation** — output is validated against
+    the official OASIS SARIF schema.
+  - **Performance regression tests** — 1000-pod scans must complete in
+    bounded time; deselect with `-m "not performance"`.
+
+### Notes
+This release is backwards-compatible at the CLI level: existing
+`--report {json,text,html}` flows continue to work.
+
+## [0.2.0]
+
+Initial public release with 30+ checks across Pod Security, RBAC, Network,
+Node, Secrets, Policy, and PSS categories.