feat: multi-platform CI/CD scanning — Jenkins, Tekton, CircleCI + expanded GitLab/Azure

New platforms:
- Jenkins: declarative Jenkinsfile parser + 4 rules (JK-001 through JK-009)
- Tekton: Pipeline/Task YAML parser + 4 rules (TK-001 through TK-009)
- CircleCI: config.yml parser + 4 rules (CC-001 through CC-009)

Expanded existing platforms:
- GitLab CI: 5 new rules (GL-004 through GL-010) — broad permissions, secrets in logs, fork MR exec, OIDC, cache poisoning
- Azure Pipelines: 5 new rules (AZ-004 through AZ-010) — matching GitLab expansion

Remote API clients:
- internal/gitlab/client.go: GitLab API client with group enumeration, rate limiting
- internal/azure/client.go: Azure DevOps API client with project enumeration
- fluxgate remote --platform gitlab|azure support

Scanner integration:
- ScanDirectory now detects Jenkinsfile, .tekton/, .circleci/config.yml
- filterFindings helper deduplicates severity/rule filtering across platforms

Total rules: 41 (was 19). Platforms: 6 (was 3).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: north-echo

cmd/fluxgate/main.go

@@ -14,10 +14,12 @@ import (
 	"strings"
 	"time"
 
+	azureclient "github.com/north-echo/fluxgate/internal/azure"
 	"github.com/north-echo/fluxgate/internal/dashboard"
 	"github.com/north-echo/fluxgate/internal/diff"
 	"github.com/north-echo/fluxgate/internal/export"
 	ghclient "github.com/north-echo/fluxgate/internal/github"
+	gitlabclient "github.com/north-echo/fluxgate/internal/gitlab"
 	"github.com/north-echo/fluxgate/internal/merge"
 	"github.com/north-echo/fluxgate/internal/report"
 	"github.com/north-echo/fluxgate/internal/scanner"
@@ -136,42 +138,80 @@ func newRemoteCmd() *cobra.Command {
 		severities string
 		rules      string
 		token      string
+		platform   string
+		baseURL    string
 	)
 
 	cmd := &cobra.Command{
 		Use:   "remote [owner/repo]",
-		Short: "Scan a remote GitHub repository",
-		Long:  "Fetch and scan GitHub Actions workflows from a remote repository via the GitHub API.",
-		Args:  cobra.ExactArgs(1),
-		RunE: func(cmd *cobra.Command, args []string) error {
-			parts := strings.SplitN(args[0], "/", 2)
-			if len(parts) != 2 {
-				return fmt.Errorf("invalid repo format: use owner/repo")
-			}
-			owner, repo := parts[0], parts[1]
+		Short: "Scan a remote repository",
+		Long: `Fetch and scan CI/CD pipelines from a remote repository.
 
+Platforms:
+  github  (default) — GitHub Actions via GitHub API
+  gitlab  — GitLab CI via GitLab API (use --url for self-hosted)
+  azure   — Azure Pipelines via Azure DevOps API (use --url for org URL)`,
+		Args: cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
 			if token == "" {
 				token = os.Getenv("GITHUB_TOKEN")
 			}
 
-			client := ghclient.NewClient(token)
+			opts := parseScanOpts(severities, rules)
 			ctx := context.Background()
 
-			opts := parseScanOpts(severities, rules)
-			result, err := client.ScanRemote(ctx, owner, repo, opts)
-			if err != nil {
-				return fmt.Errorf("remote scan failed: %w", err)
-			}
+			switch platform {
+			case "github", "":
+				parts := strings.SplitN(args[0], "/", 2)
+				if len(parts) != 2 {
+					return fmt.Errorf("invalid repo format: use owner/repo")
+				}
+				client := ghclient.NewClient(token)
+				result, err := client.ScanRemote(ctx, parts[0], parts[1], opts)
+				if err != nil {
+					return fmt.Errorf("remote scan failed: %w", err)
+				}
+				return outputResult(result, format, output)
 
-			return outputResult(result, format, output)
+			case "gitlab":
+				if token == "" {
+					token = os.Getenv("GITLAB_TOKEN")
+				}
+				client := gitlabclient.NewClient(baseURL, token)
+				result, err := client.ScanRemote(ctx, args[0], opts)
+				if err != nil {
+					return fmt.Errorf("gitlab scan failed: %w", err)
+				}
+				return outputResult(result, format, output)
+
+			case "azure":
+				if token == "" {
+					token = os.Getenv("AZURE_DEVOPS_TOKEN")
+				}
+				parts := strings.SplitN(args[0], "/", 2)
+				if len(parts) != 2 {
+					return fmt.Errorf("invalid format: use project/repo")
+				}
+				client := azureclient.NewClient(baseURL, token)
+				result, err := client.ScanRemote(ctx, parts[0], parts[1], opts)
+				if err != nil {
+					return fmt.Errorf("azure scan failed: %w", err)
+				}
+				return outputResult(result, format, output)
+
+			default:
+				return fmt.Errorf("unknown platform %q (use github, gitlab, or azure)", platform)
+			}
 		},
 	}
 
 	cmd.Flags().StringVarP(&format, "format", "f", "table", "Output format: table, json, sarif")
 	cmd.Flags().StringVarP(&output, "output", "o", "", "Output file (default: stdout)")
-	cmd.Flags().StringVar(&severities, "severity", "", "Filter by severity (comma-separated: critical,high,medium,low)")
-	cmd.Flags().StringVar(&rules, "rules", "", "Filter by rule ID (comma-separated: FG-001,FG-002)")
-	cmd.Flags().StringVarP(&token, "token", "t", "", "GitHub token (default: $GITHUB_TOKEN)")
+	cmd.Flags().StringVar(&severities, "severity", "", "Filter by severity (comma-separated)")
+	cmd.Flags().StringVar(&rules, "rules", "", "Filter by rule ID (comma-separated)")
+	cmd.Flags().StringVarP(&token, "token", "t", "", "API token (default: $GITHUB_TOKEN, $GITLAB_TOKEN, or $AZURE_DEVOPS_TOKEN)")
+	cmd.Flags().StringVar(&platform, "platform", "github", "Platform: github, gitlab, azure")
+	cmd.Flags().StringVar(&baseURL, "url", "", "Base URL for self-hosted instances (e.g., https://gitlab.example.com)")
 
 	return cmd
 }

internal/azure/client.go

@@ -0,0 +1,236 @@
+package azure
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"time"
+
+	"github.com/north-echo/fluxgate/internal/cicd"
+	"github.com/north-echo/fluxgate/internal/scanner"
+)
+
+// Client wraps the Azure DevOps API for fetching pipeline files.
+type Client struct {
+	orgURL     string
+	token      string
+	httpClient *http.Client
+}
+
+// RepoInfo represents basic Azure DevOps repository metadata.
+type RepoInfo struct {
+	ID            string `json:"id"`
+	Name          string `json:"name"`
+	DefaultBranch string `json:"defaultBranch"`
+	Project       string `json:"-"` // populated after fetch
+}
+
+// repoListResponse is the API response for listing repositories.
+type repoListResponse struct {
+	Value []repoEntry `json:"value"`
+	Count int         `json:"count"`
+}
+
+type repoEntry struct {
+	ID            string     `json:"id"`
+	Name          string     `json:"name"`
+	DefaultBranch string     `json:"defaultBranch"`
+	Project       repoProject `json:"project"`
+}
+
+type repoProject struct {
+	Name string `json:"name"`
+}
+
+// NewClient creates an Azure DevOps API client.
+// orgURL should be like "https://dev.azure.com/myorg".
+func NewClient(orgURL, token string) *Client {
+	return &Client{
+		orgURL: orgURL,
+		token:  token,
+		httpClient: &http.Client{
+			Timeout: 30 * time.Second,
+		},
+	}
+}
+
+// FetchPipelineFile fetches the azure-pipelines.yml file from a repository.
+func (c *Client) FetchPipelineFile(ctx context.Context, project, repoID string) ([]byte, error) {
+	endpoint := fmt.Sprintf("/%s/_apis/git/repositories/%s/items",
+		url.PathEscape(project), url.PathEscape(repoID))
+
+	params := url.Values{
+		"path":        {"azure-pipelines.yml"},
+		"api-version": {"7.0"},
+	}
+
+	body, err := c.doGet(ctx, endpoint, params)
+	if err != nil {
+		return nil, fmt.Errorf("fetching azure-pipelines.yml for %s/%s: %w", project, repoID, err)
+	}
+	return body, nil
+}
+
+// ListProjectRepos lists all Git repositories in an Azure DevOps project.
+func (c *Client) ListProjectRepos(ctx context.Context, project string) ([]RepoInfo, error) {
+	endpoint := fmt.Sprintf("/%s/_apis/git/repositories", url.PathEscape(project))
+	params := url.Values{
+		"api-version": {"7.0"},
+	}
+
+	body, err := c.doGet(ctx, endpoint, params)
+	if err != nil {
+		return nil, fmt.Errorf("listing repos for project %s: %w", project, err)
+	}
+
+	var resp repoListResponse
+	if err := json.Unmarshal(body, &resp); err != nil {
+		return nil, fmt.Errorf("decoding repos response: %w", err)
+	}
+
+	repos := make([]RepoInfo, len(resp.Value))
+	for i, r := range resp.Value {
+		repos[i] = RepoInfo{
+			ID:            r.ID,
+			Name:          r.Name,
+			DefaultBranch: r.DefaultBranch,
+			Project:       r.Project.Name,
+		}
+	}
+
+	return repos, nil
+}
+
+// ScanRemote fetches, parses, and scans a repository's azure-pipelines.yml file.
+func (c *Client) ScanRemote(ctx context.Context, project, repoID string, opts scanner.ScanOptions) (*scanner.ScanResult, error) {
+	data, err := c.FetchPipelineFile(ctx, project, repoID)
+	if err != nil {
+		return nil, err
+	}
+
+	path := fmt.Sprintf("%s/%s/azure-pipelines.yml", project, repoID)
+	pipeline, err := cicd.ParseAzurePipeline(data, path)
+	if err != nil {
+		return nil, fmt.Errorf("parsing pipeline for %s/%s: %w", project, repoID, err)
+	}
+
+	azFindings := cicd.ScanAzurePipeline(pipeline)
+
+	result := &scanner.ScanResult{
+		Path:      fmt.Sprintf("%s/%s", project, repoID),
+		Workflows: 1,
+	}
+
+	for _, azf := range azFindings {
+		f := scanner.Finding{
+			RuleID:   azf.RuleID,
+			Severity: azf.Severity,
+			File:     azf.File,
+			Line:     azf.Line,
+			Message:  azf.Message,
+			Details:  azf.Details,
+		}
+		result.Findings = append(result.Findings, f)
+	}
+
+	// Apply severity filter
+	if len(opts.Severities) > 0 {
+		sevSet := make(map[string]bool)
+		for _, s := range opts.Severities {
+			sevSet[s] = true
+		}
+		var filtered []scanner.Finding
+		for _, f := range result.Findings {
+			if sevSet[f.Severity] {
+				filtered = append(filtered, f)
+			}
+		}
+		result.Findings = filtered
+	}
+
+	// Apply rule filter
+	if len(opts.Rules) > 0 {
+		ruleSet := make(map[string]bool)
+		for _, r := range opts.Rules {
+			ruleSet[r] = true
+		}
+		var filtered []scanner.Finding
+		for _, f := range result.Findings {
+			if ruleSet[f.RuleID] {
+				filtered = append(filtered, f)
+			}
+		}
+		result.Findings = filtered
+	}
+
+	return result, nil
+}
+
+// doGet performs an authenticated GET request with retry logic.
+// Azure DevOps uses Basic auth with empty username and PAT as password.
+func (c *Client) doGet(ctx context.Context, endpoint string, params url.Values) ([]byte, error) {
+	u := c.orgURL + endpoint
+	if params != nil {
+		u += "?" + params.Encode()
+	}
+
+	const maxRetries = 5
+	for attempt := 0; attempt <= maxRetries; attempt++ {
+		req, err := http.NewRequestWithContext(ctx, http.MethodGet, u, nil)
+		if err != nil {
+			return nil, err
+		}
+
+		// Azure DevOps Basic auth: empty username, PAT as password
+		if c.token != "" {
+			auth := base64.StdEncoding.EncodeToString([]byte(":" + c.token))
+			req.Header.Set("Authorization", "Basic "+auth)
+		}
+
+		resp, err := c.httpClient.Do(req)
+		if err != nil {
+			return nil, err
+		}
+
+		body, err := io.ReadAll(resp.Body)
+		resp.Body.Close()
+
+		if resp.StatusCode == http.StatusOK {
+			return body, err
+		}
+
+		if resp.StatusCode == http.StatusNotFound {
+			return nil, fmt.Errorf("not found: %s (HTTP %d)", endpoint, resp.StatusCode)
+		}
+
+		// Retry on rate limits and transient errors
+		if attempt < maxRetries && (resp.StatusCode == http.StatusTooManyRequests ||
+			resp.StatusCode == http.StatusServiceUnavailable ||
+			resp.StatusCode == http.StatusBadGateway) {
+
+			wait := time.Duration(1<<uint(attempt)) * time.Second
+
+			// Check Retry-After header
+			if retryAfter := resp.Header.Get("Retry-After"); retryAfter != "" {
+				if secs, err := time.ParseDuration(retryAfter + "s"); err == nil {
+					wait = secs
+				}
+			}
+
+			select {
+			case <-ctx.Done():
+				return nil, ctx.Err()
+			case <-time.After(wait):
+				continue
+			}
+		}
+
+		return nil, fmt.Errorf("Azure DevOps API error: %s (HTTP %d): %s", endpoint, resp.StatusCode, string(body))
+	}
+
+	return nil, fmt.Errorf("exceeded maximum retries for %s", endpoint)
+}

internal/cicd/azure.go

@@ -419,11 +419,13 @@ func convertAzureStep(raw *rawAzureStep) []PipelineStep {
 		})
 	}
 	if raw.Task != "" {
+		// Merge Env and Inputs for task steps so rules can inspect both
+		taskEnv := mergeStringMaps(raw.Env, raw.Inputs)
 		steps = append(steps, PipelineStep{
 			Name:    raw.DisplayName,
 			Type:    StepAction,
 			Command: raw.Task,
-			Env:     raw.Env,
+			Env:     taskEnv,
 		})
 	}
 	if raw.Template != "" {
@@ -495,3 +497,19 @@ func extractAzureSecretRefs(node *yaml.Node) []string {
 	}
 	return secrets
 }
+
+// mergeStringMaps merges two string maps, with b values overriding a values.
+// Returns nil if both inputs are nil/empty.
+func mergeStringMaps(a, b map[string]string) map[string]string {
+	if len(a) == 0 && len(b) == 0 {
+		return nil
+	}
+	result := make(map[string]string)
+	for k, v := range a {
+		result[k] = v
+	}
+	for k, v := range b {
+		result[k] = v
+	}
+	return result
+}