
Releaseguard

Scan, harden, sign, and verify release artifacts with ReleaseGuard — the artifact policy engine for dist/ and release/ outputs.
asiridalugoda
Category: security-compliance · Source: clawhub · v0.1.5 · 2 versions · 100000 · Key: not required
★ 0 stars · 📥 663 downloads · 💾 1 install · 2 versions
#devsecops #latest #sbom #security #signing #supply-chain

Overview

ReleaseGuard Skill

ReleaseGuard is an artifact policy engine. Use it to scan build outputs for secrets, misconfigurations, and supply-chain risks; harden and fix them; generate SBOMs; sign artifacts; and verify release integrity.

Install ReleaseGuard

Preferred — Homebrew (macOS / Linux, no remote script execution):

brew install Helixar-AI/tap/releaseguard

Alternative — manual download from GitHub Releases (review before running):

# 1. Review the install script before executing:
curl -sSfL https://raw.githubusercontent.com/Helixar-AI/ReleaseGuard/main/scripts/install.sh | less

# 2. If satisfied, run it:
curl -sSfL https://raw.githubusercontent.com/Helixar-AI/ReleaseGuard/main/scripts/install.sh | sh

Alternative — direct binary download (no shell script):

# Replace VERSION, OS, and ARCH as appropriate (linux/darwin, amd64/arm64)
curl -sSfL https://github.com/Helixar-AI/ReleaseGuard/releases/latest/download/releaseguard-VERSION-OS-ARCH.tar.gz \
  | tar -xz releaseguard
sudo mv releaseguard /usr/local/bin/releaseguard

> Note: The install script is MIT-licensed and open-source at https://github.com/Helixar-AI/ReleaseGuard/blob/main/scripts/install.sh. Review it before executing in sensitive environments.


External Services

Some commands interact with external services. This is documented per-command below. No data is sent externally unless you explicitly invoke the relevant flag or mode:

| Feature | External Service | Triggered by |
|---|---|---|
| CVE enrichment | OSV.dev (read-only, no auth) | sbom --enrich-cve or vex |
| Keyless signing | Sigstore / Fulcio (requires OIDC token) | sign --mode keyless |
| Cloud obfuscation | ReleaseGuard Cloud API | obfuscate --level medium/aggressive |
| SLSA Provenance L3 | ReleaseGuard Cloud API | Cloud plan only |

Credentials: Keyless signing requires an OIDC token (available in GitHub Actions, GitLab CI, etc.). Local signing requires a private key file you supply with --key. Cloud features require RELEASEGUARD_CLOUD_TOKEN. No credentials are used by default for check, fix, sbom, pack, report, or verify.


Commands

Check / Scan — releaseguard check

Scan an artifact path and evaluate the release policy. No external network calls.

Trigger phrases: "scan", "check", "audit", "analyze release", "inspect dist", "any secrets", "find vulnerabilities"

releaseguard check <path>
releaseguard check <path> --format json
releaseguard check <path> --format sarif --out results.sarif
releaseguard check <path> --format markdown --out report.md
  • Default format: cli (human-readable)
  • Other formats: json, sarif, markdown, html
  • Exit code 0 = PASS, non-zero = FAIL

Fix — releaseguard fix

Apply safe, deterministic hardening transforms. No external network calls.

Trigger phrases: "fix", "harden", "apply fixes", "remediate", "auto-fix release"

releaseguard fix <path>
releaseguard fix <path> --dry-run   # preview without applying

SBOM — releaseguard sbom

Generate a Software Bill of Materials.

Trigger phrases: "sbom", "software bill of materials", "dependencies", "generate bom"

releaseguard sbom <path>                     # no network calls
releaseguard sbom <path> --format spdx
releaseguard sbom <path> --enrich-cve        # fetches CVE data from OSV.dev (read-only)
  • Default format: cyclonedx
  • --enrich-cve makes read-only requests to OSV.dev; no credentials required

Obfuscate — releaseguard obfuscate

Apply obfuscation to release artifacts.

Trigger phrases: "obfuscate", "strip symbols", "protect binary"

releaseguard obfuscate <path> --level light   # OSS — no network calls
releaseguard obfuscate <path> --level medium  # requires RELEASEGUARD_CLOUD_TOKEN
releaseguard obfuscate <path> --dry-run

Levels:

  • none / light — local, no external calls (OSS)
  • medium / aggressive — calls ReleaseGuard Cloud API; requires RELEASEGUARD_CLOUD_TOKEN

Harden — releaseguard harden

Full hardening pipeline: fix + obfuscate + DRM injection.

Trigger phrases: "full harden", "harden release", "full hardening pipeline"

releaseguard harden <path> --obfuscation light    # no network calls
releaseguard harden <path> --obfuscation medium   # requires RELEASEGUARD_CLOUD_TOKEN
releaseguard harden <path> --dry-run

Pack — releaseguard pack

Package an artifact into a canonical archive. No external network calls.

Trigger phrases: "pack", "package artifact", "create archive"

releaseguard pack <path> --out release.tar.gz
releaseguard pack <path> --out release.zip --format zip

Sign — releaseguard sign

Sign an artifact and its evidence bundle.

Trigger phrases: "sign", "cosign", "keyless sign", "sign artifact"

# Keyless (Sigstore/Fulcio) — requires OIDC token; use in CI environments
releaseguard sign <artifact> --mode keyless

# Local signing — no external calls; requires private key file
releaseguard sign <artifact> --mode local --key signing.key
  • keyless mode contacts Sigstore's Fulcio CA and Rekor transparency log
  • local mode is fully offline; key stays on disk

Attest — releaseguard attest

Emit in-toto and SLSA provenance attestations.

Trigger phrases: "attest", "provenance", "slsa", "in-toto"

releaseguard attest <artifact>

Verify — releaseguard verify

Verify artifact signatures and policy compliance. No credentials required for verification.

Trigger phrases: "verify", "check signature", "validate artifact"

releaseguard verify <artifact>

Report — releaseguard report

Export a scan report. No external network calls.

Trigger phrases: "report", "export report", "compliance report"

releaseguard report <path> --format sarif --out results.sarif
releaseguard report <path> --format html --out report.html

VEX — releaseguard vex

Enrich SBOM with VEX vulnerability data. Makes read-only requests to OSV.dev.

Trigger phrases: "vex", "vulnerability data", "enrich sbom"

releaseguard vex <path> --sbom .releaseguard/sbom.cdx.json --out vex.json

Typical Workflows

Quick scan (no network, no credentials)

releaseguard check ./dist

Full pipeline (CI with keyless signing)

releaseguard check ./dist
releaseguard fix ./dist
releaseguard sbom ./dist
releaseguard pack ./dist --out release.tar.gz
releaseguard sign release.tar.gz --mode keyless   # OIDC token required
releaseguard attest release.tar.gz
releaseguard verify release.tar.gz

Offline pipeline (no network, local key)

releaseguard check ./dist
releaseguard fix ./dist
releaseguard sbom ./dist
releaseguard pack ./dist --out release.tar.gz
releaseguard sign release.tar.gz --mode local --key signing.key

Configuration

releaseguard init   # creates .releaseguard.yml

# .releaseguard.yml
version: 2
scanning:
  exclude_paths:
    - test/fixtures
policy:
  fail_on: [critical, high]
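The check command above can emit SARIF, and the policy block in .releaseguard.yml decides which severities fail the build. As an added example (not ReleaseGuard's own code), here is a small CI gate that reads a SARIF log such as the one written by releaseguard check --format sarif --out results.sarif and applies a fail_on list of the same shape as the config. The mapping from SARIF fields to critical/high/medium/low is an assumption: the page does not document ReleaseGuard's SARIF output, so the gate uses the common security-severity property (a CVSS-style score) when present and the standard SARIF level otherwise, and the sample SARIF is constructed for the example.

```python
import json

# Assumed mapping: the page does not document ReleaseGuard's SARIF schema, so
# severity is taken from a numeric "security-severity" property when present
# (the convention GitHub code scanning uses) and from the SARIF "level" otherwise.
LEVEL_TO_SEVERITY = {"error": "high", "warning": "medium", "note": "low", "none": "low"}


def severity_of(result: dict) -> str:
    """Classify one SARIF result as critical/high/medium/low."""
    score = result.get("properties", {}).get("security-severity")
    if score is not None:
        score = float(score)
        if score >= 9.0:
            return "critical"
        if score >= 7.0:
            return "high"
        if score >= 4.0:
            return "medium"
        return "low"
    return LEVEL_TO_SEVERITY.get(result.get("level", "warning"), "medium")


def evaluate_sarif(sarif: dict, fail_on: list) -> dict:
    """Count findings per severity and decide PASS/FAIL like policy.fail_on."""
    counts = {"critical": 0, "high": 0, "medium": 0, "low": 0}
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            counts[severity_of(result)] += 1
    failing = sum(counts[s] for s in fail_on)
    return {"counts": counts, "failing": failing, "passed": failing == 0}


# Constructed sample: a short SARIF 2.1.0 log with three findings (hypothetical rule ids).
SAMPLE_SARIF = json.loads("""{
  "version": "2.1.0",
  "runs": [{"tool": {"driver": {"name": "releaseguard"}}, "results": [
    {"ruleId": "secrets/aws-key", "level": "error",
     "properties": {"security-severity": "9.8"}},
    {"ruleId": "config/debug-enabled", "level": "warning"},
    {"ruleId": "archive/world-writable", "level": "note"}
  ]}]
}""")

if __name__ == "__main__":
    # Same exit-code contract as releaseguard check: 0 = PASS, non-zero = FAIL.
    verdict = evaluate_sarif(SAMPLE_SARIF, fail_on=["critical", "high"])
    print("PASS" if verdict["passed"] else "FAIL", verdict["counts"])
    raise SystemExit(0 if verdict["passed"] else 1)
```

In CI, replace SAMPLE_SARIF with json.load(open("results.sarif")) and feed fail_on from the policy block of .releaseguard.yml.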

Version history

2 versions in total

  • v0.1.5 (current)
    2026-05-01 11:59 · safe · safe
  • v0.1.2
    2026-03-31 06:16 · safe · safe

Security scans

Tencent Cloud Security (Keen)

Safe, no risk

Tencent Cloud Security (Sanbu)

Safe, no risk
