Open source · Apache 2.0

One engineer's standards. Every team's pipeline.

DevSecOps governance that enforces secrets detection, SAST, SCA, container security, and code quality — in every CI run, without hunting for yet another tool.

6 security layers · 3 languages · 2 CI platforms · 1 command · 0 external accounts

Every layer of the security stack. Out of the box.

Layer 1 · Secrets Detection · via Gitleaks
Layer 2 · SAST · via Semgrep
Layer 3 · SCA — Dependency Audit · via pip-audit · npm audit · govulncheck
Layer 4 · Container Security · via Trivy
Layer 5 · Code Quality · via Ruff · ESLint · staticcheck
Gate · Security Gate · via conftest + OPA Rego

Three commands to governed pipelines.

01 · Install
Add CAST to your environment. No accounts, no SaaS sign-ups, no phone-home telemetry.
$ pip install castops

02 · Init
CAST detects your stack and scaffolds a pipeline config tuned to your language and CI platform.
$ cast init

03 · Push
All six security layers run on every push. Failing the gate blocks the merge. No configuration drift.
$ git push

Works where you already work.

Language   SCA Tool       Quality Tool
Python     pip-audit      Ruff
Node.js    npm audit      ESLint
Go         govulncheck    staticcheck

Supported CI platforms: GitHub Actions · GitLab CI

Your tools. Your rules.

CAST is a governance layer, not a walled garden. Drop in any tool you already trust — Snyk, Checkov, custom OPA policies — by adding a YAML plugin definition. No patching the core.

  • Drop-in YAML plugin definitions
  • Any CLI tool becomes a security layer
  • Custom OPA Rego policies for your gate
  • Works alongside existing CI steps
plugins/custom-snyk.yml
# Custom Snyk plugin for CAST
name: custom-snyk
layer: sca
enabled: true

run:
  command: snyk test --severity-threshold=high
  fail_on: nonzero_exit

report:
  format: sarif
  output: snyk-results.sarif

gate:
  policy: policy/snyk.rego
  block_merge: true
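The plugin above points its gate at policy/snyk.rego but the page does not show that file; the following is an added example of what such a policy could look like, not CAST's own code. It assumes conftest is handed the SARIF report the plugin writes (snyk-results.sarif) as `input`, that `level` follows the SARIF 2.1.0 result schema, and that the scanner's high-severity findings are emitted at level "error" (that mapping is an assumption, not something the page states).

```rego
package main

import rego.v1

# Block the merge on any finding the scanner reports at SARIF level "error".
# Assumption: high-severity findings arrive as level "error"; adjust if the
# scanner's severity-to-level mapping differs.
deny contains msg if {
    some run in input.runs
    some res in run.results
    res.level == "error"
    msg := sprintf("snyk: %s [%s]", [res.message.text, res.ruleId])
}

# Block when the report carries no runs at all. An empty SARIF document
# usually means the scanner never executed, which is not the same as "clean".
deny contains msg if {
    count(object.get(input, "runs", [])) == 0
    msg := "snyk: SARIF report contains no runs; scanner did not execute"
}

# Surface warning-level findings in the CI log without blocking the merge.
warn contains msg if {
    some run in input.runs
    some res in run.results
    res.level == "warning"
    msg := sprintf("snyk (advisory): %s [%s]", [res.message.text, res.ruleId])
}
```

Run it by hand with `conftest test snyk-results.sarif -p policy/snyk.rego` to see the same deny and warn messages the gate would produce.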

Ship secure code, starting today.

One command. Six layers. Zero excuses.