Release Notes: v0.1.0

Release Date: 2026-01-28

Overview

PipelineConductor v0.1.0 is the initial release of the CI/CD pipeline compliance scanning tool. It provides multi-org GitHub repository scanning with Cedar policy-as-code evaluation, supporting four output formats including SARIF for GitHub Security integration.

Highlights

  • Multi-org scanning - Scan repositories across multiple GitHub organizations in a single command
  • Cedar policy engine - Define CI/CD compliance rules using the Cedar policy language
  • Four output formats - JSON, Markdown, SARIF 2.1.0, and CSV for different use cases
  • GitHub Security integration - SARIF output integrates with GitHub Security tab
  • Built-in rate limiting - Exponential backoff for large-scale scans

Features

CLI Commands

| Command | Description |
|---|---|
| scan | Scan repositories for compliance against policies |
| validate | Validate Cedar policy syntax |
| version | Display version information |

Repository Scanning

# Scan single organization
pipelineconductor scan --orgs myorg

# Scan multiple organizations
pipelineconductor scan --orgs org1,org2,org3

# Filter by language
pipelineconductor scan --orgs myorg --languages Go,Python

# Output to file with specific format
pipelineconductor scan --orgs myorg --output report.sarif --format sarif

Policy Engine

Cedar policy-as-code for defining CI/CD compliance rules:

// Permit deploy only when a CI workflow exists and it runs tests
permit(
    principal,
    action == Action::"deploy",
    resource
)
when {
    context.hasWorkflow == true &&
    context.workflowHasTests == true
};
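
A fail-closed variant of the policy above, added here as an example and not taken from PipelineConductor's own policies. It relies on standard Cedar semantics: a policy whose condition raises an evaluation error (such as reading an absent context attribute) is skipped, which is harmless for a `permit` under default-deny but silently disables a `forbid`. The attribute names are the two from the policy above; whether the scanner always populates them is an assumption, so each lookup is guarded with `has`.

```cedar
// Added example. hasWorkflow and workflowHasTests are the attribute names
// used in the release-notes policy; that they may be absent from the
// context is an assumption, so every lookup is guarded.

// Weak form (kept commented out): if the context lacks workflowHasTests,
// the condition errors, Cedar skips the policy, and the forbid never fires.
// forbid(principal, action == Action::"deploy", resource)
// when { context.workflowHasTests == false };

// Fail-closed form: "unless" inverts the test and "has" short-circuits
// before the attribute is read, so a missing attribute still forbids.
forbid(
    principal,
    action == Action::"deploy",
    resource
)
unless {
    context has hasWorkflow &&
    context has workflowHasTests &&
    context.hasWorkflow &&
    context.workflowHasTests
};

// Guarded permit: same rule as the policy above, but a missing attribute
// makes the condition false instead of raising an evaluation error.
permit(
    principal,
    action == Action::"deploy",
    resource
)
when {
    context has hasWorkflow &&
    context has workflowHasTests &&
    context.hasWorkflow &&
    context.workflowHasTests
};
```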

Built-in Profiles

| Profile | Go Versions | Platforms | Use Case |
|---|---|---|---|
| default | 1.24, 1.25 | Linux, macOS, Windows | Standard projects |
| modern | 1.25 | Linux, macOS | Latest features only |
| legacy | 1.12 | Linux | Older maintenance projects |

Output Formats

  • JSON - Machine-readable with full compliance details
  • Markdown - Human-readable with status icons
  • SARIF 2.1.0 - GitHub Security tab integration
  • CSV - Spreadsheet analysis

Installation

go install github.com/grokify/pipelineconductor/cmd/pipelineconductor@v0.1.0

Or build from source:

git clone https://github.com/grokify/pipelineconductor.git
cd pipelineconductor
go build -o pipelineconductor ./cmd/pipelineconductor

Dependencies

| Module | Version | Purpose |
|---|---|---|
| github.com/cedar-policy/cedar-go | v1.4.1 | Cedar policy evaluation |
| github.com/google/go-github/v82 | v82.0.0 | GitHub API client |
| github.com/grokify/gogithub | v0.7.0 | GitHub API helpers |
| github.com/grokify/mogo | v0.72.7 | HTTP retry transport |
| github.com/spf13/cobra | v1.10.2 | CLI framework |
| github.com/spf13/viper | v1.21.0 | Configuration management |

Documentation

Full documentation is available at:

What's Next

See Roadmap for planned features:

  • v0.2.0: Automated remediation via pull requests
  • v0.3.0: GitLab support
  • v0.4.0: Dashboard and trend analysis