ReleaseGuard Skill
ReleaseGuard is an artifact policy engine. Use it to scan build outputs for secrets, misconfigurations, and supply-chain risks; harden and fix them; generate SBOMs; sign artifacts; and verify release integrity.
Install ReleaseGuard
Preferred — Homebrew (macOS / Linux, no remote script execution):
```bash
brew install Helixar-AI/tap/releaseguard
```
Alternative — manual download from GitHub Releases (review before running):
```bash
# 1. Review the install script before executing it:
curl -sSfL https://raw.githubusercontent.com/Helixar-AI/ReleaseGuard/main/scripts/install.sh | less
# 2. If it looks right, run it:
curl -sSfL https://raw.githubusercontent.com/Helixar-AI/ReleaseGuard/main/scripts/install.sh | sh
```
Alternative — direct binary download (no shell script):
```bash
# Replace VERSION, OS and ARCH with the appropriate values (linux/darwin, amd64/arm64)
curl -sSfL https://github.com/Helixar-AI/ReleaseGuard/releases/latest/download/releaseguard-VERSION-OS-ARCH.tar.gz \
  | tar -xz releaseguard
sudo mv releaseguard /usr/local/bin/releaseguard
```
Note: The install script is MIT-licensed and open-source at
https://github.com/Helixar-AI/ReleaseGuard/blob/main/scripts/install.sh
Review it before executing in sensitive environments.
External Services
Some commands interact with external services. This is documented per-command below. No data is sent externally unless you explicitly invoke the relevant flag or mode:
| Feature | External Service | Triggered by |
|---|---|---|
| CVE enrichment | OSV.dev (read-only, no auth) | `sbom --enrich-cve` or `vex` |
| Keyless signing | Sigstore / Fulcio (requires OIDC token) | `sign --mode keyless` |
| Cloud obfuscation | ReleaseGuard Cloud API | `obfuscate --level medium/aggressive` |
| SLSA Provenance L3 | ReleaseGuard Cloud API | Cloud plan only |
Credentials: Keyless signing requires an OIDC token (available in GitHub Actions, GitLab CI, etc.). Local signing requires a private key file you supply with --key. Cloud features require RELEASEGUARD_CLOUD_TOKEN. No credentials are used by default for check, fix, sbom, pack, report, or verify.
Commands
Check / Scan — releaseguard check <path>
Scan an artifact path and evaluate the release policy. No external network calls.
Trigger phrases: "scan", "check", "audit", "analyze release", "inspect dist", "any secrets", "find vulnerabilities"
```bash
releaseguard check <path>
releaseguard check <path> --format json
releaseguard check <path> --format sarif --out results.sarif
releaseguard check <path> --format markdown --out report.md
```
- Default format: `cli` (human-readable)
- Other formats: `json`, `sarif`, `markdown`, `html`
- Exit code 0 = PASS, non-zero = FAIL
Fix — releaseguard fix <path>
Apply safe, deterministic hardening transforms. No external network calls.
Trigger phrases: "fix", "harden", "apply fixes", "remediate", "auto-fix release"
```bash
releaseguard fix <path>
releaseguard fix <path> --dry-run   # preview without applying
```
SBOM — releaseguard sbom <path>
Generate a Software Bill of Materials.
Trigger phrases: "sbom", "software bill of materials", "dependencies", "generate bom"
```bash
releaseguard sbom <path>                # no network calls
releaseguard sbom <path> --format spdx
releaseguard sbom <path> --enrich-cve   # fetches CVE data from OSV.dev (read-only)
```
- Default format: `cyclonedx`
- `--enrich-cve` makes read-only requests to OSV.dev; no credentials required
Obfuscate — releaseguard obfuscate <path>
Apply obfuscation to release artifacts.
Trigger phrases: "obfuscate", "strip symbols", "protect binary"
```bash
releaseguard obfuscate <path> --level light    # OSS, no network calls
releaseguard obfuscate <path> --level medium   # requires RELEASEGUARD_CLOUD_TOKEN
releaseguard obfuscate <path> --dry-run
```
Levels:
- `none` / `light` — local, no external calls (OSS)
- `medium` / `aggressive` — calls ReleaseGuard Cloud API; requires `RELEASEGUARD_CLOUD_TOKEN`
Harden — releaseguard harden <path>
Full hardening pipeline: fix + obfuscate + DRM injection.
Trigger phrases: "full harden", "harden release", "full hardening pipeline"
```bash
releaseguard harden <path> --obfuscation light    # no network calls
releaseguard harden <path> --obfuscation medium   # requires RELEASEGUARD_CLOUD_TOKEN
releaseguard harden <path> --dry-run
```
Pack — releaseguard pack <path>
Package an artifact into a canonical archive. No external network calls.
Trigger phrases: "pack", "package artifact", "create archive"
```bash
releaseguard pack <path> --out release.tar.gz
releaseguard pack <path> --out release.zip --format zip
```
Sign — releaseguard sign <artifact>
Sign an artifact and its evidence bundle.
Trigger phrases: "sign", "cosign", "keyless sign", "sign artifact"
```bash
# Keyless signing (Sigstore/Fulcio): requires an OIDC token; use in CI
releaseguard sign <artifact> --mode keyless
# Local signing: no external calls; requires a private key file
releaseguard sign <artifact> --mode local --key signing.key
```
- `keyless` mode contacts Sigstore's Fulcio CA and Rekor transparency log
- `local` mode is fully offline; key stays on disk
Attest — releaseguard attest <artifact>
Emit in-toto and SLSA provenance attestations.
Trigger phrases: "attest", "provenance", "slsa", "in-toto"
```bash
releaseguard attest <artifact>
```
Verify — releaseguard verify <artifact>
Verify artifact signatures and policy compliance. No credentials required for verification.
Trigger phrases: "verify", "check signature", "validate artifact"
```bash
releaseguard verify <artifact>
```
Report — releaseguard report <path>
Export a scan report. No external network calls.
Trigger phrases: "report", "export report", "compliance report"
```bash
releaseguard report <path> --format sarif --out results.sarif
releaseguard report <path> --format html --out report.html
```
VEX — releaseguard vex <path>
Enrich SBOM with VEX vulnerability data. Makes read-only requests to OSV.dev.
Trigger phrases: "vex", "vulnerability data", "enrich sbom"
```bash
releaseguard vex <path> --sbom .releaseguard/sbom.cdx.json --out vex.json
```
Typical Workflows
Quick scan (no network, no credentials)
```bash
releaseguard check ./dist
```
Full pipeline (CI with keyless signing)
```bash
releaseguard check ./dist
releaseguard fix ./dist
releaseguard sbom ./dist
releaseguard pack ./dist --out release.tar.gz
releaseguard sign release.tar.gz --mode keyless   # requires an OIDC token
releaseguard attest release.tar.gz
releaseguard verify release.tar.gz
```
Offline pipeline (no network, local key)
```bash
releaseguard check ./dist
releaseguard fix ./dist
releaseguard sbom ./dist
releaseguard pack ./dist --out release.tar.gz
releaseguard sign release.tar.gz --mode local --key signing.key
```
Configuration
```bash
releaseguard init   # creates .releaseguard.yml
```
```yaml
# .releaseguard.yml
version: 2
scanning:
  exclude_paths:
    - test/fixtures
policy:
  fail_on: [critical, high]
```
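A policy gate over an enriched SBOM, as an added example that is not ReleaseGuard's own code: it reads a CycloneDX document like the one `sbom --enrich-cve` or `vex` writes under `.releaseguard/`, and fails when any vulnerability's worst rating is in the `fail_on` list from `.releaseguard.yml`. The sample SBOM is constructed, and it is an assumption that ReleaseGuard's enriched output uses the standard CycloneDX `vulnerabilities` array.

```python
import json
from typing import Any, Dict, List

# Constructed sample of an enriched CycloneDX SBOM, the kind of input `releaseguard sbom
# --enrich-cve` or `releaseguard vex` produces. The `vulnerabilities` layout follows the
# CycloneDX 1.4+ JSON schema; that ReleaseGuard emits exactly this shape is an assumption.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"bom-ref": "pkg:npm/example-lib@1.0.0", "name": "example-lib", "version": "1.0.0"},
        {"bom-ref": "pkg:npm/example-util@2.3.4", "name": "example-util", "version": "2.3.4"},
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-VULN-1",  # constructed id, not a real advisory
         "affects": [{"ref": "pkg:npm/example-lib@1.0.0"}],
         "ratings": [{"severity": "medium"}, {"severity": "high"}]},
        {"id": "EXAMPLE-VULN-2",
         "affects": [{"ref": "pkg:npm/example-util@2.3.4"}],
         "ratings": [{"severity": "low"}]},
    ],
})

POLICY_FAIL_ON = ["critical", "high"]  # mirrors policy.fail_on in .releaseguard.yml

# CycloneDX severity enum, most severe first; values outside it rank last.
SEVERITY_ORDER = ["critical", "high", "medium", "low", "info", "none", "unknown"]

def severity_rank(severity: str) -> int:
    s = severity.lower()
    return SEVERITY_ORDER.index(s) if s in SEVERITY_ORDER else len(SEVERITY_ORDER)

def worst_severity(vuln: Dict[str, Any]) -> str:
    # The most severe rating wins; a vulnerability with no ratings counts as "unknown".
    severities = [r.get("severity", "unknown") for r in vuln.get("ratings", [])] or ["unknown"]
    return min(severities, key=severity_rank).lower()

def evaluate_sbom(sbom_json: str, fail_on: List[str]) -> Dict[str, Any]:
    """Gate an SBOM against a fail_on list; returns {"pass": bool, "violations": [...]}."""
    sbom = json.loads(sbom_json)
    blocked = {s.lower() for s in fail_on}
    violations = []
    for vuln in sbom.get("vulnerabilities", []):
        sev = worst_severity(vuln)
        if sev in blocked:
            violations.append({"id": vuln.get("id", "<no id>"), "severity": sev,
                               "affects": [a.get("ref") for a in vuln.get("affects", [])]})
    return {"pass": not violations, "violations": violations}
```

In CI, run it after `releaseguard sbom ./dist --enrich-cve`, feed it the written SBOM file, and exit non-zero when `pass` is false, matching the 0 = PASS, non-zero = FAIL contract that `check` uses.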