diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..23d74c7
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,50 @@
+# Continuous integration — runs on every push to main and every PR.
+# Catches regressions early so the Release workflow on tag push doesn't
+# surprise us with a red test run when we least want it.
+
+name: CI
+
+on:
+ push:
+ branches: [ main, 'v2-*' ]
+ pull_request:
+ branches: [ main ]
+
+permissions:
+ contents: read
+
+jobs:
+ test:
+ name: Test & vet
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ go-version: [ '1.21' ]
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Set up Go ${{ matrix.go-version }}
+ uses: actions/setup-go@v5
+ with:
+ go-version: ${{ matrix.go-version }}
+
+ - name: Cache Go modules
+ uses: actions/cache@v4
+ with:
+ path: |
+ ~/.cache/go-build
+ ~/go/pkg/mod
+ key: ${{ runner.os }}-go-${{ matrix.go-version }}-${{ hashFiles('**/go.sum') }}
+
+ - name: Verify modules
+ run: go mod verify
+
+ - name: Build
+ run: go build ./...
+
+ - name: Vet
+ run: go vet ./...
+
+ - name: Test (race detector)
+ run: go test ./... -race -timeout 180s
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..cf39dcb
--- /dev/null
+++ b/.github/workflows/release.yml
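Review bot: Every `uses:` line in this workflow references a mutable tag (`actions/checkout@v4`, `actions/setup-go@v5`, `actions/cache@v4`), so the code that runs in the job can change without any commit to this repository. Pinning each action to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4` (placeholder, not a real SHA), makes the run reproducible and lets Dependabot or Renovate propose reviewed bumps. The same applies to release.yml, where `goreleaser/goreleaser-action@v6` runs with a `contents: write` token, so a moved tag there would have direct access to release publishing. The Checkout step could also set `persist-credentials: false`, since no later step in this job pushes to the repository.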
@@ -0,0 +1,85 @@
+# Release workflow — runs on any tag that starts with 'v' (e.g. v2.0.0-rc1).
+#
+# Responsibilities:
+# 1. Run the full test suite with the race detector.
+# 2. Build and publish binaries for macOS / Linux / Windows (amd64 + arm64)
+# via goreleaser-action.
+# 3. Attach them to a GitHub Release whose body comes from .goreleaser.yml
+# headers + CHANGELOG entries.
+#
+# What you need:
+# - Nothing beyond the default GITHUB_TOKEN that Actions provides. goreleaser
+# uses it to create the release.
+#
+# To cut a new release locally:
+# git tag -a v2.0.0-rc1 -m "v2.0.0 RC1"
+# git push origin v2.0.0-rc1
+# Then watch the run under "Actions → Release".
+
+name: Release
+
+on:
+ push:
+ tags:
+ - 'v*'
+
+permissions:
+ contents: write # goreleaser needs this to create the release + upload assets.
+
+jobs:
+ test:
+ name: Test with race detector
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Set up Go
+ uses: actions/setup-go@v5
+ with:
+ go-version: '1.21'
+
+ - name: Cache Go modules
+ uses: actions/cache@v4
+ with:
+ path: |
+ ~/.cache/go-build
+ ~/go/pkg/mod
+ key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+ restore-keys: |
+ ${{ runner.os }}-go-
+
+ - name: Verify modules
+ run: go mod verify
+
+ - name: Vet
+ run: go vet ./...
+
+ - name: Test (race detector)
+ run: go test ./... -race -timeout 180s
+
+ release:
+ name: Build & publish binaries
+ needs: test
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Set up Go
+ uses: actions/setup-go@v5
+ with:
+ go-version: '1.21'
+
+ - name: Run goreleaser
+ uses: goreleaser/goreleaser-action@v6
+ with:
+ distribution: goreleaser
+ version: '~> v2'
+ args: release --clean
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.gitignore b/.gitignore
index ef3863b..6671699 100644
--- a/.gitignore
+++ b/.gitignore
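Review bot: The workflow-level `permissions: contents: write` also applies to the `test` job, which only runs `go mod verify`, `go vet` and `go test` and never needs to write; with checkout's default credential persistence, test code and dependency test helpers execute next to a write-capable token. Setting `contents: read` at the top level and adding `permissions:` with `contents: write` under the `release` job alone keeps the write scope on the one job that publishes. Separately, `actions/setup-go@v5` restores a Go cache by default and the `test` job adds a `restore-keys` prefix fallback, so the published binaries can be built on top of cache entries written by other workflow runs. Adding `cache: false` to the `release` job's setup-go step would make the release build start clean.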
@@ -38,11 +38,21 @@ go.work.sum *.txt /results/ /output/ +# Scan artifacts anywhere in the tree (defence in depth) +gods-eye-*.json +gods-eye-*.stderr +scan-*.json +scan-*.csv +report-*.json +findings-*.json # Sensitive files secrets.yaml config.local.yaml .env.* +god-eye.yaml +.god-eye.yaml +/.god-eye/ # Logs *.log @@ -51,3 +61,15 @@ config.local.yaml # OS files .DS_Store Thumbs.db + +# Editor / IDE / AI-agent local state +.idea/ +.vscode/ +# Claude Code working notes — intentionally NOT public +CLAUDE.md +.claude/ +.cursor/ +.cursorrules + +# Benchmark captures with potentially sensitive output +BENCHMARK-SCANME.local.md diff --git a/.goreleaser.yml b/.goreleaser.yml new file mode 100644 index 0000000..97c1510 --- /dev/null +++ b/.goreleaser.yml 
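Review bot: The new scan-artifact patterns `gods-eye-*.json` and `gods-eye-*.stderr` in the first hunk are spelled with an extra `s` compared with the binary and config names used everywhere else in this commit (`god-eye`, `god-eye.yaml`, `/.god-eye/`). If the tool or its wrapper scripts write output as `god-eye-*.json`, those files are not matched and scan results could still be staged by accident; confirm the real output prefix and add `god-eye-*.json` / `god-eye-*.stderr` if both spellings occur. In the second hunk, the `CLAUDE.md` and `.claude/` entries only stop future adds, so if any copy is already tracked it would still need `git rm --cached` to leave the index.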
@@ -0,0 +1,114 @@
+# goreleaser config for God's Eye v2+
+# Docs: https://goreleaser.com/intro/
+#
+# Local dry-run: goreleaser release --snapshot --clean --skip=publish
+# Full release: triggered by a 'v*' tag push, handled by .github/workflows/release.yml
+
+version: 2
+
+project_name: god-eye
+
+before:
+ hooks:
+ - go mod tidy
+
+builds:
+ - id: god-eye
+ main: ./cmd/god-eye
+ binary: god-eye
+ env:
+ - CGO_ENABLED=0
+ flags:
+ - -trimpath
+ ldflags:
+ - -s -w
+ goos:
+ - linux
+ - darwin
+ - windows
+ goarch:
+ - amd64
+ - arm64
+ # Skip combinations that aren't worth shipping — windows/arm64 rarely used,
+ # Go users who need it can `go install`.
+ ignore:
+ - goos: windows
+ goarch: arm64
+
+archives:
+ - id: default
+ name_template: >-
+ {{ .ProjectName }}_{{ .Version }}_
+ {{- if eq .Os "darwin" }}macOS
+ {{- else if eq .Os "linux" }}Linux
+ {{- else if eq .Os "windows" }}Windows
+ {{- else }}{{ .Os }}{{ end }}_
+ {{- if eq .Arch "amd64" }}x86_64
+ {{- else if eq .Arch "arm64" }}arm64
+ {{- else }}{{ .Arch }}{{ end }}
+ format_overrides:
+ - goos: windows
+ format: zip
+ files:
+ - README.md
+ - CHANGELOG.md
+ - LICENSE
+ - SECURITY.md
+ - AI_SETUP.md
+
+checksum:
+ name_template: 'checksums.txt'
+ algorithm: sha256
+
+snapshot:
+ version_template: '{{ incpatch .Version }}-next'
+
+changelog:
+ # We curate the GitHub Release notes from CHANGELOG.md manually; goreleaser's
+ # auto-commit-log groupings add noise on top of that.
+ disable: true
+
+release:
+ github:
+ owner: Vyntral
+ name: god-eye
+ # Release Candidates (v2.0.0-rc1, rc2...) are pre-releases. Final v2.0.0
+ # is not. goreleaser detects '-rc', '-beta', '-alpha' suffixes automatically.
+ prerelease: auto
+ draft: false
+ name_template: "God's Eye {{ .Tag }}"
+ header: |
+ ## God's Eye `{{ .Tag }}`
+
+ AI-powered attack-surface discovery & offensive security — single Go binary, terminal-only, zero cloud.
+
+ **Full changelog**: see [CHANGELOG.md](https://github.com/Vyntral/god-eye/blob/main/CHANGELOG.md).
+
+ footer: |
+ ---
+
+ ### Install
+
+ Grab the binary for your platform from the assets below, or build from source:
+
+ ```bash
+ git clone https://github.com/Vyntral/god-eye && cd god-eye
+ go build -o god-eye ./cmd/god-eye
+ ./god-eye
+ ```
+
+ ### Verify checksums
+
+ ```bash
+ sha256sum -c checksums.txt
+ ```
+
+ ### First run
+
+ Zero flags launches the interactive wizard — picks your AI tier, downloads Ollama models, validates your target, runs the scan with live event stream.
+
+ ```bash
+ ./god-eye
+ ```
+
+ Full walkthrough: [README.md](https://github.com/Vyntral/god-eye/blob/main/README.md) · 14 recipes in [EXAMPLES.md](https://github.com/Vyntral/god-eye/blob/main/EXAMPLES.md).
diff --git a/assets/ai-verbose.gif b/assets/ai-verbose.gif
new file mode 100644
index 0000000..432c5aa
Binary files /dev/null and b/assets/ai-verbose.gif differ
diff --git a/assets/demo-ai.gif b/assets/demo-ai.gif
deleted file mode 100644
index 06a265f..0000000
Binary files a/assets/demo-ai.gif and /dev/null differ
diff --git a/assets/demo.gif b/assets/demo.gif
deleted file mode 100644
index e751bb2..0000000
Binary files a/assets/demo.gif and /dev/null differ
diff --git a/assets/live-scan.gif b/assets/live-scan.gif
new file mode 100644
index 0000000..9f6714b
Binary files /dev/null and b/assets/live-scan.gif differ
diff --git a/assets/wizard-demo.gif b/assets/wizard-demo.gif
new file mode 100644
index 0000000..537de7a
Binary files /dev/null and b/assets/wizard-demo.gif differ
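Review bot: The `checksum` block publishes an unsigned `checksums.txt`, and the footer's `sha256sum -c checksums.txt` step checks archives against a file served from the same release, so it detects corruption but not a replaced release asset. For a security tool it is worth signing the checksum file (goreleaser's `signs:` section with `artifacts: checksum`) or publishing build provenance, and telling users in the footer how to verify it. As written the command also reports an error for every archive the user did not download; `sha256sum --ignore-missing -c checksums.txt` checks only the files that are present. Separately, the `before.hooks` entry `go mod tidy` can change `go.mod`/`go.sum` at release time after the `test` job has already passed, so a tidy check in CI would be a safer place for it.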