Releaseguard

v0.1.5

Scan, harden, sign, and verify release artifacts with ReleaseGuard — the artifact policy engine for dist/ and release/ outputs.

0· 332· 3 versions· 0 current· 0 all-time· Updated 10h ago· MIT-0

bySiri@asiridalugoda

Security Scans

VirusTotalSuspicious ClawScanBenign Static analysisBenign

Install

openclaw skills install releaseguard

ReleaseGuard Skill

ReleaseGuard is an artifact policy engine. Use it to scan build outputs for secrets, misconfigurations, and supply-chain risks; harden and fix them; generate SBOMs; sign artifacts; and verify release integrity.

Install ReleaseGuard

Preferred — Homebrew (macOS / Linux, no remote script execution):

brew install Helixar-AI/tap/releaseguard

Alternative — manual download from GitHub Releases (review before running):

# 1. Review the install script before executing:
curl -sSfL https://raw.githubusercontent.com/Helixar-AI/ReleaseGuard/main/scripts/install.sh | less

# 2. If satisfied, run it:
curl -sSfL https://raw.githubusercontent.com/Helixar-AI/ReleaseGuard/main/scripts/install.sh | sh

Alternative — direct binary download (no shell script):

# Replace VERSION, OS, and ARCH as appropriate (linux/darwin, amd64/arm64)
curl -sSfL https://github.com/Helixar-AI/ReleaseGuard/releases/latest/download/releaseguard-VERSION-OS-ARCH.tar.gz \
  | tar -xz releaseguard
sudo mv releaseguard /usr/local/bin/releaseguard

Note: The install script is MIT-licensed and open-source at https://github.com/Helixar-AI/ReleaseGuard/blob/main/scripts/install.sh Review it before executing in sensitive environments.

External Services

Some commands interact with external services. This is documented per-command below. No data is sent externally unless you explicitly invoke the relevant flag or mode:

Feature	External Service	Triggered by
CVE enrichment	OSV.dev (read-only, no auth)	`sbom --enrich-cve` or `vex`
Keyless signing	Sigstore / Fulcio (requires OIDC token)	`sign --mode keyless`
Cloud obfuscation	ReleaseGuard Cloud API	`obfuscate --level medium/aggressive`
SLSA Provenance L3	ReleaseGuard Cloud API	Cloud plan only

Credentials: Keyless signing requires an OIDC token (available in GitHub Actions, GitLab CI, etc.). Local signing requires a private key file you supply with --key. Cloud features require RELEASEGUARD_CLOUD_TOKEN. No credentials are used by default for check, fix, sbom, pack, report, or verify.

Commands

Check / Scan — `releaseguard check <path>`

Scan an artifact path and evaluate the release policy. No external network calls.

Trigger phrases: "scan", "check", "audit", "analyze release", "inspect dist", "any secrets", "find vulnerabilities"

releaseguard check <path>
releaseguard check <path> --format json
releaseguard check <path> --format sarif --out results.sarif
releaseguard check <path> --format markdown --out report.md

Default format: cli (human-readable)
Other formats: json, sarif, markdown, html
Exit code 0 = PASS, non-zero = FAIL

Fix — `releaseguard fix <path>`

Apply safe, deterministic hardening transforms. No external network calls.

Trigger phrases: "fix", "harden", "apply fixes", "remediate", "auto-fix release"

releaseguard fix <path>
releaseguard fix <path> --dry-run   # preview without applying

SBOM — `releaseguard sbom <path>`

Generate a Software Bill of Materials.

Trigger phrases: "sbom", "software bill of materials", "dependencies", "generate bom"

releaseguard sbom <path>                     # no network calls
releaseguard sbom <path> --format spdx
releaseguard sbom <path> --enrich-cve        # fetches CVE data from OSV.dev (read-only)

Default format: cyclonedx
--enrich-cve makes read-only requests to OSV.dev; no credentials required

Obfuscate — `releaseguard obfuscate <path>`

Apply obfuscation to release artifacts.

Trigger phrases: "obfuscate", "strip symbols", "protect binary"

releaseguard obfuscate <path> --level light   # OSS — no network calls
releaseguard obfuscate <path> --level medium  # requires RELEASEGUARD_CLOUD_TOKEN
releaseguard obfuscate <path> --dry-run

Levels:

none / light — local, no external calls (OSS)
medium / aggressive — calls ReleaseGuard Cloud API; requires RELEASEGUARD_CLOUD_TOKEN

Harden — `releaseguard harden <path>`

Full hardening pipeline: fix + obfuscate + DRM injection.

Trigger phrases: "full harden", "harden release", "full hardening pipeline"

releaseguard harden <path> --obfuscation light    # no network calls
releaseguard harden <path> --obfuscation medium   # requires RELEASEGUARD_CLOUD_TOKEN
releaseguard harden <path> --dry-run

Pack — `releaseguard pack <path>`

Package an artifact into a canonical archive. No external network calls.

Trigger phrases: "pack", "package artifact", "create archive"

releaseguard pack <path> --out release.tar.gz
releaseguard pack <path> --out release.zip --format zip

Sign — `releaseguard sign <artifact>`

Sign an artifact and its evidence bundle.

Trigger phrases: "sign", "cosign", "keyless sign", "sign artifact"

# Keyless (Sigstore/Fulcio) — requires OIDC token; use in CI environments
releaseguard sign <artifact> --mode keyless

# Local signing — no external calls; requires private key file
releaseguard sign <artifact> --mode local --key signing.key

keyless mode contacts Sigstore's Fulcio CA and Rekor transparency log
local mode is fully offline; key stays on disk

Attest — `releaseguard attest <artifact>`

Emit in-toto and SLSA provenance attestations.

Trigger phrases: "attest", "provenance", "slsa", "in-toto"

releaseguard attest <artifact>

Verify — `releaseguard verify <artifact>`

Verify artifact signatures and policy compliance. No credentials required for verification.

Trigger phrases: "verify", "check signature", "validate artifact"

releaseguard verify <artifact>

Report — `releaseguard report <path>`

Export a scan report. No external network calls.

Trigger phrases: "report", "export report", "compliance report"

releaseguard report <path> --format sarif --out results.sarif
releaseguard report <path> --format html --out report.html

VEX — `releaseguard vex <path>`

Enrich SBOM with VEX vulnerability data. Makes read-only requests to OSV.dev.

Trigger phrases: "vex", "vulnerability data", "enrich sbom"

releaseguard vex <path> --sbom .releaseguard/sbom.cdx.json --out vex.json

Typical Workflows

Quick scan (no network, no credentials)

releaseguard check ./dist

Full pipeline (CI with keyless signing)

releaseguard check ./dist
releaseguard fix ./dist
releaseguard sbom ./dist
releaseguard pack ./dist --out release.tar.gz
releaseguard sign release.tar.gz --mode keyless   # OIDC token required
releaseguard attest release.tar.gz
releaseguard verify release.tar.gz

Offline pipeline (no network, local key)

releaseguard check ./dist
releaseguard fix ./dist
releaseguard sbom ./dist
releaseguard pack ./dist --out release.tar.gz
releaseguard sign release.tar.gz --mode local --key signing.key

Configuration

releaseguard init   # creates .releaseguard.yml

# .releaseguard.yml
version: 2
scanning:
  exclude_paths:
    - test/fixtures
policy:
  fail_on: [critical, high]

Version tags

latestvk97camv5fp0ry5kf4tcs94ew5s83kvm1

Runtime requirements

Binsreleaseguard

Releaseguard

Security Scans

Install

ReleaseGuard Skill

Install ReleaseGuard

External Services

Commands

Check / Scan — releaseguard check <path>

Fix — releaseguard fix <path>

SBOM — releaseguard sbom <path>

Obfuscate — releaseguard obfuscate <path>

Harden — releaseguard harden <path>

Pack — releaseguard pack <path>

Sign — releaseguard sign <artifact>

Attest — releaseguard attest <artifact>

Verify — releaseguard verify <artifact>

Report — releaseguard report <path>

VEX — releaseguard vex <path>