Deploy security controls to any project in one command
Security that auto-fixes problems instead of just complaining about them
Created by Albert Hui (albert@securityronin.com)
Supports Rust, Node.js, Python, Go, and generic projects with 35+ security controls including pre-push validation, CI/CD workflows, and GitHub security features.
Executive Briefing | Documentation | Architecture
Pre-push validation:
- Secret detection - Blocks API keys, passwords, tokens
- Vulnerability scanning - Catches known security issues
- Code quality checks - Language-specific linting
- Test validation - Ensures tests pass before push
- Supply chain security - SHA pinning, dependency validation
CI/CD workflows:
- Static analysis - SAST with CodeQL and Trivy
- Dependency auditing - Automated vulnerability detection
- Security reporting - SBOM generation and metrics
- Compliance checking - License and policy validation
GitHub security features:
- Renovate - Automated dependency updates with automerge
- Secret scanning - Repository-wide credential detection
- Branch protection - Enforce security policies
- Security advisories - Vulnerability disclosure workflow
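The pre-push secret detection listed above is a hook that inspects what is about to leave the machine. The following is an added example in bash, not the project's own hook: it reads git's pre-push ref lines from stdin, diffs each range being pushed, and blocks only when an added line matches a credential pattern. The pattern list is a constructed starter set and the `secret-scan:allow` marker is this example's own convention, not something the project defines.

```bash
#!/usr/bin/env bash
# Added example, not the project's own pre-push hook: block a push whose
# ADDED lines look like credentials. The pattern list is a constructed
# starter set, and "secret-scan:allow" is this example's own marker.
set -eu

# "<name> <extended regex>" per line; the first word is the name.
SECRET_PATTERNS='aws_access_key AKIA[0-9A-Z]{16}
github_token gh[pousr]_[A-Za-z0-9]{36}
slack_token xox[baprs]-[0-9A-Za-z-]{10,}
private_key -----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----'

# Read a unified diff on stdin. Only added lines are checked (removing a
# leaked secret must not be blocked); lines tagged secret-scan:allow are
# skipped so test fixtures can be whitelisted explicitly and visibly.
# Prints "<name>: <line>" per hit; returns 1 if anything matched, else 0.
scan_diff_for_secrets() {
  local added name regex matches found=0
  added=$(grep '^+' | grep -v '^+++ ' | grep -v 'secret-scan:allow' || true)
  [ -n "$added" ] || return 0
  while read -r name regex; do
    matches=$(printf '%s\n' "$added" | grep -E -- "$regex" || true)
    if [ -n "$matches" ]; then
      found=1
      printf '%s\n' "$matches" | sed "s/^+/${name}: /"
    fi
  done <<EOF
$SECRET_PATTERNS
EOF
  return "$found"
}

# git feeds a pre-push hook one "<local ref> <local sha> <remote ref> <remote sha>"
# line per ref on stdin; scan the commit range each one would publish.
prepush_hook() {
  local zero='0000000000000000000000000000000000000000'
  local local_ref local_sha remote_ref remote_sha base status=0
  while read -r local_ref local_sha remote_ref remote_sha; do
    if [ "$local_sha" = "$zero" ]; then continue; fi     # deleting a remote branch
    if [ "$remote_sha" = "$zero" ]; then
      base=$(git hash-object -t tree /dev/null)           # new branch: diff from the empty tree
    else
      base="$remote_sha"
    fi
    if ! git diff "$base" "$local_sha" | scan_diff_for_secrets; then
      echo "pre-push: possible secret in ${local_ref}; push blocked" >&2
      status=1
    fi
  done
  return "$status"
}

# Install: copy this file to .git/hooks/pre-push, chmod +x, and add a final
# line "prepush_hook" so git runs the gate on every push.
```

Scanning only added lines matters: a commit that removes a leaked key must be allowed through, and a pattern-only scanner that looked at the whole diff would block exactly the fix you want. The explicit allow marker keeps false positives (documented example keys, fixtures) reviewable in the diff instead of silently suppressed.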
Security that works like a UK power plug - impossible to do wrong, automatic to do right.
Our DMMT principle means:
- Auto-fixes instead of errors - We fix SHA pinning automatically, not just complain
- Zero configuration required - Sensible defaults that work immediately
- One command, comprehensive security - No manual setup or integration
- Invisible when working - Security runs in the background, visible only when needed
- Graceful degradation - Partial features are better than complete failure
Example: instead of "Error: Action not pinned", you see "Auto-pinned actions/checkout@v4 → @08eba0b2".
This isn't just convenient - it's security through design. Like the UK plug that physically prevents incorrect insertion, we make insecure practices impossible rather than merely discouraged.
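How an auto-pinning fix of the kind described above can be done, as an added example in bash (not the installer's own code): it rewrites `uses: owner/repo@tag` lines to the tag's commit SHA with the original tag kept as a trailing comment, leaves already-pinned, local (`./path`) and `docker://` actions alone, and degrades gracefully (warn and keep the line) when a ref cannot be resolved. `resolve_action_ref` uses `git ls-remote` and needs network access; the resolver is a parameter so the rewrite itself can be exercised offline with a constructed mapping. The function names and the `# <tag>` comment convention are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not 1-click-github-sec's own installer code): pin GitHub
# Actions to commit SHAs automatically instead of failing on unpinned refs.
set -eu

# True if the ref is already a full 40-hex commit SHA.
is_pinned_ref() {
  case "$1" in *[!0-9a-f]*) return 1 ;; esac
  [ "${#1}" -eq 40 ]
}

# Resolve a tag or branch of a GitHub repo to its commit SHA (needs network).
# An annotated tag also lists a peeled "ref^{}" entry; prefer it so the pin
# is the commit, not the tag object.
resolve_action_ref() {
  local repo="$1" ref="$2"
  git ls-remote "https://github.com/${repo}.git" \
      "refs/tags/${ref}" "refs/tags/${ref}^{}" "refs/heads/${ref}" 2>/dev/null |
    awk '$2 ~ /\^\{\}$/ { peeled = $1 } $2 !~ /\^\{\}$/ && !sha { sha = $1 }
         END { if (peeled) print peeled; else if (sha) print sha }'
}

# Rewrite one workflow line. "uses: owner/repo[/path]@<tag-or-branch>" becomes
# "uses: owner/repo[/path]@<sha> # <tag-or-branch>". Already-pinned refs, local
# actions (./path) and docker:// images pass through unchanged. $2 names the
# resolver (repo ref -> sha) so the rewrite can be exercised offline.
pin_uses_line() {
  local line="$1" resolver="${2:-resolve_action_ref}"
  local pat prefix action ref rest repo sha trimmed
  pat='^\([[:space:]]*-\{0,1\}[[:space:]]*uses:[[:space:]]*\)\([A-Za-z0-9_-][A-Za-z0-9_.-]*/[A-Za-z0-9_./-]\{1,\}\)@\([^[:space:]#]\{1,\}\)\(.*\)$'
  prefix=$(printf '%s\n' "$line" | sed -n "s|$pat|\1|p")
  if [ -z "$prefix" ]; then printf '%s\n' "$line"; return 0; fi
  action=$(printf '%s\n' "$line" | sed -n "s|$pat|\2|p")
  ref=$(printf '%s\n' "$line" | sed -n "s|$pat|\3|p")
  rest=$(printf '%s\n' "$line" | sed -n "s|$pat|\4|p")
  if is_pinned_ref "$ref"; then printf '%s\n' "$line"; return 0; fi
  repo="${action%%/*}/$(printf '%s' "${action#*/}" | cut -d/ -f1)"
  sha=$("$resolver" "$repo" "$ref" 2>/dev/null || true)
  if ! is_pinned_ref "$sha"; then
    # Graceful degradation: warn and keep the line rather than abort the run.
    echo "WARN could not resolve ${action}@${ref}; left unpinned" >&2
    printf '%s\n' "$line"; return 0
  fi
  trimmed="${rest#"${rest%%[![:space:]]*}"}"
  case "$trimmed" in '#'*|'') rest='' ;; esac   # drop an old comment; we write our own
  echo "Auto-pinned ${action}@${ref} -> @$(printf '%s' "$sha" | cut -c1-8)" >&2
  printf '%s%s@%s # %s%s\n' "$prefix" "$action" "$sha" "$ref" "$rest"
}

# Rewrite a workflow file in place, one line at a time.
pin_workflow_file() {
  local file="$1" resolver="${2:-resolve_action_ref}" tmp line
  tmp=$(mktemp)
  while IFS= read -r line || [ -n "$line" ]; do
    pin_uses_line "$line" "$resolver"
  done < "$file" > "$tmp"
  mv "$tmp" "$file"
}

# Usage: pin_workflow_file .github/workflows/ci.yml
```

Two details worth keeping when adapting this: annotated tags must be resolved through the peeled `^{}` entry, otherwise you pin the tag object rather than the commit GitHub Actions will check out; and the human-readable tag is preserved as a trailing comment so reviewers and Renovate-style updaters can still see which version the SHA stands for.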
Install security controls in your project:

```bash
# Download installer and SLSA provenance (-L follows GitHub's redirect to the asset host)
curl -fLO https://github.com/h4x0r/1-click-github-sec/releases/download/v0.7.0/install-security-controls.sh
curl -fLO https://github.com/h4x0r/1-click-github-sec/releases/download/v0.7.0/multiple.intoto.jsonl

# VERIFY with SLSA provenance (cryptographic proof of authenticity)
# Install slsa-verifier: https://github.com/slsa-framework/slsa-verifier#installation
# --source-tag binds the provenance to this exact release, not just to the repository
slsa-verifier verify-artifact \
  --provenance-path multiple.intoto.jsonl \
  --source-uri github.com/h4x0r/1-click-github-sec \
  --source-tag v0.7.0 \
  install-security-controls.sh

# Install only if the verifier exited 0
chmod +x install-security-controls.sh
./install-security-controls.sh
```

Python projects: activate your environment first for optimal tool installation:

```bash
# conda/miniconda
conda activate myproject

# pyenv/asdf/mise
pyenv local 3.11.0  # or: mise use python@3.11

# virtual environment
source venv/bin/activate

# Then run installer
./install-security-controls.sh
```

That's it! Your project now has comprehensive security controls with cryptographic verification.
No configuration files to edit. No tools to manually install. No documentation to read. It just works.
Why verify? Every release ships with signed SLSA Build Level 3 provenance, an attestation that the artifact was built by the project's release workflow from the stated source repository and tag. A download that was tampered with or substituted fails `slsa-verifier`, so the check above should gate the `chmod`/run step. Learn more in the Cryptographic Verification guide.
Visit the Documentation Site
- Quick Start - Get running in 5 minutes
- Installation Guide - Detailed setup instructions
- Upgrading Guide - Upgrade to latest version (v0.9.0+ features config-driven workflow generation)
- Security Architecture - How everything works
- GitHub Enterprise vs Free - Feature availability and alternatives
- Complete Signing Guide - 4-mode setup, GPG vs gitsign, verification
- Cryptographic Verification - Advanced verification procedures
- Contributing Guide - Development setup
- Repository Security & Quality Assurance - This repo's implementation
- Design Principles - Architectural decisions
- Executive Briefing - Strategic evaluation for CTOs, VPs, Directors
This repository demonstrates "dogfooding plus" - it uses enhanced security controls beyond what it installs:
| Feature | What Installer Gives You | What This Repository Has | 
|---|---|---|
| Pre-push Controls | 24 universal security checks | 24 security checks + 5 development-specific | 
| CI/CD Workflows | Optional installation | 6 specialized development workflows | 
| GitHub Security | Automated setup | Enhanced with custom policies | 
| Documentation | Installation guides | Complete documentation site + development controls documentation | 
| Cryptographic Signing | Optional setup | All commits & releases signed | 
Bottom line: We use an enhanced version of what we provide to others, proving it works in production.
- Report Issues - Bug reports and feature requests
- Documentation - Comprehensive guides and references
- Releases - Download latest version
- Contributing - Help improve the project
Licensed under the Apache License, Version 2.0. See LICENSE for details.
Secure by default. Simple by design. Verified by cryptography.
