feat: add Docker, standalone binaries, and Homebrew distribution

- Add multi-stage Dockerfile + .dockerignore
- Add GitHub Actions workflow for Docker image on ghcr.io
- Add PyInstaller workflow for macOS/Linux/Windows binaries on release
- Add Homebrew formula
- Update README with all installation methods (PyPI, pipx, binaries, Homebrew, Docker)
- Add PyPI and Docker badges

Author: kirankotari

.dockerignore

@@ -0,0 +1,10 @@
+.git
+.github
+.pytest_cache
+.ruff_cache
+.venv
+__pycache__
+*.egg-info
+dist
+build
+.env

.github/workflows/binaries.yml

@@ -0,0 +1,87 @@
+name: Build Standalone Binaries
+
+on:
+  push:
+    tags: ["v*"]
+
+permissions:
+  contents: write
+
+jobs:
+  build:
+    strategy:
+      matrix:
+        include:
+          - os: ubuntu-latest
+            artifact: ossguard-linux-amd64
+            pyinstaller_args: ""
+          - os: macos-latest
+            artifact: ossguard-macos-arm64
+            pyinstaller_args: ""
+          - os: windows-latest
+            artifact: ossguard-windows-amd64.exe
+            pyinstaller_args: ""
+
+    runs-on: ${{ matrix.os }}
+
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: actions/setup-python@v6
+        with:
+          python-version: "3.12"
+
+      - name: Install dependencies
+        run: |
+          pip install -e .
+          pip install pyinstaller
+
+      - name: Build binary
+        run: |
+          pyinstaller --onefile --name ossguard --clean \
+            --hidden-import ossguard.analyzers \
+            --hidden-import ossguard.generators \
+            --hidden-import ossguard.parsers \
+            --hidden-import ossguard.apis \
+            --collect-submodules ossguard \
+            src/ossguard/cli.py
+        shell: bash
+
+      - name: Rename artifact
+        run: |
+          if [ "${{ runner.os }}" = "Windows" ]; then
+            mv dist/ossguard.exe "dist/${{ matrix.artifact }}"
+          else
+            mv dist/ossguard "dist/${{ matrix.artifact }}"
+          fi
+        shell: bash
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v7
+        with:
+          name: ${{ matrix.artifact }}
+          path: dist/${{ matrix.artifact }}
+
+  release:
+    needs: build
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Download all artifacts
+        uses: actions/download-artifact@v8
+
+      - name: Generate checksums
+        run: |
+          mkdir -p release
+          for dir in ossguard-*; do
+            cp "$dir"/* release/ 2>/dev/null || true
+          done
+          cd release
+          sha256sum * > checksums-sha256.txt
+
+      - name: Upload to GitHub Release
+        uses: softprops/action-gh-release@v2
+        with:
+          files: release/*
+          fail_on_unmatched_files: false

.github/workflows/docker.yml

@@ -0,0 +1,50 @@
+name: Docker
+
+on:
+  push:
+    branches: [main]
+    tags: ["v*"]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GitHub Container Registry
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/${{ github.repository }}
+          tags: |
+            type=ref,event=branch
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=sha
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

Dockerfile

@@ -0,0 +1,29 @@
+FROM python:3.12-slim AS builder
+
+WORKDIR /app
+COPY pyproject.toml README.md LICENSE ./
+COPY src/ src/
+
+RUN pip install --no-cache-dir build && \
+    python -m build --wheel && \
+    pip install --no-cache-dir dist/*.whl
+
+FROM python:3.12-slim
+
+LABEL org.opencontainers.image.source="https://github.com/kirankotari/ossguard"
+LABEL org.opencontainers.image.description="One CLI to guard any OSS project with OpenSSF security best practices"
+LABEL org.opencontainers.image.licenses="Apache-2.0"
+
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends git && \
+    rm -rf /var/lib/apt/lists/*
+
+COPY --from=builder /usr/local/lib/python3.12/site-packages /usr/local/lib/python3.12/site-packages
+COPY --from=builder /usr/local/bin/ossguard /usr/local/bin/ossguard
+
+RUN useradd --create-home ossguard
+USER ossguard
+WORKDIR /project
+
+ENTRYPOINT ["ossguard"]
+CMD ["--help"]

Formula/ossguard.rb

@@ -0,0 +1,16 @@
+class Ossguard < Formula
+  desc "One CLI to guard any OSS project with OpenSSF security best practices"
+  homepage "https://github.com/kirankotari/ossguard"
+  url "https://github.com/kirankotari/ossguard/archive/refs/tags/v0.1.0.tar.gz"
+  license "Apache-2.0"
+
+  depends_on "python@3.12"
+
+  def install
+    virtualenv_install_with_resources
+  end
+
+  test do
+    assert_match "ossguard", shell_output("#{bin}/ossguard version")
+  end
+end

README.md

@@ -3,6 +3,8 @@
 **One CLI to guard any OSS project with OpenSSF security best practices — bootstrap, scan, and monitor.**
 
 [![CI](https://github.com/kirankotari/ossguard/actions/workflows/ci.yml/badge.svg)](https://github.com/kirankotari/ossguard/actions/workflows/ci.yml)
+[![PyPI](https://img.shields.io/pypi/v/ossguard)](https://pypi.org/project/ossguard/)
+[![Docker](https://ghcr-badge.egpl.dev/kirankotari/ossguard/latest_tag?trim=major&label=docker)](https://github.com/kirankotari/ossguard/pkgs/container/ossguard)
 [![License: Apache-2.0](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](LICENSE)
 [![Python 3.9+](https://img.shields.io/badge/python-3.9%2B-blue.svg)](https://www.python.org/downloads/)
 
@@ -22,12 +24,53 @@ But setting them all up manually takes **hours**. And once set up, there's no un
 2. **Analyze** — audit security posture, dependencies, vulnerabilities, and compliance
 3. **Remediate** — auto-fix issues, generate reports, and enforce policies
 
-## Quick Start
+## Installation
+
+### PyPI (recommended)
 
 ```bash
-# Install
 pip install ossguard
 
+# Or with pipx (isolated install)
+pipx install ossguard
+```
+
+### Standalone Binaries (no Python required)
+
+Download pre-built binaries from [GitHub Releases](https://github.com/kirankotari/ossguard/releases):
+
+```bash
+# macOS (Apple Silicon)
+curl -L https://github.com/kirankotari/ossguard/releases/latest/download/ossguard-macos-arm64 -o ossguard
+chmod +x ossguard && sudo mv ossguard /usr/local/bin/
+
+# Linux (x86_64)
+curl -L https://github.com/kirankotari/ossguard/releases/latest/download/ossguard-linux-amd64 -o ossguard
+chmod +x ossguard && sudo mv ossguard /usr/local/bin/
+```
+
+### Homebrew
+
+```bash
+brew install kirankotari/tap/ossguard
+```
+
+### Docker
+
+```bash
+# Scan current directory
+docker run --rm -v "$(pwd):/project" ghcr.io/kirankotari/ossguard scan
+
+# Bootstrap OpenSSF configs
+docker run --rm -v "$(pwd):/project" ghcr.io/kirankotari/ossguard init
+
+# Any command works
+docker run --rm -v "$(pwd):/project" ghcr.io/kirankotari/ossguard audit
+```
+
+## Quick Start
+
+```bash
 # Bootstrap your project with all OpenSSF best practices
 cd your-project
 ossguard init