chore: fix all lint errors, rewrite README, add release workflow

- Fix all 47 ruff lint errors (unused imports, ambiguous variables)
- Rewrite README.md documenting all 26 commands
- Add CI badges (CI status, license, Python version)
- Add PyPI release workflow with trusted publishing
- Remove stale roadmap (all items implemented)
- Fix GitHub URLs to kirankotari/ossguard

Author: kkotari

.github/workflows/release.yml

@@ -0,0 +1,61 @@
+name: Release to PyPI
+
+on:
+  push:
+    tags:
+      - "v*"
+
+permissions:
+  contents: write
+  id-token: write
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+      - run: pip install -e ".[dev]"
+      - run: pytest --tb=short -q
+
+  build:
+    needs: test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+      - run: pip install build
+      - run: python -m build
+      - uses: actions/upload-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+  publish:
+    needs: build
+    runs-on: ubuntu-latest
+    environment: pypi
+    permissions:
+      id-token: write
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist/
+      - uses: pypa/gh-action-pypi-publish@release/v1
+
+  github-release:
+    needs: publish
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@v4
+      - name: Create GitHub Release
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: gh release create "${{ github.ref_name }}" --generate-notes

README.md

@@ -1,24 +1,26 @@
-# ossguard
+# OSSGuard
 
 **One CLI to guard any OSS project with OpenSSF security best practices — bootstrap, scan, and monitor.**
 
-[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/0000/badge)](https://www.bestpractices.dev/)
+[![CI](https://github.com/kirankotari/ossguard/actions/workflows/ci.yml/badge.svg)](https://github.com/kirankotari/ossguard/actions/workflows/ci.yml)
+[![License: Apache-2.0](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](LICENSE)
+[![Python 3.9+](https://img.shields.io/badge/python-3.9%2B-blue.svg)](https://www.python.org/downloads/)
 
-> *ossguard implements OpenSSF best practices and is intended for future contribution to the OpenSSF community.*
+> *OSSGuard implements OpenSSF best practices and is intended for future contribution to the OpenSSF community.*
 
 ---
 
 ## The Problem
 
 The [OpenSSF](https://openssf.org/) ecosystem has 30+ excellent tools, frameworks, and guides for securing open source software — Scorecard, Sigstore, SLSA, SBOM, CodeQL, Dependabot, and more.
 
-But setting them all up manually takes **hours**. And once set up, there's no unified way to monitor your dependency health or track security posture over time.
+But setting them all up manually takes **hours**. And once set up, there's no unified way to monitor dependency health, track compliance, or assess supply-chain risk.
 
-**ossguard** solves this with a single CLI:
+**OSSGuard** solves this with **26 commands** covering the full security lifecycle:
 
 1. **Bootstrap** — set up all OpenSSF security configurations in one command
-2. **Scan** — audit your project's security posture
-3. **Deps** *(coming soon)* — analyze dependency health across Scorecard, OSV, and deps.dev
+2. **Analyze** — audit security posture, dependencies, vulnerabilities, and compliance
+3. **Remediate** — auto-fix issues, generate reports, and enforce policies
 
 ## Quick Start
 
@@ -32,115 +34,125 @@ ossguard init
 
 # Scan your project to see what's missing
 ossguard scan
+
+# Run a full security audit
+ossguard audit
+
+# Check OSPS Baseline compliance
+ossguard baseline
 ```
 
-## What It Does
+## Commands
 
-`ossguard init` auto-detects your project and creates:
+### Core
 
-| File | Purpose | OpenSSF Reference |
-|------|---------|-------------------|
-| `SECURITY.md` | Vulnerability disclosure policy | [CVD Guide](https://github.com/ossf/oss-vulnerability-guide) |
-| `.github/workflows/scorecard.yml` | Automated security scoring | [Scorecard](https://scorecard.dev/) |
-| `.github/dependabot.yml` | Dependency update automation | [Best Practices](https://best.openssf.org/) |
-| `.github/workflows/codeql.yml` | Code scanning for vulnerabilities | [Security Tooling WG](https://github.com/ossf/wg-security-tooling) |
-| `.github/workflows/sbom.yml` | Software Bill of Materials generation | [SBOM Everywhere](https://github.com/ossf/sbom-everywhere) |
-| `.github/workflows/sigstore.yml` | Cryptographic signing of releases | [Sigstore](https://sigstore.dev/) |
-| `.github/BRANCH_PROTECTION.md` | Branch protection setup guide | [SCM Best Practices](https://best.openssf.org/SCM-BestPractices/) |
+| Command | Description |
+|---------|-------------|
+| `ossguard init` | Bootstrap OpenSSF security configs (SECURITY.md, Scorecard, Dependabot, CodeQL, SBOM, Sigstore, branch protection) |
+| `ossguard scan` | Read-only security posture scan |
+| `ossguard version` | Show version |
 
-## Features
+### Dependency Analysis
 
-### Auto-Detection
-Automatically detects:
-- **Languages**: Python, JavaScript/TypeScript, Go, Rust, Java, C/C++, Ruby, PHP, C#, and more
-- **Package Managers**: npm, yarn, pnpm, pip, poetry, cargo, go modules, maven, gradle, etc.
-- **Frameworks**: React, Vue, Angular, Next.js, Django, Flask, FastAPI, Express, etc.
-- **Existing Security Setup**: Won't overwrite existing configurations
+| Command | Description |
+|---------|-------------|
+| `ossguard deps` | Dependency health analysis — vulns (OSV), outdated packages, risk scores (deps.dev) |
+| `ossguard drift` | SBOM diff between releases — detect added, removed, and changed dependencies |
+| `ossguard watch` | Continuous vulnerability monitoring from an SBOM (post-deployment watch) |
+| `ossguard tpn` | Generate third-party notices from project dependencies |
 
-### Smart Defaults
-- Scorecard workflow with weekly schedule and SARIF upload
-- Dependabot configured for your specific ecosystems
-- CodeQL with language-specific analysis and security-extended queries
-- SBOM in both SPDX and CycloneDX formats
-- Sigstore with Python-specific or generic cosign signing
-- SECURITY.md following OpenSSF CVD best practices
+### Security Analysis
 
-### Commands
+| Command | Description |
+|---------|-------------|
+| `ossguard audit` | Comprehensive security audit (scan + deps + reachability combined) |
+| `ossguard reach` | Filter vulnerabilities by runtime reachability (static import analysis) |
+| `ossguard secrets` | Scan for leaked credentials and secrets (24 detection rules) |
 
-```bash
-# Initialize with all defaults
-ossguard init
+### Compliance & Frameworks
 
-# Specify a project path
-ossguard init /path/to/project
+| Command | Description |
+|---------|-------------|
+| `ossguard baseline` | Check against OSPS Security Baseline (34 controls, Levels 1-3) |
+| `ossguard badge` | Assess readiness for the OpenSSF Best Practices Badge |
+| `ossguard slsa` | Assess SLSA Build Level (Levels 1-4, 12 requirements) |
+| `ossguard maturity` | S2C2F supply chain maturity assessment (22 practices, Levels 1-4) |
+| `ossguard license` | Dependency license compliance and conflict detection |
+| `ossguard policy` | Org-wide security policy enforcement (JSON config) |
 
-# Set security contact email
-ossguard init --email security@example.com
+### Supply Chain
 
-# Skip specific components
-ossguard init --skip-scorecard --skip-codeql
+| Command | Description |
+|---------|-------------|
+| `ossguard supply-chain` | Malicious package detection + typosquatting analysis |
+| `ossguard pin` | Pin GitHub Actions to commit SHAs (resolve tags to full SHAs) |
+| `ossguard update` | Security-prioritized dependency update suggestions |
 
-# Preview without writing files
-ossguard init --dry-run
+### Generation
 
-# Overwrite existing files
-ossguard init --force
+| Command | Description |
+|---------|-------------|
+| `ossguard insights` | Generate or validate SECURITY-INSIGHTS.yml |
+| `ossguard sbom-gen` | Generate local SBOM (SPDX 2.3 or CycloneDX 1.5) |
+| `ossguard ci` | Generate unified CI security pipeline (GitHub Actions) |
+| `ossguard report` | Export HTML or JSON compliance report |
+| `ossguard fuzz` | Fuzzing readiness check + starter harness generation (7 languages) |
 
-# Scan and report current security posture
-ossguard scan
-```
+### Container & Comparison
+
+| Command | Description |
+|---------|-------------|
+| `ossguard container` | Dockerfile security linting (12 rules) |
+| `ossguard compare` | Side-by-side security posture comparison of two projects |
+| `ossguard fix` | Auto-remediate common security issues |
 
-## Supported Languages
+## Auto-Detection
 
-| Language | CodeQL | Dependabot | Sigstore |
-|----------|--------|------------|----------|
-| Python | Yes | pip | Python-specific |
-| JavaScript/TypeScript | Yes | npm | Generic (cosign) |
-| Go | Yes | gomod | Generic (cosign) |
-| Java/Kotlin | Yes | maven/gradle | Generic (cosign) |
-| Rust | No | cargo | Generic (cosign) |
-| C/C++ | Yes | N/A | Generic (cosign) |
-| Ruby | Yes | bundler | Generic (cosign) |
-| C# | Yes | nuget | Generic (cosign) |
+OSSGuard automatically detects:
+
+- **Languages**: Python, JavaScript/TypeScript, Go, Rust, Java, C/C++, Ruby, PHP, C#
+- **Package Managers**: npm, yarn, pnpm, pip, poetry, cargo, go modules, maven, gradle
+- **Frameworks**: React, Vue, Angular, Next.js, Django, Flask, FastAPI, Express
+- **Existing Security Setup**: Won't overwrite existing configurations
+
+## What `ossguard init` Generates
+
+| File | Purpose | OpenSSF Reference |
+|------|---------|-------------------|
+| `SECURITY.md` | Vulnerability disclosure policy | [CVD Guide](https://github.com/ossf/oss-vulnerability-guide) |
+| `.github/workflows/scorecard.yml` | Automated security scoring | [Scorecard](https://scorecard.dev/) |
+| `.github/dependabot.yml` | Dependency update automation | [Best Practices](https://best.openssf.org/) |
+| `.github/workflows/codeql.yml` | Code scanning for vulnerabilities | [Security Tooling WG](https://github.com/ossf/wg-security-tooling) |
+| `.github/workflows/sbom.yml` | Software Bill of Materials generation | [SBOM Everywhere](https://github.com/ossf/sbom-everywhere) |
+| `.github/workflows/sigstore.yml` | Cryptographic signing of releases | [Sigstore](https://sigstore.dev/) |
+| `.github/BRANCH_PROTECTION.md` | Branch protection setup guide | [SCM Best Practices](https://best.openssf.org/SCM-BestPractices/) |
+
+## How It Relates to OpenSSF
+
+OSSGuard is **not** a replacement for any OpenSSF project. It's a **unifier** — it makes it trivially easy to adopt the best practices and tools that OpenSSF working groups have built:
+
+- **Best Practices WG** — SECURITY.md template, Best Practices Badge assessment
+- **Security Tooling WG** — CodeQL setup, SBOM generation, secret scanning
+- **Supply Chain Integrity WG** — Sigstore signing, SLSA assessment, S2C2F maturity
+- **Vulnerability Disclosures WG** — CVD-compliant SECURITY.md
+- **Securing Software Repos WG** — Dependabot, branch protection, GitHub Actions pinning
+- **OSPS Baseline** — Automated compliance checking across maturity levels
 
 ## Development
 
 ```bash
 # Clone and install
-git clone https://github.com/ossguard/ossguard.git
+git clone https://github.com/kirankotari/ossguard.git
 cd ossguard
 pip install -e ".[dev]"
 
 # Run tests
-pytest tests/ -v
+pytest
 
 # Lint
-ruff check src/
+ruff check src/ tests/
 ```
 
-## How It Relates to OpenSSF
-
-This tool is **not** a replacement for any OpenSSF project. It's a **unifier** — it makes it trivially easy to adopt the best practices and tools that OpenSSF working groups have built:
-
-- **Best Practices WG** → SECURITY.md template, Best Practices Badge tracking
-- **Security Tooling WG** → CodeQL setup, SBOM generation
-- **Supply Chain Integrity WG** → Sigstore signing, SLSA provenance
-- **Vulnerability Disclosures WG** → CVD-compliant SECURITY.md
-- **Securing Software Repos WG** → Dependabot, branch protection
-
-## Roadmap
-
-- [ ] `ossguard deps` — unified dependency health dashboard (Scorecard + OSV + deps.dev)
-- [ ] Interactive mode with questionary prompts
-- [ ] GitLab CI/CD support (in addition to GitHub Actions)
-- [ ] SLSA provenance workflow generation
-- [ ] OpenSSF Best Practices Badge auto-application
-- [ ] Allstar configuration generation
-- [ ] Pre-commit hooks for security linting
-- [ ] Language-specific security linters (bandit, eslint-plugin-security, gosec)
-- [ ] Renovate as an alternative to Dependabot
-- [ ] SBOM drift detection between releases
-
 ## Contributing
 
 Contributions are welcome! Please see [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.

src/ossguard/analyzers/badge.py

@@ -6,7 +6,6 @@
 from pathlib import Path
 
 from ossguard.detector import ProjectInfo, detect_project
-from ossguard.parsers.dependencies import parse_dependencies
 
 
 @dataclass
@@ -88,7 +87,6 @@ def assess_badge_readiness(project_path: str | Path) -> BadgeReport:
     met = sum(1 for c in criteria if c.status == "met")
     unmet = sum(1 for c in criteria if c.status == "unmet")
     unknown = sum(1 for c in criteria if c.status == "unknown")
-    total_assessable = met + unmet
     readiness = (met / len(criteria) * 100) if criteria else 0.0
 
     return BadgeReport(

src/ossguard/analyzers/baseline.py

@@ -2,7 +2,6 @@
 
 from __future__ import annotations
 
-import json
 from dataclasses import dataclass, field
 from pathlib import Path
 

src/ossguard/analyzers/drift.py

@@ -6,7 +6,7 @@
 
 from ossguard.apis.osv import OSVClient, VulnInfo
 from ossguard.parsers.dependencies import Dependency
-from ossguard.parsers.sbom import SBOMInfo, parse_sbom
+from ossguard.parsers.sbom import parse_sbom
 
 
 @dataclass

src/ossguard/analyzers/insights.py

@@ -2,7 +2,6 @@
 
 from __future__ import annotations
 
-import re
 from dataclasses import dataclass, field
 from datetime import datetime, timezone
 from pathlib import Path

src/ossguard/analyzers/license_check.py

@@ -3,9 +3,8 @@
 from __future__ import annotations
 
 from dataclasses import dataclass, field
-from pathlib import Path
 
-from ossguard.apis.deps_dev import DepsDevClient, PackageInfo
+from ossguard.apis.deps_dev import DepsDevClient
 from ossguard.parsers.dependencies import Dependency
 
 
@@ -173,8 +172,8 @@ def _detect_conflicts(
     if not project_license:
         # Can't check compatibility without knowing the project license
         # But we can still detect obviously problematic combinations
-        copyleft_deps = [l for l in licenses if l.category == "copyleft"]
-        permissive_deps = [l for l in licenses if l.category == "permissive"]
+        copyleft_deps = [lic for lic in licenses if lic.category == "copyleft"]
+        permissive_deps = [lic for lic in licenses if lic.category == "permissive"]
 
         if copyleft_deps and permissive_deps:
             for cp in copyleft_deps[:3]:

src/ossguard/analyzers/report.py

@@ -3,7 +3,6 @@
 from __future__ import annotations
 
 import json
-from datetime import datetime, timezone
 from pathlib import Path
 
 from ossguard.analyzers.audit import AuditReport, run_audit

src/ossguard/analyzers/supply_chain.py

@@ -6,7 +6,7 @@
 from dataclasses import dataclass, field
 from pathlib import Path
 
-from ossguard.apis.osv import OSVClient, VulnInfo
+from ossguard.apis.osv import OSVClient
 from ossguard.parsers.dependencies import Dependency, parse_dependencies