Adding Action to publish to GitHub Packages

.dockerignore

@@ -0,0 +1,105 @@
+# Git files
+.git
+.gitignore
+.gitattributes
+
+# GitHub
+.github
+
+# Python cache
+__pycache__
+*.py[cod]
+*$py.class
+*.so
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# Virtual environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Testing
+.tox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+.hypothesis/
+.pytest_cache/
+test-results/
+
+# IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+.DS_Store
+
+# Documentation
+docs/_build/
+*.md
+!README.md
+
+# Local development files
+*.log
+*.db
+*.sqlite
+*.sqlite3
+.env.example
+
+# Jupyter
+.ipynb_checkpoints
+
+# Temporary files
+tmp/
+temp/
+*.tmp
+
+# Docker
+docker-compose.yml
+Dockerfile
+dockerfile
+.dockerignore
+
+# CI/CD
+.travis.yml
+.gitlab-ci.yml
+azure-pipelines.yml
+
+# Other
+*.bak
+*.backup
+page/
+examples_dashboard.py
+demo_dashboard.py
+setup.sh
+run_dashboard.bat
+run_dashboard.ps1
+CNAME
+CHANGELOG.md
+CLAUDE.md
+CONTRIBUTING.md
+PROJECT.md

.github/workflows/README.md

@@ -30,13 +30,60 @@ The main continuous integration workflow with three sequential jobs:
 - Builds Python distribution packages (sdist and wheel)
 - Uploads build artifacts
 
-### 2. File Size Check (filesize.yml)
+### 2. Security Scan (security-scan.yml)
+**Trigger:** Push and Pull Requests to `main` and `develop` branches, Daily schedule (2 AM UTC), Manual dispatch
+
+Comprehensive security scanning with multiple jobs:
+
+#### Trivy Repository Scan
+- Scans filesystem for vulnerabilities in dependencies
+- Checks for CRITICAL, HIGH, and MEDIUM severity issues
+- Uploads results to GitHub Security tab (SARIF format)
+
+#### Trivy Config Scan
+- Scans configuration files for security misconfigurations
+- Checks Dockerfiles, GitHub Actions, and other config files
+
+#### Dependency Review
+- Reviews dependency changes in pull requests
+- Fails on high severity vulnerabilities
+- Posts summary comments on PRs
+
+#### Python Safety Check
+- Runs safety check on Python dependencies
+- Identifies known security vulnerabilities in packages
+
+### 3. Docker Build & Publish (docker-publish.yml)
+**Trigger:** Push to `main`, Version tags (v*.*.*), Pull Requests to `main`, Releases, Manual dispatch
+
+Builds and publishes Docker images to GitHub Container Registry (ghcr.io):
+
+#### Build and Push Job
+- Builds Docker image using BuildKit
+- Pushes to GitHub Container Registry (ghcr.io/dewitt4/llmguardian)
+- Supports multi-architecture builds (linux/amd64, linux/arm64)
+- Tags images with:
+  - Branch name (e.g., `main`)
+  - Semantic version (e.g., `v1.0.0`, `1.0`, `1`)
+  - Git SHA (e.g., `main-abc1234`)
+  - `latest` for main branch
+- For PRs: Only builds, doesn't push
+- Runs Trivy vulnerability scan on published images
+- Generates artifact attestation for supply chain security
+
+#### Test Image Job
+- Pulls published image
+- Validates image can run
+- Checks image size
+
+### 4. File Size Check (filesize.yml)
 **Trigger:** Pull Requests to `main` branch, Manual dispatch
 
 - Checks for large files (>10MB) to ensure compatibility with HuggingFace Spaces
 - Helps prevent repository bloat
+- Posts warnings on PRs for large files
 
-### 3. HuggingFace Sync (huggingface.yml)
+### 5. HuggingFace Sync (huggingface.yml)
 **Trigger:** Push to `main` branch, Manual dispatch
 
 - Syncs repository to HuggingFace Spaces
@@ -55,12 +102,29 @@ This project has migrated from CircleCI to GitHub Actions. The new CI workflow p
 
 ## Required Secrets
 
-- `HF_TOKEN`: HuggingFace token for syncing to Spaces (optional, only needed if using HuggingFace sync)
+### GitHub Container Registry
+- No additional secrets needed - uses `GITHUB_TOKEN` automatically provided by GitHub Actions
+
+### HuggingFace (Optional)
+- `HF_TOKEN`: HuggingFace token for syncing to Spaces (only needed if using HuggingFace sync)
+
+### Codecov (Optional)
+- Coverage reports will upload anonymously, but you can configure `CODECOV_TOKEN` for private repos
+
+## Permissions
+
+The workflows use the following permissions:
+
+- **CI Workflow**: `contents: read`
+- **Security Scan**: `contents: read`, `security-events: write`
+- **Docker Publish**: `contents: read`, `packages: write`, `id-token: write`
+- **File Size Check**: `contents: read`, `pull-requests: write`
 
 ## Local Testing
 
 To run the same checks locally before pushing:
 
+### Code Quality & Tests
 ```bash
 # Install development dependencies
 pip install -e ".[dev,test]"
@@ -76,4 +140,61 @@ pytest tests/ --cov=src --cov-report=term
 
 # Build package
 python -m build
-```
+```
+
+### Security Scanning
+```bash
+# Install Trivy (macOS)
+brew install trivy
+
+# Install Trivy (Linux)
+wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
+echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
+sudo apt-get update && sudo apt-get install trivy
+
+# Run Trivy scans
+trivy fs . --severity CRITICAL,HIGH,MEDIUM
+trivy config .
+
+# Run Safety check
+pip install safety
+safety check
+```
+
+### Docker Build & Test
+```bash
+# Build Docker image
+docker build -f docker/dockerfile -t llmguardian:local .
+
+# Run container
+docker run -p 8000:8000 -p 8501:8501 llmguardian:local
+
+# Scan Docker image with Trivy
+trivy image llmguardian:local
+
+# Test image
+docker run --rm llmguardian:local python -c "import llmguardian; print(llmguardian.__version__)"
+```
+
+## Using Published Docker Images
+
+Pull and run the latest published image:
+
+```bash
+# Pull latest image
+docker pull ghcr.io/dewitt4/llmguardian:latest
+
+# Run API server
+docker run -p 8000:8000 ghcr.io/dewitt4/llmguardian:latest
+
+# Run dashboard
+docker run -p 8501:8501 ghcr.io/dewitt4/llmguardian:latest streamlit run src/llmguardian/dashboard/app.py
+
+# Run with environment variables
+docker run -p 8000:8000 \
+  -e LOG_LEVEL=DEBUG \
+  -e SECURITY_RISK_THRESHOLD=8 \
+  ghcr.io/dewitt4/llmguardian:latest
+```
+
+See `docker/README.md` for more Docker usage examples.

.github/workflows/docker-publish.yml

@@ -0,0 +1,134 @@
+name: Docker Build & Publish
+
+on:
+  push:
+    branches: [ main ]
+    tags:
+      - 'v*.*.*'
+  pull_request:
+    branches: [ main ]
+  workflow_dispatch:
+  release:
+    types: [published]
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  build-and-push:
+    name: Build and Push Docker Image
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+    
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+    
+    - name: Log in to GitHub Container Registry
+      uses: docker/login-action@v3
+      with:
+        registry: ${{ env.REGISTRY }}
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+    
+    - name: Extract metadata (tags, labels) for Docker
+      id: meta
+      uses: docker/metadata-action@v5
+      with:
+        images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+        tags: |
+          type=ref,event=branch
+          type=ref,event=pr
+          type=semver,pattern={{version}}
+          type=semver,pattern={{major}}.{{minor}}
+          type=semver,pattern={{major}}
+          type=sha,prefix={{branch}}-
+          type=raw,value=latest,enable={{is_default_branch}}
+    
+    - name: Build Docker image (PR)
+      if: github.event_name == 'pull_request'
+      uses: docker/build-push-action@v5
+      with:
+        context: .
+        file: ./docker/dockerfile
+        push: false
+        tags: ${{ steps.meta.outputs.tags }}
+        labels: ${{ steps.meta.outputs.labels }}
+        cache-from: type=gha
+        cache-to: type=gha,mode=max
+    
+    - name: Build and push Docker image
+      if: github.event_name != 'pull_request'
+      uses: docker/build-push-action@v5
+      with:
+        context: .
+        file: ./docker/dockerfile
+        push: true
+        tags: ${{ steps.meta.outputs.tags }}
+        labels: ${{ steps.meta.outputs.labels }}
+        cache-from: type=gha
+        cache-to: type=gha,mode=max
+        platforms: linux/amd64,linux/arm64
+    
+    - name: Run Trivy vulnerability scanner on image
+      if: github.event_name != 'pull_request'
+      uses: aquasecurity/trivy-action@master
+      with:
+        image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}
+        format: 'sarif'
+        output: 'trivy-image-results.sarif'
+        severity: 'CRITICAL,HIGH'
+    
+    - name: Upload Trivy scan results to GitHub Security tab
+      if: github.event_name != 'pull_request'
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: 'trivy-image-results.sarif'
+    
+    - name: Generate artifact attestation
+      if: github.event_name != 'pull_request'
+      uses: actions/attest-build-provenance@v1
+      with:
+        subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+        subject-digest: ${{ steps.meta.outputs.digest }}
+        push-to-registry: true
+
+  test-image:
+    name: Test Docker Image
+    runs-on: ubuntu-latest
+    needs: build-and-push
+    if: github.event_name != 'pull_request'
+    permissions:
+      contents: read
+      packages: read
+    
+    steps:
+    - name: Log in to GitHub Container Registry
+      uses: docker/login-action@v3
+      with:
+        registry: ${{ env.REGISTRY }}
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+    
+    - name: Pull Docker image
+      run: |
+        docker pull ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+    
+    - name: Test Docker image
+      run: |
+        docker run --rm ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest python -c "import llmguardian; print(llmguardian.__version__)"
+    
+    - name: Check image size
+      run: |
+        docker images ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest --format "{{.Size}}"

.github/workflows/security-scan.yml

@@ -0,0 +1,121 @@
+name: Security Scan
+
+on:
+  push:
+    branches: [ main, develop ]
+  pull_request:
+    branches: [ main, develop ]
+  schedule:
+    # Run security scan daily at 2 AM UTC
+    - cron: '0 2 * * *'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  trivy-repo-scan:
+    name: Trivy Repository Scan
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+    
+    - name: Run Trivy vulnerability scanner in repo mode
+      uses: aquasecurity/trivy-action@master
+      with:
+        scan-type: 'fs'
+        scan-ref: '.'
+        format: 'sarif'
+        output: 'trivy-results.sarif'
+        severity: 'CRITICAL,HIGH,MEDIUM'
+        ignore-unfixed: true
+    
+    - name: Upload Trivy results to GitHub Security tab
+      uses: github/codeql-action/upload-sarif@v3
+      if: always()
+      with:
+        sarif_file: 'trivy-results.sarif'
+    
+    - name: Run Trivy vulnerability scanner (table output)
+      uses: aquasecurity/trivy-action@master
+      with:
+        scan-type: 'fs'
+        scan-ref: '.'
+        format: 'table'
+        severity: 'CRITICAL,HIGH,MEDIUM'
+        ignore-unfixed: true
+
+  trivy-config-scan:
+    name: Trivy Config Scan
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+    
+    - name: Run Trivy config scanner
+      uses: aquasecurity/trivy-action@master
+      with:
+        scan-type: 'config'
+        scan-ref: '.'
+        format: 'sarif'
+        output: 'trivy-config-results.sarif'
+        exit-code: '0'
+    
+    - name: Upload Trivy config results to GitHub Security tab
+      uses: github/codeql-action/upload-sarif@v3
+      if: always()
+      with:
+        sarif_file: 'trivy-config-results.sarif'
+
+  dependency-review:
+    name: Dependency Review
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+    permissions:
+      contents: read
+      pull-requests: write
+    
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+    
+    - name: Dependency Review
+      uses: actions/dependency-review-action@v4
+      with:
+        fail-on-severity: high
+        comment-summary-in-pr: true
+
+  python-safety-check:
+    name: Python Safety Check
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+    
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: '3.11'
+        cache: 'pip'
+    
+    - name: Install safety
+      run: pip install safety
+    
+    - name: Run safety check
+      run: |
+        pip install -r requirements.txt
+        safety check --json
+      continue-on-error: true

.gitignore

@@ -167,3 +167,4 @@ cython_debug/
 CNAME
 CLAUDE.md
 PROJECT.md
+GITHUB_ACTIONS_SUMMARY.md

docker/README.md

@@ -1 +1,160 @@
-# Docker configuration
+# Docker Configuration
+
+This directory contains Docker configuration for LLMGuardian.
+
+## Quick Start
+
+### Using Pre-built Images from GitHub Container Registry
+
+Pull and run the latest image:
+
+```bash
+docker pull ghcr.io/dewitt4/llmguardian:latest
+docker run -p 8000:8000 -p 8501:8501 ghcr.io/dewitt4/llmguardian:latest
+```
+
+### Building Locally
+
+Build the Docker image:
+
+```bash
+docker build -f docker/dockerfile -t llmguardian:local .
+```
+
+Run the container:
+
+```bash
+docker run -p 8000:8000 -p 8501:8501 llmguardian:local
+```
+
+## Available Tags
+
+- `latest` - Latest stable release from main branch
+- `v*.*.*` - Specific version tags (e.g., v1.0.0)
+- `main` - Latest commit on main branch
+- `develop` - Latest commit on develop branch
+
+## Environment Variables
+
+Configure the container using environment variables:
+
+```bash
+docker run -p 8000:8000 \
+  -e SECURITY_RISK_THRESHOLD=8 \
+  -e LOG_LEVEL=DEBUG \
+  -e API_SERVER_PORT=8000 \
+  ghcr.io/dewitt4/llmguardian:latest
+```
+
+See `.env.example` in the root directory for all available environment variables.
+
+## Exposed Ports
+
+- `8000` - API Server
+- `8501` - Dashboard (Streamlit)
+
+## Volume Mounts
+
+Mount volumes for persistent data:
+
+```bash
+docker run -p 8000:8000 \
+  -v $(pwd)/logs:/app/logs \
+  -v $(pwd)/data:/app/data \
+  ghcr.io/dewitt4/llmguardian:latest
+```
+
+## Docker Compose (Example)
+
+Create a `docker-compose.yml` file:
+
+```yaml
+version: '3.8'
+
+services:
+  llmguardian-api:
+    image: ghcr.io/dewitt4/llmguardian:latest
+    ports:
+      - "8000:8000"
+    environment:
+      - LOG_LEVEL=INFO
+      - SECURITY_RISK_THRESHOLD=7
+    volumes:
+      - ./logs:/app/logs
+      - ./data:/app/data
+    restart: unless-stopped
+
+  llmguardian-dashboard:
+    image: ghcr.io/dewitt4/llmguardian:latest
+    command: ["streamlit", "run", "src/llmguardian/dashboard/app.py"]
+    ports:
+      - "8501:8501"
+    environment:
+      - DASHBOARD_PORT=8501
+      - DASHBOARD_HOST=0.0.0.0
+    depends_on:
+      - llmguardian-api
+    restart: unless-stopped
+```
+
+Run with:
+
+```bash
+docker-compose up -d
+```
+
+## Health Check
+
+The container includes a health check endpoint:
+
+```bash
+curl http://localhost:8000/health
+```
+
+## Security Scanning
+
+All published images are automatically scanned with Trivy for vulnerabilities. Check the [Security tab](https://github.com/dewitt4/LLMGuardian/security) for scan results.
+
+## Multi-Architecture Support
+
+Images are built for both AMD64 and ARM64 architectures:
+
+```bash
+# Automatically pulls the correct architecture
+docker pull ghcr.io/dewitt4/llmguardian:latest
+```
+
+## Troubleshooting
+
+### Permission Issues
+
+If you encounter permission issues with volume mounts:
+
+```bash
+docker run --user $(id -u):$(id -g) \
+  -v $(pwd)/logs:/app/logs \
+  ghcr.io/dewitt4/llmguardian:latest
+```
+
+### View Logs
+
+```bash
+docker logs <container-id>
+```
+
+### Interactive Shell
+
+```bash
+docker run -it --entrypoint /bin/bash ghcr.io/dewitt4/llmguardian:latest
+```
+
+## CI/CD Integration
+
+Images are automatically built and published via GitHub Actions:
+
+- **On push to main**: Builds and publishes `latest` tag
+- **On version tags**: Builds and publishes version-specific tags
+- **On pull requests**: Builds image but doesn't publish
+- **Daily security scans**: Automated Trivy scans
+
+See `.github/workflows/docker-publish.yml` for workflow details.

docker/dockerfile

@@ -0,0 +1,48 @@
+# LLMGuardian Docker Image
+FROM python:3.11-slim
+
+# Set environment variables
+ENV PYTHONUNBUFFERED=1 \
+    PYTHONDONTWRITEBYTECODE=1 \
+    PIP_NO_CACHE_DIR=1 \
+    PIP_DISABLE_PIP_VERSION_CHECK=1
+
+# Set working directory
+WORKDIR /app
+
+# Install system dependencies
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    gcc \
+    git \
+    && rm -rf /var/lib/apt/lists/*
+
+# Copy requirements files
+COPY requirements/ /app/requirements/
+COPY requirements.txt /app/
+
+# Install Python dependencies
+RUN pip install --upgrade pip && \
+    pip install -r requirements.txt
+
+# Copy source code
+COPY src/ /app/src/
+COPY setup.py /app/
+COPY pyproject.toml /app/
+COPY README.md /app/
+COPY LICENSE /app/
+
+# Install the package
+RUN pip install -e .
+
+# Create necessary directories
+RUN mkdir -p /app/logs /app/data /app/.cache
+
+# Expose ports for API and Dashboard
+EXPOSE 8000 8501
+
+# Add health check
+HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
+    CMD python -c "import requests; requests.get('http://localhost:8000/health')" || exit 1
+
+# Default command (can be overridden)
+CMD ["python", "-m", "llmguardian.api.app"]

src/llmguardian/api/routes.py

@@ -9,6 +9,12 @@ from .security import verify_token
 router = APIRouter()
 
 
+@router.get("/health")
+async def health_check():
+    """Health check endpoint for container orchestration"""
+    return {"status": "healthy", "service": "llmguardian"}
+
+
 @router.post("/scan", response_model=SecurityResponse)
 async def scan_content(request: SecurityRequest, token: str = Depends(verify_token)):
     try: