@prodcycle/prodcycle
v0.6.6
Multi-framework policy-as-code compliance scanner for infrastructure and application code. Scans Terraform, Kubernetes, Docker, .env, and application source against SOC 2, HIPAA, and NIST CSF policies.
Features
- 3 compliance frameworks: SOC 2, HIPAA, NIST CSF
- Automated policy enforcement: Server-side OPA/Rego and Cedar evaluation engines
- Infrastructure scanning: Terraform, Kubernetes manifests, Dockerfiles, .env files
- Application code scanning: TypeScript, Python, Go, Java, Ruby
- CI/CD integration: CLI with SARIF output for GitHub Code Scanning
- Programmatic API: full TypeScript API for custom integrations
- Self-remediation: gate() function returns actionable remediation prompts
Installation
npm install -g @prodcycle/prodcycle
GitHub Packages (alternative)
echo "@prodcycle:registry=https://npm.pkg.github.com" >> .npmrc
npm login --scope=@prodcycle --registry=https://npm.pkg.github.com
npm install @prodcycle/prodcycle
Append to .npmrc with >> rather than > so an existing .npmrc (and any other registry settings in it) is not overwritten. npm login against GitHub Packages expects a GitHub personal access token with the read:packages scope as the password.
Quick Start
CLI
# Scan current directory against all 3 frameworks (default: soc2, hipaa, nist-csf).
# Auto-flips to SARIF in known CI environments so output drops into
# code-scanning dashboards without extra wiring.
prodcycle scan .
# Pin a specific framework or subset
prodcycle scan . --framework soc2,hipaa
prodcycle scan . --framework hipaa --severity-threshold high
# Explicit SARIF (overrides the CI auto-flip)
prodcycle scan . --format sarif --output results.sarif
# CI: scan only files changed in the PR
prodcycle scan . --pr origin/main..HEAD
# Auto-configure compliance hooks/instructions for your coding agents
# (Claude Code, Cursor, Codex, OpenCode, GitHub Copilot, Gemini CLI)
prodcycle init --agent all
# Scaffold a CI workflow that delegates to prodcycle/actions/compliance
prodcycle init --ci github # also: gitlab | circleci
Subcommands: scan (full repo scan), gate (JSON payload from stdin), hook (coding-agent post-edit hook), init (agent setup).
Programmatic API
import { scan, gate } from '@prodcycle/prodcycle';
// Full Repository Scan
const { report, findings, exitCode } = await scan({
repoPath: '/path/to/repo',
frameworks: ['soc2', 'hipaa'],
options: {
severityThreshold: 'high',
failOn: ['critical', 'high'],
},
});
console.log(`Found ${findings.length} findings`);
console.log(`Exit code: ${exitCode}`);
// Gate function (for coding agents)
const result = await gate({
files: {
'src/config.ts': 'export const DB_PASSWORD = "hardcoded-secret";',
'terraform/main.tf': 'resource "aws_s3_bucket" "data" { }',
},
frameworks: ['soc2', 'hipaa'],
});
if (!result.passed) {
console.log('Compliance issues found:');
console.log(result.prompt); // Pre-formatted remediation instructions
}
API Key
An API key is required for production use to authenticate with the ProdCycle service. Policy evaluation runs server-side, so scan and gate send the contents of the selected files to that service; bear this in mind for repositories with sensitive content. Set the key via environment variable:
export PC_API_KEY=pc_your_api_key_here
API keys are created in the ProdCycle dashboard. Keep the key out of the repository: in CI, store it as a masked secret and inject it as PC_API_KEY; locally, export it from your shell profile rather than from a committed .env file.
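The gate() API above is the building block for the post-edit and pre-commit hooks the CLI scaffolds. The following is an added example, not code from @prodcycle/prodcycle: it turns a list of changed files into a gate() payload, sends only the file kinds the Features list names as scannable, skips deleted, binary and oversized files, and maps the result to a hook exit code. The input and result shapes (GateInput, GateResult), the 256 KiB size cap and the file-type filter are assumptions based on this README, and the real gate() is injected so the selection logic runs without the package or an API key.

```typescript
// Added example for this page; not code from @prodcycle/prodcycle. It wraps the
// gate() API shown in the README in a pre-commit / coding-agent hook. The real
// gate() is injected so the helpers can run without the package or an API key.
import * as path from 'node:path';
import * as fs from 'node:fs';
import { execFileSync } from 'node:child_process';

// Shapes inferred from the README's gate() example (assumed, not the package's own types).
export interface GateInput { files: Record<string, string>; frameworks: string[] }
export interface GateResult { passed: boolean; prompt?: string }
export type GateFn = (input: GateInput) => Promise<GateResult>;

// Only the file kinds the README lists as scannable are sent; everything else is
// dropped so unrelated content never leaves the machine (evaluation is server-side).
const SCANNABLE_EXT = new Set(['.tf', '.yaml', '.yml', '.ts', '.py', '.go', '.java', '.rb']);
const SCANNABLE_NAME = /^(?:Dockerfile(?:\..+)?|\.env(?:\..+)?)$/;
const MAX_BYTES = 256 * 1024; // assumed per-file cap for the payload

export function isScannable(file: string): boolean {
  const base = path.basename(file);
  return SCANNABLE_NAME.test(base) || SCANNABLE_EXT.has(path.extname(base).toLowerCase());
}

// Build the gate() payload from a list of changed paths. `read` returns the file's
// bytes, or null if it no longer exists (deleted in the commit). Binary files (NUL
// byte present) and oversized files are skipped; `skipped` lets the hook report
// what it did not check instead of silently passing it.
export function buildPayload(
  changed: string[],
  read: (file: string) => Buffer | null,
  frameworks: string[],
): { payload: GateInput; skipped: string[] } {
  const files: Record<string, string> = {};
  const skipped: string[] = [];
  for (const file of changed) {
    if (!isScannable(file)) { skipped.push(file); continue; }
    const bytes = read(file);
    if (bytes === null || bytes.length > MAX_BYTES || bytes.includes(0)) { skipped.push(file); continue; }
    files[file] = bytes.toString('utf8');
  }
  return { payload: { files, frameworks }, skipped };
}

// Run the gate and turn the result into a hook exit code plus a message.
// An empty payload passes without contacting the service at all.
export async function runHook(
  changed: string[],
  read: (file: string) => Buffer | null,
  gate: GateFn,
  frameworks: string[] = ['soc2', 'hipaa', 'nist-csf'],
): Promise<{ exitCode: number; message: string }> {
  const { payload, skipped } = buildPayload(changed, read, frameworks);
  if (Object.keys(payload.files).length === 0) {
    return { exitCode: 0, message: 'no scannable files changed' };
  }
  const result = await gate(payload);
  const note = skipped.length ? `\n(not checked: ${skipped.join(', ')})` : '';
  if (result.passed) return { exitCode: 0, message: `compliance gate passed${note}` };
  return { exitCode: 1, message: `compliance gate failed:\n${result.prompt ?? ''}${note}` };
}

// Pre-commit entry point: staged files -> gate() from the real package. Run with --run.
async function main(): Promise<void> {
  const staged = execFileSync('git', ['diff', '--cached', '--name-only', '--diff-filter=ACMR'],
    { encoding: 'utf8' }).split('\n').filter(Boolean);
  const read = (f: string) => (fs.existsSync(f) ? fs.readFileSync(f) : null);
  const pkg = '@prodcycle/prodcycle'; // loaded dynamically so the helpers above work without it
  const { gate } = (await import(pkg)) as { gate: GateFn };
  const { exitCode, message } = await runHook(staged, read, gate);
  console.log(message);
  process.exit(exitCode);
}
if (process.argv.includes('--run')) main();
```

Wire it as a pre-commit hook with `npx tsx gate-hook.ts --run` (PC_API_KEY must be set in the environment). The skip list is deliberate: a hook that quietly drops files it cannot check gives a false sense of coverage, so the message names them.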
Requirements
- Node.js >= 24.0.0
License
MIT
