feat: add git sparse checkout mode for batch scanning

.github/workflows/ci.yaml

@@ -11,6 +11,7 @@ permissions:
 
 jobs:
   build-and-test:
+    if: github.event.pull_request.head.repo.full_name == github.repository || github.event_name == 'push'
     runs-on: ubuntu-latest
     steps:
       - name: Checkout

.gitignore

@@ -7,6 +7,20 @@ dist/
 *.db-wal
 *.db-shm
 
+# Private research
+prompts/
+queries/
+scans/
+findings/
+reports/
+MEMORY.md
+SECURITY-BOUNDARIES.md
+*.sql
+
+# Environment and secrets
+.env
+.env.*
+
 # Editor/OS
 .DS_Store
 *.swp

CLAUDE.md

@@ -0,0 +1,42 @@
+# Fluxgate — Claude Code Instructions
+
+## Project
+
+Fluxgate is a CI/CD pipeline security static analysis tool. It scans GitHub Actions, GitLab CI, and Azure Pipelines workflow files for dangerous security patterns (pwn requests, script injection, OIDC misconfiguration, etc.).
+
+## Security Boundaries
+
+Before every push, ask: **"Does this commit contain anything that helps an attacker evade detection or identifies an unpatched target?"** If yes, do not push.
+
+Never commit to this public repo:
+- Prompt files, BigQuery queries, scan databases, triage briefs, or real scan output
+- Specific unpatched repo names in commits, code, or documentation
+- Disclosure tracking IDs (GHSA-*, VULN-*, HackerOne report numbers)
+- SECURITY-BOUNDARIES.md or any file describing what we consider sensitive
+
+Test fixtures must be synthetic — never copy real workflow files from scanned repos. When in doubt, keep it private.
+
+## Code Structure
+
+- `cmd/fluxgate/` — CLI entry point (cobra)
+- `internal/scanner/` — GitHub Actions parser, rules (FG-xxx), scanner orchestration
+- `internal/cicd/` — GitLab CI parser+rules (GL-xxx), Azure Pipelines parser+rules (AZ-xxx)
+- `internal/github/` — GitHub API client, batch scanning, discovery
+- `internal/report/` — Output formatters (table, JSON, SARIF, markdown)
+- `internal/store/` — SQLite persistence
+- `test/fixtures/` — Synthetic YAML fixtures for rule tests
+
+## Testing
+
+```bash
+go test ./...
+```
+
+All rules must have corresponding test fixtures and test functions in `*_test.go`.
+
+## Style
+
+- Go standard library style, no unnecessary abstractions
+- Rules are functions with signature `func(wf *Workflow) []Finding`
+- Platform-specific rules live in their parser package (internal/cicd/)
+- Bridge functions in scanner.go convert platform findings to common Finding type

README.md

@@ -22,13 +22,40 @@ go install github.com/north-echo/fluxgate/cmd/fluxgate@latest
 
 ## What It Detects
 
+### GitHub Actions (FG-xxx)
+
 | Rule    | Severity | Description |
 |---------|----------|-------------|
 | FG-001  | Critical | Pwn Request: pull_request_target with fork checkout |
-| FG-002  | High     | Script Injection via expression interpolation |
+| FG-002  | High     | Script Injection via expression interpolation (PR context, dispatch inputs, reusable workflow inputs) |
 | FG-003  | Medium   | Tag-based action pinning (mutable references) |
 | FG-004  | Medium   | Overly broad workflow permissions |
 | FG-005  | Low      | Secrets exposed in workflow logs |
+| FG-006  | Medium   | Fork PR code execution via build hooks |
+| FG-007  | Medium   | Inconsistent GITHUB_TOKEN blanking |
+| FG-008  | Critical | OIDC misconfiguration on external triggers |
+| FG-009  | High     | Self-hosted runner on external triggers |
+| FG-010  | High     | Cache poisoning via shared cache on PR workflows |
+| FG-011  | Medium   | Bot actor guard TOCTOU bypass risk |
+
+### GitLab CI (GL-xxx)
+
+| Rule    | Severity | Description |
+|---------|----------|-------------|
+| GL-001  | High     | Merge request pipeline with privileged variables |
+| GL-002  | High     | Script injection via CI predefined variables |
+| GL-003  | Medium   | Unpinned include templates |
+
+### Azure Pipelines (AZ-xxx)
+
+| Rule    | Severity | Description |
+|---------|----------|-------------|
+| AZ-001  | High     | Fork PR builds with secret/variable group exposure |
+| AZ-002  | High     | Script injection via Azure predefined variables |
+| AZ-003  | Medium   | Unpinned template extends and repository resources |
+| AZ-009  | High     | Self-hosted agent pools on PR-triggered pipelines |
+
+**21 rules across 3 CI/CD platforms.**
 
 ## Why This Exists
 

SECURITY.md

@@ -6,7 +6,7 @@ If you discover a security vulnerability in Fluxgate, please report it responsib
 
 ### Contact
 
-- **Email:** christopherdlusk@gmail.com
+- **Email:** clusk@northecho.dev
 - **GitHub Security Advisory:** Open a [GitHub Security Advisory](https://github.com/north-echo/fluxgate/security/advisories/new) on this repository.
 
 ### What to Include