Smithy is a framework for building, automating, and standardizing security workflows, without drowning in dashboards or duct-taped scripts.
Security teams today juggle dozens of tools. Each is great at one thing, but none is built to work with the others. Smithy solves this by letting you:
- Define workflows as code
- Integrate any tool with a simple SDK
- Normalize outputs into OCSF for consistent reporting
- Automate triaging, reporting or remedial actions with reusable, testable components
- Validate security controls for DevSecOps and GRC programs
- Use or contribute open workflows built by the community
Whether you're managing cloud gremlins, AppSec scanners, compliance checks or evidence gathering, Smithy helps teams automate what matters—without building brittle glue code, because your bash scripts hate you.
# Example: Run SAST, SCA, Secrets and IaC scanning

```yaml
name: basic-devsecops
description: do the devsecops thing, look mum, i'm shifting left
components:
  - component: ghcr.io/smithy-security/smithy/manifests/components/targets/git-clone:v1.4.0
  - component: ghcr.io/smithy-security/smithy/manifests/components/scanners/osv-scanner:v1.2.3
  - component: ghcr.io/smithy-security/smithy/manifests/components/scanners/checkov:v1.1.1
  - component: ghcr.io/smithy-security/smithy/manifests/components/scanners/semgrep:v1.3.2
  - component: ghcr.io/smithy-security/smithy/manifests/components/scanners/trufflehog:v1.2.2
  - component: ghcr.io/smithy-security/smithy/manifests/components/enrichers/custom-annotation:v0.2.1
  - component: ghcr.io/smithy-security/smithy/manifests/components/reporters/vulnerability-logger:v0.0.1
```
Create the following files with the following contents:

```yaml
# workflow.yaml
name: basic-devsecops
description: do the devsecops thing, look mum, I'm shifting left
components:
  - component: ghcr.io/smithy-security/smithy/manifests/components/targets/git-clone:v1.4.0
  - component: ghcr.io/smithy-security/smithy/manifests/components/scanners/semgrep:v1.3.2
  - component: ghcr.io/smithy-security/smithy/manifests/components/enrichers/custom-annotation:v0.2.1
  - component: ghcr.io/smithy-security/smithy/manifests/components/reporters/vulnerability-logger:v0.0.1
```

```yaml
# overrides.yaml
git-clone:
  - name: "repo_url"
    type: "string"
    value: "https://github.com/smithy-security/e2e-monorepo.git"
```
Then run the following command to execute your workflow:

```shell
smithyctl workflow run --build-component-images=true --overrides=./overrides.yaml ./workflow.yaml
```
Check the findings in the logs.
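Before handing `workflow.yaml` and `overrides.yaml` to `smithyctl`, it is worth checking the two files against each other, since a typo in an override key or a value of the wrong type is easy to miss. The Ruby script below is an added example, not Smithy's own code; it assumes that an override key is the component's name (the last path segment of the component reference, as `git-clone` above) and that every component reference is pinned to a tag. The sample inputs are constructed inline.

```ruby
require 'yaml'

# Constructed sample inputs mirroring the README's two files.
WORKFLOW_YAML = <<~YAML
  name: basic-devsecops
  description: do the devsecops thing
  components:
    - component: ghcr.io/smithy-security/smithy/manifests/components/targets/git-clone:v1.4.0
    - component: ghcr.io/smithy-security/smithy/manifests/components/scanners/semgrep:v1.3.2
    - component: ghcr.io/smithy-security/smithy/manifests/components/reporters/vulnerability-logger:v0.0.1
YAML

# Deliberately contains two mistakes: a component not in the workflow, and a non-string value.
OVERRIDES_YAML = <<~YAML
  git-clone:
    - name: "repo_url"
      type: "string"
      value: "https://github.com/smithy-security/e2e-monorepo.git"
  trufflehog:
    - name: "depth"
      type: "string"
      value: 5
YAML

# Assumption: a reference looks like <registry>/.../<kind>/<name>:<tag>; we take <name> and <tag>.
COMPONENT_REF = %r{/([^/:]+):([^/:]+)\z}

# Returns the component names declared in the workflow, refusing unpinned references.
def component_names(workflow)
  (workflow['components'] || []).map do |c|
    m = COMPONENT_REF.match(c['component'].to_s)
    raise ArgumentError, "unpinned or malformed component ref: #{c['component']}" unless m
    m[1]
  end
end

# Returns a list of problems; an empty list means the overrides fit the workflow.
def validate_overrides(workflow_yaml, overrides_yaml)
  names = component_names(YAML.safe_load(workflow_yaml))
  problems = []
  (YAML.safe_load(overrides_yaml) || {}).each do |comp, params|
    problems << "'#{comp}' is overridden but not declared in the workflow" unless names.include?(comp)
    Array(params).each do |p|
      missing = %w[name type value] - p.keys
      problems << "#{comp}: parameter missing #{missing.join(', ')}" unless missing.empty?
      if p['type'] == 'string' && !p['value'].is_a?(String)
        problems << "#{comp}/#{p['name']}: declared string but value is #{p['value'].class}"
      end
    end
  end
  problems
end

puts validate_overrides(WORKFLOW_YAML, OVERRIDES_YAML)
```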
We’re building Smithy in the open and we’d love to keep you updated.
Subscribe to the Smithy newsletter for:
- New workflow and component drops
- Release announcements
- Upcoming talks and workshops (BSides, DEFCON, OWASP, etc.)
- Tips on building smarter security workflows
Sign up here; it’s low-volume, high-signal.
Please check the docs.
Join our Discord server to get support and ask questions.