Windmill

v0.4.3 · Forge by Windmill

Ship to production with proof, not promises.

Forge audits every release against an 18-domain framework — 29 gates across Python, Node, Java and Flutter repos — scrubs secrets, and gates delivery through recorded admin approval. One repo or a whole campaign roster. Ships as both a CLI and a multi-tenant platform.

Why Forge

Designed for pipelines that can't afford a bypass.

Three principles differentiate Forge from off-the-shelf SAST/DAST stacks. All three are load-bearing in regulated environments.

Fail-Closed Gates

Deterministic gates — Bandit, Semgrep, Trivy, Gitleaks, Checkov and more — run in pinned Docker runners on every audit. A single P0 finding forces NO-GO. There is no --force flag.

Non-Bypass Guarantee

Four enforcement layers: agent refuses locally, admin approves in-app, push-service ships with its own deploy key, git-host rejects pushes from anyone else. No single credential can ship code.

Framework-Enforced

18-domain framework + 5-judge LLM panel. Append-only registry records every verdict with reproducibility headers. The same bar for every client; per-client configs layer in policy floors, never exceptions.

What gets checked

29 gates across five families.

Deterministic gates run in pinned Docker runners; LLM lanes add a 5-judge review. Profiles are language-aware — Python, Node, Java and Flutter repos each get the gate set their stack warrants.

Tier-1 spine (4 gates)

The deterministic Python baseline on every audit — Bandit SAST, pip-audit SCA, a coverage floor, and an SBOM.

Quality (10 gates)

Maintainability per language — Lizard complexity, ruff/vulture/pylint, deptry dependency hygiene, PMD for Java, dart analyze for Flutter, ESLint/jscpd/knip for Node — plus API-contract, architecture, IaC, observability and documentation gates.

Security (9 gates)

SAST, SCA, container, IaC-security, secret-history, auth, encryption and security-logging gates — plus a phantom-dependency / slopsquatting check for hallucinated packages.

Governance (2 gates)

Row-level access-control enforcement and waiver hygiene — expired or over-long waivers are flagged, never silently honoured.

AI-control (4 gates)

Prompt versioning, audit-log verification, an entitlement firewall and an adversarial test pack — the controls specific to AI-built and AI-operated systems.
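As an added illustration of the fail-closed rule and the waiver hygiene described above (this is not Forge's own code; the finding and waiver record shapes, the 90-day waiver ceiling and the sample data are assumed), a verdict function that refuses to honour expired or over-long waivers and has no override parameter:

```python
from datetime import date

# Assumed policy floor: no waiver may cover more than 90 days.
MAX_WAIVER_DAYS = 90


def waiver_is_valid(waiver, today):
    """A waiver is honoured only if it is unexpired and within the length ceiling."""
    issued, expires = waiver["issued"], waiver["expires"]
    if expires < today:
        return False, "expired"
    if (expires - issued).days > MAX_WAIVER_DAYS:
        return False, "over-long"
    return True, "ok"


def verdict(findings, waivers, today):
    """Return (verdict, flagged_waivers).

    Any P0 finding without a valid waiver forces NO-GO. Invalid waivers are
    reported, never silently applied, and there is no force/override argument.
    """
    honoured = set()
    flagged = []
    for w in waivers:
        ok, reason = waiver_is_valid(w, today)
        if ok:
            honoured.add(w["finding_id"])
        else:
            flagged.append((w["finding_id"], reason))
    blocking = [f for f in findings if f["severity"] == "P0" and f["id"] not in honoured]
    return ("NO-GO" if blocking else "GO"), flagged


# Constructed sample data (assumed record shapes, not a real audit).
TODAY = date(2025, 6, 1)
FINDINGS = [
    {"id": "F-1", "severity": "P0", "tool": "gitleaks"},
    {"id": "F-2", "severity": "P2", "tool": "ruff"},
]
EXPIRED_WAIVER = {"finding_id": "F-1", "issued": date(2024, 1, 1), "expires": date(2024, 12, 31)}
OVERLONG_WAIVER = {"finding_id": "F-1", "issued": date(2025, 1, 1), "expires": date(2025, 12, 31)}
VALID_WAIVER = {"finding_id": "F-1", "issued": date(2025, 5, 1), "expires": date(2025, 7, 1)}

if __name__ == "__main__":
    for label, ws in [("expired", [EXPIRED_WAIVER]), ("valid", [VALID_WAIVER]), ("none", [])]:
        print(label, verdict(FINDINGS, ws, TODAY))
```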

How it works

Five stages, every release, every time.

  1. Scan: discover the project, scaffold .forge/, detect stack and project_kind.

  2. Audit: run the profile-aware gate set + 5-judge LLM panel; final verdict written to the registry.

  3. Stage: orphan worktree + 5-phase scrub (removals, renames, rewrites, sed, grep gate) under a default-deny allowlist.

  4. Verify: profile-dispatched build (DockerCompose, Flutter, or PureBuild) that must pass before promote.

  5. Promote: annotated tag + SHA256 archive + dependency evidence; push command printed for the operator.

Two ways to run it

One repo, or a whole campaign.

The same gate engine and the same verdict bar, whether you gate a single service or orchestrate a release across dozens of repos.

Single repo

One repository, scaffolded once and gated on every release. Runs locally or in CI.

  1. forge scan: discover the stack, scaffold .forge/
  2. forge audit: run the profile-aware gate set + judge panel
  3. forge release: scrub, stage, verify, tag — push stays gated

Multi-repo campaign

A whole roster of repositories audited and released together from one deliver folder.

  1. forge campaign init: scaffold the deliver folder + roster
  2. forge campaign audit: audit every repo, unified output tree
  3. forge campaign release: release the roster at one version
  4. forge campaign status: one verdict table across all repos

Modules

Four surfaces. One framework.

Scan

One-shot discovery + manifest scaffolding. Recognises python, node, flutter, eval-harness, and java/Kotlin services.

Audit

Deterministic gates + LLM lanes (Claude or OpenAI) + 5-judge panel. Unified SARIF 2.1.0 report; evidence archived to the append-only registry per run.

Release

Staged delivery branch, dependency evidence (SBOM where available), annotated tag, archive with SHA256.

Approvals

Admin-only sign-off, tenant-scoped, append-only audit trail. Push-service polls and ships only after approved=true.

Industries

Built for teams whose releases matter.

Aviation & Transportation

Meet the documentation and evidence bar regulators expect.

Financial Services

Prove non-bypass to auditors; separate duties by design.

Healthcare

HIPAA-minded release trails with tamper-evident approvals.

Energy & Industrial

Supply-chain-safe releases for safety-critical software.

Ready to gate your next release?

We'll stand up a demo tenant against a repo you pick. Under 30 minutes from SSO handshake to first audit.