mackeh
diff --git a/‎.fortressci.yml‎
Lines changed: 6 additions & 0 deletions b/‎.fortressci.yml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎.github/scripts/post_summary.js‎
Lines changed: 1 addition & 0 deletions b/‎.github/scripts/post_summary.js‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎.github/workflows/devsecops.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/devsecops.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎CHANGELOG.md‎
Lines changed: 16 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎Dockerfile‎
Lines changed: 2 additions & 1 deletion b/‎Dockerfile‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎README.md‎
Lines changed: 36 additions & 3 deletions b/‎README.md‎
Lines changed: 36 additions & 3 deletions
diff --git a/‎ROADMAP.md‎
Lines changed: 33 additions & 1 deletion b/‎ROADMAP.md‎
Lines changed: 33 additions & 1 deletion
diff --git a/‎fortressci-roadmap.md‎
Lines changed: 9 additions & 2 deletions b/‎fortressci-roadmap.md‎
Lines changed: 9 additions & 2 deletions
diff --git a/‎integrations/mcp-server/server.py‎
Lines changed: 13 additions & 0 deletions b/‎integrations/mcp-server/server.py‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎scripts/fortressci-init.sh‎
Lines changed: 1 addition & 0 deletions b/‎scripts/fortressci-init.sh‎
Lines changed: 1 addition & 0 deletions
@@ -36,6 +36,7 @@ scanners:
   iac:
     enabled: true
     tool: checkov
+    # Scans Terraform, CloudFormation, Kubernetes, and Bicep
 
   container:
     enabled: true
@@ -50,3 +51,8 @@ ai:
   provider: anthropic
   model: claude-3-5-sonnet-20240620
   explain_severity: [critical, high]
+
+adoption:
+  enabled: true
+  planning_horizon_days: 90
+  target_maturity_score: 85
@@ -5,6 +5,7 @@ module.exports = async ({ github, context }) => {
     "semgrep.sarif",
     "trivy-results.sarif",
     "checkov.sarif",
+    "bicep.sarif",
     "snyk.sarif",
   ];
   let checkRows = [];
 
@@ -205,7 +205,7 @@ jobs:
         run: python3 -m pip install --upgrade pip checkov
 
       - name: Checkov Scan
-        run: checkov -d ./terraform --quiet --compact --soft-fail --output sarif > checkov.sarif || true
+        run: checkov -d . --quiet --compact --soft-fail --output sarif > checkov.sarif || true
 
       - name: Upload SARIF
         uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
 
@@ -6,6 +6,22 @@ The format is based on Keep a Changelog, and the project follows Semantic Versio
 
 ## [Unreleased]
 
+## [2.2.0] - 2026-02-16
+
+### Added
+- Added `scripts/generate-adoption-roadmap.py` to generate prioritized 30/60/90-day DevSecOps plans with maturity and feasibility scoring.
+- Added roadmap outputs in scan flow: `results/adoption-roadmap.json` and `results/adoption-roadmap.md`.
+- Added MCP tool `get_devsecops_adoption_roadmap` for assistant access to roadmap data.
+- Added dedicated Bicep SARIF handling (`bicep.sarif`) in local scan orchestration and reporting pipelines.
+- Added Bicep summary regression test: `tests/python/test_summarize_bicep.py`.
+- Added roadmap generator tests: `tests/python/test_generate_adoption_roadmap.py`.
+- Added an end-to-end Azure DevOps template flow in `templates/azure/azure-pipelines.yml` (build, scan, gate, publish artifacts, roadmap highlights).
+
+### Changed
+- Updated GitHub IaC scan scope from `./terraform` to repository root (`.`) to include Bicep and non-Terraform IaC paths.
+- Updated setup wizard detection to identify Bicep repositories.
+- Updated README and roadmap documentation to reflect roadmap intelligence, Azure integration, and Bicep coverage.
+
 ### Fixed
 - Updated `.github/workflows/devsecops.yml` run blocks to satisfy actionlint ShellCheck checks (quoted expansions and consolidated audit JSON generation).
 
 
@@ -40,10 +40,11 @@ COPY scripts/auto-fix.sh /usr/local/bin/auto-fix
 COPY scripts/build-attack-graph.py /usr/local/bin/build-attack-graph
 COPY scripts/cross-repo-analyzer.py /usr/local/bin/cross-repo-analyzer
 COPY scripts/fortressci-doctor.sh /usr/local/bin/fortressci-doctor
+COPY scripts/generate-adoption-roadmap.py /usr/local/bin/generate-adoption-roadmap
 COPY templates/ /templates/
 
 # Set permissions
-RUN chmod +x /usr/local/bin/fortressci-scan /usr/local/bin/check-thresholds.sh /usr/local/bin/fortressci-waiver /usr/local/bin/generate-sbom /usr/local/bin/fortressci-policy-check /usr/local/bin/generate-compliance-report /usr/local/bin/ai-triage /usr/local/bin/generate-badge /usr/local/bin/auto-fix /usr/local/bin/build-attack-graph /usr/local/bin/cross-repo-analyzer /usr/local/bin/fortressci-doctor
+RUN chmod +x /usr/local/bin/fortressci-scan /usr/local/bin/check-thresholds.sh /usr/local/bin/fortressci-waiver /usr/local/bin/generate-sbom /usr/local/bin/fortressci-policy-check /usr/local/bin/generate-compliance-report /usr/local/bin/ai-triage /usr/local/bin/generate-badge /usr/local/bin/auto-fix /usr/local/bin/build-attack-graph /usr/local/bin/cross-repo-analyzer /usr/local/bin/fortressci-doctor /usr/local/bin/generate-adoption-roadmap
 
 # Create results directory
 RUN mkdir -p /results
 
@@ -14,7 +14,7 @@ Catch issues before they are committed.
 
 - **Secrets Detection**: [TruffleHog](https://github.com/trufflesecurity/trufflehog) scans for hardcoded credentials.
 - **Code Quality**: Standard hooks for trailing whitespace and file integrity.
-- **IaC Scanning**: [Checkov](https://www.checkov.io/) runs locally to catch Terraform/CloudFormation issues.
+- **IaC Scanning**: [Checkov](https://www.checkov.io/) runs locally to catch Terraform/CloudFormation/Bicep issues.
 
 ### Phase 2: Automated Pipeline (CI/CD)
 
@@ -23,7 +23,7 @@ Automated checks on every push and pull request across **6 CI platforms**.
 - **Secret Scanning**: TruffleHog deep scan on git history.
 - **SAST**: [Semgrep](https://semgrep.dev/) scans source code for vulnerabilities (OWASP Top 10).
 - **SCA**: [Snyk](https://snyk.io/) checks dependencies for known CVEs.
-- **IaC Scanning**: Checkov scans Terraform, CloudFormation, and Kubernetes manifests.
+- **IaC Scanning**: Checkov scans Terraform, CloudFormation, Kubernetes, and Bicep manifests.
 - **Container Security**: [Trivy](https://github.com/aquasecurity/trivy) scans Docker images for OS and library vulnerabilities.
 - **DAST**: [OWASP ZAP](https://www.zaproxy.org/) baseline scan for runtime attack surface.
 - **Signing**: [Cosign](https://github.com/sigstore/cosign) signs container images.
@@ -33,6 +33,7 @@ Automated checks on every push and pull request across **6 CI platforms**.
 ### Phase 3: Platform & Intelligence
 
 - **AI Triage**: Automated findings analysis and prioritisation via LLMs.
+- **DevSecOps Adoption Roadmap**: 30/60/90-day prioritized plan with maturity and feasibility scores.
 - **Auto-Remediation**: Self-healing pipelines that open PRs to fix vulnerabilities.
 - **Cross-Repo Analyzer**: Shared dependency and vulnerability hotspot analysis across many repositories.
 - **Security Dashboard**: Real-time visualisations of security posture and trends.
@@ -79,7 +80,24 @@ docker run --rm \
   fortressci/scan /workspace
 ```
 
-This runs the full suite including AI triage, SBOM generation, and threshold gating.
+This runs the full suite including AI triage, SBOM generation, threshold gating, and an adoption roadmap.
+
+---
+
+## Azure DevOps Integration
+
+FortressCI ships an Azure DevOps pipeline template at `templates/azure/azure-pipelines.yml`.
+
+```bash
+# Generate Azure pipeline + FortressCI config in your repo
+./scripts/fortressci-init.sh --ci azure
+```
+
+The Azure pipeline:
+- Builds `fortressci/scan` in CI.
+- Runs the full FortressCI scan with policy gates.
+- Validates required secrets (`SNYK_TOKEN`) before scanning.
+- Publishes `results/` as a build artifact, including `adoption-roadmap.json`, `adoption-roadmap.md`, and IaC SARIF outputs such as `bicep.sarif`.
 
 ---
 
@@ -184,6 +202,20 @@ python3 scripts/ai-triage.py --results-dir results/ --config .fortressci.yml
 
 ---
 
+## DevSecOps Adoption Roadmap
+
+Generate a practical, prioritized adoption plan with maturity and feasibility scoring.
+
+```bash
+python3 scripts/generate-adoption-roadmap.py --results-dir results/ --workspace . --config .fortressci.yml
+```
+
+Outputs:
+- `results/adoption-roadmap.json` (machine-readable roadmap with scoring and priority)
+- `results/adoption-roadmap.md` (human-readable 30/60/90 plan)
+
+---
+
 ## Cross-Repo Dependency Risk Analysis
 
 Use SBOM and SCA outputs from multiple repositories to find shared dependency
@@ -224,6 +256,7 @@ Output: `./org-results/cross-repo-analysis.json`
 │   ├── auto-fix.sh                # Automated remediation
 │   ├── cross-repo-analyzer.py     # Shared dependency risk analysis
 │   ├── generate-badge.py          # Security scoring & badges
+│   ├── generate-adoption-roadmap.py # DevSecOps roadmap + feasibility scoring
 │   ├── generate-sbom.sh           # SBOM generator
 │   ├── fortressci-policy-check.sh # Policy enforcement
 │   ├── generate-report.py         # HTML report generator
 
@@ -23,7 +23,7 @@
 
 **Achievements:**
 - Implemented `scripts/fortressci-init.sh` setup wizard.
-- Automated detection of project types (Node, Python, Go, Java).
+- Automated detection of project types (Node, Python, Go, Java, Bicep).
 - Generated tailored CI/CD workflows and security configurations.
 
 ### 1.1.2 — Multi-CI Platform Templates [COMPLETED ✅]
@@ -167,6 +167,16 @@
 - Implemented `scripts/generate-compliance-report.py` to automate mapping.
 - Integrated compliance reporting into both local scans and CI/CD pipelines.
 
+### 1.2.7 — Bicep IaC Support [COMPLETED ✅]
+
+**Goal:** Add first-class IaC scanning support for Azure Bicep.
+
+**Achievements:**
+- Added Bicep detection and dedicated Bicep SARIF output in scan orchestration.
+- Included Bicep findings in summary aggregation and HTML reporting.
+- Extended CI summary handling to include `bicep.sarif`.
+- Added regression tests to preserve Bicep summary behavior.
+
 ---
 
 ## v2.0.x: Woo Factor & Platform
@@ -233,6 +243,7 @@
 **Achievements:**
 - Implemented a FastMCP-based server in `integrations/mcp-server/`.
 - Provided tools for AI assistants to query scan summaries, compliance status, and waivers.
+- Added roadmap retrieval for AI assistants (`get_devsecops_adoption_roadmap`).
 - Enabled seamless integration between FortressCI data and AI-powered development workflows.
 
 ---
@@ -248,6 +259,27 @@
 
 ---
 
+### 2.0.8 — DevSecOps Adoption Roadmap Engine [COMPLETED ✅]
+
+**Goal:** Turn findings into execution plans that teams can adopt quickly.
+
+**Achievements:**
+- Implemented `scripts/generate-adoption-roadmap.py`.
+- Added maturity and feasibility scoring dimensions.
+- Generated prioritized actions and 30/60/90-day roadmap artifacts.
+- Integrated roadmap generation into local scan flow and Docker image.
+
+### 2.0.9 — Azure DevOps End-to-End Integration [COMPLETED ✅]
+
+**Goal:** Provide production-ready Azure DevOps execution with artifacted roadmap output.
+
+**Achievements:**
+- Rebuilt Azure pipeline template to run FortressCI end-to-end in one job.
+- Added pre-scan secret validation with actionable error messaging.
+- Published full `results/` artifacts including roadmap files.
+
+---
+
 ## Long-Term Vision
 
 ### FortressCI Cloud (SaaS)
 
@@ -1,6 +1,6 @@
 # FortressCI Roadmap
 
-> Last updated: February 2026
+> Last updated: February 16, 2026
 
 ---
 
@@ -11,7 +11,7 @@
 #### Phase 1: Shift Left (Local Development)
 - Pre-commit hooks via `.pre-commit-config.yaml`
 - TruffleHog secrets detection (blocks commits with hardcoded credentials)
-- Checkov IaC scanning locally (Terraform, CloudFormation)
+- Checkov IaC scanning locally (Terraform, CloudFormation, Bicep)
 - Standard code quality hooks (trailing whitespace, file integrity)
 
 #### Phase 2: Automated Pipeline (CI/CD)
@@ -40,6 +40,13 @@
 - Delivered `scripts/fortressci-doctor.sh` for readiness checks (tooling, config, hooks, and optional governance probe)
 - Delivered script quality/test foundation: `quality-lint` CI job and `pytest` + `bats` suites under `tests/`
 
+### ✅ v2.2.x — Adoption Intelligence & Bicep Expansion (Delivered)
+- Delivered DevSecOps roadmap engine (`scripts/generate-adoption-roadmap.py`) with maturity and feasibility scores.
+- Added roadmap artifacts in scan output: `adoption-roadmap.json` and `adoption-roadmap.md`.
+- Added roadmap retrieval in MCP integration (`get_devsecops_adoption_roadmap`).
+- Added first-class Bicep SARIF handling and aggregation (`bicep.sarif`) in scan summary and reporting.
+- Upgraded Azure DevOps template to build, scan, gate, and publish complete FortressCI artifacts.
+
 ---
 
 ## Upcoming Phases
 
@@ -59,5 +59,18 @@ async def get_ai_triage_explanations() -> str:
     with open(triage_path, "r") as f:
         return f.read()
 
+
+@mcp.tool()
+async def get_devsecops_adoption_roadmap() -> str:
+    """Get the latest prioritized DevSecOps adoption roadmap and feasibility scoring."""
+    roadmap_path = os.path.join(RESULTS_DIR, "adoption-roadmap.json")
+    if not os.path.exists(roadmap_path):
+        return "No adoption roadmap found."
+
+    with open(roadmap_path, "r") as f:
+        roadmap = json.load(f)
+
+    return json.dumps(roadmap, indent=2)
+
 if __name__ == "__main__":
     mcp.run()
@@ -22,6 +22,7 @@ if [ -f "package.json" ]; then echo "✓ Detected: Node.js"; LANG="node"; fi
 if [ -f "requirements.txt" ] || [ -f "pyproject.toml" ]; then echo "✓ Detected: Python"; LANG="python"; fi
 if [ -f "go.mod" ]; then echo "✓ Detected: Go"; LANG="go"; fi
 if [ -f "pom.xml" ] || [ -f "build.gradle" ]; then echo "✓ Detected: Java"; LANG="java"; fi
+if find . -maxdepth 5 -type f -name "*.bicep" | grep -q "."; then echo "✓ Detected: Bicep"; LANG="bicep"; fi
 
 # Detect CI platform
 # Detect CI platform