feat: local endoflife.date override for pending upstream PRs (#19)

## Summary

Adds a lightweight mechanism to patch EOL lifecycle data locally when
upstream [endoflife.date](https://endoflife.date) PRs are pending
review.

## Problem

Version Guard depends on endoflife.date for all EOL data. When a product
is missing or has incomplete cycles upstream, resources show as UNKNOWN
— hiding real compliance issues. Upstream PRs can take weeks to merge.

## Solution

An nginx sidecar container that:
1. Serves local JSON overrides from `deploy/endoflife-override/api/`
2. Proxies everything else to upstream endoflife.date

No fork to maintain, no Ruby/Jekyll build. Just drop a `.json` file and
restart.

## Changes

- `deploy/endoflife-override/` — nginx config + patched JSON files +
documentation
- `cmd/server/main.go` — `EOL_BASE_URL` env var support
- `docker-compose.yaml` — `endoflife` service + wiring
- `README.md` — WIP/Experimental disclaimer, updated docs

## Current Overrides

| Product | Issue | Upstream PR |
|---------|-------|-------------|
| `amazon-aurora-mysql` | Product doesn't exist yet |
[#9534](endoflife-date/endoflife.date#9534) |
| `amazon-opensearch` | Missing 3.3 and 3.5 cycles |
[#9919](endoflife-date/endoflife.date#9919) |

## Impact

Before (upstream only): Aurora = 4,231 UNKNOWN (0% compliance)
After (with overrides): Aurora = 4,224 GREEN + 7 YELLOW (**99.8%
compliance**)

Overall compliance: 45.8% → **94.8%**

Co-authored-by: Amp <amp@ampcode.com>

Author: bakayolo

README.md

@@ -1,5 +1,7 @@
 # Version Guard
 
+> ⚠️ **Work in Progress / Experimental** — Version Guard is under active development. APIs, configuration formats, and behavior may change without notice. Use at your own risk in production environments.
+
 **Version Guard** is an open-source cloud infrastructure version monitoring system that continuously scans cloud resources (databases, caches, compute) to detect version drift and compliance issues.
 
 ## 🎯 Purpose
@@ -129,8 +131,11 @@ docker compose up --build
 |---------|---------|------|
 | `temporal` | Workflow orchestration | `7233` (gRPC), `8233` (Web UI) |
 | `minio` | S3-compatible snapshot storage | `9000` (API), `9001` (Console) |
+| `endoflife` | Local EOL data override (nginx) | `8082` |
 | `version-guard` | The server | `8080` (gRPC) |
 
+The `endoflife` service serves patched EOL data for products with pending upstream PRs on [endoflife.date](https://endoflife.date), and proxies everything else to the live API. See [`deploy/endoflife-override/README.md`](./deploy/endoflife-override/README.md) for details on adding or updating overrides.
+
 Once running, open the Temporal Web UI at http://localhost:8233 to trigger and monitor workflows.
 
 ### Run Locally (manual)
@@ -252,6 +257,7 @@ Version Guard is configured via environment variables or CLI flags:
 | `WIZ_CLIENT_ID_SECRET` | Wiz client ID (optional) | - |
 | `WIZ_CLIENT_SECRET_SECRET` | Wiz client secret (optional) | - |
 | `WIZ_REPORT_IDS` | JSON map of resource ID to Wiz report ID (optional) | - |
+| `EOL_BASE_URL` | Custom endoflife.date API base URL (optional) | `https://endoflife.date/api` |
 | `CONFIG_PATH` | Path to resources config file | `config/resources.yaml` |
 | `TAG_APP_KEYS` | Comma-separated AWS tag keys for app/service | `app,application,service` |
 | `TAG_ENV_KEYS` | Comma-separated AWS tag keys for environment | `environment,env` |

cmd/server/main.go

@@ -53,6 +53,9 @@ type ServerCLI struct {
 	WizElastiCacheReportID string `help:"Wiz saved report ID for ElastiCache inventory" env:"WIZ_ELASTICACHE_REPORT_ID"`
 	WizEKSReportID         string `help:"Wiz saved report ID for EKS inventory" env:"WIZ_EKS_REPORT_ID"`
 
+	// EOL configuration
+	EOLBaseURL string `help:"Custom base URL for endoflife.date API (e.g., http://localhost:8082/api)" env:"EOL_BASE_URL"`
+
 	// AWS configuration (for EOL APIs)
 	AWSRegion string `help:"AWS region for EOL APIs" default:"us-west-2" env:"AWS_REGION"`
 
@@ -206,7 +209,13 @@ func (s *ServerCLI) Run(_ *kong.Context) error {
 	}
 
 	// Create EOL HTTP client (shared across all resources)
-	eolHTTPClient := eolendoflife.NewRealHTTPClient()
+	var eolHTTPClient eolendoflife.Client
+	if s.EOLBaseURL != "" {
+		fmt.Printf("✓ Using custom EOL API: %s\n", s.EOLBaseURL)
+		eolHTTPClient = eolendoflife.NewRealHTTPClientWithConfig(nil, s.EOLBaseURL)
+	} else {
+		eolHTTPClient = eolendoflife.NewRealHTTPClient()
+	}
 	cacheTTL := 24 * time.Hour
 
 	// Initialize policy engine (shared across all detectors)

deploy/endoflife-override/README.md

@@ -0,0 +1,59 @@
+# endoflife.date Local Override
+
+Version Guard uses [endoflife.date](https://endoflife.date) for all EOL lifecycle data. Sometimes upstream PRs take time to merge, leaving gaps in coverage (products return 404 or are missing recent version cycles).
+
+This override mechanism lets you **patch EOL data locally** without waiting for upstream merges.
+
+## How It Works
+
+An nginx container serves local JSON files from `api/` and proxies everything else to the upstream endoflife.date API:
+
+```
+Request: GET /api/amazon-aurora-mysql.json
+  1. Check local file: deploy/endoflife-override/api/amazon-aurora-mysql.json
+  2. If found → serve it (your patched data)
+  3. If not found → proxy to https://endoflife.date/api/amazon-aurora-mysql.json
+```
+
+## Adding or Patching a Product
+
+1. Fetch the current data (or create new data from a pending PR's Netlify preview):
+
+```bash
+# Existing product — fetch and patch
+curl -s https://endoflife.date/api/amazon-opensearch.json | python3 -m json.tool > api/amazon-opensearch.json
+# Edit the file to add missing cycles
+
+# New product — fetch from PR deploy preview
+curl -s https://deploy-preview-9534--endoflife-date.netlify.app/api/amazon-aurora-mysql.json \
+  | python3 -m json.tool > api/amazon-aurora-mysql.json
+```
+
+2. Restart docker-compose — no rebuild needed:
+
+```bash
+docker compose restart endoflife
+```
+
+## Current Overrides
+
+| File | Reason | Upstream PR |
+|------|--------|-------------|
+| `amazon-aurora-mysql.json` | Product not yet on endoflife.date | [#9534](https://github.com/endoflife-date/endoflife.date/pull/9534) |
+| `amazon-opensearch.json` | Missing cycles 3.3 and 3.5 | [#9919](https://github.com/endoflife-date/endoflife.date/pull/9919) |
+
+## Configuration
+
+Set `EOL_BASE_URL` to point Version Guard at the local override container:
+
+```yaml
+# docker-compose.yaml
+environment:
+  EOL_BASE_URL: http://endoflife:8080/api
+```
+
+When `EOL_BASE_URL` is not set, Version Guard connects directly to `https://endoflife.date/api` (the default).
+
+## Removing Overrides
+
+Once an upstream PR is merged, delete the local JSON file. Nginx will then proxy that product to the upstream API automatically.

deploy/endoflife-override/api/amazon-aurora-mysql.json

@@ -0,0 +1,5 @@
+[
+  {"cycle":"3","releaseDate":"2021-11-23","eol":"2028-04-30","latest":"3.12.0","latestReleaseDate":"2026-02-17","lts":false,"extendedSupport":"2029-07-31"},
+  {"cycle":"2","releaseDate":"2018-02-06","eol":"2024-10-31","latest":"2.12.5","latestReleaseDate":"2025-04-09","lts":false,"extendedSupport":"2027-02-28"},
+  {"cycle":"1","releaseDate":"2015-07-27","eol":"2023-02-28","latest":"1.23.4","latestReleaseDate":"2022-08-11","lts":false,"extendedSupport":false}
+]

deploy/endoflife-override/api/amazon-opensearch.json

@@ -0,0 +1,114 @@
+[
+  {
+    "cycle": "3.5",
+    "releaseDate": "2026-03-25",
+    "eol": false,
+    "lts": false,
+    "extendedSupport": true
+  },
+  {
+    "cycle": "3.3",
+    "releaseDate": "2025-12-16",
+    "eol": false,
+    "lts": false,
+    "extendedSupport": true
+  },
+  {
+    "cycle": "3.1",
+    "releaseDate": "2025-09-09",
+    "eol": false,
+    "lts": false,
+    "extendedSupport": true
+  },
+  {
+    "cycle": "2.19",
+    "releaseDate": "2025-04-30",
+    "eol": false,
+    "lts": false,
+    "extendedSupport": true
+  },
+  {
+    "cycle": "2.17",
+    "releaseDate": "2024-11-13",
+    "eol": false,
+    "lts": false,
+    "extendedSupport": true
+  },
+  {
+    "cycle": "2.15",
+    "releaseDate": "2024-10-11",
+    "eol": false,
+    "lts": false,
+    "extendedSupport": true
+  },
+  {
+    "cycle": "2.13",
+    "releaseDate": "2024-05-21",
+    "eol": false,
+    "lts": false,
+    "extendedSupport": true
+  },
+  {
+    "cycle": "2.11",
+    "releaseDate": "2023-11-17",
+    "eol": false,
+    "lts": false,
+    "extendedSupport": true
+  },
+  {
+    "cycle": "2.9",
+    "releaseDate": "2023-10-02",
+    "eol": "2025-11-07",
+    "lts": false,
+    "extendedSupport": "2026-11-07"
+  },
+  {
+    "cycle": "2.7",
+    "releaseDate": "2023-07-10",
+    "eol": "2025-11-07",
+    "lts": false,
+    "extendedSupport": "2026-11-07"
+  },
+  {
+    "cycle": "2.5",
+    "releaseDate": "2023-03-13",
+    "eol": "2025-11-07",
+    "lts": false,
+    "extendedSupport": "2026-11-07"
+  },
+  {
+    "cycle": "2.3",
+    "releaseDate": "2022-11-15",
+    "eol": "2025-11-07",
+    "lts": false,
+    "extendedSupport": "2026-11-07"
+  },
+  {
+    "cycle": "1.3",
+    "releaseDate": "2022-08-16",
+    "eol": false,
+    "lts": false,
+    "extendedSupport": true
+  },
+  {
+    "cycle": "1.2",
+    "releaseDate": "2022-04-04",
+    "eol": "2025-11-07",
+    "lts": false,
+    "extendedSupport": "2026-11-07"
+  },
+  {
+    "cycle": "1.1",
+    "releaseDate": "2022-01-04",
+    "eol": "2025-11-07",
+    "lts": false,
+    "extendedSupport": "2026-11-07"
+  },
+  {
+    "cycle": "1.0",
+    "releaseDate": "2021-09-08",
+    "eol": "2025-11-07",
+    "lts": false,
+    "extendedSupport": "2026-11-07"
+  }
+]

deploy/endoflife-override/nginx.conf

@@ -0,0 +1,17 @@
+server {
+    listen 8080;
+
+    # Serve local overrides first
+    location /api/ {
+        root /data;
+        try_files $uri @upstream;
+    }
+
+    # Proxy to upstream endoflife.date for everything else
+    location @upstream {
+        proxy_pass https://endoflife.date;
+        proxy_set_header Host endoflife.date;
+        proxy_set_header User-Agent "version-guard/1.0";
+        proxy_ssl_server_name on;
+    }
+}

docker-compose.yaml

@@ -34,6 +34,14 @@ services:
         echo 'Bucket created'
       "
 
+  endoflife:
+    image: nginx:alpine
+    volumes:
+      - ./deploy/endoflife-override/nginx.conf:/etc/nginx/conf.d/default.conf:ro
+      - ./deploy/endoflife-override/api:/data/api:ro
+    ports:
+      - "8082:8080"
+
   version-guard:
     build:
       context: .
@@ -54,6 +62,7 @@ services:
       WIZ_CLIENT_ID_SECRET: ${WIZ_CLIENT_ID_SECRET:-}
       WIZ_CLIENT_SECRET_SECRET: ${WIZ_CLIENT_SECRET_SECRET:-}
       WIZ_REPORT_IDS: ${WIZ_REPORT_IDS:-}
+      EOL_BASE_URL: http://endoflife:8080/api
     ports:
       - "8080:8080"
       - "8081:8081"