Hardening the Documentation Pipeline: Why I Built a Security-First Markdown Analyzer in Pure Python
🛡️ Beyond Broken Links: The Architecture of Zenzic "The Sentinel"

Documentation is often the weakest link in the CI/CD security chain. We protect our code with linters, SAST, and DAST, but our Markdown files—containing architecture diagrams, setup guides, and snippets—often go unchecked. I spent the last few months building Zenzic, a deterministic static analysis framework for Markdown sources. We just released v0.5.0a4 "The Sentinel", and I want to share the architectural choices behind it.

⚓ The Core Philosophy: "Lint the Source, not the Build"

Most documentation tools analyze the generated HTML. This creates a "build driver dependency": if your generator (MkDocs, Hugo, Docusaurus) has a bug or an unstable update, your security validation fails. Zenzic takes a different path. It analyzes the raw Markdown source before the build starts, using a Virtual Site Map (VSM).

🩸 1. The "Blood Sentinel": Classifying Intent

A broken link is a maintenance issue. A link that probes the host OS
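To make the "lint the source" idea concrete, here is a small added example (not Zenzic's own code) of a pure-Python linter that builds a Virtual Site Map from the set of Markdown files and classifies each inline link's intent; the verdict names, the treatment of file:// and root-escaping paths, and the sample pages are my own assumptions.

```python
"""Source-level Markdown link linter built on a Virtual Site Map (VSM).

Added illustration of 'lint the source, not the build'; not Zenzic's code.
Page paths are relative to the docs root, and the VSM is simply the set of
Markdown files that exist, so no site generator has to run first.
"""
import posixpath
import re
from urllib.parse import urlparse

# Inline links [text](target "title"); the negative lookbehind skips images.
LINK_RE = re.compile(r'(?<!!)\[[^\]]*\]\(\s*([^)\s]+)(?:\s+"[^"]*")?\s*\)')

def build_vsm(pages):
    """VSM: normalized set of page paths derived from the source tree."""
    return {posixpath.normpath(p) for p in pages}

def classify_link(source, target, vsm):
    """Return one of: ok, broken, external, local-host, escapes-root."""
    parsed = urlparse(target)
    if parsed.scheme == "file":
        return "local-host"            # reaches into the host filesystem
    if parsed.scheme:
        return "external"              # http(s), mailto, ...: not resolved here
    path = target.split("#", 1)[0]
    if not path:
        return "ok"                    # pure in-page anchor
    if path.startswith("/"):
        resolved = posixpath.normpath(path.lstrip("/"))        # site-root relative
    else:
        resolved = posixpath.normpath(posixpath.join(posixpath.dirname(source), path))
    if resolved.startswith(".."):
        return "escapes-root"          # climbs above the documentation tree
    return "ok" if resolved in vsm else "broken"

def lint(pages):
    """Return (source, target, verdict) for every inline link in the sources."""
    vsm = build_vsm(pages)
    return [(src, m.group(1), classify_link(src, m.group(1), vsm))
            for src, text in pages.items() for m in LINK_RE.finditer(text)]

# Constructed sample documentation tree (not from any real project).
SAMPLE_PAGES = {
    "index.md": "See the [setup guide](guide/setup.md#install) and [FAQ](faq.md).\n"
                "![logo](img/logo.png) and [upstream](https://example.com/docs).",
    "guide/setup.md": "Back to [home](../index.md). Notes in [file](file:///tmp/notes.txt) "
                      "and [config](../../secrets.txt).",
}

if __name__ == "__main__":
    for source, target, verdict in lint(SAMPLE_PAGES):
        print(f"{verdict:13} {source} -> {target}")
```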
Continue reading on Dev.to



