Security●●Solid
Ghapin – Tool to pin GitHub Actions to SHAs for supply-chain security
Automates SHA pinning with --comment flag to preserve original tags inline.
Niche GemShip It
theden
201mo ago
Back to browse
GitHub Repository
30 starsGo
Abom – Actions Bill of Materials for GitHub Actions Supply Chains
by julietsecurity·Mar 26, 2026·2 points·1 comment
AI Analysis
●●●BangerSolve My ProblemDark Horse
SBOMs for CI/CD pipelines catch transitive action deps that grep misses entirely.
Strengths
- •Recursive resolution through composite actions and reusable workflows finds hidden dependencies
- •Detects tool wrappers by analyzing action.yml inputs, not just workflow grep patterns
- •Timely response to Trivy CVE-2026-33634 supply chain incident with concrete detection
Weaknesses
- •Security tool category is well-funded; established players may add similar features
- •Requires analyzing action metadata which may not always be accurate or complete
Category
Target Audience
DevSecOps teams and security engineers using GitHub Actions
Similar To
Snyk · Dependabot · Socket
Similar Projects
Security●●Solid
I built a Cargo supply chain auditor using Claude and GitHub Actions
Tarball diffing plus Claude analysis catches build.rs backdoors cargo-audit misses.
Big BrainSolve My Problem
T-RN-R
302mo ago
Developer Tools●●Solid
RepoWarden – Autopilot for your GitHub dependency updates
Dependabot alternative with AI test generation and supply chain poisoning checks.
Solve My ProblemSlick
joshghent
301mo ago
Security●Mid
Lateos/NPM-scan – open-source NPM supply chain scanner, v0.18.3
NPM supply chain scanner competing against Socket, Snyk, and npm audit.
Ship It
lateos-ai
101d ago
Security●Mid
I built an AI-agent skill to audit supply-chain attack exposure
Dependabot already does this without the AI agent overhead.
Ship It
WasimBhai
107d ago
Security●●Solid
ReARM – Release-Level Supply Chain Evidence Platform
ReARM zeroes in on a gritty, enterprise problem: per-release evidence, automated changelogs, and 10+ year retention with product-level bundling and approval workflows. Integrations with Dependency-Track and OWASP TEx are smart moves, but the offering reads like a sensible commercial UX layer on top of existing provenance tools rather than a technical breakthrough.
Niche GemSlick
taleodor
303mo ago