Security●●●Banger
Abom – Actions Bill of Materials for GitHub Actions Supply Chains
SBOMs for CI/CD pipelines catch transitive action deps that grep misses entirely.
Solve My ProblemDark Horse
julietsecurity
212mo ago
Back to browse
GitHub Repository
A CLI tool to pin GitHub Actions to commit SHAs for supply-chain security.
4 starsGo
Ghapin – Tool to pin GitHub Actions to SHAs for supply-chain security
by theden·Apr 12, 2026·2 points·0 comments
AI Analysis
●●SolidNiche GemShip It
Automates SHA pinning with --comment flag to preserve original tags inline.
Strengths
- •Cross-platform Go binary with zero dependencies, easy to distribute.
- •--comment flag preserves original version refs as inline documentation.
- •Dry-run mode lets you preview changes before writing to workflows.
Weaknesses
- •Pinning to SHAs is already standard security guidance, tool just automates it.
- •No integration with Dependabot or GitHub's native security features.
Category
Target Audience
DevOps engineers, security-conscious teams using GitHub Actions
Similar To
StepSecurity/pin-github-action · manicminer/pin-github-action
Similar Projects
Security●●Solid
I built a Cargo supply chain auditor using Claude and GitHub Actions
Tarball diffing plus Claude analysis catches build.rs backdoors cargo-audit misses.
Big BrainSolve My Problem
T-RN-R
302mo ago
Developer Tools●●Solid
RepoWarden – Autopilot for your GitHub dependency updates
Dependabot alternative with AI test generation and supply chain poisoning checks.
Solve My ProblemSlick
joshghent
301mo ago
Security●Mid
Lateos/NPM-scan – open-source NPM supply chain scanner, v0.18.3
NPM supply chain scanner competing against Socket, Snyk, and npm audit.
Ship It
lateos-ai
101d ago
Security●Mid
I built an AI-agent skill to audit supply-chain attack exposure
Dependabot already does this without the AI agent overhead.
Ship It
WasimBhai
107d ago
Security●●●Banger
Conduit–Headless browser with SHA-256 hash chain - Ed25519 audit trails
Cryptographic proof bundles for AI agent browser actions—screenshots can be faked, hash chains can't.
WizardryZero to OneBig Brain
TaxFix
312mo ago