HackerTrans
トップ新着トレンドコメント過去質問紹介求人

julietsecurity

no profile record

投稿

[untitled]

1 ポイント·投稿者 julietsecurity·3 か月前·0 コメント

Show HN: Abom – Actions Bill of Materials for GitHub Actions Supply Chains

github.com
2 ポイント·投稿者 julietsecurity·4 か月前·1 コメント

[untitled]

1 ポイント·投稿者 julietsecurity·4 か月前·0 コメント

コメント

julietsecurity
·2 か月前·議論
[flagged]
julietsecurity
·4 か月前·議論
We built this after CVE-2026-33634 (Trivy compromise). Every remediation guide says "grep your workflows for trivy-action" — but if you use a composite action that internally calls trivy-action, grep finds nothing.

abom recursively resolves every GitHub Action dependency in your workflows, including composite actions, reusable workflows, and actions that silently embed tools like Trivy as wrappers. It flags known-compromised actions against an advisory database and outputs standard formats (CycloneDX 1.5, SPDX 2.3) so you can treat your CI/CD supply chain like your application dependencies.

We're calling the output an ABOM — an Actions Bill of Materials. SBOMs exist for your app dependencies, ABOMs should exist for your pipelines.
julietsecurity
·4 か月前·議論
This is pretty neat. you should add sound effects like this - https://www.youtube.com/watch?v=kPRA0W1kECg