HackerTrans
TopNewTrendsCommentsPastAskShowJobs

julietsecurity

no profile record

Submissions

[untitled]

1 points·by julietsecurity·3 месяца назад·0 comments

Show HN: Abom – Actions Bill of Materials for GitHub Actions Supply Chains

github.com
2 points·by julietsecurity·4 месяца назад·1 comments

[untitled]

1 points·by julietsecurity·4 месяца назад·0 comments

comments

julietsecurity
·2 месяца назад·discuss
[flagged]
julietsecurity
·4 месяца назад·discuss
We built this after CVE-2026-33634 (Trivy compromise). Every remediation guide says "grep your workflows for trivy-action" — but if you use a composite action that internally calls trivy-action, grep finds nothing.

abom recursively resolves every GitHub Action dependency in your workflows, including composite actions, reusable workflows, and actions that silently embed tools like Trivy as wrappers. It flags known-compromised actions against an advisory database and outputs standard formats (CycloneDX 1.5, SPDX 2.3) so you can treat your CI/CD supply chain like your application dependencies.

We're calling the output an ABOM — an Actions Bill of Materials. SBOMs exist for your app dependencies, ABOMs should exist for your pipelines.
julietsecurity
·4 месяца назад·discuss
This is pretty neat. you should add sound effects like this - https://www.youtube.com/watch?v=kPRA0W1kECg