How do I scan my GitHub Actions and PR packages for malware?

Add the vu1nz reusable GitHub Action to any workflow: `uses: profullstack/vu1nz-gh-actions/.github/actions/vu1nz-actions-scan@v1`. On every push and PR it runs two scanners: 17 CI/CD workflow checks plus a malware/typosquat sweep of every newly added npm, pip, cargo, gem, go.mod, or composer package in the diff. It posts a PR comment and fails the build on high+ severity findings.

What does vu1nz detect that Dependabot does not?

Dependabot flags KNOWN CVEs in existing dependencies. vu1nz catches things Dependabot cannot: brand-new packages with no CVE yet, typosquats of popular packages, packages with malicious install scripts, low-reputation maintainers, sudden version-burst patterns (xz-utils style), and tainted package domains (Polyfill.io). Every major npm/PyPI compromise of the last three years had no CVE when it hit production.

How much does vu1nz cost?

$100 per month per GitHub org. Unlimited repos, unlimited scans, both scanners included. 14-day free trial on every new org with no credit card. Pay by card or crypto via CoinPay. The CLI is MIT-licensed and free forever for self-hosted use.

Does vu1nz send my source code anywhere?

The deterministic scanners run entirely inside your GitHub-hosted runner. Source code never leaves the runner. The optional Claude AI review sends only workflow YAML files (no source, no secrets) to Anthropic, and is opt-in by passing claude_api_key.

ADT Home Security for CI/CD: A Practical Architecture Model for Software Supply-Chain Defense

Name: vu1nz
Author: vu1nz

Most teams searching for ADT home security are thinking about doors, windows, cameras, sensors, monitoring, and what happens when something trips at 2:13 a.m. DevSecOps teams have the same problem in a different building.

Your building is the CI/CD system. Your doors are workflow triggers. Your windows are third-party actions, package installs, build scripts, secrets, tokens, and release jobs. Your alarm panel is policy orchestration. Your monitoring center is whoever is accountable when a pull request changes the trust boundary.

Teams think the problem is buying another scanner. The real problem is designing a monitored security architecture that knows what to watch, who owns each signal, and what action happens before unsafe code merges.

That changes the conversation. ADT home security becomes less of a consumer product keyword and more of a useful operating model: instrument the perimeter, centralize state, reduce false alarms, validate coverage, and make response boring.

Why ADT home security is an architecture lesson for DevSecOps
Map ADT home security to CI/CD security architecture
Design the signal layer before buying more scanners
Build response workflows, not alert dashboards
Protect the pipeline perimeter
Watch dependency changes like entry events
Validate controls with adversarial tests
Common failure modes in ADT home security style CI/CD
Implementation workflow for a monitored CI/CD estate
Where vu1nz.com fits in an ADT home security model for software

Why ADT home security is an architecture lesson for DevSecOps

The reframe: from cameras to coverage

ADT home security is not just a camera on a wall. The useful part is the system: sensors, central panel, monitoring, response, escalation, maintenance, and a clear boundary between normal activity and suspicious activity.

That is exactly how CI/CD security should be designed.

The mistake teams make is treating every tool as a standalone camera. One scanner watches dependencies. Another watches IaC. Another checks secrets. Another lints workflows. Each tool sees a slice, but nobody owns the alarm model. Nobody decides which findings block a merge, which create tickets, which page a human, and which are noisy enough to suppress.

A useful way to think about it is this: a home alarm does not exist to produce more events. It exists to create a reliable decision path when something touches the perimeter.

CI/CD needs the same thing. A pull request adds a package. A GitHub Actions workflow changes permissions. A build job receives a broad token. A release job runs on a forked contribution. These are entry events. You need a system that decides whether the event is expected, risky, or unacceptable.

Why the analogy matters in 2026

In 2026, many software supply-chain attacks do not start with a remote code execution bug in production. They start earlier. A package maintainer account is compromised. A malicious dependency is introduced. A workflow grants write permissions where read would do. A build step runs untrusted code before policy checks happen. A secret leaks through logs. A release token becomes available to a job that should never publish.

This is why the practical question is not, do we have security tools? The practical question is, do we have monitored control points before code becomes an artifact?

ADT home security is useful because it forces you to ask architectural questions:

What is the perimeter?
What counts as entry?
Which sensors cover which entry points?
What happens when a sensor fires?
Who can disarm the system?
How do we know the system still works?

Those questions map cleanly to software delivery. If your CI/CD security posture cannot answer them, you have scanner coverage, not security coverage.

Where the analogy stops

The analogy has limits. A house has a relatively stable perimeter. A software delivery system changes every day. Repositories appear. Package ecosystems change. Developers modify workflows. Vendors rotate APIs. Build runners move between hosted, self-hosted, ephemeral, and long-lived environments.

Also, attackers inside CI/CD can be more subtle than someone opening a window. They can change a version range, inject a postinstall script, exploit a workflow trigger, or abuse a maintainer token without creating an obvious production symptom.

So do not stretch the analogy into theater. Use it to structure the operating model. Related reading from our network: teams designing secure communication systems face similar ownership and key-management tradeoffs in end-to-end encryption messaging architecture, where the hard part is not the cryptographic slogan but the workflow around trust, keys, and metadata.

Practical rule: if a control cannot explain what it watches, who owns it, and what happens when it fires, it is not a security system. It is telemetry.

Map ADT home security to CI/CD security architecture

Comparison of home security components mapped to CI/CD security controls

Sensors become controls

In ADT home security, sensors detect state changes: door open, window broken, motion in a room, smoke in the air. In CI/CD, controls should detect trust-boundary changes.

Examples:

A workflow file adds pull_request_target.
A job changes from read-only to write-all permissions.
A third-party action is referenced by a mutable tag.
A package lockfile adds a new transitive dependency.
A release job runs on a broader branch pattern.
A build step executes a package lifecycle script.
A self-hosted runner accepts untrusted pull requests.

These are not generic code smells. They are perimeter events.

The mistake teams make is scanning everything with the same severity lens. A stale library CVE and a new workflow that publishes artifacts from untrusted code are different classes of risk. They need different response paths.

The panel becomes policy orchestration

The home alarm panel does not replace the sensors. It coordinates them. It knows armed versus disarmed state. It handles codes, zones, bypasses, and communication with monitoring.

For CI/CD, the panel is your policy layer. It may be implemented through GitHub branch protection, required checks, workflow rules, OPA, repository settings, custom scanners, or a combination. The implementation matters less than the role: centralize security decisions and make them visible at merge time.

A comparison helps:

Home security component	CI/CD equivalent	Bad implementation	Better implementation
Door sensor	Workflow trigger check	Alert in a dashboard nobody opens	Required check on pull requests
Window sensor	Third-party action check	Weekly report of risky actions	Block mutable action refs in changed workflows
Alarm panel	Policy orchestration	Each tool decides severity differently	Shared rules for block, warn, ticket, ignore
Monitoring center	Security ownership	Security inbox receives everything	Repo owner plus security escalation path
Disarm code	Exception process	Anyone can bypass checks	Time-boxed, reviewed exception with reason
Maintenance test	Control validation	Assume scanner still works	Test fixtures that intentionally trigger rules

That changes the conversation from tool procurement to system behavior.

Monitoring becomes ownership

A monitored alarm has an operator path. Someone receives the event, validates context, escalates if needed, and records the outcome. CI/CD security needs the same ownership model.

If a scanner blocks a pull request and nobody can explain the block, developers will route around it. If a scanner only comments on a pull request and nobody is accountable, it becomes background noise. If the security team owns every finding, they become the bottleneck and developers learn to wait.

Ownership should be close to the system being changed. The team that owns the repository should own normal remediation. Security should own rule design, high-risk triage, exception governance, and incident coordination.

Design the signal layer before buying more scanners

What counts as a useful signal

A useful signal has four properties:

It is tied to a specific change.
It explains the risk in operational terms.
It recommends an action that can happen now.
It has a defined owner.

A weak signal says: vulnerable dependency found.

A stronger signal says: this pull request introduces a new npm package with an install script and no prior use in this organization; block until reviewed or replace with an approved package.

A weak signal says: workflow permissions are too broad.

A stronger signal says: this workflow changed permissions from contents: read to contents: write and runs on pull requests; require review from a repository maintainer and security owner before merge.

The practical question is whether the signal shortens decision time. If it does not help someone decide block, allow, investigate, or escalate, it is incomplete.

Signal quality beats signal volume

Security teams often inherit dashboards full of low-context alerts. That feels like coverage, but it usually hides the attacks that matter. In production, noise does not stay neutral. Noise trains people to ignore the system.

High-quality CI/CD signals tend to be change-aware. They compare what the pull request changed against the repository's previous trust model. That is different from periodically scanning a default branch and emailing a CSV.

Prioritize signals at the point of introduction:

New dependency added.
Existing dependency source changed.
Workflow file modified.
Permission scope expanded.
Build step moved before validation.
Package manager behavior changed.
Release process touched.
Runner trust boundary changed.

These events are early enough to stop, specific enough to investigate, and close enough to the developer's context that remediation is realistic.

Normalize findings into one schema

What breaks in practice is inconsistent output. One tool uses critical, high, medium. Another uses score 1 through 10. Another uses pass or fail. Another writes comments with no stable identifier. The result is a policy mess.

Normalize findings before you enforce them. A simple internal schema can be enough:

finding_id: cicd.workflow.permissions.write_on_pr
asset: repo/name/.github/workflows/release.yml
change_source: pull_request
risk_type: token_exposure
severity: block
owner: repo-maintainers
recommended_action: restrict permissions to contents: read
exception_allowed: true
exception_ttl_days: 14

This is not bureaucracy. It is how you make the alarm panel work. If every sensor speaks a different language, policy becomes guesswork.

Practical rule: normalize findings by decision, not by vendor severity. The merge system needs block, warn, ticket, or allow.

Build response workflows, not alert dashboards

CI/CD security response workflow from signal to remediation

Decide who owns each alarm

A dashboard is not a workflow. A Slack message is not ownership. A GitHub comment is not remediation. Each alarm class needs a default owner and a default action.

For CI/CD security, start with a small ownership matrix:

Workflow permission expansion: repository maintainers, with security review for release jobs.
New package with suspicious behavior: application team, with security escalation if package executes install scripts or ships obfuscated code.
Secret exposure in build logs: security incident owner plus repo team.
Self-hosted runner exposure: platform team.
Package publishing token exposure: release engineering.
Policy bypass request: security plus engineering manager.

This feels basic until the first high-pressure release. Then it is the difference between a controlled exception and a hallway negotiation.

Separate investigation from remediation

Investigation answers what happened and how risky it is. Remediation changes the system. Keep them separate enough that neither gets skipped.

For example, a pull request introduces a new dependency. Investigation might check maintainer history, package age, install scripts, typosquatting similarity, native binaries, network behavior, and whether the dependency is necessary. Remediation might remove it, pin it, vendor it, replace it, sandbox it, or require additional review.

Do not make developers guess which one you are asking for. A good CI/CD alarm says exactly what evidence triggered it and what action clears it.

Related reading from our network: SOC teams run into the same problem when signals exist without ownership, which is why encrypted messaging security operations is framed around workflow, escalation, and response rather than message encryption alone.

Add escalation paths for merge pressure

Merge pressure is real. Production is down. A customer deadline is near. A compliance fix must ship. Someone will ask to bypass a security check.

That is not a failure condition. That is an expected operating condition. Build for it.

A sane exception process has:

Named approver.
Reason tied to business context.
Expiration date.
Compensating control.
Ticket or audit trail.
Follow-up owner.

The mistake teams make is pretending bypasses will not happen. Then bypasses happen through admin privileges, disabled branch protection, or manual merges. You lose the audit trail and the learning loop.

Protect the pipeline perimeter

Lock down workflow triggers

GitHub Actions and similar CI systems are powerful because they respond to events. That is also why they are dangerous. Triggers define when code runs, whose code runs, what token it receives, and what context it can access.

High-risk trigger patterns include:

Running privileged jobs on untrusted pull requests.
Using pull_request_target without strict checkout discipline.
Running release logic on broad branch or tag patterns.
Allowing workflow dispatch with unsafe inputs.
Mixing validation and deployment in the same workflow.

A minimal defensive pattern looks like this:

name: ci
on:
  pull_request:
    branches: [main]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci --ignore-scripts
      - run: npm test

This is not a universal template. It is a posture: default read-only, avoid lifecycle scripts when possible, and keep privileged release actions out of untrusted contexts.

Treat third-party actions like doors and windows

Third-party actions are executable dependencies in your delivery path. Treat them like exposed entry points.

What works:

Pin actions to commit SHAs for high-risk workflows.
Prefer maintained actions with clear source and release history.
Review action changes when workflow files change.
Restrict secrets from jobs that use untrusted actions.
Separate build, test, and release trust zones.

What fails:

Referencing actions by mutable tags everywhere.
Allowing every repository to invent its own release workflow.
Giving all jobs broad default token permissions.
Treating workflow changes as normal code changes with no extra review.

A mutable action reference in a release workflow is not just style debt. It is a trust decision.

Pin permissions before pinning blame

When a CI/CD incident happens, teams often ask who approved the workflow. Better question: why was the workflow allowed to request that much authority?

Set restrictive defaults at the organization and repository level. Then require explicit permission expansion in workflow files. That makes risky changes visible in code review and scanner output.

Practical rule: every CI job should start with the least token authority it can survive with. Add permissions only where the job proves it needs them.

Watch dependency changes like entry events

New packages deserve more scrutiny than old ones

The dependency you already run is not automatically safe, but the new dependency has a different risk profile. It is entering the estate. That moment deserves inspection.

A new package can introduce:

Install scripts.
Native binaries.
Obfuscated code.
Network calls during build.
Typosquatting risk.
Confusing ownership history.
A large transitive dependency graph.
License or maintenance problems.

The ADT home security model is useful here because it treats entry as a distinct event. You do not wait until the person is in the living room to decide whether the door opening mattered.

Package managers create different blast radii

npm, pip, cargo, gem, Go modules, and Composer do not behave identically. Their install hooks, lockfile semantics, transitive dependency behavior, binary distribution patterns, and maintainer models differ.

Do not flatten these differences away. A package added to a frontend build toolchain may execute during install. A Go module may affect static linking and release artifacts. A Python dependency may pull native wheels. A Rust crate may bring build scripts. A Ruby gem may execute in deployment tooling.

The practical control is not one universal severity score. It is ecosystem-aware review at the moment the dependency enters the repository.

What Dependabot-style tools miss

Dependabot-style tooling is useful, but it is usually strongest after a vulnerability is known and published. Many supply-chain attacks are not known CVEs when they first hit a build. They are behavioral, contextual, or trust-based.

That is why we previously broke down what Dependabot misses in npm supply-chain attacks: known-vulnerability alerts are necessary, but they do not replace new-package inspection, maintainer-risk review, install-script analysis, or CI/CD trust-boundary checks.

What works:

Review new packages at pull request time.
Treat lockfile expansion as meaningful.
Flag lifecycle scripts and native binaries.
Compare package names against known internal and popular packages.
Escalate when dependency changes coincide with workflow changes.

What fails:

Waiting for CVEs.
Treating all dependency bumps as routine.
Ignoring transitive changes because the top-level package looks familiar.
Allowing package additions in emergency patches with no follow-up.

Validate controls with adversarial tests

Test bypasses, not happy paths

Most teams test that scanners run. Fewer test whether scanners catch realistic bypasses. That is the gap attackers use.

For CI/CD, adversarial validation should include cases like:

Workflow permission expansion hidden in a large formatting change.
pull_request_target combined with unsafe checkout of attacker-controlled code.
A new dependency with a postinstall script.
A third-party action referenced by tag instead of SHA.
A release job that exposes secrets to a broader event.
A lockfile change that introduces a suspicious transitive package.

The point is not to create a theatrical red-team exercise for every repository. The point is to keep a compact suite of fixtures that prove your alarm system still detects the behaviors you care about.

Keep attack fixtures close to CI

Store test fixtures where the CI/CD policy can evaluate them. A separate wiki page of attack examples will rot. A repository with intentionally bad workflow snippets, suspicious package manifests, and expected scanner outputs is more useful.

For each fixture, record:

Triggering change.
Expected finding ID.
Expected severity decision.
Expected owner.
Expected remediation guidance.
Whether an exception is allowed.

When policy changes, run the fixtures. When the scanner changes, run the fixtures. When GitHub changes event behavior, run the fixtures.

Measure time to useful decision

The metric that matters is not alert count. It is time to useful decision.

Can the team decide within minutes whether to block, allow, investigate, or escalate? Can they see why the signal fired? Can the developer clear the finding without a meeting? Can security audit the exception later?

A useful set of operating metrics:

Median time from pull request open to security decision.
Percentage of blocking findings cleared by code change versus exception.
Number of expired exceptions still present.
Repeated findings by repository.
False-positive rate by rule.
High-risk workflow changes merged without required review.

Those metrics tell you whether the alarm system is improving behavior or just creating friction.

Common failure modes in ADT home security style CI/CD

Alarm fatigue

Alarm fatigue happens when everything is urgent. In home security, a motion sensor that fires every time the dog walks by is eventually ignored. In CI/CD, a scanner that blocks on low-context findings gets disabled, bypassed, or politically neutered.

Fix this by splitting decisions:

Block trust-boundary changes with clear exploit paths.
Warn on hygiene issues that are not immediately exploitable.
Ticket systemic cleanup separately from pull request review.
Suppress repeated non-actionable findings until the rule is improved.

Related reading from our network: even media and privacy workflows hit similar alert-design problems; encrypted messaging streaming privacy architecture is a useful adjacent example of how notifications, bots, and groups can leak context if the workflow is not designed carefully.

Orphaned ownership

A finding without an owner becomes a tax. Developers assume security owns it. Security assumes the repo team owns it. Platform assumes application teams own it. Everyone waits.

Create ownership defaults before enforcement. If you cannot assign a finding class to an owner, do not make it a hard block yet. Start in observe mode, learn the routing, then enforce.

The mistake teams make is turning on blocking checks globally and discovering ownership gaps during a release. That creates resentment and emergency bypasses.

Monitoring without response

Monitoring without response is the most common failure mode. The system detects risky behavior, but the response path is vague. A comment appears. A dashboard updates. A ticket lands in a backlog. The pull request merges anyway.

What breaks in practice is the merge boundary. If the risky change can merge before the decision happens, the control is advisory. Advisory controls can be useful, but do not confuse them with prevention.

For high-risk CI/CD changes, put the decision before merge. For lower-risk issues, create tickets and track remediation. Mixing those modes without clarity creates false confidence.

Practical rule: prevention belongs at the merge boundary. Cleanup belongs in backlog systems. Do not route both through the same severity label.

Implementation workflow for a monitored CI/CD estate

Implementation phases for monitored CI/CD security

Phase 1: inventory

Start by finding the doors and windows.

Inventory repositories, default branches, protected branches, and release branches.
Inventory workflow files and the events that trigger them.
Identify jobs with write permissions, secrets, deployment authority, or package publishing rights.
Inventory third-party actions and whether they are pinned by tag, version, or SHA.
Inventory package manifests and lockfiles across npm, pip, cargo, gem, Go, and Composer.
Identify self-hosted runners and which repositories can reach them.
Map owners for repositories, release processes, and platform infrastructure.

Do not start with perfect policy. Start with visibility. You need to know where privileged execution can happen before you can protect it.

Phase 2: enforce

Once inventory is good enough, enforce a small number of high-confidence controls.

A practical first enforcement set:

Block workflow permission expansion in pull requests unless reviewed.
Block privileged workflows from running on untrusted fork code.
Warn or block mutable third-party action references in release workflows.
Block package additions with dangerous install behavior until reviewed.
Require explicit approval for changes to release jobs.
Require restrictive default token permissions.

Roll this out in stages. Start with critical repositories and release workflows. Then expand to the broader estate. Avoid the big-bang deployment unless you enjoy debugging org politics while production waits.

Phase 3: review and tune

A monitored system needs maintenance. Rules drift. Attackers adapt. Developers find edge cases. Vendor behavior changes. Package ecosystems change.

Set a monthly or quarterly review loop:

Which rules produced the most false positives?
Which blocks were bypassed?
Which exceptions expired without cleanup?
Which repositories repeatedly triggered the same findings?
Which high-risk changes merged without detection?
Which new attack patterns should become fixtures?

This is where the ADT home security model becomes operationally useful. You are not installing sensors once. You are maintaining a monitored system.

Where vu1nz.com fits in an ADT home security model for software

Product fit: sensors at pull request time

vu1nz.com fits at the pull request boundary, where CI/CD risk is still cheap to stop. The vu1nz GitHub Action for CI/CD and package security scanning is designed as a drop-in control that checks workflow security issues and newly added packages before they merge.

That matters because the pull request is where developer context, code change, and policy decision intersect. If you wait until after merge, you are already in cleanup mode. If you only scan the default branch, you miss the moment where a risky change could have been challenged.

This is not a replacement for SAST, SCA, secrets scanning, artifact signing, or runtime detection. It is a sensor layer for a specific class of entry events: CI/CD workflow risk and package supply-chain risk introduced in code review.

What works with vu1nz.com

What works is using vu1nz.com as part of a wider monitored architecture:

Required checks on repositories where workflow and dependency changes matter.
Clear ownership for blocked findings.
Exceptions with review and expiration.
Pairing with branch protection and least-privilege GitHub token settings.
Reviewing scanner output during pull request review, not weeks later.
Feeding repeated findings into platform hardening work.

What fails is treating any scanner as magic. If nobody owns findings, if branch protection can be casually disabled, or if release workflows are exempt from review, the tool becomes another camera pointed at an unlocked door.

Closing the loop

ADT home security is a useful model because it makes the workflow visible. Sensors are not enough. Cameras are not enough. Alerts are not enough. The system works when detection, policy, ownership, and response are connected.

CI/CD security works the same way. The goal is not to collect more findings. The goal is to stop unsafe workflow changes and suspicious package additions before they become trusted artifacts.

If you take one idea from this ADT home security model, make it this: define the perimeter of your software delivery system, instrument the entry points, and put the decision before merge.

Try vu1nz.com

vu1nz.com is for security engineers and DevSecOps teams who need to defend CI/CD pipelines and software supply chains from modern attacks. Try vu1nz.com.

Catch the next supply-chain attack on the PR that adds it.

14-day free trial · no card required

Start free trial More posts