Skill by sbom-tool · 14 stars
GH-Guard hardens CI/CD pipelines for Rust projects. It generates production-tested GitHub Actions workflows with SHA-pinned actions, OIDC-based Trusted Publishing, SLSA L3 provenance, and layered dependency auditing via cargo-deny, Dependabot, and osv-scanner. Five commands: /audit scans your repo against supply chain best practices, /harden walks you through fixes at three levels (Minimal/Standard/Hardened), /generate creates individual config files, /check-updates catches stale SHA pins, and /verify validates everything before you push. 14 skills provide deep context on Scorecard checks, dangerous workflow patterns, release automation, workspace publishing, fuzz testing, and compromised action incident response. All guidance is informed by real-world incidents including the March 2026 Trivy tag hijacking.
/plugin install gh-guard@claude-community