Hacker News: julietsecurity

New comment by julietsecurity in "Show HN: Abom – Actions Bill of Materials for GitHub Actions Supply Chains"

julietsecurity — Thu, 26 Mar 2026 15:54:59 +0000

We built this after CVE-2026-33634 (Trivy compromise). Every remediation guide says "grep your workflows for trivy-action" — but if you use a composite action that internally calls trivy-action, grep finds nothing.

abom recursively resolves every GitHub Action dependency in your workflows, including composite actions, reusable workflows, and actions that silently embed tools like Trivy as wrappers. It flags known-compromised actions against an advisory database and outputs standard formats (CycloneDX 1.5, SPDX 2.3) so you can treat your CI/CD supply chain like your application dependencies.

We're calling the output an ABOM — an Actions Bill of Materials. SBOMs exist for your app dependencies, ABOMs should exist for your pipelines.

Show HN: Abom – Actions Bill of Materials for GitHub Actions Supply Chains

julietsecurity — Thu, 26 Mar 2026 15:52:28 +0000

Article URL: https://github.com/JulietSecurity/abom

Comments URL: https://news.ycombinator.com/item?id=47532024

Points: 2

# Comments: 1

New comment by julietsecurity in "Algorithm Visualizer"

julietsecurity — Wed, 25 Mar 2026 12:18:51 +0000

This is pretty neat. you should add sound effects like this - https://www.youtube.com/watch?v=kPRA0W1kECg