{"id":39061428,"url":"https://github.com/cybrota/scharf","last_synced_at":"2026-01-17T18:06:12.894Z","repository":{"id":283885902,"uuid":"953194728","full_name":"cybrota/scharf","owner":"cybrota","description":"Static analysis tool to Identify and Fix GitHub Actions prone to Supply‑Chain Risks","archived":false,"fork":false,"pushed_at":"2025-12-24T20:45:06.000Z","size":349,"stargazers_count":14,"open_issues_count":5,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-01-15T07:27:28.769Z","etag":null,"topics":["ci-cd","cybersecurity","devsecops","github","github-actions","go","golang","security","security-tools","supply-chain-security"],"latest_commit_sha":null,"homepage":"https://cybrota.github.io/scharf/","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cybrota.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2025-03-22T19:34:37.000Z","updated_at":"2025-12-24T20:45:09.000Z","dependencies_parsed_at":"2025-04-13T22:23:08.776Z","dependency_job_id":"8c6a8031-0150-4805-84b8-ab14ecb51ee6","html_url":"https://github.com/cybrota/scharf","commit_stats":null,"previous_names":["cybrota/sharfer","cybrota/scharf"],"tags_count":16,"template":false,"template_full_name":null,"purl":"pkg:github/cybrota/scharf","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cybrota%2Fscharf","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cybrota%2Fscharf/tags
","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cybrota%2Fscharf/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cybrota%2Fscharf/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cybrota","download_url":"https://codeload.github.com/cybrota/scharf/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cybrota%2Fscharf/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28514940,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-17T17:57:59.192Z","status":"ssl_error","status_checked_at":"2026-01-17T17:57:52.527Z","response_time":85,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ci-cd","cybersecurity","devsecops","github","github-actions","go","golang","security","security-tools","supply-chain-security"],"created_at":"2026-01-17T18:06:11.539Z","updated_at":"2026-01-17T18:06:12.879Z","avatar_url":"https://github.com/cybrota.png","language":"Go","readme":"# Scharf\n[![Go Report Card](https://goreportcard.com/badge/github.com/cybrota/scharf)](https://goreportcard.com/report/github.com/cybrota/scharf)\n\n\u003cpicture width=\"500\"\u003e\n  \u003csource\n    width=\"100%\"\n    media=\"(prefers-color-scheme: dark)\"\n    
src=\"https://raw.githubusercontent.com/cybrota/scharf/refs/heads/main/logo.png\"\n    alt=\"Scharf logo (dark)\"\n  /\u003e\n  \u003cimg\n    width=\"100%\"\n    src=\"https://raw.githubusercontent.com/cybrota/scharf/refs/heads/main/logo.png\"\n    alt=\"Scharf logo (light)\"\n  /\u003e\n\u003c/picture\u003e\n\n\nSecure your CI/CD pipeline against supply-chain attacks on third-party GitHub Actions.\n\nScharf scans your workflows, identifies mutable action references, and replaces them with immutable commit SHAs. It also generates comprehensive CSV or JSON reports across repositories and lets you inspect available tags and SHAs without leaving your terminal.\n\n## Why Use Scharf?\n\nBy pinning every third-party action to a specific commit SHA, Scharf prevents unexpected or malicious changes from creeping into your CI/CD process. This ensures a stable and secure development lifecycle by eliminating risks tied to drifting dependencies and mutable tags.\n\n## Key Features\n\n* Autofix Workflows: Detect and update mutable action tags to their corresponding SHAs in your workflow files.\n\n* Quick SHA Lookup: Retrieve the latest commit SHA for any GitHub Action directly from the CLI.\n\n* Actionable Reports: Produce JSON or CSV reports that highlight insecure references across one or many repositories.\n\n* Custom Scopes: Choose to scan only the current HEAD or include all branches when you audit or find actions.\n\n\n## Supported Platforms\n\n* Linux\n* Mac OSX\n\n## Installation\n**Option 1**: Install quickly via Homebrew (requires Homebrew installed)\n\n```sh\n# Tap brew formula\nbrew tap cybrota/cybrota\n\n# Install scharf\nbrew install scharf\n```\n\n**Option 2**: Download Prebuilt Binary\n\nVisit the releases page and download the binary for your OS:\n\nhttps://github.com/cybrota/scharf/releases\n\n**Option 3**: Install via Script\n\n```sh\ncurl -sf https://raw.githubusercontent.com/cybrota/scharf/refs/heads/main/install.sh | sh\n```\n\nThis script installs the 
latest version automatically (requires curl).\n\n## Usage Examples\n\n### 1. Autofix Mutable Actions\n\nPoint Scharf at a Git repository and run:\n```sh\n# Autofix a local repository\nscharf autofix git_repo\n```\n\nNote: By default, audit looks in the current directory (.) if no repository is passed.\n\nScharf rewrites your workflow file, replacing, for example:\n```sh\nactions/github-script@v7 ➔ actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7\n```\nInclude `--dry-run` to preview changes without modifying files:\n```sh\nscharf autofix git_repo --dry-run\n```\n\n### 2. Audit a Single Repository\nScan for mutable references in your current repository:\n```sh\n# Audit a local repository\nscharf audit git_repo\n\n# Audit a remote repository. This automatically clones the remote into a /tmp directory with a scharf-* prefix\nscharf audit https_or_git_url\n```\n\nThe output lists each insecure tag, its file location, and the SHA you should pin. You can pass the `--raise-error` flag to return a non-zero exit code.\n\n### 3. Find Across Many Repos\nPoint Scharf at a directory of cloned repositories to scan multiple projects:\n```sh\nscharf find --root /path/to/workspace --out csv\n```\nAdd the `--head-only` flag to limit scanning to each repo’s current HEAD, or omit it to include all branches.\n\n### 4. List Available Tags and SHAs\nIf you need to explore versions before pinning, run:\n```sh\nscharf list owner/repo\n# Ex: scharf list tj-actions/changed-files\n```\nThis command prints a table of tags and their corresponding commit SHAs.\n\n### 5. 
Lookup a Specific SHA\nWhen you know a tag and want its SHA, use:\n```sh\nscharf lookup owner/repo@version\n# Ex: scharf lookup actions/checkout@v4\n```\n\n## CI Integration\n\nEmbed Scharf in your GitHub Actions workflow to enforce secure references automatically:\n\nSee this repository for more details:\n[https://github.com/cybrota/scharf-action](https://github.com/cybrota/scharf-action)\n\n```yaml\njobs:\n  my-job:\n    runs-on: ubuntu-22.04\n\n    steps:\n      - name: Checkout repository\n        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683\n\n      - name: Audit GitHub actions\n        uses: cybrota/scharf-action@c0d0eb13ca383e5a3ec947d754f61c9e61fab5ba\n        with:\n          raise-error: true\n```\n\n## The Risk of Mutable Tags\n\nMutable tags (e.g., @v1 or @main) allow action authors to push new code without changing your workflow. If a tag gets compromised, your CI can run malicious code. Scharf eliminates this vulnerability by always pinning to a specific, audited commit.\n\n## TODO for Scharf\nCheck Issues Tab on GitHub\n\n## Further Reading:\n\nSupply Chain Compromise of Third-Party tj-actions/changed-files:\n- https://www.cisa.gov/news-events/alerts/2025/03/18/supply-chain-compromise-third-party-github-action-cve-2025-30066\n\nWhose code am I running in GitHub Actions?\n- https://alexwlchan.net/2025/github-actions-audit/\n\nGitHub CVE: tj-actions changed-files through 45.0.7 allows remote attackers to discover secrets by reading action logs\n* https://github.com/advisories/ghsa-mrrh-fwg8-r2c3\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcybrota%2Fscharf","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcybrota%2Fscharf","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcybrota%2Fscharf/lists"}