whatisgithub

What is moat?

laravel/moat — explained in plain English

Analysis updated 2026-05-18

16RustAudience · ops devopsComplexity · 2/5Setup · easy

In one sentence

A command line tool that audits a GitHub org, user, or repo for supply chain security gaps like missing 2FA, unsigned commits, and unpinned Actions.

Mindmap

mindmap
  root((repo))
    What it does
      Audits GitHub security
      Flags misconfigurations
      Explains risks plainly
    Tech stack
      Rust
    Use cases
      2FA enforcement check
      Action pinning check
      Branch protection check
    Audience
      DevOps engineers
      Open source maintainers

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Audit whether two factor authentication is enforced across a GitHub organization.

USE CASE 2

Check whether GitHub Actions workflows pin dependencies to hashes instead of mutable tags.

USE CASE 3

Verify branch protection, signed commits, and secret scanning are enabled before an incident happens.

What is it built with?

Rust

How does it compare?

laravel/moatcelestia-island/ratatui-markdowndollspace-gay/thermite
Stars161616
LanguageRustRustRust
Setup difficultyeasyeasyhard
Complexity2/52/55/5
Audienceops devopsdeveloperresearcher

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy Time to first run · 5min

Needs a GitHub token with read permissions.

So what is it?

Moat is a command-line security audit tool written in Rust that checks your GitHub organization, user account, or individual repository for supply-chain hygiene problems: security misconfigurations that could let an attacker slip malicious code into your software without detection. Supply-chain attacks happen when someone compromises a dependency, a contributor account, or an automated workflow rather than attacking your code directly. Moat scans for the controls that block those attacks: whether two-factor authentication is enforced org-wide, whether branch protection rules cover release branches, whether commits must be cryptographically signed, whether secret scanning and push protection are enabled, whether Dependabot alerts are on for vulnerable dependencies, and whether GitHub Actions workflows pin dependencies to specific hashes rather than mutable tags (which can be silently repointed after a compromise). To use it, install the binary via Homebrew or a prebuilt release, provide a GitHub token with read permissions, and run a single command with your org name, username, or repo slug. No configuration file is needed. Moat resolves your GitHub token by checking the GITHUB_TOKEN environment variable first, then GH_TOKEN, and finally falling back to a logged-in GitHub CLI session, so most users do not need to set anything up manually. A verbose flag shows the full list of collaborators and members instead of a truncated view, and a theme option controls whether output is styled for a dark or light terminal. Each check includes a plain-English explanation of the risk, so the output is actionable for teams that want to understand the danger, not just see pass/fail results. It targets open-source maintainers and engineering teams wanting a quick audit of their GitHub security posture before a leaked token or compromised dependency becomes an incident. The full README is longer than what was provided.

Copy-paste prompts

Prompt 1
Help me install Moat via Homebrew and run a security audit on my GitHub organization.
Prompt 2
Explain what it means for GitHub Actions to pin dependencies to hashes versus mutable tags.
Prompt 3
Walk me through the checks Moat runs and what each one protects against.
Prompt 4
How do I generate a GitHub token with the right permissions to run Moat?

Frequently asked questions

What is moat?

A command line tool that audits a GitHub org, user, or repo for supply chain security gaps like missing 2FA, unsigned commits, and unpinned Actions.

What language is moat written in?

Mainly Rust. The stack also includes Rust.

How hard is moat to set up?

Setup difficulty is rated easy, with roughly 5min to a first successful run.

Who is moat for?

Mainly ops devops.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.