Audit whether two factor authentication is enforced across a GitHub organization.
Check whether GitHub Actions workflows pin dependencies to hashes instead of mutable tags.
Verify branch protection, signed commits, and secret scanning are enabled before an incident happens.
| laravel/moat | celestia-island/ratatui-markdown | dollspace-gay/thermite | |
|---|---|---|---|
| Stars | 16 | 16 | 16 |
| Language | Rust | Rust | Rust |
| Setup difficulty | easy | easy | hard |
| Complexity | 2/5 | 2/5 | 5/5 |
| Audience | ops devops | developer | researcher |
Figures from each repo's GitHub metadata at analysis time.
Needs a GitHub token with read permissions.
Moat is a command-line security audit tool written in Rust that checks your GitHub organization, user account, or individual repository for supply-chain hygiene problems: security misconfigurations that could let an attacker slip malicious code into your software without detection. Supply-chain attacks happen when someone compromises a dependency, a contributor account, or an automated workflow rather than attacking your code directly. Moat scans for the controls that block those attacks: whether two-factor authentication is enforced org-wide, whether branch protection rules cover release branches, whether commits must be cryptographically signed, whether secret scanning and push protection are enabled, whether Dependabot alerts are on for vulnerable dependencies, and whether GitHub Actions workflows pin dependencies to specific hashes rather than mutable tags (which can be silently repointed after a compromise). To use it, install the binary via Homebrew or a prebuilt release, provide a GitHub token with read permissions, and run a single command with your org name, username, or repo slug. No configuration file is needed. Moat resolves your GitHub token by checking the GITHUB_TOKEN environment variable first, then GH_TOKEN, and finally falling back to a logged-in GitHub CLI session, so most users do not need to set anything up manually. A verbose flag shows the full list of collaborators and members instead of a truncated view, and a theme option controls whether output is styled for a dark or light terminal. Each check includes a plain-English explanation of the risk, so the output is actionable for teams that want to understand the danger, not just see pass/fail results. It targets open-source maintainers and engineering teams wanting a quick audit of their GitHub security posture before a leaked token or compromised dependency becomes an incident. The full README is longer than what was provided.
A command line tool that audits a GitHub org, user, or repo for supply chain security gaps like missing 2FA, unsigned commits, and unpinned Actions.
Mainly Rust. The stack also includes Rust.
Setup difficulty is rated easy, with roughly 5min to a first successful run.
Mainly ops devops.
This repo across BitVibe Labs
Verify against the repo before relying on details.