A composable CI/CD security framework for GitHub Actions. Adopters reference wrangle's reusable workflows and get source scanning, signed builds, SBOMs, and SLSA L3 provenance out of the box. Maintainers update the underlying tooling without adopters touching their repos.
Add source scanning to any GitHub repo by creating `.github/workflows/check_source_change.yml`:

```yaml
name: Check Source Change
on:
  push:
    branches: ["main"]
  pull_request:
    branches: ["**"]
jobs:
  check-change:
    permissions:
      actions: read
      contents: read
      security-events: write
    uses: TomHennen/wrangle/.github/workflows/check_source_change.yml@v0.1.0
```

This runs OSV-Scanner, Zizmor, OSSF Scorecard, and dependency-review on every pull request and on every push to `main`. Findings appear in the repository's Security tab and in the Actions step summary. The `permissions` block is what the reusable workflow needs: `security-events: write` is required to upload findings to the Security tab, and the other two scopes are read-only. Note that `@v0.1.0` is a tag, which the upstream repository can move; pin to a full commit SHA instead if you want an immutable revision, at the cost of bumping the SHA yourself to pick up tooling updates.
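A pre-merge check an adopter might run on the caller workflow above, as an added example that is not part of wrangle: it verifies that every `uses:` reference is pinned to a 40-hex commit SHA rather than a movable tag, and that the job grants no `write` scope beyond `security-events`. Both policies, the placeholder SHA, and the small line-walking parser (used so the script needs no PyYAML) are this example's assumptions.

```python
"""Lint a GitHub Actions caller workflow for pinning and least privilege.

Added example, not part of wrangle. Two checks a supply-chain-minded
adopter wants before merging a workflow that calls a reusable workflow:
  1. every `uses:` reference is pinned to a full 40-hex commit SHA
     (a tag such as @v0.1.0 can be moved by the upstream repository);
  2. the job grants no `write` permission beyond `security-events`,
     the only write scope a scan-only job needs to upload findings.
Both policies are this example's assumptions, not wrangle requirements.
The parser is a deliberately small line walker so it runs without PyYAML.
"""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*(\S+)")
PERM_RE = re.compile(r"^(\s*)([a-z-]+):\s*(read|write|none)\s*$")
WRITE_ALL_RE = re.compile(r"^\s*permissions:\s*write-all\s*$")
ALLOWED_WRITE = {"security-events"}  # assumed policy for a scan-only job


def parse_uses_ref(value):
    """Split 'owner/repo/path@ref' into (target, ref); ref is None if absent."""
    target, sep, ref = value.partition("@")
    return target, (ref if sep else None)


def lint_workflow(text):
    """Return a list of (line_no, finding) tuples for the workflow text."""
    findings = []
    in_perms = False
    perm_indent = None
    for no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        # Leave the permissions block once indentation returns to its level.
        if in_perms and indent <= perm_indent:
            in_perms = False
        m = USES_RE.match(line)
        if m:
            target, ref = parse_uses_ref(m.group(1))
            if target.startswith("./"):
                continue  # local reference, already fixed by the caller's commit
            if ref is None or not SHA_RE.match(ref):
                findings.append((no, f"unpinned: {m.group(1)} (pin to a 40-hex commit SHA)"))
            continue
        if WRITE_ALL_RE.match(line):
            findings.append((no, "broad permissions: write-all"))
            continue
        if stripped == "permissions:":
            in_perms, perm_indent = True, indent
            continue
        if in_perms:
            pm = PERM_RE.match(line)
            if pm and pm.group(3) == "write" and pm.group(2) not in ALLOWED_WRITE:
                findings.append((no, f"excess write scope: {pm.group(2)}"))
    return findings


# Constructed caller workflow mirroring the README's example (tag-pinned).
TAG_PINNED = """\
name: Check Source Change
on:
  push:
    branches: ["main"]
  pull_request:
    branches: ["**"]
jobs:
  check-change:
    permissions:
      actions: read
      contents: read
      security-events: write
    uses: TomHennen/wrangle/.github/workflows/check_source_change.yml@v0.1.0
"""

# Same caller pinned to a placeholder SHA (not a real wrangle commit), but
# with an over-broad `contents: write` grant added for the demonstration.
PLACEHOLDER_SHA = "0123456789abcdef" * 2 + "01234567"
SHA_PINNED_OVERBROAD = (
    TAG_PINNED.replace("@v0.1.0", "@" + PLACEHOLDER_SHA)
    .replace("contents: read", "contents: write")
)

if __name__ == "__main__":
    for name, wf in (("tag-pinned", TAG_PINNED), ("sha-pinned-overbroad", SHA_PINNED_OVERBROAD)):
        print(name)
        for no, msg in lint_workflow(wf):
            print(f"  line {no}: {msg}")
```

Run it as a pre-commit hook or a CI step over `.github/workflows/*.yml`; the README's caller produces one `unpinned` finding, and the SHA-pinned variant produces only the `excess write scope: contents` finding.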
For build/publish — npm, Python, container, shell — see the workflow examples.
- Workflow examples — copy-paste starting points
- Reusable workflows — what adopters call via `uses:`
- Source scan action — OSV, Zizmor, Scorecard, dependency-review orchestration
- Build actions — npm, python, container, shell
- Tools — per-tool adapters and install scripts (OSV, Zizmor, Scorecard, Syft, dependency-review)
- Spec — architecture, contracts, threat model