JulietSecurity/abom-advisories
abom-advisories

Community-curated advisory database for abom — the Actions Bill of Materials tool.

How it works

abom --check fetches advisories.juliet.sh/db/advisories.json at runtime to flag known-compromised GitHub Actions in your CI/CD pipelines. The JSON database is compiled from the YAML sources in advisories/ and published automatically when PRs merge to main.

The database is fetched automatically — no configuration needed. If the fetch fails (offline, rate limited), abom falls back to built-in data shipped with each release.

Current advisories

See advisories.juliet.sh/db/advisories.json for the current list, or browse the YAML sources in advisories/.

Contributing

Anyone can submit a PR to add a new advisory. Your PR must:

  • Conform to the OSV schema plus ABOM extensions
  • Use a unique id in the form ABOM-YYYY-NNNN
  • Include at least one reference to a public advisory or CVE
  • Clearly describe what was compromised and when

Maintainers review and merge. No auto-merge — we're the editorial layer ensuring data quality.

Advisory format

Advisories use the OSV schema (v1.7.5). ABOM-specific fields live in two extension namespaces:

  • ecosystem_specific.abom for GitHub-Actions-specific signal (tool_names for wrapper detection, affected_period for incident time windows)
  • database_specific.abom for ABOM-wide signal (indicators for IoC data, recommended_actions for remediation steps)
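As an added example that is not part of this repository, a small pre-submission lint that checks one parsed advisory against the contribution rules above and the two abom extension namespaces. Placing ecosystem_specific inside each affected[] item follows the OSV schema; the value shapes of affected_period, tool_names, indicators and recommended_actions, and the "GitHub Actions" ecosystem name, are assumptions of this example.

```python
import re
from datetime import datetime

ID_RE = re.compile(r"^ABOM-\d{4}-\d{4}$")  # unique id form required by the README

def _ts(value):
    """Parse an RFC 3339 timestamp (trailing Z allowed); None when malformed or missing."""
    try:
        return datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    except ValueError:
        return None

def lint_advisory(adv):
    """Return the list of contribution-rule violations; empty means the entry passes."""
    problems = []
    if not ID_RE.match(str(adv.get("id", ""))):
        problems.append("id must match ABOM-YYYY-NNNN")
    if not any(str(r.get("url", "")).startswith("https://") for r in adv.get("references", [])):
        problems.append("at least one https reference to a public advisory or CVE is required")
    if not adv.get("summary") or not adv.get("details"):
        problems.append("summary and details must say what was compromised and when")
    affected = adv.get("affected") or []
    if not affected:
        problems.append("affected must list at least one action")
    for entry in affected:  # OSV keeps ecosystem_specific inside each affected[] item
        period = entry.get("ecosystem_specific", {}).get("abom", {}).get("affected_period", {})
        start, end = _ts(period.get("start")), _ts(period.get("end"))
        if start is None or end is None:
            problems.append("ecosystem_specific.abom.affected_period needs RFC 3339 start and end")
        elif end < start:
            problems.append("affected_period end precedes its start")
    if not adv.get("database_specific", {}).get("abom", {}).get("recommended_actions"):
        problems.append("database_specific.abom.recommended_actions must not be empty")
    return problems

# Constructed sample entry (not a real incident). The abom field names follow the
# README; the shape of their values is an assumption of this example.
SAMPLE = {
    "schema_version": "1.7.5", "id": "ABOM-2025-0001",
    "summary": "Example: compromised release tag of a GitHub Action",
    "details": "Placeholder: what was compromised and when.",
    "affected": [{"package": {"ecosystem": "GitHub Actions", "name": "example-org/example-action"},
                  "ecosystem_specific": {"abom": {"tool_names": ["example-tool"],
                                                  "affected_period": {"start": "2025-01-01T00:00:00Z",
                                                                      "end": "2025-01-02T00:00:00Z"}}}}],
    "references": [{"type": "ADVISORY", "url": "https://example.invalid/advisory"}],
    "database_specific": {"abom": {"indicators": ["placeholder-indicator"],
                                   "recommended_actions": ["Pin the action to a reviewed commit SHA."]}},
}
```

Run lint_advisory on the dict produced by loading one YAML file from advisories/ before opening the PR; an empty list means the entry clears the checks above.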

License

Apache 2.0


Maintained by Juliet Security · Contact
