Community-curated advisory database for abom — the Actions Bill of Materials tool.
`abom --check` fetches `advisories.juliet.sh/db/advisories.json` at runtime to flag known-compromised GitHub Actions in your CI/CD pipelines. The JSON database is compiled from the YAML sources in `advisories/` and published automatically when PRs merge to `main`.
The database is fetched automatically; no configuration is needed. If the fetch fails (offline, rate limited), abom falls back to the built-in copy shipped with each release, which may be older than the live database.
See advisories.juliet.sh/db/advisories.json for the current list, or browse the YAML sources in advisories/.
Anyone can submit a PR to add a new advisory. Your PR must:
- Conform to the OSV schema plus ABOM extensions
- Use a unique `id` in the form `ABOM-YYYY-NNNN`
- Include at least one reference to a public advisory or CVE
- Clearly describe what was compromised and when
Maintainers review and merge. No auto-merge — we're the editorial layer ensuring data quality.
Advisories use the OSV schema (v1.7.5). ABOM-specific fields live in two extension namespaces:
- `ecosystem_specific.abom` for GitHub-Actions-specific signal (`tool_names` for wrapper detection, `affected_period` for incident time windows)
- `database_specific.abom` for ABOM-wide signal (`indicators` for IoC data, `recommended_actions` for remediation steps)
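As an added, constructed example (not code from abom or this repository), the Python below checks an advisory entry against the submission rules above and the two extension namespaces, then matches a workflow's `uses:` references against the compiled database in the way `abom --check` has to. The README fixes only the namespace and field names; the sample advisory, the placeholder action `example-org/setup-tool`, the `start`/`end` keys of `affected_period`, and the `commits` key under `indicators` are assumptions made for the example.

```python
import json
import re
from datetime import datetime

ID_RE = re.compile(r"^ABOM-\d{4}-\d{4}$")       # id format required by this repo
ACTION_RE = re.compile(r"^[\w.-]+/[\w.-]+$")     # owner/repo
# A `uses:` reference of the form owner/repo[/path]@ref; local (./) and docker:// uses are skipped.
USES_RE = re.compile(r"uses:\s*['\"]?([\w.-]+/[\w.-]+)(?:/[^@\s'\"]+)?@([^\s'\"#]+)")

# Constructed sample of the compiled advisories.json: OSV core fields plus the two ABOM
# namespaces. The action, tags, dates, commit and URL are placeholders, not a real incident.
SAMPLE_DB = json.loads("""[{
  "schema_version": "1.7.5", "id": "ABOM-2025-0001",
  "published": "2025-03-16T00:00:00Z", "modified": "2025-03-20T00:00:00Z",
  "summary": "example-org/setup-tool release tags repointed to a payload commit",
  "details": "From 2025-03-14 to 2025-03-15 the v1, v2 and v2.3.1 tags pointed at a commit that read runner secrets.",
  "affected": [{
    "package": {"ecosystem": "GitHub Actions", "name": "example-org/setup-tool"},
    "versions": ["v1", "v2", "v2.3.1"],
    "ecosystem_specific": {"abom": {
      "tool_names": ["setup-tool"],
      "affected_period": {"start": "2025-03-14T16:00:00Z", "end": "2025-03-15T23:00:00Z"}}}
  }],
  "references": [{"type": "ADVISORY", "url": "https://example.invalid/advisories/setup-tool"}],
  "database_specific": {"abom": {
    "indicators": {"commits": ["0123456789abcdef0123456789abcdef01234567"]},
    "recommended_actions": ["Pin to a full commit SHA from before the window", "Rotate secrets exposed to affected runs"]}}
}]""")

def _ts(value):
    """Parse an RFC 3339 timestamp; None if missing or malformed."""
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except (AttributeError, ValueError):
        return None

def validate_entry(entry):
    """Return the contribution-rule violations for one advisory; [] means it passes."""
    problems = []
    if not ID_RE.match(entry.get("id", "")):
        problems.append("id must be ABOM-YYYY-NNNN")
    has_ref = any(r.get("url", "").startswith("https://") for r in entry.get("references", []))
    if not has_ref and not any(a.startswith("CVE-") for a in entry.get("aliases", [])):
        problems.append("need at least one https reference or CVE alias")
    if not entry.get("summary") or not entry.get("details"):
        problems.append("summary and details must say what was compromised and when")
    if not entry.get("affected"):
        problems.append("affected must list at least one action")
    for a in entry.get("affected", []):
        pkg = a.get("package", {})
        if pkg.get("ecosystem") != "GitHub Actions" or not ACTION_RE.match(pkg.get("name", "")):
            problems.append("affected.package needs ecosystem 'GitHub Actions' and an owner/repo name")
        if not a.get("versions") and not a.get("ranges"):
            problems.append(f"{pkg.get('name')}: versions or ranges required")
        ext = a.get("ecosystem_specific", {}).get("abom", {})
        if not all(isinstance(t, str) for t in ext.get("tool_names", [])):
            problems.append("tool_names must be a list of strings")
        period = ext.get("affected_period")
        if period is not None:  # incident window: both ends RFC 3339, start not after end
            start, end = _ts(period.get("start")), _ts(period.get("end"))
            if start is None or end is None or start > end:
                problems.append("affected_period needs RFC 3339 start <= end")
    db_ext = entry.get("database_specific", {}).get("abom", {})
    if not isinstance(db_ext.get("indicators", {}), dict):
        problems.append("indicators must be an object")
    if not all(isinstance(s, str) for s in db_ext.get("recommended_actions", [])):
        problems.append("recommended_actions must be a list of strings")
    return problems

def validate_db(db):
    """Validate every entry and reject ids reused across the database."""
    problems, seen = {}, set()
    for entry in db:
        eid = entry.get("id", "<missing>")
        issues = validate_entry(entry)
        if eid in seen:
            issues.append("duplicate id")
        seen.add(eid)
        if issues:
            problems[eid] = issues
    return problems

def check_workflow(workflow_yaml, db):
    """Flag `uses:` refs that match an advisory by listed tag or by indicator commit."""
    findings = []
    for name, ref in USES_RE.findall(workflow_yaml):
        for entry in db:
            iocs = entry.get("database_specific", {}).get("abom", {}).get("indicators", {})
            for a in entry.get("affected", []):
                if a.get("package", {}).get("name") != name:
                    continue
                if ref in a.get("versions", []) or ref in iocs.get("commits", []):
                    findings.append((name, ref, entry["id"]))
    return findings

# Constructed workflow fragment: one unrelated action, a tag pin and a SHA pin that hit the advisory,
# and a SHA the advisory does not list.
SAMPLE_WORKFLOW = """
steps:
  - uses: actions/checkout@v4
  - uses: example-org/setup-tool@v2
  - uses: example-org/setup-tool@0123456789abcdef0123456789abcdef01234567
  - uses: example-org/setup-tool@9999999999999999999999999999999999999999
"""

if __name__ == "__main__":
    print(validate_db(SAMPLE_DB) or "database OK")
    for name, ref, adv in check_workflow(SAMPLE_WORKFLOW, SAMPLE_DB):
        print(f"{adv}: {name}@{ref}")
```

Two findings come back for the sample workflow (the `v2` tag and the listed commit) and the last `uses:` line is silent: a SHA that is neither a listed tag nor a listed indicator is not cleared, only unmatched. Deciding whether an unlisted commit falls inside `affected_period` needs the commit's timestamp from Git, which this example does not fetch; it also does not attempt the `tool_names` wrapper detection, since the README names the field but not the matching rule.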
Maintained by Juliet Security · Contact