Enterprise-grade supply chain security scanner for CI/CD pipelines. Detects compromised dependencies, stolen credentials, network exfiltration, container escape, and 110+ real-world attack patterns across GitHub Actions, GitLab CI, Jenkins, and Azure DevOps.
Full scan with all 17 scanner modules, binary analysis, and dependency auditing. Covers workflow security, secret detection, network monitoring, permission auditing, container scanning, OIDC validation, and artifact integrity checks. (17 Scanners, Binary Analysis)
Maximum detection sensitivity with egress validation, /tmp and /dev/shm sweep, cross-platform CI/CD configuration audit, and strict fail thresholds. The most comprehensive scan mode available. (Paranoid Mode, Zero Trust)
The showcase pipeline runs 8 stages to demonstrate each capability of Supply Chain Guardian.
Attacker publishes a typosquatted package (reqeusts instead of requests) or compromises a popular GitHub Action (tj-actions/changed-files).
Malicious postinstall script runs during npm install. Obfuscated payload decodes via base64 and executes in the CI runner environment.
Payload reads GITHUB_TOKEN, AWS keys, and CI secrets from environment variables. Data exfiltrated via DNS tunneling or HTTPS to attacker C2 server.
Stolen tokens used to access private repositories, modify package releases, and inject backdoors into downstream build artifacts.
SCG identifies the attack at multiple stages: compromised action reference, malicious package in manifest, obfuscated payload, network exfiltration, and runtime behavioral anomaly.
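As an added illustration of three of the detection points named above (a mutable action reference, a typosquatted package in the manifest, and a payload-decoding install hook), the following Python is example code written for this page, not Supply Chain Guardian's own scanner. The workflow text, the package.json, the popular-package list, the commit SHA and the similarity cutoff are all constructed for the example; the base64 string decodes to a harmless console.log call.

```python
"""Added example: static checks over constructed CI artifacts for three stages
of the attack chain described above. Not Supply Chain Guardian's code."""
import difflib
import json
import re

# Constructed: well-known package names a scanner compares manifest entries against.
POPULAR_PACKAGES = {"requests", "express", "lodash", "urllib3", "numpy"}

# Constructed GitHub Actions workflow, kept as plain text so no YAML library is needed.
# The 40-hex SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
"""

# Constructed package.json with a typosquat dependency and a decoding postinstall hook.
SAMPLE_MANIFEST = json.dumps({
    "name": "demo-app",
    "dependencies": {"reqeusts": "^2.0.0", "express": "^4.18.0"},
    "scripts": {
        "postinstall": "node -e \"eval(Buffer.from('Y29uc29sZS5sb2coMSk=','base64').toString())\""
    },
})

USES_RE = re.compile(r"^\s*-\s*uses:\s*([^\s@]+)@(\S+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
DECODE_RE = re.compile(r"base64|atob\(|eval\(|Buffer\.from\(", re.IGNORECASE)


def find_unpinned_actions(workflow_text):
    """Return (action, ref) pairs whose ref is a tag or branch rather than a full commit SHA.
    A compromised action can be re-tagged, so only a SHA pin is treated as immutable."""
    return [(action, ref) for action, ref in USES_RE.findall(workflow_text)
            if not SHA_RE.match(ref)]


def find_typosquats(manifest_json, known=POPULAR_PACKAGES, cutoff=0.8):
    """Flag dependency names absent from the known set but closely resembling a member of it."""
    deps = json.loads(manifest_json).get("dependencies", {})
    hits = []
    for name in deps:
        if name in known:
            continue
        close = difflib.get_close_matches(name, known, n=1, cutoff=cutoff)
        if close:
            hits.append((name, close[0]))
    return hits


def find_suspicious_lifecycle_scripts(manifest_json):
    """Return install-time hooks whose command decodes or evaluates an embedded payload."""
    scripts = json.loads(manifest_json).get("scripts", {})
    return [hook for hook in ("preinstall", "install", "postinstall")
            if hook in scripts and DECODE_RE.search(scripts[hook])]


def scan(workflow_text, manifest_json):
    """Combine the three checks into a single list of findings."""
    findings = []
    for action, ref in find_unpinned_actions(workflow_text):
        findings.append(f"unpinned-action: {action}@{ref}")
    for name, target in find_typosquats(manifest_json):
        findings.append(f"typosquat: {name} (resembles {target})")
    for hook in find_suspicious_lifecycle_scripts(manifest_json):
        findings.append(f"suspicious-lifecycle-script: {hook}")
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_WORKFLOW, SAMPLE_MANIFEST):
        print(finding)
```

Run against the constructed inputs, the scan reports both tag-pinned actions, the `reqeusts` entry as a near match for `requests`, and the `postinstall` hook; the SHA-pinned step and the genuine `express` dependency produce no finding. A production scanner would replace the hard-coded popular-package set with registry download data and add the network and runtime checks the page lists, but the shape of each check is the same.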