Most supply-chain breaches exploit the pipeline, not a dependency
An unprotected branch or an over-privileged Actions token is how attackers ship malicious code — no CVE required. SBOMVault scores the SCM/CI posture of your connected repositories and tells you exactly what to fix.
The misconfigurations that get repos popped
SBOMVault reads the SCM and CI settings of each connected repository and turns them into a weighted 0–100 posture score, with a clear pass / fail / unknown and a fix for every check. A setting the token can't read is reported as unknown — never silently scored as a pass.
1. Branch protection & required reviews: flags an unprotected default branch or zero required approving reviews, which lets unreviewed code reach production.
2. Force pushes blocked: flags default branches that allow force pushes, where history can be rewritten to hide changes.
3. Default Actions token is read-only: flags a read-write default GITHUB_TOKEN, which lets a compromised workflow push code or cut releases.
4. Actions cannot approve PRs: flags the setting that lets a workflow self-approve and bypass human review.
5. Protection applies to admins: flags rules that admins can bypass, leaving the highest-privilege accounts with protection that is only advisory.
6. Required status checks: flags branches that merge without CI / security gates passing.
7. Secret scanning & push protection: flags repositories where committed secrets can go undetected, or be pushed before detection.
8. Dependabot alerts & signed commits: flags disabled vulnerability alerts and missing signed-commit requirements.
What it is — and what it isn't
Pipeline posture scans the GitHub repositories your organization has connected, reading branch protection, repository security settings, and Actions configuration through the GitHub API. Reading branch protection and Actions settings needs an admin-scoped token on the repo.
Reads are best-effort: a check the token can't see is reported as unknown rather than a failure, so a repository is never penalized for a setting we couldn't read. The score reflects only what was actually verified.
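As an added illustration of the pass / fail / unknown semantics described above (not SBOMVault's own code), the scorer below marks any setting the token could not read as unknown and drops it from both the numerator and the denominator of a weighted score, so an unreadable setting is never scored as a failure. The weights and the settings field names are assumptions, loosely modelled on GitHub API responses, and the sample repository settings are constructed.

```python
# Tri-state (pass / fail / unknown) pipeline-posture scorer. Added illustration,
# not SBOMVault's code; weights and field names are assumptions.

# name -> (weight, settings field the check needs, predicate on that field's value).
# Field names loosely mirror GitHub API responses; a field the token could not read is None.
CHECKS = {
    "branch_protected":       (15, "protected", bool),
    "required_reviews":       (15, "required_approving_review_count", lambda v: v >= 1),
    "force_push_blocked":     (10, "allow_force_pushes", lambda v: not v),
    "enforce_admins":         (10, "enforce_admins", bool),
    "required_status_checks": (10, "required_status_checks", lambda v: len(v) > 0),
    "token_read_only":        (10, "default_workflow_permissions", lambda v: v == "read"),
    "actions_cannot_approve": (10, "can_approve_pull_request_reviews", lambda v: not v),
    "secret_scanning":        (5, "secret_scanning", lambda v: v == "enabled"),
    "push_protection":        (5, "secret_scanning_push_protection", lambda v: v == "enabled"),
    "dependabot_alerts":      (5, "vulnerability_alerts_enabled", bool),
    "signed_commits":         (5, "required_signatures", bool),
}

def evaluate(settings):
    """Classify each check. A None (unreadable) value yields 'unknown' before
    the predicate runs, so a missing read is never mistaken for False."""
    results = {}
    for name, (_, field, ok) in CHECKS.items():
        value = settings.get(field)
        results[name] = "unknown" if value is None else ("pass" if ok(value) else "fail")
    return results

def score(results):
    """Weighted 0-100 over verified checks only: unknowns leave both numerator
    and denominator, so they never count against the repository."""
    verified = [n for n, r in results.items() if r != "unknown"]
    if not verified:
        return None  # nothing could be read: no score, rather than a misleading 0
    total = sum(CHECKS[n][0] for n in verified)
    earned = sum(CHECKS[n][0] for n in verified if results[n] == "pass")
    return round(100 * earned / total)

SAMPLE = {  # constructed repository settings; None = the token could not read it
    "protected": True, "required_approving_review_count": 0,
    "allow_force_pushes": False, "enforce_admins": False,
    "required_status_checks": ["ci/test"], "default_workflow_permissions": "write",
    "can_approve_pull_request_reviews": None, "secret_scanning": "enabled",
    "secret_scanning_push_protection": "disabled", "vulnerability_alerts_enabled": True,
    "required_signatures": None,
}

if __name__ == "__main__":
    print(score(evaluate(SAMPLE)))  # 53: 45 of 85 verifiable points; 2 checks unknown
```

Had the two unreadable checks been counted as failures, the same repository would score 45 instead of 53, which is exactly the penalty the unknown state exists to avoid.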
GitLab and GitHub Enterprise Server (custom-host) support is on the roadmap; today the posture scan targets github.com.
Harden the pipeline, not just the dependencies
Connect GitHub and the Pipeline Posture dashboard scores every repository SBOMVault has seen — with the exact misconfiguration and the fix.
Frequently asked questions
- What is software pipeline security posture?
- It is the security configuration of your SCM and CI systems — branch protection, required reviews, Actions token scope, secret scanning, and more. SBOMVault scores these per repository because most supply-chain compromises exploit weak pipeline controls rather than a vulnerable dependency.
- Which checks does SBOMVault run?
- Branch protection, required PR reviews, force-push, required status checks, enforce-admins, signed commits, secret scanning + push protection, Dependabot vulnerability alerts, the default Actions token permission (read vs write), and whether Actions can approve pull requests — combined into a weighted 0–100 score.
- Which SCM platforms are supported?
- GitHub today (github.com). Reading branch protection and Actions settings requires an admin-scoped token on the repository. GitLab and GitHub Enterprise Server support is on the roadmap.
- What happens if a setting can’t be read?
- It is reported as unknown rather than a failure, so a repository is never penalized for a setting the token lacked permission to read. The posture score reflects only what was actually verified.