惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
MyScale Blog
MyScale Blog
Jina AI
Jina AI
爱范儿
爱范儿
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
I
Intezer
The Cloudflare Blog
T
Threat Research - Cisco Blogs
G
Google Developers Blog
Stack Overflow Blog
Stack Overflow Blog
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
D
Docker
AI
AI
Scott Helme
Scott Helme
Attack and Defense Labs
Attack and Defense Labs
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
L
LangChain Blog
Recent Announcements
Recent Announcements
Security Latest
Security Latest
Hugging Face - Blog
Hugging Face - Blog
W
WeLiveSecurity
Last Week in AI
Last Week in AI
Security Archives - TechRepublic
Security Archives - TechRepublic
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
P
Proofpoint News Feed
S
Securelist
S
Security Affairs
Project Zero
Project Zero
博客园 - 叶小钗
Google DeepMind News
Google DeepMind News
T
Tor Project blog
A
About on SuperTechFans
V2EX - 技术
V2EX - 技术
宝玉的分享
宝玉的分享
T
Tenable Blog
博客园 - 聂微东
人人都是产品经理
人人都是产品经理
Simon Willison's Weblog
Simon Willison's Weblog
Forbes - Security
Forbes - Security
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
V
V2EX
AWS News Blog
AWS News Blog
The GitHub Blog
The GitHub Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
P
Privacy & Cybersecurity Law Blog
阮一峰的网络日志
阮一峰的网络日志
I
InfoQ
C
CXSECURITY Database RSS Feed - CXSecurity.com
H
Hacker News: Front Page
美团技术团队

Show HN

GitHub - steveking-gh/firmion: Firmion is DSL and engine for firmware image generation. GitHub - villagesql/villagesql-skills: Agent skills for VillageSQL - gemini-cli-extension; claude-code-plugin GitHub - flightdeckhq/flightdeck: Observability and control plane for AI agents. CSP Radar GitHub - Light-Heart-Labs/DreamServer: Turn your PC, Mac, or Linux box into an AI server. LLM inference, chat UI, voice, agents, workflows, RAG, and image generation. GitHub - Diplomat-ai/diplomat-agent-ts: What can your TypeScript AI agent do to the real world? Scan your code. See which tool calls have zero checks Code Block Selector - Visual Studio Marketplace Prometheus dependency graph — interactive showcase | Riftmap Show HN: I made a vi-like modal keyboard plugin for Figma GitHub - run-llama/liteparse: A fast, helpful, and open-source document parser GitHub - dalemyers/Roar: A macOS CLI tool for notifications GitHub - district-solutions/open-agent-tools-coder: Enables small-to-large self-hosted ai models to use local source code when running tool-calling agentic workloads. We actively data mine 20,900+ (2+ TB) popular github repos using large and small ai models to create reuseable: json, markdown and parquet files for local-first tool-calling models. GitHub - progapandist/stripeek: A local TUI proxy for real-time Stripe API debugging, built for navigating complex payloads fast. GitHub - sir1st/hermes-desktop: All-in-one cross-platform desktop app for Hermes Agent — bundles Python + hermes-agent + hermes-web-ui GitHub - astefanutti/shaderbang: Shebang for Shaders Show HN: Generate Claude Code Workflows using Spec Driven Development approach GitHub - nixys/nxs-universal-chart: The Helm chart you can use to install any of your applications into Kubernetes/OpenShift Show HN: AI agents for UK GDAD PCF roles and their skills The Two Pillars: Mixer Mode and Meta-Software in the Reorganization of Software Work After AI GitHub - JaiCode08/teleport-env What 1,000+ Harness Experiments Taught Me About Self-Improving Agents Show HN: Liiists, a Markdown-first, iOS and CLI list app SwiperTab – Get this Extension for 🦊 Firefox (en-US) GitHub - kouhxp/fftext: Summarize, explain, fact-check, or translate any text, URL, or file. No GPU. No cloud. One command GitHub - sweetpad-dev/sweetpad: Develop Swift/iOS projects using VSCode GitHub - dogmaticdev/IRON: IRON a.k.a. Intermediate Representation Object Notation is a Interpreter/Database that is used to create Programming Languages. GitHub - sjhalani7/vaen: Package your AI coding harness into a portable .agent file, and share it across repos, teams, & the community without ever having to copy-paste instructions, skills, MCP config, or secrets. Show HN: Gandalf the Grader Show HN: Citadeld – replay any CI failure locally from a single file GitHub - tdortman/cuSBF: High-Performance GPU Super Bloom Filter coral-ai/claude-code-token-xray at main · Coral-Bricks-AI/coral-ai GitHub - ulyssestenn/funes: Funes is a Git-based framework for LLM-managed knowledge work: an AI Librarian ingests raw sources, builds an interlinked Markdown knowledge base, and uses it to produce cited reports, analyses, and other outputs. GitHub - ThatXliner/gah: Git Add Hunk, built for agents to use GitHub - harmont-dev/harmont-cli: Command-line client for the Harmont CI platform GitHub - brooksmcmillin/mcp-authflow: OAuth 2.0 Authorization Server framework for MCP servers GitHub - javaid-codes/audit-supply-chain-agents GitHub - amorey/gochan: A small library of common channel architectures for Go, inspired by Rust GitHub - arifozgun/OpenGem: Free, Open-Source AI API Gateway with Gemini, OpenAI & Anthropic Compatibility in 1 file GitHub - Pranesh950/BioPetals: 🌸 Run BIOxAI models at home, BitTorrent-style. Fine-tuning and inference up to 10x faster than offloading GitHub - cnguyen14/bounty-doctor: Diagnose a GitHub bounty issue before you waste hours: detects honeypot scam repos, AI-bot attempt swarms, and stale contests. Show HN: CoreMCP – MCP Server for On-Prem DBs Show HN: KittyHTML – Render HTML/CSS as an inline image in your terminal GitHub - bingud/filemat: Web-based file manager Show HN: TruthLens – Free multi-signal deepfake image detector GitHub - apexlocal-jz/claude-usage-tray: Windows system-tray app showing your Claude Code rate-limit usage at a glance. Zero deps, ~300 lines of PowerShell. Cross-IDE (works regardless of VS Code, Cursor, plain terminal). Release v0.1.2.1 · kouhxp/yapsnap GitHub - noopolis/moltnet: Self-hostable chat network for AI agents. Pre-built bridges for Claude Code, Codex, and the Claws. Rooms, DMs, history. No Slack bots, no Matrix, no glue code. GitHub - tamerh/enju: Coordinating Humans, AI Agents, and Compute as Peers on a Shared Workflow Graph Show HN: Continuity-auth – Respect-weighted rate limits for the open web GitHub - luml-ai/luml: AI lifecycle platform where engineers and agents track experiments, train models, and ship to production. GitHub - mrdanielcasper/CoreTex: A UNIX-inspired, biomimetic, flat-file AI harness and knowledge engine. GitHub - clemg/pierre-github: Pierre's diffs.com and trees.software for Github GitHub - lyriks-io/unspaghettit: Behavior-driven AI development without prompt spaghetti. GitHub - sofumel/claude-handoff-revive: Resume Claude Code work after rate/usage/context limits without replaying the prior transcript. Auto-saves at 90%/95% usage. Plugin-installable, 10 languages. GitHub - dotexorg/saferpc: Typed, end-to-end encrypted RPC over any bidirectional channel. GitHub - BeeZeeAgent/beezee: Agent harness orchestration Legato Next.js Boilerplate for Internal Tools · CoreUI GitHub - clark-labs-inc/clark-hash: Clark Hash, 32x smaller searchable sketches for embeddings GitHub - ZeroPointRepo/youtube-mcp: The fastest YouTube transcript + YouTube search MCP for AI agents. Try for free. Typing Mastery — climb toward 100+ WPM, deliberately GitHub - Andebugulin/Awareen GitHub - fayzan123/claude-workflow-composer: Visual desktop app for composing multi-agent coding workflows. Drag agents, attach skills and MCPs, wire handoffs, export to .claude/ GitHub - harshaneel/humanize: Best static AI text humanizer. Two research-grounded skills that work in any LLM (Claude, ChatGPT, Gemini, Codex): humanize beats perplexity-based detectors, ai-check produces forensic scoring with evidence-quoted flags. Nine levers, 50+ peer-reviewed sources, 2024-2026 detection literature. GitHub - StackOneHQ/stack-nudge GitHub - nodes-app/swift-markdown-engine: A native AppKit Markdown editor for macOS, built on TextKit 2 and bridged to SwiftUI. We hardened an LLM agent. Each defense we added made it more exploitable. GitHub - alkait/WhatsKept: Agent-queryable WhatsApp history from an iOS backup — a single Go binary. GitHub - octelium/cordium: Open-source, general-purpose sandbox platform for devs and AI agents that provides identity-based secure access to infrastructure without credentials. WAR.GOV/UFO Microfilm5 GitHub - scosman/videowright: Build animated explainer videos with your coding agent GitHub - dipankar/dscode: The code editor you can take apart. GitHub - zoharbabin/web-researcher-mcp: MCP server (Go) for AI assistants: web search, content extraction, academic/patent/news research. Multi-provider routing, 4-tier scraping, search lenses. Works with Claude, Cursor, and any MCP client. GitHub - ruvnet/RuView: π RuView turns commodity WiFi signals into real-time spatial intelligence, vital sign monitoring, and presence detection — all without a single pixel of video. GitHub - scanaislop/aislop: Catch the slop AI coding agents leave in your code: narrative comments, swallowed exceptions, as-any casts, dead code, oversized functions. 50+ rules across 7 languages (TypeScript, JavaScript, Python, Go, Rust, Ruby, PHP). Sub-second, deterministic, no LLM at runtime. MIT-licensed. GitHub - kouhxp/cheap-im: CPU-only voice agent approximating Thinking Machines' Interaction Models demo GitHub - unprovable/OrchidMantis: Orchid Mantis — standalone framework for Zero-Knowledge Proofs of eXploit (ZKPoX). GitHub - MarcellM01/TinySearch: Shrink the web for your local LLMs! GitHub - TangibleResearch/Halgorithem: A Algo designed to detect AI Hallucitions GitHub - DO-SAY-GO/freelang: I love freelang GitHub - CarpseDeam/Aura-IDE: An AI coding harness that shaped itself - Planner/Worker agents, repo awareness, surgical edits, validation, recovery, and safe diff approvals. GitHub - chojs23/concord: A feature-rich TUI client for Discord GitHub - tommyjepsen/awesome-ux-skills: UX & AI Product designs skills you can use today in Claude Code GitHub - aerf-spec/aerf: Agent Evidence Receipt Format (AERF) — an open specification for tamper-evident, independently verifiable records of AI agent actions. GitHub - kklimuk/docx-cli: CLI for AI agents (Claude, Codex) to read, edit, and comment on .docx files with full format fidelity. GitHub - Jwrede/tokentoll: Catch LLM cost changes in code review. Infracost for LLM spend. GitHub - samchon/ttsc: A `typescript-go` toolchain for compiler-powered plugins and type-safe execution + 500x faster lint integrated into compiler GitHub - Higangssh/homebutler: 🏠 Manage your homelab from chat. Single binary, zero dependencies. GitHub - olalie/tapmap: See where your computer connects and what stands out on a live world map. GitHub - Diplomat-ai/diplomat-agent: What can your AI agent do to the real world? Scan your code. See which tool calls have zero checks GitHub - Bajusz15/beacon: Open-source agent for secure remote access, monitoring, and deploys across home-lab and self-hosted machines like Raspberry Pi, N100, or any Linux server. Open web based TTY or tunnel Home Assistant and other local services securely without opening ports. BigTech AI News - Chrome 应用商店 GitHub - vinhnx/VTCode: VT Code is an open-source coding agent with LLM-native code understanding and robust shell safety. Supports multiple LLM providers with automatic failover and efficient context management. GitHub - michaelaz774/decision-engine: A decision operating system for startup founders, powered by Claude Code. Synthesizes wisdom from 25+ legendary founders and investors into interactive AI-driven decision frameworks. GitHub - Chrilleweb/dotenv-diff: Validate environment variable usage in your codebase GitHub - Lumen-Labs/brainapi2: BrainAPI is a knowledge graph–powered AI memory layer that transforms unstructured data into structured knowledge, enabling intelligent search, recommendations, and contextual memory for AI agents and applications. GitHub - familiar-software/familiar: Let AI watch you work. Familiar lets your AI update its memory, skills, and knowledge by watching your screen. GitHub - skorotkiewicz/rudo: A small, elegant dock for Wayland GitHub - muxshed/shed: One stream in, or many. Every destination, simultaneously. No cloud middleman, no per-channel fees, no limits. make sidebar/address bar rounded corner toggleable
GitHub - skaldlab/muninn: 🐦‍⬛ Security scanner for GitHub Actions pipelines
sg0nzalez83 · 2026-06-20 · via Show HN

CI CodeQL Release License: AGPL v3 Go Version

Muninn is an all-in-one open-source security scanner for GitHub Actions pipelines and self-hosted CI, built by Skald Lab.

Named after Odin's raven of Memory from Norse mythology, Muninn remembers every vulnerability it has ever seen — and reports them all back in one unified format.

Muninn orchestrates eight best-in-class open-source scanners, normalizes their output into a single finding schema, and delivers results as GitHub PR comments, SARIF uploads, and structured JSON — with a single uses: line.


Quick Start

Add this to any GitHub Actions workflow:

- name: Muninn Security Scan
  uses: skaldlab/muninn@v0.3.3
  with:
    token: ${{ secrets.GITHUB_TOKEN }}
    fail-on: high

Muninn runs all eight scanners, posts a summary comment on your pull request, uploads SARIF to the GitHub Security tab, and fails the check when findings meet or exceed your fail-on threshold.


What Muninn Scans

Scanner What it finds Upstream
gitleaks Secrets, API keys, and credentials in source gitleaks/gitleaks
zizmor CI/CD pipeline misconfigurations and injection risks woodruffw/zizmor
actionlint GitHub Actions syntax errors and security anti-patterns rhysd/actionlint
poutine Supply chain risks in CI/CD (unpinned actions, risky patterns) boostsecurityio/poutine
semgrep Application SAST (injection, insecure patterns, secrets in code) semgrep.dev
osv-scanner Known CVEs in dependencies (Go, npm, pip, and more) google/osv-scanner
trivy Container image and filesystem vulnerabilities aquasecurity/trivy
checkov Infrastructure-as-Code misconfigurations (Terraform, K8s, Docker) bridgecrewio/checkov

Cross-scanner deduplication

Running multiple dependency scanners means the same CVE can surface more than once — OSV-Scanner flags it in a lockfile while Trivy flags it in a container layer. Muninn collapses these into a single finding keyed on the advisory id (a CVE-… is preferred over GHSA-… so the same vulnerability converges across scanners) scoped to the affected package, so distinct packages sharing a CVE stay separate.

Because an aggregated finding no longer belongs to one tool, dependency findings render under a neutral [dependency] heading (rather than [osv-scanner]) with structured detail, and the scanners are surfaced via attribution instead:

  • PR commentPackage, Advisory (with the shared CVE in parentheses), Detected by, and a Sources list showing where each scanner saw it (e.g. package-lock.json (osv-scanner), node:18 (trivy)).
  • JSON reportdetected_by (the scanner list) and sources (per-scanner tool + file pairs).
  • SARIF — a detectedBy property on the result.

The severity summary counts these aggregated unique findings, not raw scanner hits, because deduplication runs before any report is written.


Configuration

Create a muninn.yml at the root of your repository to customize scanner behavior, severity thresholds, and suppressions.

version: 1

# Minimum severity to fail the run.
# Options: critical | high | medium | low | info
fail-on: critical

scanners:
  gitleaks:
    enabled: true

  zizmor:
    enabled: true

  actionlint:
    enabled: true

  poutine:
    enabled: true

  semgrep:
    enabled: true
    rulesets:
      - p/security-audit
      - p/secrets
    exclude-paths:
      - tests/
      - fixtures/

  osv-scanner:
    enabled: true

  trivy:
    enabled: true
    # Optional: narrow what Trivy reports (default: all levels).
    # severity: [CRITICAL, HIGH]
    ignore-unfixed: true

  checkov:
    enabled: true
    skip-checks: []

# Suppress specific findings. Every entry must include a reason.
suppressions:
  - id: fixtures/
    reason: "Intentional test fixtures, not real secrets or vulnerabilities"
    expires: ""

  - fingerprint: abc123def456
    reason: "Known false positive in generated code"
    expires: "2026-12-31T23:59:59Z"

  - tool: gitleaks
    rule-id: generic-api-key
    reason: "Test fixture file, not a real secret"
    expires: ""

Top-level fields

Field Type Default Description
version int 1 Config schema version. Must be 1.
fail-on string critical Minimum severity that causes a non-zero exit code

Scanner fields

Each key under scanners matches a scanner name. All scanners support enabled (default true).

Scanner Additional fields Description
semgrep rulesets, exclude-paths Semgrep rule packs and path prefixes to skip
trivy severity, ignore-unfixed Trivy severity filter (default: UNKNOWN through CRITICAL; omit to scan all levels) and whether to omit unfixed CVEs
checkov skip-checks Checkov check IDs to skip

Suppression fields

Field Description
id Suppress findings whose file path contains this substring
fingerprint Suppress a specific finding by its Muninn fingerprint
tool Scanner name; with rule-id, both must match. Alone, suppresses all findings from that scanner
rule-id Scanner-native rule identifier; with tool, both must match. Alone, suppresses that rule from any scanner
reason Required. Human-readable justification
expires Optional RFC 3339 UTC timestamp; omit for permanent suppressions

Action inputs

Input Default Description
token ${{ github.token }} GitHub token for PR comments and SARIF upload
fail-on critical Minimum severity to exit non-zero
config muninn.yml Path to config file relative to repository root
format sarif,comment Comma-separated output formats: sarif, json, comment
output muninn.sarif SARIF output path override
target . Path to scan (repository root)

Action outputs

Output Description
findings-count Total non-suppressed findings across all scanners
critical-count Critical-severity finding count
high-count High-severity finding count
medium-count Medium-severity finding count
low-count Low-severity finding count
sarif-path Path to the generated SARIF report
json-path Path to the generated JSON report

Why Muninn vs Snyk, GHAS, or Manual Tools?

Muninn Snyk GitHub Advanced Security Manual tool chain
License AGPL-3.0 (open source) Proprietary SaaS Proprietary (Enterprise or public repos) Mixed
Data leaves your repo No — runs on your runner Yes — code uploaded to Snyk Yes — processed by GitHub Depends on tool
CI/CD pipeline security Yes (zizmor, actionlint, poutine) Limited No Requires assembly
Supply chain / pipeline risks Yes (poutine) Partial No Requires assembly
Self-hostable Yes — Docker image or binary No No Yes, with effort
Unified findings Yes — one schema, one comment Partial Partial No — N different formats
Setup One uses: line Account + integration Org licensing Install and wire each tool

Muninn is not a replacement for every security program — it is a practical default for teams that want broad coverage without stitching together eight separate tools.


CLI and Self-Hosted Usage

Docker (recommended)

The official image bundles Muninn and all eight scanner binaries:

docker run --rm \
  -v "$(pwd):/github/workspace" \
  -w /github/workspace \
  ghcr.io/skaldlab/muninn:0.3.3 \
  --target . \
  --output json,sarif \
  --fail-on high

Binary

Download a release binary from GitHub Releases or install with Go:

go install github.com/skaldlab/muninn@v0.3.3

Scanner binaries (gitleaks, semgrep, checkov, and the rest) must be on PATH. The Docker image includes everything pre-installed.

Verifying releases

Every release is signed with cosign using keyless (OIDC) signing — there are no long-lived keys to trust. The container image also ships with an SBOM and a max-mode SLSA provenance attestation.

Verify the container image:

cosign verify \
  --certificate-identity-regexp '^https://github.com/skaldlab/muninn/\.github/workflows/release\.yml@' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  ghcr.io/skaldlab/muninn:0.3.3

Verify release binaries via the signed checksums file (download checksums.txt and the Sigstore bundle checksums.txt.sigstore.json from the release):

cosign verify-blob \
  --bundle checksums.txt.sigstore.json \
  --certificate-identity-regexp '^https://github.com/skaldlab/muninn/\.github/workflows/release\.yml@' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  checksums.txt

# Then confirm the binary matches the verified checksums:
shasum -a 256 -c checksums.txt

Inspect the image's SBOM and SLSA provenance attestations (attached by BuildKit):

docker buildx imagetools inspect ghcr.io/skaldlab/muninn:0.3.3 \
  --format '{{ json .SBOM }}'
docker buildx imagetools inspect ghcr.io/skaldlab/muninn:0.3.3 \
  --format '{{ json .Provenance }}'

CLI flags

Flag Env var Default Description
--config CONFIG_PATH muninn.yml Path to configuration file
--target SCAN_TARGET . Repository root to scan
--fail-on FAIL_ON from config Minimum severity to exit non-zero
--output OUTPUT_FORMATS json Comma-separated formats: json, sarif, comment
--version Print version and exit

Contributing

Contributions are welcome. See CONTRIBUTING.md for scanner development guidelines, test commands, and pull request conventions.


License

Muninn is licensed under the GNU Affero General Public License v3.0. You are free to use, modify, and distribute Muninn — including running it as a service — but modifications must remain open source under AGPL-3.0.

For commercial licensing or enterprise support, contact hello@skaldlab.dev.


Built with 🐦‍⬛ by Skald Lab