scharf
by cybrota
Scharf is a static analysis CLI tool that secures GitHub Actions workflows by replacing mutable action references with immutable commit SHAs to prevent supply-chain risks.
Static analysis tool to identify and fix GitHub Actions prone to supply-chain risks
Primary Use Case
Scharf is designed for developers and DevSecOps teams who want to secure their CI/CD pipelines by ensuring third-party GitHub Actions are pinned to specific commit SHAs, eliminating risks from mutable tags. It automates the detection and fixing of insecure action references across single or multiple repositories, helping maintain a stable and secure development lifecycle.
- Autofix workflows by replacing mutable action tags with immutable commit SHAs
- Quickly look up the latest commit SHA for any GitHub Action from the CLI
- Generate actionable JSON or CSV reports highlighting insecure references across repositories
- Scan either the current HEAD or all branches with customizable scopes
- Supports scanning multiple repositories in a directory
- List available tags and SHAs for GitHub Actions without leaving the terminal
- Supports Linux and macOS platforms
- Integrates with GitHub Actions workflows for automated enforcement
Installation
- Tap the brew formula: brew tap cybrota/cybrota
- Install scharf via Homebrew: brew install scharf
- Download the prebuilt binary from the releases page: https://github.com/cybrota/scharf/releases
- Install via script using curl: curl -sf https://raw.githubusercontent.com/cybrota/scharf/refs/heads/main/install.sh | sh
Usage
- scharf autofix git_repo: Automatically fix mutable action tags in the specified local Git repository by replacing them with commit SHAs.
- scharf autofix git_repo --dry-run: Preview the changes autofix would make without modifying any files.
- scharf audit git_repo: Scan a local Git repository for mutable action references and report insecure tags with suggested SHAs.
- scharf audit https_or_git_url: Audit a remote repository by cloning it temporarily and scanning for insecure action references.
- scharf find --root /path/to/workspace --out csv: Scan multiple cloned repositories under the given root directory and output results in CSV format.
- scharf find --root /path/to/workspace --out csv --head-only: Scan multiple repositories but limit scanning to each repo's current HEAD only.
- scharf list owner/repo: List all available tags and their corresponding commit SHAs for a specified GitHub Action repository.
- scharf lookup owner/repo@version: Retrieve the specific commit SHA corresponding to a given tag or version of a GitHub Action.
- Integrate Scharf into CI/CD pipelines to automate immutable reference enforcement, reducing supply chain risks.
- Combine with vulnerability scanners to correlate detected mutable references with known vulnerabilities for prioritized remediation.
- Use generated reports for audit and compliance tracking to demonstrate supply chain security posture.
- Leverage Scharf’s CLI capabilities in purple team exercises to simulate supply chain attack vectors and test detection.
- Extend Scharf with custom scripts to trigger alerts or block merges when mutable actions are detected during pull requests.
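As an added illustration (not Scharf's own code), the following Python sketch shows the core of what the audit and autofix commands above do: every uses: reference that is not a full 40-hex commit SHA is flagged, and flagged references are rewritten from a resolved tag-to-SHA map. The sample workflow, the placeholder SHAs and the RESOLVED map are constructed for the example; in practice the resolution step is what scharf lookup performs against GitHub.

```python
import re

# Only a full 40-hex commit SHA is immutable; tags, branches and short SHAs can all be moved.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# `uses: owner/repo[/path]@ref` (steps and reusable workflows); local `./path` actions and
# docker:// images carry no @ref and are deliberately not matched.
USES_RE = re.compile(
    r"^(?P<indent>\s*-?\s*uses:\s*)"
    r"(?P<action>[\w.-]+/[\w.-]+(?:/[^@\s]+)?)@(?P<ref>[^\s#]+)(?P<rest>.*)$"
)

def audit(workflow_text):
    """Return (line_no, action, ref) for every uses: reference not pinned to a full SHA."""
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and not SHA_RE.match(m.group("ref")):
            findings.append((no, m.group("action"), m.group("ref")))
    return findings

def autofix(workflow_text, resolved):
    """Pin mutable refs via a {'owner/repo@ref': sha} map, keeping the tag as a comment."""
    out = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and not SHA_RE.match(m.group("ref")):
            sha = resolved.get(f"{m.group('action')}@{m.group('ref')}")
            if sha:  # unresolved refs are left as-is and still show up in audit()
                comment = m.group("rest") if m.group("rest").strip() else f" # {m.group('ref')}"
                line = f"{m.group('indent')}{m.group('action')}@{sha}{comment}"
        out.append(line)
    return "\n".join(out) + "\n"

# Constructed sample workflow; the 40-hex value is a placeholder, not a real commit.
SAMPLE = """\
name: ci
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@main
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567 # v4.0.2
      - uses: ./.github/actions/local-step
      - run: go test ./...
"""
# Constructed stand-in for what `scharf lookup owner/repo@version` would resolve to.
RESOLVED = {"actions/checkout@v4": "a" * 40, "actions/setup-go@main": "b" * 40}
```

Running audit(SAMPLE) reports the checkout and setup-go steps as mutable while leaving the SHA-pinned cache step and the local action alone; audit(autofix(SAMPLE, RESOLVED)) comes back empty.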