// gh-actions package
barbaria888/SupplyChain-Guardian-AI-Github_Action
Autonomous CVE remediation system with AI patching, runtime validation, KinD testing, and zero-trust deployment gates.
AUTO-PUBLISHED · 8 versions indexed · last publish: 2026-06-07
// exfil path
what is read → where it ships
steals: (no specific credential-read flag matched)
sends to:
- ⚙ curl | bash (fetches + executes remote payload)
// offending code · @2026-06-07T11:33:35 · 1 file flagged
llm: malicious · 0.95 → static analyzer detected a curl-pipe-bash pattern: the install path plainly exposes a remote-code-execution shape.
- @2026-06-07T11:33:35 · AUTO-PUBLISHED · publisher: barbaria888 · heuristic 72/100 · static flags 2 · llm malicious (0.95) via fast-track · publish-burst:3 · new-publisher:2d · has-source-repo · publisher-version-pump:11 · curl-pipe-bash · py-pip-install-runtime
// offending code · 1 file flagged · patterns: 2
--- action.yml ---
# action.yml — GitHub Marketplace Action Definition
# ==================================================
# Proactive DevSecOps Supply Chain Guardian
#
# Autonomous CVE detection and AI-driven Dockerfile remediation.
# Scans container images, patches vulnerabilities using a local or
# cloud LLM, validates the fix in an ephemeral KinD cluster, and
# opens a human-reviewable Pull Request.
#
# Usage:
#   - uses: barbaria888/SupplyChain-Guardian-AI@v1
#     with:
#       dockerfile: './Dockerfile'
#       provider: 'ollama'
#
# Owner: @AIPatcher + @SecOps + @SRE
# ==================================================
name: 'Supply Chain Guardian AI'
description: >
  Autonomous CVE detection & AI-driven Dockerfile remediation.
  Scans container images with Trivy, patches vulnerabilities using
  local Ollama (CPU-only, zero data egress) or cloud LLMs (Gemini,
  OpenAI), validates the fix in an ephemeral KinD cluster, and
  opens a PR with proof.
author: 'barbaria888'
branding:
  icon: 'shield'
  color: 'purple'

# ---------------------------------------------------------------------------
# Inputs
# ---------------------------------------------------------------------------
inputs:
  dockerfile:
    description: 'Path to the Dockerfile to scan and patch'
    required: false
    default: 'Dockerfile'
  image-ref:
    description: 'Pre-built image reference to scan (overrides dockerfile build)'
    required: false
    default: ''
  severity:
    description: 'Comma-separated Trivy sev
