GH-Guard
CI/CD supply chain hardening plugin for Claude Code, designed for Rust projects.
GH-Guard packages production-tested CI/CD security configurations into reusable templates and guided workflows. It helps Rust OSS maintainers achieve high OpenSSF Scorecard scores, set up Trusted Publishing, generate SLSA L3 provenance, and configure comprehensive dependency auditing.
Installation
From the Claude Code plugin registry:
/plugin install gh-guard
Or manually — add to your Claude Code settings (~/.claude/settings.json):
{
"plugins": [
"~/path/to/gh-guard"
]
}
Quick Start
# Audit your project's supply chain security posture
/audit
# Interactively harden your project
/harden
# Generate a specific config file
/generate ci-workflow
/generate publish-workflow
/generate deny-toml
# Check for outdated SHA pins
/check-updates
# Validate generated configs
/verify
Commands
/audit — Gap Analysis
Scans your repository and produces a structured gap analysis:
- Checks for expected files (workflows, deny.toml, SECURITY.md, etc.)
- Scores against OpenSSF Scorecard checks
- Classifies your current hardening level (Minimal / Standard / Hardened)
- Identifies SHA-pinning gaps, missing permissions, Cargo.lock issues
- Flags dangerous workflow patterns (
pull_request_target, workflow_run with untrusted input, script injection via PR title/body)
- Detects workspace projects and validates publish ordering
- Outputs prioritized recommendations with template references
/harden — Interactive Wizard
Guides you through hardening at three levels:
| Level | Components |
|---|
| Minimal | CI workflow + cargo-deny + Dependabot + SECURITY.md |
| Standard | + Trusted Publishing + CodeQL + Scorecard + release script |
| Hardened | + SLSA L3 provenance + fuzz testing + osv-scanner |
Detects your current hardening level and offers upgrade mode — generating only the delta files needed to reach the next level. Supports workspace projects with per-crate Trusted Publishing guidance.
/check-updates — SHA Pin Checker
Checks deployed workflows for outdated action SHAs and CLI tool versions:
- Compares pinned SHAs against latest tags via the GitHub API
- Detects outdated CLI tool versions (cargo-audit, cargo-fuzz)
- Shows what's out of date with current vs latest comparison
- Offers to apply updates automatically
- Respects the SLSA generator exception (must use
@tag, not SHA)
/verify — Post-Generation Validation
Validates that generated configs are syntactically correct, internally consistent, and ready to deploy:
- YAML/TOML syntax validation
- SHA pin completeness and version comment presence
- Cross-file consistency (MSRV, gate job, fuzz targets)
cargo-deny check dry run (if installed)release.sh --dry-run validation
/generate <target> — File Generator
Generates a single file with auto-detected project values. Shows a unified diff before overwriting existing files.
| Target | Output Path |
|---|
ci-workflow | .github/workflows/ci.yml |
publish-workflow | .github/workflows/publish.yml |
codeql | .github/workflows/codeql.yml |
scorecard | .github/workflows/scorecard.yml |
fuzz | .github/workflows/fuzz.yml |
deny-toml | deny.toml |
rust-toolchain | rust-toolchain.toml |
dependabot | .github/dependabot.yml |
security-md | SECURITY.md |
release-script | scripts/release.sh |
osv-scanner | osv-scanner.toml |
Templates
Production-tested config files parameterized with {{PLACEHOLDER}} syntax. Values are auto-detected from Cargo.toml, git remote, and cargo metadata:
| Placeholder | Source | Example |
|---|
{{CRATE_NAME}} | Cargo.toml name field | my-tool |
{{MSRV}} | rust-version or rust-toolchain.toml | 1.82 |
{{REPO_OWNER}} | Git remote URL | my-org |
{{REPO_NAME}} | Git remote URL | my-tool |
{{CONTACT_EMAIL}} | Cargo.toml authors field | me@example.com |
{{FUZZ_TARGETS}} | fuzz/Cargo.toml bin entries | fuzz_parse,fuzz_decode |
{{WORKSPACE_CRATES}} | cargo metadata --no-deps (publishable, dependency order) | core,parser,cli |
Security Hardening in Templates
All workflow templates follow these security practices:
