abom-advisories
April 24, 2026 · View on GitHub
Community-curated advisory database for abom — the Actions Bill of Materials tool.
How it works
abom --check fetches advisories.juliet.sh/db/advisories.json at runtime to flag known-compromised GitHub Actions in your CI/CD pipelines. The JSON database is compiled from the YAML sources in advisories/ and published automatically when PRs merge to main.
The database is fetched automatically — no configuration needed. If the fetch fails (offline, rate limited), abom falls back to built-in data shipped with each release.
Current advisories
See advisories.juliet.sh/db/advisories.json for the current list, or browse the YAML sources in advisories/.
Contributing
Anyone can submit a PR to add a new advisory. Your PR must:
- Conform to the OSV schema plus ABOM extensions
- Use a unique
idin the formABOM-YYYY-NNNN - Include at least one reference to a public advisory or CVE
- Clearly describe what was compromised and when
Maintainers review and merge. No auto-merge — we're the editorial layer ensuring data quality.
Advisory format
Advisories use the OSV schema (v1.7.5). ABOM-specific fields live in two extension namespaces:
ecosystem_specific.abomfor GitHub-Actions-specific signal (tool_namesfor wrapper detection,affected_periodfor incident time windows)database_specific.abomfor ABOM-wide signal (indicatorsfor IoC data,recommended_actionsfor remediation steps)
License
Maintained by Juliet Security · Contact