Chainguard Guardener Actions Security
Configure Chainguard Guardener to recommend and migrate your GitHub Actions to Chainguard's hardened, SHA-pinned …
For the complete documentation index, see llms.txt.
Chainguard Guardener is configured entirely through files committed to the .chainguard/ directory in each repository. This page explains the configuration model that all the Guardener features share. For the specific options of each feature, see its dedicated page.
.chainguard/ directory
The Guardener reads its configuration from the .chainguard/ directory at the root of each repository. Every feature has its own file:
.chainguard/
├── actions.yaml # Actions Security
└── source.yaml # Commit VerificationBecause these files live in your repository, your configuration is reviewed through pull requests, versioned in git history, and audited like any other code change.
Installing the Guardener GitHub App does not change any repository on its own. Each feature stays disabled until you add its configuration file and enable it. This means you can:
A repository with no .chainguard/ files is unaffected by the Guardener even when the app is installed and the organization is linked.
| Feature | Config file | What it does |
|---|---|---|
| Actions Security | .chainguard/actions.yaml | Recommends and migrates GitHub Actions to hardened, SHA-pinned equivalents. |
| Commit Verification | .chainguard/source.yaml | Verifies that commits in a pull request are signed by an authorized signer. |
Additional features will be added over time, each with its own .chainguard/ file and opt-in configuration.
To add or update the Guardener configuration:
.chainguard/ on a branch.Note: The Guardener uses the repo’s default branch (that is,
main) for its configuration.
.chainguard/actions.yaml..chainguard/source.yaml.Last updated: 2026-07-08 00:00