# Configuring Chainguard Guardener

URL: https://edu.chainguard.dev/chainguard/guardener/configuration.md
Last Modified: July 8, 2026
Tags: GitHub, Configuration

Understand Chainguard Guardener's .chainguard/ configuration model and how to enable features per repository.

Chainguard Guardener is configured entirely through files committed to the .chainguard/ directory in each repository. This page explains the configuration model that all the Guardener features share. For the specific options of each feature, see its dedicated page.
The .chainguard/ directory The Guardener reads its configuration from the .chainguard/ directory at the root of each repository. Every feature has its own file:
.chainguard/ ├── actions.yaml # Actions Security └── source.yaml # Commit VerificationBecause these files live in your repository, your configuration is reviewed through pull requests, versioned in git history, and audited like any other code change.
Features are opt-in per repository Installing the Guardener GitHub App does not change any repository on its own. Each feature stays disabled until you add its configuration file and enable it. This means you can:
Roll a feature out to one repository at a time. Try a feature in report-only or non-blocking mode before enforcing it. Keep different repositories on different configurations. A repository with no .chainguard/ files is unaffected by the Guardener even when the app is installed and the organization is linked.
Available features Feature Config file What it does Actions Security .chainguard/actions.yaml Recommends and migrates GitHub Actions to hardened, SHA-pinned equivalents. Commit Verification .chainguard/source.yaml Verifies that commits in a pull request are signed by an authorized signer. Additional features will be added over time, each with its own .chainguard/ file and opt-in configuration.
Applying configuration changes To add or update the Guardener configuration:
Create or edit the relevant file in .chainguard/ on a branch. Open a pull request with your change. Merge the pull request. The Guardener picks up the new configuration for subsequent events. Note: The Guardener uses the repo&rsquo;s default branch (that is, main) for its configuration.
Next steps Actions Security — Configure .chainguard/actions.yaml. Commit Verification — Configure .chainguard/source.yaml. 
