Chainguard Guardener GitHub App
The Chainguard Guardener GitHub App is a single, hardened bot that runs against your repositories. Its capabilities are opt-in per repository through configuration files committed to a .chainguard/ directory, so installing the app has no effect on a repository until you enable a capability.
Note: Chainguard Guardener is in beta. Available to organizations that have installed and linked the Chainguard Guardener GitHub App.
Getting set up
- Getting started — Install the GitHub App and link your Chainguard organization to your GitHub organization.
- Configuration — Understand the
.chainguard/configuration model that all the GitHub App capabilities share.
Capabilities
- Hardened Actions — Recommends and migrates your GitHub Actions to Chainguard’s hardened, SHA-pinned equivalents, either through non-blocking pull request review comments or automated migration pull requests.
- Commit Verification — Enforces cryptographically signed commits against a policy you control, supporting both keyless (Sigstore) signatures and static keys such as GPG.
Each capability is configured with its own file in the .chainguard/ directory.
Note: For Dockerfile migration, which runs locally through
chainctl agent dockerfilerather than the GitHub App, see Dockerfile migration.