For the complete documentation index, see llms.txt.

Chainguard Guardener GitHub App

The Chainguard Guardener GitHub App is a single, hardened bot that runs against your repositories. Its capabilities are opt-in per repository through configuration files committed to a .chainguard/ directory, so installing the app has no effect on a repository until you enable a capability.

Note: Chainguard Guardener is in beta. Available to organizations that have installed and linked the Chainguard Guardener GitHub App.

Getting set up

  • Getting started — Install the GitHub App and link your Chainguard organization to your GitHub organization.
  • Configuration — Understand the .chainguard/ configuration model that all the GitHub App capabilities share.

Capabilities

  • Hardened Actions — Recommends and migrates your GitHub Actions to Chainguard’s hardened, SHA-pinned equivalents, either through non-blocking pull request review comments or automated migration pull requests.
  • Commit Verification — Enforces cryptographically signed commits against a policy you control, supporting both keyless (Sigstore) signatures and static keys such as GPG.

Each capability is configured with its own file in the .chainguard/ directory.

Note: For Dockerfile migration, which runs locally through chainctl agent dockerfile rather than the GitHub App, see Dockerfile migration.