Chainguard Guardener Commit Verification
Configure Chainguard Guardener to verify that every commit in a pull request is cryptographically signed by an …
For the complete documentation index, see llms.txt.
Chainguard Guardener is configured entirely through files committed to a .chainguard/ directory — either in each repository, or once at the organization level in your .github repository. This page explains the configuration model that all the Guardener features share. For the specific options of each feature, see its dedicated page.
.chainguard/ directory
The Guardener reads its configuration from the .chainguard/ directory at the root of each repository. Every feature has its own file:
.chainguard/
├── actions.yaml # Hardened Actions
└── source.yaml # Commit VerificationBecause these files live in your repository, your configuration is reviewed through pull requests, versioned in git history, and audited like any other code change.
Installing the Guardener GitHub App does not change any repository on its own. Each feature stays disabled until you add its configuration file and enable it. This means you can:
A repository with no .chainguard/ files is unaffected by the Guardener even when the app is installed and the organization is linked.
| Feature | Config file | What it does |
|---|---|---|
| Hardened Actions | .chainguard/actions.yaml | Recommends and migrates GitHub Actions to hardened, SHA-pinned equivalents. |
| Commit Verification | .chainguard/source.yaml | Verifies that commits in a pull request are signed by an authorized signer. |
Additional features will be added over time, each with its own .chainguard/ file and opt-in configuration.
.github repository
Rather than committing .chainguard/ files to every repository, you can define configuration once at the organization level. The Guardener reads a .chainguard/ directory from your organization’s .github repository and applies it as the default for every repository in the organization.
The .github repository is a special repository that GitHub already uses for organization-wide defaults (such as community health files and default workflows). The Guardener follows the same convention:
.github/ # your organization's .github repository
└── .chainguard/
├── actions.yaml # org-wide default for Hardened Actions
└── source.yaml # org-wide default for Commit VerificationTo use org-level configuration:
.github in your organization if you don’t already have one..github repository (or install it on All repositories)..chainguard/ configuration files to the default branch of the .github repository.Once in place, every repository the Guardener can access inherits this configuration without needing its own .chainguard/ files.
Configuration committed directly to a repository takes precedence over the organization-level configuration from the .github repository:
.chainguard/<feature>.yaml file uses that file for the feature, ignoring the org-level default for it..github repository.This lets you set a baseline for the whole organization and override it only where a specific repository needs different behavior.
Note: The Guardener reads the org-level configuration from the default branch (that is,
main) of the.githubrepository, just as it does for per-repository configuration.
To add or update the Guardener configuration:
.chainguard/ on a branch.Note: The Guardener uses the repo’s default branch (that is,
main) for its configuration.
.chainguard/actions.yaml..chainguard/source.yaml.Last updated: 2026-07-08 00:00