Why this matters right now

Software supply chain attacks aren't slowing down. Over the past year, incidents targeting projects like **tj-actions/changed-files**, **Nx**, and **trivy-action** show a clear pattern: attackers are targeting CI/CD automation itself, not just the software it builds. The playbook is consistent:

- Vulnerabilities allow untrusted code execution
- Malicious workflows run without observability or control
- Compromised dependencies spread across thousands of repositories
- Over-permissioned credentials get exfiltrated via unrestricted network access

Today, too many of these vulnerabilities are easy to introduce and hard to detect. We're working to address this gap.…