GitHub Action — scan your npm, PyPI, Cargo, and Go dependencies for supply chain risk before they land in main.
Commit scores each dependency on behavioral commitment signals:
- Solo maintainer + massive download volume = historically high attack target
- New packages that spiked overnight
- Packages with no recent releases (potentially abandoned)
CRITICAL packages share the risk profile of axios (April 2026) and LiteLLM (March 2026) — the ones that actually got exploited.
| Ecosystem | Auto-detects | Manifest files |
|---|---|---|
| npm | package.json | package.json, package-lock.json |
| Cargo (Rust) | Cargo.toml | Cargo.toml, Cargo.lock |
| Go | go.mod | go.mod, go.sum |
| PyPI | requirements.txt | requirements.txt |
npm:

```yaml
name: Supply Chain Audit
on:
  pull_request:
    paths: ['package.json', 'package-lock.json', 'bun.lock']
jobs:
  audit:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - uses: piiiico/commit-action@v1
        with:
          fail-on-critical: true
          comment-on-pr: true
```

Cargo:

```yaml
name: Supply Chain Audit
on:
  pull_request:
    paths: ['Cargo.toml', 'Cargo.lock']
jobs:
  audit:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - uses: piiiico/commit-action@v1
        with:
          packages-file: Cargo.toml
          fail-on-critical: true
```

Go:

```yaml
name: Supply Chain Audit
on:
  pull_request:
    paths: ['go.mod', 'go.sum']
jobs:
  audit:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - uses: piiiico/commit-action@v1
        with:
          packages-file: go.mod
          fail-on-critical: true
```

PyPI:

```yaml
name: Supply Chain Audit
on:
  pull_request:
    paths: ['requirements.txt']
jobs:
  audit:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - uses: piiiico/commit-action@v1
        with:
          packages-file: requirements.txt
          fail-on-critical: true
```

On every PR touching dependencies, Commit posts a comment:
npm example:

| Package | Risk | Score | Publishers | Downloads/wk | Age |
|---|---|---|---|---|---|
| axios | 🔴 CRITICAL | 86 | 1 | 100M | 11.7y |
| zod | 🔴 CRITICAL | 86 | 1 | 162M | 6.1y |
| chalk | 🔴 CRITICAL | 75 | 1 | 422M | 12.7y |

Cargo example:

| Package | Risk | Score | Owners | Downloads/wk | Age |
|---|---|---|---|---|---|
| serde | 🔴 CRITICAL | 78 | 1 | 13M | 11.4y |
| tokio | 🟢 OK | 89 | 2 | 11M | 9.9y |
| Input | Default | Description |
|---|---|---|
| packages | (auto) | Comma-separated package names (auto-detected from manifest if omitted) |
| packages-file | (auto) | Path to manifest: package.json, Cargo.toml, Cargo.lock, go.mod, go.sum, requirements.txt |
| ecosystem | auto | npm, pypi, cargo, golang, or auto |
| fail-on-critical | true | Block merges when CRITICAL packages found |
| max-packages | 20 | Max packages to audit when auto-detecting |
| include-dev-dependencies | false | Include devDependencies (npm only) |
| comment-on-pr | true | Post results as a PR comment (updates in place on re-run) |
| github-token | `${{ github.token }}` | Token for posting PR comments |
| api-key | (none) | Commit Pro API key for batch requests |
| api-url | (prod) | Override API endpoint |
| Output | Description |
|---|---|
| has-critical | true if CRITICAL packages found |
| critical-count | Number of CRITICAL packages |
| audit-summary | Audit results as a markdown table |
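A workflow that consumes these outputs in later steps, added here as an example and not taken from the action's own documentation. It assumes the outputs are populated when fail-on-critical is set to false, so the gate and the job-summary step below run after the audit instead of the action failing the job itself:

```yaml
name: Supply Chain Audit
on:
  pull_request:
    paths: ['package.json', 'package-lock.json']
jobs:
  audit:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - id: commit
        uses: piiiico/commit-action@v1
        with:
          # Let the step succeed so the outputs can be inspected below (assumption: outputs are
          # set regardless of this flag); the explicit gate step enforces the merge block instead.
          fail-on-critical: false
          comment-on-pr: true
      - name: Publish the audit table to the job summary
        # Pass the markdown through an env var rather than interpolating it into the script,
        # so package names from the manifest are never evaluated by the shell.
        run: printf '%s\n' "$AUDIT_SUMMARY" >> "$GITHUB_STEP_SUMMARY"
        env:
          AUDIT_SUMMARY: ${{ steps.commit.outputs.audit-summary }}
      - name: Block the merge when CRITICAL packages were found
        if: steps.commit.outputs.has-critical == 'true'
        run: |
          echo "::error::${COUNT} CRITICAL package(s) flagged; see the PR comment for details"
          exit 1
        env:
          COUNT: ${{ steps.commit.outputs.critical-count }}
```

Because the gate is a separate step, the summary is written even on a failing run, which makes the audit result visible in the Actions UI without opening the PR comment.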
Add to your README:

[](https://getcommit.dev)

CRITICAL = sole maintainer/owner + high download volume.
This is the exact risk profile of every major supply chain attack in 2025-2026 across npm, PyPI, and Cargo. A single account compromise poisons millions of downstream installs in hours. Commit flags these before the attack happens, not after.
The same pattern holds across ecosystems:
- npm: chalk (413M/wk, 1 publisher), axios (99M/wk, 1 publisher)
- Cargo: serde (13M/wk, 1 owner), reqwest (8M/wk, 1 owner)
- Go: Structurally safer — decentralized publishing means lower concentration risk
Built by Commit — behavioral commitment signals for supply chain trust.