// use case · ci / cd

Gate every merge on a fresh audit.

Wire unpwnd into your pipeline and it audits each change the moment it lands — flagging a new critical before it reaches your default branch.

01

Push / PR

A commit lands or a pull request opens.

02

unpwnd audits

Full source→sink audit of the change, in minutes.

03

Gate

Block on a new critical — or just annotate.

04

Merge

Clean changes ship; the fix prompt rides along.

.github/workflows/security.yml
# Audit every pull request; fail the check on a new critical on: [pull_request] jobs: unpwnd: uses: unpwnd/audit-action@v1 with: scope: changed # audit only the diff fail_on: critical # block the merge on a new critical comment_pr: true # post findings + fix prompts inline

// illustrative — the GitHub App drives audits today; a first-class CI action is on the roadmap

// why teams wire it in

Security that keeps pace with your merge queue.

Every push, fully audited

No pattern-matching, no partial scan — every check traces each finding from source to sink, fast enough to sit in a required check.

Shift left, for real

A new critical fails the check before merge — not in a quarterly pen-test three releases later.

Fix in the PR

Findings arrive as inline comments with a paste-ready remediation — the reviewer never leaves the diff.

// put it in the pipeline

Never merge a fresh critical again.

Connect a repository and let unpwnd audit every change as it lands.

CI / CD · unpwnd