We build open-source security tools for the modern GitHub workflow — broad coverage, no per-seat pricing, and nothing leaves your repo.
Website · Muninn · Marketplace · @skaldlab
🐦⬛ Muninn — all-in-one CI/CD security scanner
One GitHub Action orchestrates eight best-in-class open-source scanners — gitleaks, zizmor, actionlint, poutine, semgrep, osv-scanner, trivy, checkov — normalizes their output into a single finding schema, and reports back as PR comments, SARIF, or JSON.
```yaml
- uses: skaldlab/muninn@v0.3.3
  with:
    token: ${{ secrets.GITHUB_TOKEN }}
```

Secrets · SAST · CI/CD pipeline security · supply chain · dependencies · containers · IaC — in one line.
- Open source first — AGPL-3.0 core, self-hostable, trust through transparency.
- Your code stays put — scans run on your own runner; nothing is uploaded to us.
- CI/CD-native — built for GitHub Actions, results land in the Security tab automatically.
- Zero config to start — works out of the box, tune it later when you want to.
In Norse myth, a skald was a poet who kept and retold the stories that mattered. Muninn ("Memory") was one of Odin's two ravens, sent out each day to observe the world and return with what it learned. Our tools are named in that spirit — they watch, remember, and report back.
- General: hello@skaldlab.dev
- Security disclosures: security@skaldlab.dev (please don't open public issues)