This repository tracks the latest versions of all tools and packages.
Only the current main branch is actively maintained.
If you discover a security issue in this repository — such as a credentials leak, an unsafe shell pattern, or a dependency with a known CVE — please do not open a public issue.
Instead, use GitHub's private vulnerability reporting.
You can expect an acknowledgement within 7 days and a resolution or status update within 30 days.
| Layer | Tool | What It Covers |
|---|---|---|
| Secret detection | gitleaks | Scans git history for leaked credentials (pre-commit) |
| Filesystem scanning | Trivy | Secrets and misconfigurations in every push/PR |
| PowerShell analysis | PSScriptAnalyzer | Unsafe PowerShell patterns (CI, Windows runner) |
| Ansible linting | ansible-lint | Production-profile rules including unsafe shell patterns |
| Shell linting | shellcheck | Shell script bugs and unsafe constructs (pre-commit) |
| Dependency updates | Renovate | Automated PRs for outdated Actions, hooks, and collections |
The bootstrap scripts download installers over HTTPS (TLS 1.2 minimum). Users should review the scripts before running them and verify that the source URLs match the official project repositories:
| Script | Installer | Source |
|---|---|---|
| bootstrap_macos.sh | Homebrew | https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh |
| bootstrap_ubuntu.sh | just | https://just.systems/install.sh |
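As an added example (not code from this repository), a POSIX shell guard for the download step above: it accepts only the exact installer URLs listed in the table, refuses anything that is not HTTPS, and fetches with curl pinned to HTTPS and TLS 1.2, saving the installer to a file for review instead of piping it into a shell. The function names and the output path are assumptions.

```shell
#!/bin/sh
# Added example, not part of the repository's bootstrap scripts.
set -eu

# Allow-list: the "Source" column of the table, exactly as listed.
OFFICIAL_SOURCES="https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh
https://just.systems/install.sh"

# Return 0 when URL is an exact match for an allow-listed source, 1 otherwise.
# Exact matching (not prefix matching) rejects look-alike hosts and paths.
is_official_source() {
    url=$1
    case "$url" in
        https://*) ;;          # only HTTPS is acceptable
        *) return 1 ;;
    esac
    for allowed in $OFFICIAL_SOURCES; do
        [ "$url" = "$allowed" ] && return 0
    done
    return 1
}

# Download an allow-listed installer to OUT for review; never pipe it to sh.
fetch_installer() {
    url=$1
    out=$2
    if ! is_official_source "$url"; then
        echo "refusing to fetch non-official source: $url" >&2
        return 1
    fi
    # --proto '=https' : refuse any non-HTTPS scheme, including on redirect
    # --tlsv1.2        : TLS 1.2 minimum, matching the policy stated above
    # --fail           : treat HTTP errors as failures instead of saving an error page
    # no -L            : redirects are not followed silently
    curl --proto '=https' --tlsv1.2 --fail --silent --show-error -o "$out" "$url"
    echo "saved $url to $out; review it before running" >&2
}
```

Call `fetch_installer https://just.systems/install.sh ./just-install.sh` and inspect the saved file before executing it.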
The Windows bootstrap script enables unencrypted WinRM (AllowUnencrypted=true)
for local Ansible control over WSL2. This is intentional and scoped to the
local machine only — see bootstrap/bootstrap_windows.ps1
for the full justification. Do not use this configuration on machines reachable
from an untrusted network.