πŸ¦β€β¬› Muninn by Skald Lab

One Action. Eight Scanners.

Muninn by Skald Lab scans every PR for secrets, vulnerabilities, and CI/CD pipeline risks — automatically.

workflow.yml
- uses: skaldlab/muninn@v1
  with:
    token: ${{ secrets.GITHUB_TOKEN }}

Eight scanners. One report.

Best-in-class open-source tools, orchestrated and normalized into a single finding schema.

🔑

Secrets

gitleaks detects exposed credentials and API keys

🔍

SAST

Semgrep finds code vulnerabilities across 30+ languages

⚡

Pipeline Security

zizmor catches dangerous GitHub Actions patterns

🔗

Supply Chain

actionlint + poutine detect workflow risks

📦

Dependencies

OSV-Scanner finds CVEs in your packages

🐳

Containers

Trivy scans images for vulnerabilities

πŸ—οΈ

IaC

Checkov finds Terraform and Kubernetes misconfigs

πŸ¦β€β¬›

Unified Report

SARIF, JSON, or PR comment — your choice

How it works

From zero to full security coverage in minutes.

1. Add one line

Drop the Action into any workflow

2. Muninn scans

All 8 scanners run in parallel

3. See results

PR comments, Security tab, or JSON

Why Muninn

Security that fits how teams already ship on GitHub.

Free & Open Source

AGPL-3.0. Self-hostable. No per-seat pricing.

Zero Configuration

Works out of the box. Customize via muninn.yml when ready.

CI/CD Native

Built for GitHub Actions. Results in the Security tab automatically.

Muninn (Old Norse: “Memory”) was one of Odin’s two ravens, sent out each day to observe the world and return with intelligence. We named our scanner after him — because Muninn never forgets what it finds in your code.