Your CI Now Flags Supply Chain Risks Directly on the PR
We just shipped PR comment support for the Commit supply chain audit GitHub Action.
When someone opens a PR that changes your dependencies — package.json, requirements.txt, pyproject.toml — the action now posts the risk table directly in the PR thread. No navigating to the Actions tab. No clicking through Step Summary links. The audit result is right where reviewers already look.
What it looks like
A PR that adds axios, chalk, and zod as dependencies gets this comment automatically:
<!-- commit-supply-chain-audit -->
## 🔍 Supply Chain Audit
| Package | Risk | Score | Maintainers | Downloads/wk | Age |
|---------|-------------|-------|-------------|--------------|-------|
| chalk | 🔴 CRITICAL | 75 | 1 | 380M | 12.7y |
| zod | 🔴 CRITICAL | 83 | 1 | 133M | 6.1y |
| axios | 🔴 CRITICAL | 89 | 1 | 93M | 11.6y |
🔴 **3 CRITICAL** package(s) — sole maintainer + >10M weekly downloads.
Same risk profile as the axios (April 2026) and LiteLLM (March 2026) attacks.
When the workflow runs again on the same PR (new commits, re-runs), it updates the same comment — no duplicate spam.
Setup
```yaml
jobs:
  audit:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write # required for PR comments
    steps:
      - uses: actions/checkout@v4
      - uses: piiiico/proof-of-commitment@main
        with:
          fail-on-critical: false # set true to block merges on CRITICAL
          comment-on-pr: true # default: true
```
That's it. No API keys. No configuration. Auto-detects package.json or requirements.txt.
Why this matters
The Step Summary was useful but required intent — reviewers had to go looking for it. PR comments are in the default review flow. The risk data shows up when someone is actively making a decision about the dependency change.
The signal that matters: sole maintainer + >10M weekly downloads is the exact profile of the packages attacked in March and April 2026 (LiteLLM: 1 maintainer, 97M downloads/month; axios: 1 maintainer, 96M downloads/week, supply chain attack April 1st). CRITICAL doesn't mean "don't use" — it means "this package's compromise would be high-impact, and you should know who the single point of failure is."
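The two mechanics described above, the "sole maintainer + >10M weekly downloads" CRITICAL rule and the marker-based comment update that avoids duplicate posts, as an added example that is not the action's own code. The package.json contents, registry metadata and comment ids are constructed; the tool's numeric Score column is not reproduced.

```javascript
// Added example (not the project's own code): the CRITICAL rule the post states
// ("sole maintainer + >10M weekly downloads") and the marker-based comment upsert.
// All registry metadata, package.json contents and comment ids are constructed.
const MARKER = "<!-- commit-supply-chain-audit -->";
const WEEKLY_DOWNLOAD_THRESHOLD = 10_000_000;

// Dependencies a PR adds: names in the head package.json missing from the base one.
function addedDependencies(basePkg, headPkg) {
  const deps = (p) => ({ ...(p.dependencies || {}), ...(p.devDependencies || {}) });
  const base = deps(basePkg);
  return Object.keys(deps(headPkg)).filter((name) => !(name in base));
}

// Only the rule the post states; the tool's numeric Score column is not reproduced.
function classify(meta) {
  return meta.maintainers === 1 && meta.weeklyDownloads > WEEKLY_DOWNLOAD_THRESHOLD ? "CRITICAL" : "OK";
}

// Render the comment; the HTML marker on line 1 is what a later run searches for.
function renderComment(pkgs) {
  const rows = pkgs.map((p) => `| ${p.name} | ${classify(p) === "CRITICAL" ? "🔴 CRITICAL" : "🟢 OK"} ` +
    `| ${p.maintainers} | ${Math.round(p.weeklyDownloads / 1e6)}M |`);
  const critical = pkgs.filter((p) => classify(p) === "CRITICAL").length;
  return [MARKER, "## 🔍 Supply Chain Audit", "| Package | Risk | Maintainers | Downloads/wk |",
    "|---|---|---|---|", ...rows,
    `🔴 **${critical} CRITICAL** package(s): sole maintainer + >10M weekly downloads.`].join("\n");
}

// Upsert: rewrite the comment that carries the marker, otherwise create one. `comments`
// stands in for the list the GitHub issue-comments API returns (no network call here).
function upsertComment(comments, body) {
  const existing = comments.find((c) => c.body.startsWith(MARKER));
  if (existing) return { action: "update", id: existing.id, comments: comments.map((c) => (c.id === existing.id ? { ...c, body } : c)) };
  const id = comments.reduce((max, c) => Math.max(max, c.id), 0) + 1;
  return { action: "create", id, comments: [...comments, { id, body }] };
}

// Constructed PR: base/head package.json and illustrative registry metadata (the three
// large figures mirror the post's table; "tiny-helper" is a made-up package).
const BASE = { dependencies: { express: "^4.18.0" } };
const HEAD = { dependencies: { ...BASE.dependencies, axios: "^1.6.0", chalk: "^5.3.0", zod: "^3.22.0", "tiny-helper": "^0.1.0" } };
const REGISTRY = {
  axios: { maintainers: 1, weeklyDownloads: 93_000_000 },
  chalk: { maintainers: 1, weeklyDownloads: 380_000_000 },
  zod: { maintainers: 1, weeklyDownloads: 133_000_000 },
  "tiny-helper": { maintainers: 1, weeklyDownloads: 2_000_000 },
};
// Audit a PR: classify each added dependency and build the comment body.
function auditPr(basePkg, headPkg, registry) {
  const pkgs = addedDependencies(basePkg, headPkg).map((name) => ({ name, ...registry[name] }));
  return { pkgs, body: renderComment(pkgs) };
}
```

Running `upsertComment` twice with the same comment list shows the second run updating the marked comment instead of appending a new one.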
Other features
- Auto-detection: Reads from package.json, requirements.txt, or pyproject.toml
- Step Summary: Full audit table in GitHub's native summary view (works on push too)
- REST API: POST https://poc-backend.amdal-dev.workers.dev/api/audit (no auth needed)
- MCP server: Ask your AI to audit your dependencies: https://poc-backend.amdal-dev.workers.dev/mcp
- Web demo: getcommit.dev/audit
GitHub: piiiico/proof-of-commitment