gitwtfhub

wtf is moat?

laravel/moat — explained in plain English

Analysis updated 2026-05-18

16RustAudience · ops devopsComplexity · 2/5Setup · easy

TL;DR

A command line tool that audits a GitHub org, user, or repo for supply chain security gaps like missing 2FA, unsigned commits, and unpinned Actions.

Mindmap

mindmap
  root((repo))
    What it does
      Audits GitHub security
      Flags misconfigurations
      Explains risks plainly
    Tech stack
      Rust
    Use cases
      2FA enforcement check
      Action pinning check
      Branch protection check
    Audience
      DevOps engineers
      Open source maintainers

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

Why would anyone build with this?

REASON 1

Audit whether two factor authentication is enforced across a GitHub organization.

REASON 2

Check whether GitHub Actions workflows pin dependencies to hashes instead of mutable tags.

REASON 3

Verify branch protection, signed commits, and secret scanning are enabled before an incident happens.

What's in the stack?

Rust

How it stacks up

laravel/moatcelestia-island/ratatui-markdowndollspace-gay/thermite
Stars161616
LanguageRustRustRust
Setup difficultyeasyeasyhard
Complexity2/52/55/5
Audienceops devopsdeveloperresearcher

Figures from each repo's GitHub metadata at analysis time.

How do you spin it up?

Difficulty · easy Time to first run · 5min

Needs a GitHub token with read permissions.

Wtf does this do

Moat is a command-line security audit tool written in Rust that checks your GitHub organization, user account, or individual repository for supply-chain hygiene problems: security misconfigurations that could let an attacker slip malicious code into your software without detection. Supply-chain attacks happen when someone compromises a dependency, a contributor account, or an automated workflow rather than attacking your code directly. Moat scans for the controls that block those attacks: whether two-factor authentication is enforced org-wide, whether branch protection rules cover release branches, whether commits must be cryptographically signed, whether secret scanning and push protection are enabled, whether Dependabot alerts are on for vulnerable dependencies, and whether GitHub Actions workflows pin dependencies to specific hashes rather than mutable tags (which can be silently repointed after a compromise). To use it, install the binary via Homebrew or a prebuilt release, provide a GitHub token with read permissions, and run a single command with your org name, username, or repo slug. No configuration file is needed. Moat resolves your GitHub token by checking the GITHUB_TOKEN environment variable first, then GH_TOKEN, and finally falling back to a logged-in GitHub CLI session, so most users do not need to set anything up manually. A verbose flag shows the full list of collaborators and members instead of a truncated view, and a theme option controls whether output is styled for a dark or light terminal. Each check includes a plain-English explanation of the risk, so the output is actionable for teams that want to understand the danger, not just see pass/fail results. It targets open-source maintainers and engineering teams wanting a quick audit of their GitHub security posture before a leaked token or compromised dependency becomes an incident. The full README is longer than what was provided.

Yoink these prompts

Prompt 1
Help me install Moat via Homebrew and run a security audit on my GitHub organization.
Prompt 2
Explain what it means for GitHub Actions to pin dependencies to hashes versus mutable tags.
Prompt 3
Walk me through the checks Moat runs and what each one protects against.
Prompt 4
How do I generate a GitHub token with the right permissions to run Moat?

Frequently asked questions

wtf is moat?

A command line tool that audits a GitHub org, user, or repo for supply chain security gaps like missing 2FA, unsigned commits, and unpinned Actions.

What language is moat written in?

Mainly Rust. The stack also includes Rust.

How hard is moat to set up?

Setup difficulty is rated easy, with roughly 5min to a first successful run.

Who is moat for?

Mainly ops devops.

View the repo → Decode another repo

This repo across BitVibe Labs

Don't trust strangers blindly. Verify against the repo.