Hey HN, it's Farrukh and Umar. We're building listen.dev, a tool for proactive security monitoring in GitHub Actions that secures software releases against supply chain threats.

Why we built this:

As friends and collaborators for over a decade, we've worked on various startup ideas in dev tools and infrastructure. In 2017, while building an ML ops toolkit on Kubernetes, we got hacked. During a pilot with a fintech customer, our cluster fell victim to a crypto-jacking attack.

As it turned out, a dependency in our container base image contained malware (a Monero miner) which triggered inside the customer's environment. Needless to say, we lost the customer and racked up a massive cloud bill as a tiny startup. This first-hand experience introduced us to one of the biggest challenges in software security today.

The Problem:

Modern engineering teams rely heavily on third parties, from open source packages and base images to third-party tooling, to build and deploy software quickly. But this creates security blind spots that are exploited in modern supply chain attacks. Some high-profile cases targeting developer environments include:

(1) event-stream: a malicious transitive dependency injected a wallet-drainer payload into the build process for CoPay's bitcoin wallet
(2) SolarWinds: a compromised build tool injected malicious code into downstream releases
(3) Codecov: a bash uploader script inside the testing tool stole secrets when run in CI

While most teams today incorporate some form of security scanning, it typically focuses on known vulnerabilities. In contrast, we detect zero-day threats and harden your build and release processes against malicious activity, with a focus on developer experience.

Enter listen.dev: a tool to analyze the behavior of your GitHub Actions workflows. How it works:

- Native integration via a simple workflow step. You can instrument your build, test, and release processes in any language or stack.
- Observes low-level behaviors using eBPF (network, file, and process signals) over each run
- Detects anomalies and malicious activity using threat intelligence and out-of-the-box detections for known bads (e.g., info stealers making unknown network connections, reverse shells, tampering of builds, etc.)
- Offers in-line PR feedback with context, plugging into existing toolchains via webhooks

Behind listen.dev is a team of builders and OSS maintainers with years of experience in security observability and developer tools, having previously worked on eBPF runtime security projects like Falco and Tracee. We're seeking feedback from DevOps and security folks to help us improve.

You can sign up for free at https://lstn.dev/hn, install our GitHub action in under a minute, and start monitoring your repos.

We'd love to hear from you; any feedback and questions are welcome. To learn more, see https://docs.listen.dev and a video of how it works: https://lstn.dev/demo-video
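To make the "How it works" bullets concrete, here is a small behavioral detector of the kind the post describes, written as an added example for this page. It is not listen.dev's code and does not use its API; it assumes a tracer has already reduced eBPF process, network and file signals for one CI run into JSON event records (the sample events, the policy, and the rule names `unexpected_egress`, `reverse_shell` and `artifact_tamper` are all constructed here). The three rules mirror the three "known bads" the post lists: an install script reaching a host that is not on the run's egress allowlist, a shell opening an outbound connection (the reverse-shell pattern), and a non-build process writing into the release artifact directory. Each finding carries the process ancestry so that PR feedback can say which dependency step misbehaved.

```python
"""Toy CI behavioral detector (added illustration, not listen.dev's code)."""
import json
from collections import namedtuple

Finding = namedtuple("Finding", "rule pid chain detail")

# Constructed sample events (not real telemetry), one JSON object per line,
# shaped like what a process/network/file tracer could emit for one CI run.
# Story: `npm ci` runs a postinstall script that phones home, spawns an
# interactive shell back to the same host, and later overwrites dist/app.
SAMPLE_EVENTS = """
{"ts": 1, "type": "exec", "pid": 100, "ppid": 1, "comm": "npm", "argv": ["npm", "ci"]}
{"ts": 2, "type": "connect", "pid": 100, "comm": "npm", "dst": "104.16.0.1", "dport": 443, "host": "registry.npmjs.org"}
{"ts": 3, "type": "exec", "pid": 101, "ppid": 100, "comm": "node", "argv": ["node", "postinstall.js"]}
{"ts": 4, "type": "connect", "pid": 101, "comm": "node", "dst": "203.0.113.7", "dport": 443}
{"ts": 5, "type": "exec", "pid": 102, "ppid": 101, "comm": "bash", "argv": ["bash", "-i"]}
{"ts": 6, "type": "connect", "pid": 102, "comm": "bash", "dst": "203.0.113.7", "dport": 4444}
{"ts": 7, "type": "exec", "pid": 103, "ppid": 1, "comm": "go", "argv": ["go", "build", "-o", "dist/app", "./cmd/app"]}
{"ts": 8, "type": "write", "pid": 103, "comm": "go", "path": "dist/app"}
{"ts": 9, "type": "write", "pid": 101, "comm": "node", "path": "dist/app"}
"""

# Hypothetical per-run policy: hosts the build may talk to, which paths are
# release artifacts, which tools may write them, and what counts as a shell.
POLICY = {
    "egress_allow": {"registry.npmjs.org", "github.com", "proxy.golang.org"},
    "artifact_prefixes": ("dist/",),
    "artifact_writers": {"go"},
    "shells": {"bash", "sh", "dash", "zsh"},
}


def parse_events(text):
    """Parse one JSON event per non-empty line into dicts (assumes ts order)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def process_chain(pid, parents, names):
    """Ancestry string, child first, e.g. 'bash < node < npm'."""
    chain, seen = [], set()
    while pid in names and pid not in seen:
        seen.add(pid)
        chain.append(names[pid])
        pid = parents.get(pid)
    return " < ".join(chain)


def detect(events, policy=POLICY):
    """Run the three rules over an event stream and return Findings in order."""
    parents, names, findings = {}, {}, []
    for ev in events:
        if ev["type"] == "exec":
            parents[ev["pid"]] = ev["ppid"]
            names[ev["pid"]] = ev["comm"]
        chain = process_chain(ev["pid"], parents, names) or ev.get("comm", "?")
        if ev["type"] == "connect":
            dst = ev.get("host") or ev["dst"]  # prefer resolved name when present
            if ev["comm"] in policy["shells"]:
                # A shell itself owning a socket is the classic reverse-shell shape.
                findings.append(Finding("reverse_shell", ev["pid"], chain,
                    f"shell opened outbound connection to {ev['dst']}:{ev['dport']}"))
            elif dst not in policy["egress_allow"]:
                findings.append(Finding("unexpected_egress", ev["pid"], chain,
                    f"connection to {dst}:{ev['dport']} not in allowlist"))
        elif ev["type"] == "write":
            if (ev["path"].startswith(policy["artifact_prefixes"])
                    and ev["comm"] not in policy["artifact_writers"]):
                findings.append(Finding("artifact_tamper", ev["pid"], chain,
                    f"{ev['comm']} wrote release artifact {ev['path']}"))
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_EVENTS)):
        print(f"[{f.rule}] pid={f.pid} chain={f.chain}: {f.detail}")
```

Against the sample run this yields three findings: `unexpected_egress` from `node < npm` (the postinstall script), `reverse_shell` from `bash < node < npm`, and `artifact_tamper` because `node` rather than `go` wrote `dist/app`. The allowlist and artifact-writer sets are what you would tune per repository; the ancestry chain is the piece that makes an alert actionable in a PR comment, since it points at the dependency step rather than just a PID.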