Guide: Supply Chain Automation with cg tools
CascadeGuard’s cg tools command group secures the build tooling layer of your software supply chain — independently of image lifecycle management. It works on any repository that has CI/CD pipelines, not just image build repos.
What cg tools does
| Problem | Command | What it does |
|---|---|---|
| GitHub Actions pinned to floating tags (@v3) | cg tools pin | Rewrites uses: references to full commit SHAs |
| Unknown or policy-violating actions in use | cg tools audit | Audits workflows against a declarative policy |
| No policy yet | cg tools policy init | Scaffolds a starter actions-policy.yaml |
| Need to generate CI pipelines from images.yaml | cg tools generate | Emits GitHub Actions workflow files |
This is separate from Image Factory (cg images). You can use cg tools on any repo — application repos, infrastructure repos, anything with a .github/workflows/ directory.
Pin GitHub Actions to commit SHAs
Floating tags like actions/checkout@v4 can be silently redirected. Pinning to a commit SHA ensures you always run exactly what you reviewed.
```shell
# Preview what would be pinned
cg tools pin --dry-run

# Pin all actions in .github/workflows/
cg tools pin

# Re-pin to the latest SHA for the same tag (for updates)
cg tools pin --update
```

After pinning, your workflow steps will look like:

```yaml
# Before
- uses: actions/checkout@v4

# After
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
```

The SHA is resolved via the GitHub API using your $GITHUB_TOKEN.
Audit workflows against a policy
Define which actions are allowed, which must be pinned, and which are blocked. Run the audit in CI to gate PRs that introduce policy violations.
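As an added illustration (not CascadeGuard's own code), the following Python script performs the kind of check cg tools audit runs: it extracts uses: references from a workflow file and flags actions that are unpinned, blocked, or outside the allowed owners, using a policy shaped like the starter actions-policy.yaml scaffolded below. The policy dict and the workflow text are constructed for the example.

```python
import re

# Constructed policy mirroring the starter actions-policy.yaml fields.
POLICY = {
    "require_pinned": True,
    "allowed_owners": ["actions", "github", "cascadeguard"],
    "blocked": ["some-org/untrusted-action"],
}

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")  # `uses: owner/repo@ref`
SHA_RE = re.compile(r"^[0-9a-f]{40}$")               # full commit SHA

def parse_uses(workflow_text):
    # Line-based extraction of every `uses:` reference (no YAML library needed).
    refs = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m:
            refs.append(m.group(1).strip("'\""))
    return refs

def audit_ref(ref, policy):
    """Return the policy violations for one reference (empty list if clean)."""
    action, _, version = ref.partition("@")
    parts = action.split("/")
    owner, repo = parts[0], "/".join(parts[:2])
    violations = []
    if repo in policy["blocked"]:
        violations.append(f"{ref}: action is blocked")
    if owner not in policy["allowed_owners"]:
        violations.append(f"{ref}: owner '{owner}' not in allowed_owners")
    if policy["require_pinned"] and not SHA_RE.match(version):
        violations.append(f"{ref}: not pinned to a full commit SHA")
    return violations

def audit_workflow(workflow_text, policy=POLICY):
    """Audit a whole workflow file; a non-empty result should fail the CI job."""
    return [v for ref in parse_uses(workflow_text) for v in audit_ref(ref, policy)]

# Constructed workflow: one pinned step, one floating tag, one blocked action.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
      - uses: actions/setup-python@v5
      - uses: some-org/untrusted-action@main
"""

if __name__ == "__main__":
    print("\n".join(audit_workflow(SAMPLE_WORKFLOW)) or "no violations")
```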
1. Scaffold a starter policy
```shell
cg tools policy init
```

This writes .cascadeguard/actions-policy.yaml:

```yaml
# .cascadeguard/actions-policy.yaml
policy:
  require_pinned: true        # all actions must be pinned to SHAs
  allowed_owners:             # only actions from these GitHub orgs/users
    - actions
    - github
    - cascadeguard
  blocked:                    # specific actions that are never allowed
    - some-org/untrusted-action
```

2. Run the audit

```shell
cg tools audit
```

Exits non-zero if any violations are found. Integrate into CI:

```yaml
# .github/workflows/supply-chain-check.yaml
on: [pull_request]
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<SHA> # v4
      - name: Audit GitHub Actions supply chain
        run: |
          pip install cascadeguard
          cg tools audit
```

Generate CI pipelines from images.yaml
If you manage images with CascadeGuard, cg tools generate creates the full GitHub Actions pipeline from your images.yaml enrollment file.
```shell
cg tools generate
cg tools generate --dry-run            # preview without writing
cg tools generate --platform github    # explicit platform override
```

The generated files are placed under .github/workflows/. Do not edit them by hand — they carry an # Auto-generated by CascadeGuard header and will be overwritten on the next cg tools generate run.
See the GitHub Actions Integration Guide for a description of each generated workflow file.
Using cg tools alongside Image Factory
cg tools and cg images are independent — you can use either or both:
- cg images only — automate image builds and base image updates; write your own CI pipelines
- cg tools only — harden existing CI pipelines in any repo without touching image management
- Both — full supply chain coverage: automated image lifecycle + hardened build tooling
A typical state repository uses both: cg images generate to update image state, cg tools generate to regenerate CI pipelines, and cg tools pin to keep action references pinned.
See also
- CLI Reference — full flag reference for all cg tools subcommands
- GitHub Actions Integration Guide — structure of generated workflow files
- Getting Started — install CascadeGuard and set up Image Factory
- Security Model — how CascadeGuard handles scanning, SBOMs, and signing
Using CascadeGuard Secure Images in production? Pair them with cg images to automate rebuilds whenever a base image is updated — and use cg tools pin to harden the CI pipelines that do the building.