Uncain

WE CONTAIN TRUST DRIFT

Your supply chain is shifting. We're watching.

Uncain maps your CI/CD trust graph, detects trust drift, and contains threats before the next unsafe run.

TRUST DRIFT

Trust drift is the threat model you never drew.

A tag moves. A maintainer gets write access. A reusable workflow starts inheriting secrets. A dependency beneath an Action adds a runtime download.

None of that needs a CVE. It still changes what your pipeline trusts - and how wide your blast radius gets.

  • 412 workflows in the median GitHub org
  • 340 unverified transitive dependencies
  • 0 containment plans

HOW IT WORKS

Map. Detect. Contain.

One graph. Three actions. No alert theater.

Map the trust graph

Uncain resolves workflows, Actions, reusable workflows, images, manifests, and runtime fetch paths into one execution map.

workflows -> Actions -> images -> packages

Detect trust drift

We watch for the changes scanners miss: moved tags, permission drift, weakened protections, release authority changes, and disappearing provenance.

tag drift + permission drift + release authority

Contain before execution

When policy breaks, Uncain cancels unsafe runs, quarantines refs, and opens remediation paths before the next run lands.

cancel runs + quarantine refs + remediation PRs

NOT ANOTHER SCANNER

Trust is a graph, not a checklist.

Other tools tell you something is wrong after it runs. Uncain maps what changed, why it matters, and what to stop.

Trust graph, not a dependency list

Uncain models who trusts whom across workflows, Actions, images, packages, and runtime downloads - not just what shows up in a manifest.

what we map

  • workflows
  • Actions + nested Actions
  • container images
  • package manifests
  • runtime downloads

Trust drift, not CVE backlog

We look for trust-bearing changes: tag rewrites, permission drift, release authority changes, and evidence that quietly disappeared upstream.

what changed

  • deploy-action@v2 → new SHA
  • id-token: write added
  • release authority changed
  • provenance removed
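As an added example (not Uncain's code), here is a small drift check over two constructed snapshots of one workflow, shaped like a parsed workflow file: it reports the kinds of trust-bearing changes listed above (a moved ref, `id-token: write` added, a job that now inherits every secret) and, going a step beyond the list, flags any ref that is not pinned to a commit SHA. The org, the `deploy-action` name, the reusable workflow path and the all-`a` SHA are placeholders.

```python
import re
# Constructed "before" snapshot, shaped like a parsed workflow file.
BEFORE = {
    "permissions": {"contents": "read"},
    "jobs": {"deploy": {"steps": [
        {"uses": "actions/checkout@v4"},
        {"uses": "example-org/deploy-action@v2"},  # hypothetical Action
    ]}},
}
# Constructed "after" snapshot: ref moved, id-token widened, secrets inherited.
AFTER = {
    "permissions": {"contents": "read", "id-token": "write"},
    "jobs": {"deploy": {"steps": [
        {"uses": "actions/checkout@v4"},
        {"uses": "example-org/deploy-action@" + "a" * 40},  # placeholder SHA
    ]}, "release": {"uses": "example-org/shared/.github/workflows/release.yml@main",
                    "secrets": "inherit"}},
}

def trust_edges(wf):  # map each step / reusable-workflow job to the ref it executes
    edges = {}
    for job_name, job in wf.get("jobs", {}).items():
        if "uses" in job:  # job-level 'uses' calls a reusable workflow
            edges[job_name] = job["uses"]
        for i, step in enumerate(job.get("steps", [])):
            if "uses" in step:
                edges[f"{job_name}.step{i}"] = step["uses"]
    return edges

def trust_drift(before, after):
    """List trust-bearing changes between two snapshots; unrelated edits are ignored."""
    findings, old, new = [], trust_edges(before), trust_edges(after)
    for node, ref in new.items():
        if node not in old:
            findings.append(f"new trust edge: {node} uses {ref}")
        elif old[node] != ref:
            findings.append(f"ref drift: {node} {old[node]} -> {ref}")
        tail = ref.partition("@")[2]
        if not re.fullmatch(r"[0-9a-f]{40}", tail):  # tags and branches can move
            findings.append(f"mutable ref: {node} pinned to '{tail}', not a commit SHA")
    for scope, level in after.get("permissions", {}).items():
        if level == "write" and before.get("permissions", {}).get(scope) != "write":
            findings.append(f"permission drift: {scope}: write added")
    for job_name, job in after.get("jobs", {}).items():
        was = before.get("jobs", {}).get(job_name, {}).get("secrets")
        if job.get("secrets") == "inherit" and was != "inherit":
            findings.append(f"secret inheritance: {job_name} now inherits all secrets")
    return findings
```

Running `trust_drift(BEFORE, AFTER)` yields six findings; comparing a snapshot with itself reports only the two tag-pinned refs, which is the signal a tag-resolution step would follow up on.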

Containment, not another alert

When the graph says stop, Uncain moves the customer toward a safer state with precise control points instead of another queue notification.

action taken

  • unsafe runs cancelled
  • refs quarantined
  • remediation PR opened

Blast radius, not generic severity

Every incident is scored against your workflows, your secrets, your environments, and your release paths - the context your team actually needs.

blast radius

  • 3 repos affected
  • 5 workflows exposed
  • 2 deploy secrets at risk

WHAT WE FIND

It's 2 AM. An upstream dependency just changed.

47 of your workflows will execute it on the next push. Two carry deploy authority. Nobody is awake for the first alert.

We built Uncain so you can sleep through that.

EARLY ACCESS

We contain trust drift.

Connect GitHub. Review drift in the portal. Set containment before the next run.

Request early access