laravel / moat

Public

Supply-chain hygiene for your GitHub organization & repositories

19 stars · 100% credibility
Found May 18, 2026 at 19 stars

Language: Rust

AI Summary

Moat is a free security audit tool for GitHub projects. It automatically checks whether your repositories and organization have important security controls in place, such as requiring two-factor authentication, protecting important branches, scanning for accidentally committed secrets, and keeping your build tooling up to date. You run it with your project name, wait a moment, and get a clear report showing your security posture. Every problem it finds comes with step-by-step instructions and direct links to the setting that fixes it. It is designed to catch security gaps before attackers do.

How It Works

1. 🔍 You hear about a security tool: a developer friend tells you about moat, a tool that checks your GitHub project for security gaps.
2. ⬇️ You install it on your computer: you download and set up moat in minutes; it works on your type of computer right out of the box.
3. 🚀 You run it with your project name: one simple command checks your entire project, every repository and all your team's settings at once.
4. It does the detective work for you: behind the scenes, it examines dozens of security settings across all your repositories.
5. You see your security score, with one of two outcomes:
   - Everything is secure: if your project passes all checks, you get a high score and can share that your project is well-protected.
   - ⚠️ Some things need fixing: if problems are found, you see exactly which settings are weak and why they matter, with direct links to fix each one.
6. 🔧 You fix what needs attention: each issue comes with clear step-by-step instructions and links straight to the settings you need to change.
7. 🛡️ Your project is protected: after fixing any issues, your project has strong defenses against account takeovers, leaked secrets, and supply-chain attacks.

AI-Generated Review

What is moat?

Moat is a Rust CLI that audits your GitHub organization or repository for supply-chain security gaps. Point it at any org, user, or repo and it fetches the relevant settings via the GitHub API, then runs 22 checks covering two-factor authentication, branch protection, secret scanning, Dependabot alerts, workflow permissions, and more. It reports exactly which repos fail which controls, with direct links to the settings pages where you can fix them. You get a terminal report with a security posture score, plus JSON and Markdown output for CI integration. Configuration lives in a `moat.toml` file if you need to disable specific checks for particular repositories.

Why is it gaining traction?

The tool fills a gap between manual security audits and expensive enterprise tooling. It runs in seconds across an entire org, catching issues like members without 2FA, unprotected release branches, or workflow tokens with write access. The explanations are unusually clear: each check states why it matters and how to fix it, with step-by-step instructions. It handles GitHub Free plan limitations gracefully, skipping checks that require a Team or Enterprise plan without cluttering the output. The Rust implementation means fast execution and a single static binary with no runtime dependencies.

Who should use this?

Security teams at organizations with multiple repositories who want baseline hygiene without manual spot-checking. DevOps leads rolling out GitHub best practices across teams. Open source maintainers auditing their own accounts. Anyone tired of discovering a missing security setting only after an incident.

Verdict

Moat does one thing well and explains it clearly. At 19 stars, it is early-stage software with the maturity that implies: limited community feedback and no production battle-testing at scale. The codebase itself is well-tested (clippy, cargo-audit, coverage reports), but the project needs real-world usage to surface edge cases. Given the 1.0% credibility score, treat it as a solid starting point rather than a finished product. It is worth installing to audit your org today, but keep an eye on the releases.
