# vu1nz Starter Ad Creative Pack

## 1. Campaign Summary

vu1nz helps GitHub-heavy teams find CI/CD workflow and package supply-chain risks before they merge. The campaign should position vu1nz as an added security layer for the surfaces Dependabot, CodeQL, and traditional SCA tools often miss: workflow YAML, GitHub Actions permissions, risky PR triggers, unpinned actions, suspicious package diffs, typosquats, and install-script malware.

Primary CTA: Scan your public GitHub repo free.

Secondary CTA: Start a 14-day free trial.

Core promise: Catch risky CI/CD and package supply-chain patterns in code review, without claiming perfect protection or replacing existing tools.

## 2. Target Audience

- Software engineers who review pull requests and own CI health.
- DevOps and platform engineers responsible for GitHub Actions, runners, deploy workflows, and repo templates.
- Security engineers looking for coverage beyond app-code SAST and known-CVE dependency alerts.
- CTOs and technical founders who want quick setup and flat org pricing.
- Open-source maintainers who need a free way to sanity-check public repos.

## 3. Messaging Pillars

1. Breach prevention: Your app code may not be where the breach comes from. Your CI/CD pipeline might be.
2. Developer utility: Paste in a public GitHub repo and get findings in seconds.
3. Competitive gap: Dependabot checks known CVEs. CodeQL checks app code. vu1nz checks CI/CD and package-diff risk.
4. Fast install: One GitHub App or one workflow file. PR comments during code review.
5. Open-source trust: MIT-licensed, auditable, forkable, and built for teams that ship.

## 4. Meta Ads

### Primary Text Variations

1. Your CI/CD pipeline has deploy keys, tokens, and production access. vu1nz scans GitHub Actions workflows and package diffs for risky patterns before they merge. Scan a public GitHub repo free.
2. Dependabot and CodeQL are useful, but they do not cover every supply-chain risk. Add vu1nz for CI/CD workflow checks, package malware signals, and PR-time findings. Start with a free public repo scan.
3. A new package in a PR can be clean today and malicious tomorrow. vu1nz watches package changes and GitHub Actions workflows for suspicious patterns, then posts findings where developers already work.

### Headline Variations

1. Scan CI/CD Risk in Seconds
2. Find What Dependabot Misses
3. Secure GitHub Actions PRs

### Description Variations

1. Free public repo scanner. 14-day trial for teams.
2. CI/CD checks, package-diff signals, PR comments.
3. MIT-licensed scanner for GitHub-heavy teams.

### Image Ad Concepts

1. Split PR Review Visual
   - Format: 1080x1080, 1080x1350, 1200x628.
   - Visual: Left side shows "No known CVEs" from a generic dependency bot. Right side shows vu1nz flagging "Unpinned action", "pull_request_target risk", and "Suspicious install script".
   - Copy overlay: "The risk is not always in your app code."
   - CTA button: "Scan repo free".
2. Workflow YAML Heatmap
   - Format: 1080x1350 for feed and 1200x628 for link ads.
   - Visual: A GitHub Actions YAML file with three highlighted risk zones: secrets in run, write-all permissions, unpinned action tag.
   - Copy overlay: "Your CI has production access. Audit it."
   - CTA button: "Try vu1nz".

### Short Video Concept

Title: "The PR looked safe."

Length: 15 seconds.

Script:

- 0-3s: Developer opens a PR. Text: "Dependabot: no known CVEs."
- 3-7s: The diff adds a workflow action and a new package. Text: "But the risk is in CI/CD."
- 7-11s: vu1nz flags unpinned action, risky permissions, suspicious install script.
- 11-15s: Product screen. Text: "Scan your public GitHub repo free." CTA: "Start a 14-day trial."

## 5. Reddit Ads

### Promoted Post Titles

1. I scanned my GitHub Actions workflow. The scary part was not the app code.
2. Dependabot said the PR was fine. The workflow YAML was not.
3. Free scanner for GitHub Actions and package-diff supply-chain risk.

### Body Copy Variations

1. Most teams already run Dependabot and CodeQL. Good. Keep them. vu1nz adds another layer: CI/CD workflow checks and package-diff scanning for risks like unpinned actions, risky PR triggers, exposed secrets patterns, typosquats, and suspicious install scripts. Try a public repo scan without signup.
2. CI/CD has tokens, cloud credentials, deploy permissions, and a lot of YAML nobody reviews closely. vu1nz scans GitHub Actions workflows and new package changes, then surfaces findings in PR review. Free public repo scans available.
3. If your team lives in GitHub, supply-chain risk often enters through workflow files and package updates. vu1nz is an MIT-licensed scanner built for those layers. It complements Dependabot, CodeQL, Snyk, and Semgrep.

### Reddit-Native / Comment-Style Angles

1. "We already had Dependabot and CodeQL. The blind spot was GitHub Actions: mutable tags, overbroad permissions, and secrets getting pulled into shell commands. This is the layer vu1nz is trying to cover."
2. "Not a replacement for your existing scanners. More like a smoke alarm for CI/CD and package changes: the stuff that gets scary because it can run before anyone audits it."

### Image Ad Concepts

1. "Code review checklist" graphic
   - Looks like a developer note, not corporate art.
   - Checklist items: App code checked, known CVEs checked, workflow YAML checked, package diff checked.
   - The last two are branded "vu1nz".
2. "PR comment in the thread" graphic
   - Mock PR comment from vu1nz with 3 findings and one-line remediations.
   - Keep it realistic and text-heavy for Reddit.

### Short GIF / Video Concept

Loop: A PR changes from green to amber as the view zooms from app files into `.github/workflows/deploy.yml`. vu1nz highlights "permissions: write-all" and "third-party action pinned by tag". End frame: "Scan your public repo free."

## 6. Google Search Ads

### Short Headline Options

1. GitHub Actions Security
2. CI/CD Security Scanner
3. Scan GitHub Workflows
4. Package Malware Scanner
5. Supply Chain PR Checks
6. Find Risky PR Workflows
7. Free Repo Security Scan
8. Stop Risky CI Changes
9. Audit Workflow YAML
10. Dependabot Gap Scanner

### Long Headline Options

1. Scan GitHub Actions and Package Diffs Before Risky PRs Merge
2. Add CI/CD Supply-Chain Checks Alongside Dependabot and CodeQL
3. Free Public Repo Scanner for GitHub Workflow Security Findings
4. Catch Unpinned Actions, Risky Triggers, and Suspicious Packages

### Description Options

1. Scan public repos free. Find CI/CD workflow and package-diff risks in seconds.
2. Add a missing security layer for GitHub Actions, PR workflows, and new packages.
3. Use alongside Dependabot and CodeQL. Built for CI/CD and supply-chain checks.
4. One GitHub App or workflow file. PR comments appear during code review.
5. MIT-licensed scanner with a 14-day team trial. No card required.
6. Flag unpinned actions, risky permissions, suspicious packages, and more.

### Suggested Keywords

- github actions security
- github workflow scanner
- ci/cd security scanner
- supply chain security scanner
- package malware scanner
- npm malware scanner
- pypi malware scanner
- dependency confusion scanner
- typosquat package scanner
- pull request security scanner
- dependabot alternative
- codeql alternative
- github app security scanner
- github actions permissions audit
- unpinned github actions
- pull_request_target security
- workflow yaml security

### Suggested Negative Keywords

- jobs
- hiring
- resume
- training
- course
- certification
- pdf
- template
- free antivirus
- windows scanner
- port scanner
- vulnerability exploit
- cracked
- torrent
- password hack
- social media scanner

## 7. Google Display Ads

### Display Headline / Body Combinations

1. Headline: "Your CI/CD Can Be the Breach Path"
   Body: "Scan GitHub Actions and package diffs for risky patterns before merge."
   CTA: "Scan repo free"
2. Headline: "Dependabot Finds CVEs. vu1nz Checks CI/CD."
   Body: "Add workflow and package-diff checks to your PR review flow."
   CTA: "Start free trial"
3. Headline: "Audit Workflow YAML in Seconds"
   Body: "Find unpinned actions, risky triggers, broad permissions, and more."
   CTA: "Try vu1nz"

### Banner Concepts

1. PR Timeline Banner
   - Sizes: 728x90, 970x250, 320x100.
   - Visual: PR opened -> vu1nz scan -> comment posted -> reviewer fixes YAML.
   - Copy: "Catch CI/CD risk before merge."
2. Missing Layer Stack
   - Sizes: 300x250, 336x280, 300x600, 160x600.
   - Visual stack: App code, dependencies, CI/CD workflows, package diffs.
   - Emphasize CI/CD workflows and package diffs as the vu1nz layer.
   - Copy: "Add the layer your PRs are missing."

## 8. YouTube / Video Concepts

### YouTube Shorts / Vertical Concept

Title: "The 5-second repo scan"

Format: 9:16 vertical.

Storyboard:

- 0-2s: Screen recording style. A public repo is pasted into vu1nz.
- 2-5s: Scan runs. Quick flashes: GitHub Actions, package diff, workflow permissions.
- 5-10s: Findings appear: "Unpinned third-party action", "permissions: write-all", "suspicious install script".
- 10-14s: Text: "Use it alongside Dependabot and CodeQL."
- 14-15s: CTA: "Scan your public GitHub repo free."

### 15-Second Pre-Roll Script

Voiceover: "Your app code is not the only supply-chain risk. GitHub Actions and package updates can carry secrets, tokens, and deploy access. vu1nz scans CI/CD workflows and package diffs before risky PRs merge. Scan your public GitHub repo free."

On-screen beats:

- 0-4s: PR diff with workflow file.
- 4-8s: vu1nz flags risky trigger and unpinned action.
- 8-12s: Package diff gets malware and typosquat checks.
- 12-15s: Product logo, CTA, "14-day trial. No card."

## 9. Image Creative Briefs

1. "The Blind Spot"
   - Concept: A security stack diagram with Dependabot, CodeQL, and SCA tools visible, then a highlighted gap labeled "CI/CD + package diffs".
   - Style: Clean terminal/editor aesthetic, dark text on light background, minimal brand color.
   - Copy: "Add the missing PR security layer."
2. "PR Comment That Saves a Review"
   - Concept: GitHub PR interface with a vu1nz comment listing three concise findings and fixes.
   - Style: Realistic UI mock, readable text, not abstract.
   - Copy: "Find risky workflow patterns before merge."
3. "5-Second Public Repo Scan"
   - Concept: Input field with `owner/repo`, immediate findings panel, no signup badge.
   - Style: Product-led, crisp, developer-native.
   - Copy: "Paste repo. Get findings."
4. "One GitHub App"
   - Concept: GitHub App install screen flowing into automatic PR checks.
   - Style: Simple three-step visual: install, scan, comment.
   - Copy: "One install. Every PR."

## 10. Recommended Ad Sizes

Meta:

- 1080x1080 square
- 1080x1350 vertical feed
- 1200x628 link

Reddit:

- 1200x628 image
- 1080x1080 square
- Short GIF or 9:16 vertical video cutdown

Google Display:

- 300x250
- 336x280
- 728x90
- 970x250
- 160x600
- 300x600
- 320x50
- 320x100

Video:

- 9:16 vertical
- 1:1 square
- 16:9 landscape

## 11. Suggested Keywords

- GitHub Actions security scanner
- CI/CD security scanner
- workflow YAML security
- PR security scanner
- package supply-chain security
- dependency malware scanner
- npm malware scanner
- package diff scanner
- typosquat detection
- unpinned GitHub Actions
- pull_request_target risk
- secrets in GitHub Actions
- CodeQL gaps
- Dependabot gaps
- GitHub App security
- open source CI/CD scanner

## 12. Suggested Negative Keywords

- careers
- salary
- tutorial
- course
- certification
- exploit kit
- hack account
- social media
- antivirus download
- windows virus scan
- port scan
- network scanner
- free vpn
- cracked software
- torrent
- cheat

## 13. Best 3 Ads to Test First

1. Reddit promoted post: "Dependabot said the PR was fine. The workflow YAML was not."
   - Why: Native to developer/security communities and directly names the gap.
   - CTA: Scan your public GitHub repo free.
2. Google Search: "GitHub Actions Security" plus description "Scan public repos free. Find CI/CD workflow and package-diff risks in seconds."
   - Why: Captures high-intent traffic already searching for the exact problem.
   - CTA: Scan repo free.
3. Meta image/video: "The PR looked safe."
   - Why: Fast story arc, easy to visualize, and clear contrast between known-CVE tools and CI/CD/package-diff risk.
   - CTA: Start a 14-day free trial.

## Compliance Notes

- Do not claim vu1nz prevents every attack, guarantees safety, or replaces Dependabot, CodeQL, Snyk, or Semgrep.
- Prefer wording like "adds a missing layer", "checks patterns other tools often miss", and "use alongside your existing scanners".
- Keep visuals product-led: GitHub PRs, workflow YAML, package diffs, findings, and one-line remediations.