# vu1nz Starter Ad Creative Pack

Prepared for the ugig.net test gig: "Create High-Quality Ads for vu1nz.com - Meta, Reddit, Google Ads."

## 1. Campaign Summary

vu1nz helps engineering and security teams scan GitHub Actions workflows and package dependency changes before risky CI/CD or supply-chain patterns reach production.

The campaign should position vu1nz as a practical extra layer alongside Dependabot, CodeQL, Snyk, and Semgrep: fast to try, useful for public repo scans, and designed for the CI/CD and package-diff layer that many teams do not review deeply.

Primary CTA: Scan your public GitHub repo free.

Secondary CTA: Start a 14-day free trial.

## 2. Target Audience

- Software engineers who own GitHub Actions workflows.
- DevOps and platform engineers maintaining CI/CD templates.
- AppSec engineers reviewing pull requests and dependency changes.
- CTOs and technical founders who want lightweight supply-chain visibility.
- Open-source maintainers who accept external PRs and need safer workflows.

## 3. Messaging Pillars

1. Breach prevention: Your app code may not be where the breach starts. Your CI/CD pipeline might be.
2. Developer utility: Paste a public GitHub repo and get CI/CD findings in seconds.
3. Competitive gap: Dependabot scans known CVEs. CodeQL scans app code. vu1nz scans CI/CD and package supply-chain risk.
4. Fast install: One GitHub App install. No workflow YAML or secrets to manage.
5. Open-source trust: MIT-licensed, auditable, forkable, and built for teams that ship.

## 4. Meta Ads

### Primary Text Variations

1. Your CI/CD workflow can become part of the attack surface. vu1nz scans GitHub Actions and package changes for risky patterns before they merge. Scan a public repo free.
2. Dependabot and CodeQL are useful, but they do not cover every CI/CD and package supply-chain risk. vu1nz adds a focused review layer for GitHub-heavy teams.
3. Shipping fast should not mean ignoring workflow security. Install the vu1nz GitHub App and get PR checks for CI/CD findings and suspicious package changes.

### Headline Variations

1. Scan CI/CD Risk in Seconds
2. Add a Missing Supply-Chain Layer
3. GitHub Actions Security Checks

### Description Variations

1. Free public repo scan. 14-day trial for teams.
2. CI/CD checks, package sweeps, and PR comments.
3. MIT-licensed scanner built for GitHub workflows.

### Image Ad Concepts

1. "The Hidden Layer"

   Visual: Split-screen pull request. Left side shows app code marked clean. Right side zooms into `.github/workflows` with risk markers.

   Copy overlay: "Your app code passed. Did your pipeline?"

2. "One Install, Every PR"

   Visual: GitHub App install button flowing into a PR check run card with "CI/CD findings: 3".

   Copy overlay: "One GitHub App. CI/CD checks on every PR."

### Short Video Concept

Format: 15-second square or vertical.

Script:

- 0-3s: "A clean PR can still carry CI/CD risk."
- 3-7s: Show workflow YAML with unpinned action and permissive token warning.
- 7-11s: Show vu1nz scan result and PR check.
- 11-15s: "Scan your public GitHub repo free. Add vu1nz before the next merge."

## 5. Reddit Ads

### Promoted Post Titles

1. I checked our app code, then found the risky part in `.github/workflows`
2. Dependabot saw the package. It did not review the CI/CD path.
3. Free public repo scan for GitHub Actions and package supply-chain risk

### Body Copy Variations

1. If your team reviews app code but skims GitHub Actions YAML, vu1nz is built for that gap. Paste a public repo and get CI/CD findings quickly. Install the GitHub App when you want PR checks.
2. CI/CD supply-chain issues often hide in workflow permissions, PR triggers, unpinned actions, and package changes. vu1nz scans that layer and comments during review.
3. We use Dependabot and CodeQL too. vu1nz is not a replacement. It is a focused extra scanner for GitHub Actions and package-diff risks that traditional tools may miss.

### Reddit-Native Angles

1. "What I wish we checked before merging external PRs"

   Tone: practical AppSec checklist. Lead with `pull_request_target`, permissions, action pinning, install scripts, and suspicious package changes.

2. "Small tool, specific job"

   Tone: founder/open-source maintainer note. Make it clear vu1nz is not claiming to solve all security, only the CI/CD and package supply-chain review layer.

### Reddit Image Concepts

1. A terminal-style checklist:

   - Unpinned action
   - Broad workflow permissions
   - Suspicious install script
   - New package risk

   Footer: "Scan the layer your code review skips."

2. A PR comment mockup:

   - "vu1nz found 2 CI/CD risks"
   - "Workflow token permission is broad"
   - "New dependency has risky install behavior"

   Footer: "Findings before merge."

### Short GIF Concept

Loop:

1. Paste `owner/repo`.
2. "Scanning workflows..."
3. Findings card appears.
4. CTA: "Scan your public GitHub repo free."

## 6. Google Search Ads

### Short Headlines

1. GitHub Actions Scanner
2. CI/CD Security Scanner
3. Scan Public Repos Free
4. Find Workflow Risks
5. Supply Chain PR Checks
6. Package Diff Scanner
7. Secure GitHub Actions
8. PR Security Comments
9. Add CI/CD Visibility
10. 14-Day Trial

### Long Headlines

1. Scan GitHub Actions and Package Supply-Chain Risk Before Merge
2. Add a Focused CI/CD Security Layer Alongside Dependabot and CodeQL
3. Free Public Repo Scan for GitHub Workflow and Package Findings
4. Install the GitHub App and Get CI/CD Checks on Pull Requests

### Descriptions

1. Find risky GitHub Actions patterns and package changes before they merge. Scan a public repo free.
2. vu1nz adds CI/CD and package supply-chain checks alongside your existing security tools.
3. Install the GitHub App once and get PR check runs for workflow and dependency findings.
4. Built for developers, DevOps, AppSec, founders, and open-source maintainers.
5. MIT-licensed and auditable. Try a free public repo scan or start a 14-day trial.
6. Review the pipeline layer: workflow permissions, PR triggers, action pinning, and package risk.

## 7. Google Display Ads

### Display Headline/Body Combinations

1. Headline: Your Pipeline Is Code Too

   Body: Scan GitHub Actions and package changes for CI/CD supply-chain risk.

2. Headline: PR Checks for CI/CD Risk

   Body: Install vu1nz and catch workflow findings before merge.

3. Headline: Dependabot Is Not the Whole Story

   Body: Add a focused layer for workflow YAML and package-diff review.

### Banner Concepts

1. 728x90 / 970x250:

   Layout: Left: "Your app code passed." Right: "Your workflow needs review." CTA button: "Scan Free".

2. 300x250 / 300x600:

   Layout: Vertical checklist with four items: Actions, permissions, packages, PR comments. CTA: "Scan a public repo."

## 8. YouTube / Video Concepts

### YouTube Shorts / Vertical Video

Hook: "The breach might not be in your app code."

Script:

- Shot 1: PR diff looks clean.
- Shot 2: Camera jumps to `.github/workflows/deploy.yml`.
- Shot 3: Warning callouts: unpinned action, broad token, package install script.
- Shot 4: vu1nz scan result appears.
- Shot 5: "Scan your public GitHub repo free."

### 15-Second Pre-Roll

Voiceover: "Your code scanner checks app code. Dependabot checks known CVEs. But your CI/CD pipeline can still carry risk. vu1nz scans GitHub Actions and package changes before they merge. Try a free public repo scan, or install the GitHub App for PR checks."

On-screen CTA: Scan your public GitHub repo free.

## 9. Image Creative Briefs

1. PR Security Comment Brief

   Create a clean GitHub-style pull request screen. A vu1nz check run card lists two findings: "Workflow permissions too broad" and "New package install script." Use restrained security colors: white, graphite, green status accents, amber warning markers. Avoid fear graphics.

2. Supply-Chain Layer Brief

   Show a stack diagram: App Code, Dependencies, CI/CD Workflow, Package Install Scripts. Highlight the CI/CD and package layers as "often skipped in review." CTA at bottom: "Add vu1nz before merge."

3. Open-Source Trust Brief

   Show a GitHub App install card beside "MIT licensed" and "public repo scan" badges. Make it feel developer-native, not enterprise stock art.

## 10. Recommended Ad Sizes

- Meta feed: 1080x1080, 1080x1350, 1200x628.
- Reddit image: 1200x628, 1080x1080.
- Google Display: 300x250, 336x280, 728x90, 970x250, 160x600, 300x600, 320x50, 320x100.
- YouTube/Shorts: 9:16 vertical, 1:1 square, 16:9 landscape.

## 11. Suggested Keywords

- github actions security
- ci/cd security scanner
- github workflow security
- supply chain security scanner
- package supply chain security
- npm malware scanner
- pull request security checks
- dependabot alternatives
- codeql complement
- github app security scanner
- github actions permissions
- pull_request_target security
- package diff scanner
- devsecops github actions

## 12. Suggested Negative Keywords

- free certification
- training course
- jobs
- salary
- pdf
- tutorial only
- jenkins only
- azure devops only
- gitlab only
- unrelated supply chain logistics
- warehouse
- procurement

## 13. Best 3 Ads to Test First

1. Google Search: "GitHub Actions Scanner"

   Why: High-intent searchers already know the workflow layer needs tooling.

2. Reddit promoted post: "Dependabot saw the package. It did not review the CI/CD path."

   Why: Speaks directly to developer/security communities without sounding like generic SaaS copy.

3. Meta/Display: "Your Pipeline Is Code Too"

   Why: Simple mental model, memorable, and useful for founders or engineering managers who are not deep in CI/CD details.