ratchet
Description:
Tool for securing CI/CD workflows with version pinning
Type: Formula  |  Tracked Since: Dec 28, 2025
Links: Homepage  |  formulae.brew.sh
Category: Security
Tags: security ci-cd devops supply-chain github-actions
Install: brew install ratchet
About:
Ratchet is a security tool that protects CI/CD pipelines from tag hijacking and version drift by enforcing explicit version pinning. It parses workflow files, resolves each third-party action or container image reference to an immutable identifier (a full commit SHA for Git-hosted actions, a sha256 digest for images), rewrites the reference in place while keeping the original tag in a trailing comment, and can fail a build when an unpinned reference remains. A mutable tag such as v4 can be moved by anyone who controls the upstream repository, so pinning to a SHA significantly reduces the risk of supply chain attacks against automated build and deployment processes. Note the limit of the control: a SHA pin guarantees that the code you reviewed is the code that runs, but it does not vet that commit, and pinned references stop receiving upstream fixes unless an update tool (or ratchet's own update mode) re-pins them.
Key Features:
  • Parses CI/CD configuration files (GitHub Actions, etc.) to find unpinned dependencies
  • Enforces use of immutable references like SHA hashes instead of mutable tags
  • Integrates into CI pipelines to fail builds if pinning requirements aren't met
  • Provides a CLI tool for checking and updating dependency references
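To make the check concrete, here is an added example (not ratchet's code and not from the original page) of the kind of lint ratchet performs in its check mode: walk a GitHub Actions workflow, collect every uses: reference, and report those whose revision is not immutable. The sample workflow and the 40-hex SHA in it are constructed for illustration; the trailing "# ratchet:actions/setup-go@v5" comment mirrors the form ratchet writes when it pins, and "# ratchet:exclude" follows ratchet's opt-out convention. The parser is deliberately line-oriented (no PyYAML) so it runs offline; a production tool would use a real YAML parser.

```python
"""Ratchet-style check for unpinned references in a GitHub Actions workflow.

Added example, not ratchet's own code. Line-oriented (no PyYAML dependency)
so it runs offline; the sample workflow below is constructed for illustration.
"""
import re
import sys
from dataclasses import dataclass

# `uses:` lines, with or without a leading list dash, optional quotes and an
# optional trailing comment. Matches step actions and the job-level `uses:`
# of reusable workflows alike.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)['"]?\s*(#.*)?$""")
# A full 40-hex-digit Git commit SHA; abbreviated SHAs are not accepted.
GIT_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# A container image digest as used in docker://image@sha256:<digest>.
DOCKER_DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
EXCLUDE_MARKER = "ratchet:exclude"  # ratchet's opt-out comment convention


@dataclass
class Finding:
    line: int
    ref: str
    reason: str


def is_pinned(ref: str) -> bool:
    """True when `ref` names an immutable revision.

    Local actions (./path) have no upstream and need no pin. Container
    images must carry a sha256 digest; Git-hosted actions must use a full
    commit SHA. Tags (v4), branches (main) and short SHAs are mutable or
    ambiguous and count as unpinned.
    """
    if ref.startswith("./"):
        return True
    if ref.startswith("docker://"):
        image = ref[len("docker://"):]
        if "@" not in image:
            return False
        return bool(DOCKER_DIGEST_RE.match(image.rsplit("@", 1)[1]))
    _, sep, revision = ref.rpartition("@")
    return bool(sep) and bool(GIT_SHA_RE.match(revision))


def check_workflow(text: str) -> list[Finding]:
    """Return one Finding per unpinned `uses:` reference, in file order."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2) or ""
        if EXCLUDE_MARKER in comment:
            continue  # explicitly opted out, as ratchet allows
        if not is_pinned(ref):
            findings.append(Finding(lineno, ref,
                                    "mutable reference; pin to a full commit SHA or digest"))
    return findings


# Constructed sample workflow: the 40-hex SHA is a made-up placeholder,
# not a real actions/setup-go commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # ratchet:actions/setup-go@v5
      - uses: ./.github/actions/local-build
      - uses: docker://alpine:3.19
      - uses: some-org/internal-action@main # ratchet:exclude
      - uses: actions/cache@abcdef1
"""


def main() -> int:
    """Print findings like a linter; a non-zero exit fails the CI job."""
    findings = check_workflow(SAMPLE_WORKFLOW)
    for f in findings:
        print(f"workflow.yml:{f.line}: {f.ref}: {f.reason}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run as a CI step, the non-zero exit code is what turns the pinning policy into a build gate. On the constructed workflow it reports the v4 tag, the untagged-by-digest alpine image and the 7-character cache SHA, and accepts the full-SHA setup-go pin, the local action and the explicitly excluded line. Unlike ratchet, this example only reports; it does not resolve a tag to its current SHA or rewrite the file, and a SHA pin it accepts says nothing about whether that commit is trustworthy.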
Use Cases:
  • Securing GitHub Actions workflows against malicious version updates
  • Compliance auditing for software supply chain security standards
  • Preventing accidental breakage from upstream dependency changes
Alternatives:
  • Dependabot – proactively updates dependencies, including SHA-pinned actions when the pin carries a version comment, but does not refuse unpinned ones; Ratchet enforces the pin, so the two complement each other
  • Renovate – automates dependency updates and can pin action digests, whereas Ratchet is primarily a security enforcement tool that fails a build on unpinned references
Version History
Detected Version Rev Change Commit
Oct 9, 2025 8:06pm 0 VERSION_BUMP 65cd816d
Sep 14, 2024 1:12am 0 VERSION_BUMP b6689410