# vu1nz Starter Ad Creative Pack

## 1. Campaign Summary

Product: vu1nz, a developer/security tool for finding CI/CD workflow and package supply-chain risks before they merge.

Primary CTA: Scan your public GitHub repo free.

Secondary CTA: Start a 14-day free trial.

Positioning: Dependabot, CodeQL, Snyk, and Semgrep are useful layers. vu1nz adds a focused CI/CD and package-diff layer for risky workflow YAML, unsafe pull request triggers, suspicious new packages, typosquats, install scripts, and supply-chain changes that may not have a CVE yet.

Core offer:

- Free public repo scanner with no signup.
- GitHub App install for teams.
- 17 CI/CD workflow checks.
- Package sweep across npm, pip, cargo, gem, Go, and Composer.
- PR comments during code review.
- 14-day free trial.
- MIT-licensed self-hosted CLI option.

## 2. Target Audience

- Software engineers who review GitHub Actions changes.
- DevOps and platform engineers responsible for CI/CD guardrails.
- Security engineers covering supply-chain risk.
- CTOs and technical founders at GitHub-heavy teams.
- Open-source maintainers who need lightweight checks before merge.

Pain points:

- Unpinned GitHub Actions (references to mutable tags or branches instead of commit SHAs).
- Risky `pull_request_target` workflows that check out and run code from untrusted pull requests while holding repository secrets.
- Secrets interpolated into shell commands or leaked into CI logs.
- Malicious or suspicious package additions.
- Typosquatting and package install scripts that execute at install time.
- Security tooling that misses workflow YAML and package-diff risk.

## 3. Messaging Pillars

1. Breach prevention: Your application code may not be where the breach starts. The CI/CD pipeline might be.
2. Developer utility: Paste a public GitHub repo and get findings in seconds.
3. Competitive gap: Dependabot covers known dependency CVEs. CodeQL covers application code. vu1nz focuses on the CI/CD and package supply-chain layer.
4. Fast install: install the GitHub App or add the GitHub Action, and findings show up as PR comments during review.
5. Open-source trust: MIT-licensed CLI, auditable, forkable, and practical for teams that ship.

## 4. Meta Ads

### Primary Text Variations

1. Your GitHub Actions can ship risk even when your app code looks clean. vu1nz scans CI/CD workflow patterns and newly added packages before they merge. Try the free public repo scanner.

2. Dependabot and CodeQL are useful, but they do not cover every CI/CD and package-diff risk. vu1nz adds a focused supply-chain layer for GitHub-heavy teams. Scan a public repo free.

3. Catch risky workflow YAML, unpinned actions, dangerous PR triggers, suspicious package additions, and install-script surprises during code review. Start with a free scan.

### Headline Variations

1. Find CI/CD Risk Before Merge
2. Scan GitHub Actions in Seconds
3. Add a Supply-Chain Security Layer

### Description Variations

1. Free public repo scan. No signup required.
2. 17 CI/CD checks plus package-diff scanning.
3. Use alongside Dependabot, CodeQL, Snyk, and Semgrep.

### Image Ad Concepts

1. Split-screen PR review:
   - Left: a pull request with “No app-code alerts.”
   - Right: vu1nz PR comment highlighting an unpinned action and risky workflow trigger.
   - Overlay text: “App code clean? Check the pipeline.”
   - Formats: 1080x1080, 1080x1350, 1200x628.

2. CI/CD attack path map:
   - Visual: repo -> workflow YAML -> dependency diff -> PR comment.
   - Highlight nodes: “Unpinned action,” “Install script,” “New package,” “Secrets in run.”
   - Overlay text: “Scan the layer other tools often miss.”
   - Formats: 1080x1080, 1080x1350, 1200x628.

### Short Video Ad Concept / Script

Length: 15 seconds.

Scene 1, 0-3s: GitHub PR opens. Text: “The app code looks fine.”

Scene 2, 3-7s: Workflow YAML appears with an action pinned to a mutable tag instead of a commit SHA. Text: “But CI/CD can be the attack path.”

Scene 3, 7-11s: vu1nz posts a PR finding. Text: “17 CI/CD checks + package-diff scan.”

Scene 4, 11-15s: Public repo scanner screen. Text: “Scan your public GitHub repo free.”

## 5. Reddit Ads

### Promoted Post Titles

1. I built a scanner for the GitHub Actions risks Dependabot does not cover
2. Your PR can be clean while your CI/CD pipeline is not
3. Free scanner for risky GitHub Actions and suspicious package diffs

### Body Copy Variations

1. Dependabot is good at known CVEs. CodeQL is good at app code. vu1nz is focused on workflow YAML and package-diff risks: unpinned actions, risky PR triggers, secrets in shell commands, typosquats, suspicious install scripts, and new packages with no CVE yet. Paste a public repo and get findings without signup.

2. If you review GitHub Actions changes, this is meant for you. vu1nz scans CI/CD workflow patterns and newly added npm, pip, cargo, gem, Go, and Composer packages, then turns findings into PR-review comments. Free public repo scanner; 14-day team trial.

3. CI/CD security is easy to under-scan because the risky part often lives outside app code. vu1nz adds a lightweight layer for GitHub Actions and package supply-chain changes. It is not a replacement for Dependabot or CodeQL; it is a complementary check.

### Reddit-Native / Comment-Style Angles

1. “Most dependency tools are CVE-first. That leaves a gap for brand-new packages, install scripts, and workflow YAML changes. This scanner is built for that gap.”

2. “The thing I would test first: paste your most active public repo, check the workflow findings, then decide if you want PR comments in CI.”

### Image Ad Concepts

1. Terminal-style finding list:
   - Background: dark terminal.
   - Findings: “HIGH: unpinned action,” “MEDIUM: pull_request_target,” “INFO: new package with install script.”
   - Copy: “Security review for the CI/CD layer.”

2. Meme-adjacent developer diagram:
   - Three columns: “Dependabot: known CVEs,” “CodeQL: app code,” “vu1nz: CI/CD + package diff.”
   - Keep it plain, not corporate.

### Short Video / GIF Concept

Loop:

1. User pastes `owner/repo`.
2. Scan runs.
3. Findings appear in a PR comment.
4. Loop text: “Free public repo scan. No signup.”

## 6. Google Search Ads

### Short Headlines

1. GitHub Actions Scanner
2. CI/CD Security Scanner
3. Supply Chain PR Checks
4. Scan Workflow YAML
5. Find Risky GitHub Actions
6. Package Diff Security
7. Free Public Repo Scan
8. PR Security Comments
9. Dependabot Gap Coverage
10. CI/CD Risk Before Merge

### Long Headlines

1. Scan GitHub Actions and Package Diffs Before They Merge
2. Add CI/CD Supply-Chain Checks Alongside Dependabot and CodeQL
3. Find Risky Workflow YAML and Suspicious Package Additions Fast
4. Free Public Repo Scanner for GitHub Actions Security Findings

### Descriptions

1. vu1nz scans CI/CD workflow patterns and new package additions in PRs. Start with a free public repo scan.
2. 17 CI/CD checks plus npm, pip, cargo, gem, Go, and Composer package-diff scanning.
3. Use alongside Dependabot, CodeQL, Snyk, and Semgrep to cover the CI/CD supply-chain layer.
4. Catch unpinned actions, risky PR workflows, secrets in shell commands, and suspicious package changes.
5. GitHub App install, PR comments, 14-day free trial, and MIT-licensed CLI option.
6. No signup needed for public repo scans. Paste `owner/repo` and inspect findings in seconds.

### Suggested Keywords

- github actions security scanner
- github workflow security
- ci cd security scanner
- ci/cd vulnerability scanner
- package supply chain security
- npm malware scanner
- dependency typosquat scanner
- pull request security scanner
- github actions vulnerabilities
- dependabot alternative
- dependabot gaps
- codeql ci/cd security
- supply chain attack scanner
- package diff scanner

### Suggested Negative Keywords

- jobs
- salary
- tutorial only
- free course
- pdf
- cracked
- torrent
- antivirus download
- package delivery
- supply chain management logistics
- ci cd interview questions
- github actions jobs

## 7. Google Display Ads

### Headline / Body Combinations

1. Headline: Your Pipeline Can Be the Attack Path
   Body: Scan GitHub Actions and package diffs before they merge.

2. Headline: Add a CI/CD Security Layer
   Body: 17 workflow checks plus package supply-chain scanning for PRs.

3. Headline: Free Public Repo Scan
   Body: Paste a GitHub repo and see workflow findings in seconds.

### Banner Concepts

1. 300x250 / 336x280:
   - Visual: PR comment card with “vu1nz caught: unpinned action.”
   - Copy: “Find CI/CD risk before merge.”
   - CTA: “Scan free.”

2. 728x90 / 970x250:
   - Visual: horizontal layer model: Dependabot -> CodeQL -> vu1nz.
   - Copy: “Known CVEs. App code. CI/CD supply chain. Cover the missing layer.”
   - CTA: “Scan your repo.”

## 8. YouTube / Video Concepts

### YouTube Shorts / Vertical Video

Length: 20 seconds.

Hook: “Your PR can pass security checks and still ship a risky workflow.”

Flow:

1. Show a PR with a workflow file change.
2. Zoom into an unpinned action or risky PR trigger.
3. Show vu1nz finding the issue.
4. Show free scanner CTA.

On-screen text:

- “App code is not the whole attack surface.”
- “Scan workflow YAML.”
- “Check new package additions.”
- “Scan your public GitHub repo free.”

### 15-Second Pre-Roll Script

0-4s: “Dependabot checks known CVEs. CodeQL checks app code.”

4-8s: “But CI/CD workflows and package diffs can still introduce supply-chain risk.”

8-12s: “vu1nz scans GitHub Actions and new package additions before merge.”

12-15s: “Paste a public repo and scan free at vu1nz.com.”

## 9. Image Creative Briefs

### Creative A: PR Comment Proof

Goal: Make vu1nz feel concrete and developer-native.

Composition:

- GitHub-like PR card with neutral styling.
- One highlighted finding.
- Small code snippet from workflow YAML.
- CTA strip at bottom.

Copy:

- “Find CI/CD vulnerabilities in review.”
- “Scan your public GitHub repo free.”

### Creative B: Security Layer Diagram

Goal: Explain complementarity without attacking other tools.

Composition:

- Three stack layers:
  - Dependabot: known dependency CVEs.
  - CodeQL: application code.
  - vu1nz: CI/CD workflows + package diffs.
- Use checkmarks for “use together.”

Copy:

- “Add the CI/CD supply-chain layer.”

### Creative C: Fast Utility

Goal: Drive trial through the no-signup scanner.

Composition:

- Large input box: `owner/repo`.
- Findings count card.
- “No signup” badge.

Copy:

- “Paste repo. Get findings. Decide fast.”

## 10. Recommended Ad Sizes

Meta:

- 1080x1080 square.
- 1080x1350 portrait.
- 1200x628 landscape.

Google Display:

- 300x250.
- 336x280.
- 728x90.
- 970x250.
- 160x600.
- 300x600.
- 320x50.
- 320x100.

Video:

- 9:16 vertical.
- 1:1 square.
- 16:9 landscape.

## 11. Suggested Keywords

- GitHub Actions security scanner
- CI/CD security scanner
- Workflow YAML security
- Pull request security scanner
- Package supply-chain scanner
- npm malware scanner
- PyPI malware scanner
- Cargo package security
- Dependency diff scanner
- Dependabot gaps
- CodeQL supply chain
- GitHub App security scanner
- PR comment security scanner
- Typosquatting scanner
- Install script malware detection

## 12. Suggested Negative Keywords

- logistics
- warehouse
- shipping
- course
- certification
- jobs
- resume
- interview
- pdf
- cracked
- torrent
- antivirus
- windows defender
- package tracking
- ci cd tutorial
- github actions tutorial

## 13. Best 3 Ads to Test First

1. Reddit promoted post:
   - Title: “Your PR can be clean while your CI/CD pipeline is not”
   - Body: Use the complementary-tool framing and free public repo scanner CTA.
   - Why: Developer/security audience will understand the gap quickly.

2. Google Search:
   - Headline: “GitHub Actions Scanner”
   - Description: “Scan CI/CD workflow patterns and new package additions before they merge. Free public repo scan.”
   - Why: High-intent query match.

3. Meta / Display:
   - Creative: PR comment proof.
   - Headline: “Find CI/CD Risk Before Merge”
   - CTA: “Scan free.”
   - Why: Makes the product output concrete in one glance.
