A CLI tool that ingests CI run logs after a supply-chain compromise and produces a per-secret rotation impact map across repos and providers
After a CI supply-chain attack (a compromised action, a poisoned npm package injected into build steps, a malicious runner), the first responder question is always the same: which secrets did each affected run actually touch, and which therefore need to be rotated right now? No tool answers this. GitGuardian detects secrets in code. StepSecurity hardens runners before the attack. Nobody ships a post-incident forensic tool that ingests raw CI run logs from GitHub Actions, GitLab CI, CircleCI, and Buildkite, correlates them against the secret references in each workflow definition, and outputs a prioritized per-secret rotation checklist with blast-radius metadata (which runs, which repos, which environments, which secret managers). This CLI fills that gap. Engineers specify a date range and a list of affected action hashes or package versions; the tool cross-references every run log, resolves secret names to their vault origin (GitHub Secrets, AWS SSM, Doppler, Vault), and emits a JSON and Markdown report that tells the incident commander exactly what to rotate, in what order, with evidence.
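The correlation step described above, as an added illustration rather than the tool's own code: workflow definitions (already parsed from YAML into dicts; a real tool would load them with PyYAML) are scanned for `${{ secrets.NAME }}` references, constructed per-job run records are filtered by date window and by the affected action commits or package versions, and every secret referenced by an affected job is rolled up into a rotation map with origin, environments, repos and run evidence. The repo names, run records, affected identifiers and the secret-to-vault registry are all constructed for the example, and the exposure rule (every secret referenced anywhere in a compromised job counts as exposed, since steps share the runner and job-level environment) is an assumption of this example, stated in the code.

```python
"""Per-secret rotation map from CI run records. Added illustration; not the page's tool."""
import json
import re
from collections import defaultdict
from datetime import datetime

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")

# Constructed registry: secret name -> vault of origin. Unlisted names are
# assumed to live in GitHub Secrets.
SECRET_ORIGINS = {
    "AWS_DEPLOY_KEY": "aws-ssm:/prod/ci/deploy-key",
    "DOPPLER_TOKEN": "doppler:ci-service-token",
}

# Constructed workflows, parsed from YAML into dicts (GitHub Actions shape).
WORKFLOWS = {
    "acme/api-service": {"build.yml": {"jobs": {
        "test": {"steps": [
            {"uses": "actions/checkout@v4"},
            {"uses": "actions/setup-node@v4"},
            {"run": "npm ci && npm test", "env": {"NPM_TOKEN": "${{ secrets.NPM_TOKEN }}"}}]},
        "deploy": {"environment": "production",
                   "env": {"AWS_SECRET_ACCESS_KEY": "${{ secrets.AWS_DEPLOY_KEY }}"},
                   "steps": [
                       {"uses": "actions/checkout@v4"},
                       {"uses": "acme/deploy-action@v2",
                        "with": {"doppler-token": "${{ secrets.DOPPLER_TOKEN }}"}}]}}}},
    "acme/web-frontend": {"ci.yml": {"jobs": {
        "build": {"steps": [
            {"uses": "actions/checkout@v4"},
            {"run": "npm ci && npm run build",
             "env": {"NPM_TOKEN": "${{ secrets.NPM_TOKEN }}",
                     "SENTRY_AUTH_TOKEN": "${{ secrets.SENTRY_AUTH_TOKEN }}"}}]}}}},
}

# Constructed run records, one JSON object per job run, as a collector might
# assemble them from the provider API plus raw step logs. Action refs are the
# commits the runner resolved (as GitHub's "Set up job" log reports them).
RUN_LOGS = """
{"repo":"acme/api-service","run_id":101,"workflow":"build.yml","job":"test","started_at":"2024-05-01T09:00:00Z","steps":[{"uses":"actions/checkout@v4"},{"uses":"actions/setup-node@v4"},{"log":"added 312 packages; evil-pkg@1.2.3"}]}
{"repo":"acme/api-service","run_id":102,"workflow":"build.yml","job":"deploy","started_at":"2024-05-01T09:20:00Z","steps":[{"uses":"actions/checkout@v4"},{"uses":"acme/deploy-action@8f3e1c2"}]}
{"repo":"acme/web-frontend","run_id":201,"workflow":"ci.yml","job":"build","started_at":"2024-05-02T14:00:00Z","steps":[{"uses":"actions/checkout@v4"},{"log":"added 500 packages; evil-pkg@1.2.3"}]}
{"repo":"acme/web-frontend","run_id":202,"workflow":"ci.yml","job":"build","started_at":"2024-04-20T14:00:00Z","steps":[{"uses":"actions/checkout@v4"},{"log":"added 500 packages; evil-pkg@1.2.3"}]}
"""


def extract_secret_refs(obj):
    """Every secrets.NAME referenced anywhere inside a parsed job or step dict."""
    return set(SECRET_REF.findall(json.dumps(obj)))


def parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def affected_steps(run, affected):
    """Indexes of steps that ran a compromised action or pulled a poisoned package."""
    return [i for i, step in enumerate(run["steps"])
            if step.get("uses") in affected
            or any(ident in step.get("log", "") for ident in affected)]


def build_rotation_map(workflows, run_logs, affected, start, end):
    """Return a prioritized list of secrets exposed by affected runs in [start, end]."""
    start_dt, end_dt = parse_ts(start), parse_ts(end)
    exposure = defaultdict(lambda: {"runs": [], "repos": set(), "environments": set()})
    for line in run_logs.strip().splitlines():
        run = json.loads(line)
        if not (start_dt <= parse_ts(run["started_at"]) <= end_dt):
            continue
        hits = affected_steps(run, affected)
        if not hits:
            continue
        job = workflows[run["repo"]][run["workflow"]]["jobs"][run["job"]]
        # Assumption of this example: a malicious step shares the runner and the
        # job-level environment with every other step, so every secret the job
        # references is treated as exposed, not only those passed to the bad step.
        for name in extract_secret_refs(job):
            entry = exposure[name]
            entry["runs"].append({"repo": run["repo"], "run_id": run["run_id"], "job": run["job"],
                                  "evidence": [run["steps"][i] for i in hits]})
            entry["repos"].add(run["repo"])
            if "environment" in job:
                entry["environments"].add(job["environment"])
    report = [{"secret": name, "origin": SECRET_ORIGINS.get(name, "github-secrets"),
               "environments": sorted(e["environments"]), "repos": sorted(e["repos"]),
               "runs": e["runs"]} for name, e in exposure.items()]
    # Priority: production-scoped secrets first, then by number of affected runs.
    report.sort(key=lambda r: (0 if "production" in r["environments"] else 1,
                               -len(r["runs"]), r["secret"]))
    return report


def to_markdown(report):
    lines = ["# Secret rotation checklist", "",
             "| # | Secret | Origin | Environments | Repos | Affected runs |",
             "|---|---|---|---|---|---|"]
    for n, r in enumerate(report, 1):
        runs = ", ".join(f"{x['repo']}#{x['run_id']}" for x in r["runs"])
        lines.append(f"| {n} | {r['secret']} | {r['origin']} | {', '.join(r['environments']) or '-'} "
                     f"| {', '.join(r['repos'])} | {runs} |")
    return "\n".join(lines)


if __name__ == "__main__":
    affected = {"acme/deploy-action@8f3e1c2", "evil-pkg@1.2.3"}  # constructed indicators
    rep = build_rotation_map(WORKFLOWS, RUN_LOGS, affected, "2024-04-28T00:00:00Z", "2024-05-03T00:00:00Z")
    print(json.dumps(rep, indent=2))
    print(to_markdown(rep))
```

Run 202 falls outside the window and is dropped; the remaining three runs yield four secrets, with the production-scoped `AWS_DEPLOY_KEY` and `DOPPLER_TOKEN` ranked ahead of `NPM_TOKEN` even though the latter was exposed in more runs. The `evidence` field on each run is the matched step record, which is what an incident commander needs to justify the rotation order.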