drop ghcr audit export · parse package + actor + download/push · runs locally
drop ghcr audit export · local only
heuristic screener · vendor schema varies · not definitive proof