Every contribution below is a merged pull request authored by @arpitjain099 on a public repo. The bulk of recent work has been least-privilege CI hardening — quiet, mechanical, cross-cutting security fixes that ship to every downstream consumer the moment they're merged. Mixed in are substantive code, documentation, and security-disclosure contributions to the orgs people recognise.
After Codecov (2021) and SolarWinds (2020), unrestricted GitHub Actions token scope became a known supply-chain attack vector — a compromised dependency can exfiltrate secrets or push malicious commits whenever the workflow's GITHUB_TOKEN has unscoped write access. I built a scanner that finds public workflows missing an explicit permissions: declaration, and I ship hardening PRs to the orgs I depend on most. The recurring pattern below — "declare contents: read on N workflows" — is the same systematic supply-chain work applied across hundreds of repos.
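An added illustration of the check described above (not the author's scanner, which is not shown on this page): a small Python audit that walks a workflow file by indentation and reports jobs whose GITHUB_TOKEN still inherits the repository default scope because neither the workflow nor the job declares permissions:. The sample workflows are constructed; the code assumes GitHub's usual two-space YAML layout and uses no YAML library.

```python
# Constructed sample workflows (not taken from any real repository).
UNSCOPED = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
"""
# Same workflow with the top-level declaration the hardening PRs add.
HARDENED = UNSCOPED.replace("jobs:", "permissions:\n  contents: read\njobs:")
# Only one of two jobs is scoped, at job level; the other inherits defaults.
PARTIAL = """\
on: push
jobs:
  test:
    permissions:
      contents: read
  publish:
    runs-on: ubuntu-latest
"""

def audit_workflow(text: str) -> dict:
    """Indentation-based walk: is there a top-level permissions: key, and does each job declare its own?"""
    top_level, in_jobs, current = False, False, None
    job_indent = child_indent = None
    jobs: dict = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # skip blank lines and comments
        ind = len(raw) - len(raw.lstrip(" "))
        key = raw.strip().split(":", 1)[0]
        if ind == 0:                      # top-level key (name, on, permissions, jobs, ...)
            in_jobs, current = key == "jobs", None
            top_level = top_level or key == "permissions"
        elif in_jobs:
            job_indent = job_indent or ind            # indent of job names under jobs:
            if ind == job_indent:                     # a new job; scoped until proven otherwise
                current, child_indent = key, None
                jobs[current] = False
            elif current is not None:
                child_indent = child_indent or ind    # indent of the job's own keys
                if ind == child_indent and key == "permissions":
                    jobs[current] = True
    return {"top_level": top_level, "jobs": jobs}

def unscoped_jobs(text: str) -> list:
    # A top-level block scopes every job; otherwise each job needs its own.
    result = audit_workflow(text)
    return [] if result["top_level"] else [j for j, ok in result["jobs"].items() if not ok]
```

A job-level block overrides the top-level one, so a workflow that declares contents: read at the top can still grant a specific job more; this audit only reports the missing-declaration case the text describes.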
The foundation behind Kafka, Airflow, Tomcat, Beam, Superset, Arrow and a long tail of infrastructure projects that power the modern data and web stack. CI security hardening (least-privilege workflow permissions) plus correctness fixes across docs and code.
The container orchestrator that runs most of cloud-native production, plus its sister kubernetes-sigs organisation that holds cluster-api, controller-runtime, CSI drivers and conformance tooling. One upstream Kubernetes fix repaired a silently broken build-system regex; the rest are CI security hardening across the SIG repos.
Across the Google and GoogleCloudPlatform GitHub organisations: Perfetto (Android-wide tracing), gVisor (sandbox runtime), OSV-Scalibr (vulnerability scanning), oss-fuzz, oss-rebuild, Crubit (C++/Rust interop), Android Cuttlefish, plus the GCP foundation modules and gcsfuse.
The combined Microsoft estate on GitHub. Highlights: a substantive PR to Azure/azure-quickstart-templates that reverse-engineered an undocumented endpoint to add Azure Monitor observability; multiple documentation corrections at MicrosoftDocs/azure-docs (one of the most-trafficked technical doc estates on the web); CI hardening across Aspire, FLAML, copilot-for-eclipse and the Azure TypeSpec project.
The columnar OLAP database that powers a huge slice of modern analytics workloads. CI workflow permission hardening across docs, the C++ client (across Linux / macOS / Windows MSVC / MinGW workflows), the .NET / EF Core integration, the official Terraform provider, and the Postgres FDW.
One major JavaScript framework; eight merged contributions across the whole ecosystem — core, Pinia (state), Router, Test Utils, Create-Vue, the ESLint TypeScript config, and the new JSX-Vapor.
The de-facto linter for the JavaScript ecosystem. Seven merged PRs across the core (js), the website, the JSON and markdown plugins, eslintrc, the config-inspector, and the rewrite repo — least-privilege workflow permissions for the linting rules that essentially every JS CI in the world runs.
The Julia programming language and its core standard-library packages — widely used in scientific computing and high-performance numerics. Workflow permission hardening across Pkg.jl, Downloads.jl, BumpStdlibs.jl, JuliaC.jl, the version manager and the language website.
The de-facto open-source monitoring & alerting stack — runs in basically every modern observability pipeline. Workflow hardening across client_golang, jmx_exporter, statsd_exporter, compliance and proposals.
The cluster of foundations and projects that make up cloud-native production: the OCI runtime (containerd), the original container engine (Docker / Moby), the CNCF org itself, and Grafana dashboards. Workflow permission hardening across all of them.
Meta's AI research GitHub organisation. CI hardening across spdl (synthetic data pipelines), exca, prompt-siren, ProgramBench and SustainableConcrete.
The document-oriented database used at the largest scale across the modern web. Five merged contributions to the OpenAPI repo — capping GITHUB_TOKEN scope across the changelog, semantic-commit, IPA, version-reminder and report workflows.
The U.S. federal agency that authors the SSDF, OSCAL, CSF and the rest of the canon downstream cybersecurity guidance is built on. Improvements to OSCAL (the compliance-as-code framework), the macOS security baseline tooling, and the FiPy scientific solver.
The Elasticsearch + observability stack. CI hardening across the Node.js APM agent, docs-actions, ECS (the schema), and the elastic-agent itself.
The default deep-learning framework powering most modern ML research and a substantial portion of production inference. Workflow security hardening across helion, torchtitan, tensordict and the devlogs site.
The reactive web framework. CI hardening across the ESLint plugin and the Svelte ESLint parser.
NVIDIA's GitHub organisation — the hardware org that runs the modern AI stack. CI hardening across NVIDIA repos.
The AWS GitHub organisation hosts both the official SDKs and many of the security primitives (like aws-lc) the broader cloud ecosystem depends on.
Cloudflare's GitHub organisation — the edge network that handles a meaningful slice of all internet traffic.
Block (Square)'s GitHub organisation. CI hardening on Blueprint (Swift), okhttp (the dominant Java HTTP client) and Wire (gRPC for Kotlin/Swift).
The Open Worldwide Application Security Project — the foundation behind the OWASP Top 10 and the broader app-security canon.
The InfluxDB time-series database ecosystem. CI hardening across telegraf (the agent), chronograf (the UI), and the docs.
Aqua maintains Trivy, the de-facto open-source vulnerability scanner for containers, IaC, and code. Contributions into trivy-checks improve the rules every Trivy user inherits.
NASA's flight-software framework (used on actual spacecraft) and USA.gov's public services portal. Documentation and security fixes shipped into codebases that quietly power U.S. government operations.
One- and two-PR contributions across orgs people recognise: OpenAI, Apple, HuggingFace, Adobe, Uber, Shopify, Stripe, CockroachDB, LLVM, .NET, Redis, Ruby, Node.js, Rust, Vite, Prettier, JetBrains, Rapid7 (Metasploit), Splunk OCSF and more. Every entry below is a real merged pull request — click through to read the diff.
The original work — tools I started because the gap was annoying me, not because anyone asked. A few are slowly finding users; one is the seed of the larger toolkit I'm building now.
Acknowledged for responsible-disclosure security reports across these projects.