GitHub Actions Security Checker — Scan Workflows for Supply Chain Vulnerabilities
Paste your GitHub Actions workflow YAML. The checker flags the most exploited misconfigurations and supply chain attack vectors: pull_request_target with an untrusted code checkout, missing or overly broad permissions blocks, hardcoded secrets, and action version issues.
The most exploited GitHub Actions misconfigurations
- pull_request_target + checkout (Critical): This is the attack vector behind multiple high-profile CI system compromises. pull_request_target runs with write permissions against the base repo, even for PRs from untrusted forks. When you add actions/checkout, you’re running the attacker’s code with write access to your repository.
- No permissions block (High): Without an explicit permissions: block, some trigger types (like schedule: and pull_request_target) default to write permissions on all scopes. Always declare what you need; permissions: contents: read covers most workflows.
- Secrets in run: steps (High): GitHub masks ${{ secrets.X }} when printed alone, but interpolating it into a curl URL or concatenated string bypasses masking. Always pass secrets as environment variables and reference $ENV_VAR in the shell, not ${{ secrets.X }} directly.
- persist-credentials: true (Medium): This is the default. Checkout writes the GITHUB_TOKEN to git config, and if any subsequent step runs user-supplied code (common in CI), it can use that token to push to your repo. Disable it unless you specifically need git operations post-checkout.
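A minimal line-based checker for the four findings above, added here as an illustration and not the tool's own code: it scans a constructed vulnerable workflow and its hardened counterpart (both sample YAML is made up for this example, and example.invalid is a placeholder host). It works on indentation rather than parsing YAML, so it assumes conventionally indented workflow files.

```python
import re
# Constructed samples, not any real project's workflows (example.invalid is a placeholder
# host): VULNERABLE carries the misconfigurations listed above, HARDENED corrects each.
VULNERABLE = """\
on: pull_request_target
jobs:
  test:
    steps:
      - uses: actions/checkout@v4
      - run: |
          curl -H "Authorization: token ${{ secrets.NPM_TOKEN }}" https://example.invalid/report
"""
HARDENED = """\
on: pull_request
permissions:
  contents: read
jobs:
  test:
    steps:
      - uses: actions/checkout@v4
        with: {persist-credentials: false}
      - env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: curl -H "Authorization: token $NPM_TOKEN" https://example.invalid/report
"""

def secrets_in_run_steps(text):  # yield 1-based numbers of lines interpolating ${{ secrets.* }} in a run: step
    key_col = None
    for n, line in enumerate(text.splitlines(), 1):
        m = re.match(r"^(\s*)(-\s*)?run\s*:(.*)$", line)
        if m:  # a run: key; lines indented past its column are its block scalar
            key_col, body = len(m.group(1)) + len(m.group(2) or ""), m.group(3)
        elif key_col is not None and len(line) - len(line.lstrip()) > key_col:
            body = line
        else:  # back out of the run: block (env: values are deliberately not flagged)
            key_col, body = None, ""
        if "${{ secrets." in body:
            yield n

def scan_workflow(text):  # (severity, message) findings; indentation heuristic, not a YAML parser
    checkout = re.search(r"uses:\s*actions/checkout", text)
    prt = re.search(r"^\s*(on\s*:.*)?\bpull_request_target\b", text, re.M)
    checks = [
        ("Critical", checkout and prt, "pull_request_target + actions/checkout: fork code runs with write access"),
        ("High", not re.search(r"^\s*permissions\s*:", text, re.M), "no permissions: block; trigger default may be write-all"),
        ("Medium", checkout and not re.search(r"persist-credentials\s*:\s*false", text), "persist-credentials left at default true"),
    ]
    findings = [(sev, msg) for sev, hit, msg in checks if hit]
    findings += [("High", f"line {n}: secret interpolated into run: step bypasses masking") for n in secrets_in_run_steps(text)]
    return findings
```

Running scan_workflow on VULNERABLE reports all four findings, while HARDENED produces none because the secret reaches the shell only through env: and $NPM_TOKEN.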
For checking if your action versions are up-to-date, use the GitHub Actions Version Auditor. For Kubernetes and Docker security, see the K8s YAML Security Linter and Docker Compose Security Checker.