The linked tool can be used to scan your CI/CD workflows for potential security issues and suboptimal defaults if they are based on GitHub Actions.
For example, it warns you about:

- string interpolations that may expand into attacker-controllable code
- suboptimal defaults, e.g. `persist-credentials: true` for the checkout action
- actions that are pinned to a tag instead of a git SHA
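To make the three warning classes concrete, here is an added example (not the linked tool's code and not from the original card): a small line-based checker that flags the same three patterns in a constructed workflow, next to a hardened version of that workflow that passes clean. The sample workflows, the 40-character SHA placeholders and the list of attacker-controllable contexts are all constructed for illustration; a real audit tool parses the YAML properly and knows many more contexts.

```python
import re

# Constructed sample workflow (not from the page). It shows all three problems:
# a tag-pinned checkout with the default persist-credentials, a run step that
# interpolates a PR title directly into shell, and a tag-pinned setup action.
VULNERABLE = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Greet
        run: |
          echo "Reviewing: ${{ github.event.pull_request.title }}"
      - uses: actions/setup-node@v4
        with:
          node-version: 20
"""

# Hardened counterpart. The SHAs are constructed placeholders, not real commits.
HARDENED = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
        with:
          persist-credentials: false
      - name: Greet
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "Reviewing: $PR_TITLE"
      - uses: actions/setup-node@89abcdef0123456789abcdef0123456789abcdef  # placeholder SHA
        with:
          node-version: 20
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.M)
EXPR_RE = re.compile(r"\$\{\{\s*([^}]+?)\s*\}\}")
# Illustrative (not exhaustive) set of contexts an outside contributor controls.
UNTRUSTED = (
    "github.event.pull_request.title", "github.event.pull_request.body",
    "github.event.pull_request.head.ref", "github.event.issue.title",
    "github.event.issue.body", "github.event.comment.body", "github.head_ref",
)


def split_steps(text):
    """Group the lines of every `steps:` list into one list of lines per step."""
    steps, current, in_steps, step_indent = [], [], False, None
    for line in text.splitlines():
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if not in_steps:
            if stripped.startswith("steps:"):
                in_steps, step_indent = True, None
            continue
        if not stripped:
            continue
        is_item = stripped.startswith("- ")
        if step_indent is None:
            step_indent = indent  # the first item fixes the list's indentation
        if indent < step_indent or (indent == step_indent and not is_item):
            in_steps = False  # dedent: we left the steps list
            if current:
                steps.append(current)
            current = []
            continue
        if is_item and indent == step_indent:
            if current:
                steps.append(current)
            current = [line]
        else:
            current.append(line)
    if current:
        steps.append(current)
    return steps


def run_script(step):
    """Return the text of a step's `run:` value (inline or block scalar), or ''."""
    out, key_indent = [], None
    for line in step:
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if key_indent is None:
            if re.match(r"^(-\s+)?run:", stripped):
                key_indent = indent + 2 if stripped.startswith("- ") else indent
                out.append(stripped.split("run:", 1)[1])
        elif indent > key_indent:
            out.append(stripped)  # continuation line of the block scalar
        else:
            break
    return "\n".join(out)


def audit(text):
    """Return (step_number, finding, detail) tuples for the three warning classes."""
    findings = []
    for number, step in enumerate(split_steps(text), 1):
        body = "\n".join(step)
        m = USES_RE.search(body)
        if m and not m.group(1).startswith(("./", "docker://")):
            action, _, ref = m.group(1).partition("@")
            if not SHA_RE.match(ref):
                findings.append((number, "unpinned-action", m.group(1)))
            if action.startswith("actions/checkout") and \
                    not re.search(r"persist-credentials:\s*false", body):
                findings.append((number, "persist-credentials", "defaults to true"))
        for expr in EXPR_RE.findall(run_script(step)):
            if expr.startswith(UNTRUSTED):
                findings.append((number, "template-injection", expr))
    return findings


if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, audit(wf))
```

The hardened version fixes each finding the way the warnings suggest: the untrusted value is passed through an `env:` entry and read as a shell variable, so the expression is never spliced into the script text; `persist-credentials: false` stops the checkout from leaving the token in `.git/config`; and both actions are pinned to a full commit SHA, so a moved tag cannot change what runs.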
Some of the warnings can be auto-fixed. The tool comes with its own CI integration action.
Posted by Michael Leimstädtner to makandra dev (2025-10-06 08:28)