defensive.works

$ gha-scan --help

Scan any public GitHub Actions repository for security vulnerabilities.

25 checks across 8 categories. Free, instant, no sign-up.

$ gha-scan --repo

Works with any public GitHub repository. Try: kubernetes/kubernetes, facebook/react

# categories

[supply-chain]   Supply Chain        Unpinned actions, mutable tags, known CVEs

[injection]      Injection           Expression injection in run blocks

[triggers]       Dangerous Triggers  pull_request_target misuse

[permissions]    Permissions         Overly broad GITHUB_TOKEN scope

[secrets]        Secrets Exposure    Leaked secrets in logs and artifacts

[runner]         Runner Security     Self-hosted runner risks

[hygiene]        CI/CD Hygiene       Timeouts, concurrency, error handling

[best-practices] Best Practices      Dependabot, CODEOWNERS

25 checks inspired by real attacks: tj-actions (2025), Trivy (2026), Shai Hulud, GhostAction

No data stored. No sign-up. Open source scanner engine.