Is your GitHub Actions pipeline secure?
Scan any public repository for 25 security checks across 8 categories. Get a detailed report with specific remediation steps. Free, instant, no sign-up required.
What we check
Supply Chain: unpinned actions, mutable tags, known CVEs
Injection: expression injection in run: blocks
Dangerous Triggers: pull_request_target misuse
Permissions: overly broad GITHUB_TOKEN scope
Secrets Exposure: leaked secrets in logs and artifacts
Runner Security: self-hosted runner risks
CI/CD Hygiene: timeouts, concurrency, error handling
Best Practices: Dependabot, CODEOWNERS
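To make the first four categories concrete, here is a small set of checks written for this page as an added example; it is not the scanner engine the page advertises, and the workflow it inspects is a constructed sample given as the dict that PyYAML's yaml.safe_load() would produce (so the example runs without PyYAML). The list of attacker-controlled contexts, the pinned placeholder SHA and the "repository default" wording in the permissions check are assumptions made for the example.

```python
"""Four GitHub Actions workflow checks: unpinned actions, expression injection
in run:, pull_request_target checking out the PR head, and broad GITHUB_TOKEN
permissions. Example code written for this page, not the page's scanner.
Workflows are passed as the dict yaml.safe_load(open(path)) would return."""
import re
from dataclasses import dataclass

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
EXPR = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
# Contexts whose value is chosen by whoever opened the issue, PR or comment
# (partial list, an assumption of this example). A ${{ }} expression is expanded
# before the shell ever sees the script, so inside run: it is a shell injection.
ATTACKER_CONTROLLED = re.compile(
    r"^(github\.head_ref"
    r"|github\.event\.(issue|pull_request)\.(title|body)"
    r"|github\.event\.pull_request\.head\.(ref|label|repo\.description)"
    r"|github\.event\.(comment|review|review_comment)\.body"
    r"|github\.event\.head_commit\.message"
    r"|github\.event\.commits(\[\d*\]|\.\*)?\.message)"
)


@dataclass(frozen=True)
class Finding:
    check: str
    job: str
    detail: str


def _triggers(workflow):
    # PyYAML follows YAML 1.1, so a bare `on:` key is parsed as the boolean True.
    on = workflow.get("on") or workflow.get(True)
    if isinstance(on, str):
        return {on}
    if isinstance(on, (list, dict)):
        return set(on)
    return set()


def check_unpinned(job_name, step):
    uses = str(step.get("uses", ""))
    if not uses or uses.startswith(("./", "docker://")):
        return None  # local and container actions are not tag-pinned
    _, _, ref = uses.partition("@")
    if not FULL_SHA.match(ref):
        return Finding("unpinned-action", job_name,
                       f"{uses!r}: ref {ref or '<none>'!r} is a mutable tag or branch, pin to a full commit SHA")
    return None


def check_injection(job_name, step):
    run = step.get("run")
    if not isinstance(run, str):
        return []
    return [Finding("expression-injection", job_name,
                    f"run: interpolates ${{{{ {e} }}}}; pass it through env: and quote \"$VAR\" instead")
            for e in EXPR.findall(run) if ATTACKER_CONTROLLED.match(e)]


def check_pr_target(job_name, step, triggers):
    # pull_request_target runs in the base repo with secrets and a write token;
    # checking out the PR head there executes untrusted code in that context.
    if "pull_request_target" not in triggers or not str(step.get("uses", "")).startswith("actions/checkout"):
        return None
    ref = str((step.get("with") or {}).get("ref", ""))
    if "github.event.pull_request.head" in ref or "github.head_ref" in ref:
        return Finding("pull_request_target-checkout", job_name,
                       "checks out the PR head under pull_request_target")
    return None


def check_permissions(workflow, job_name, job):
    perms = job.get("permissions", workflow.get("permissions"))
    if perms == "write-all":
        return Finding("broad-permissions", job_name, "permissions: write-all grants every scope to GITHUB_TOKEN")
    if perms is None:
        return Finding("broad-permissions", job_name,
                       "no permissions: block, so GITHUB_TOKEN falls back to the repository default")
    return None


def scan(workflow):
    findings = []
    triggers = _triggers(workflow)
    for job_name, job in (workflow.get("jobs") or {}).items():
        if (f := check_permissions(workflow, job_name, job)):
            findings.append(f)
        for step in job.get("steps") or []:
            if (f := check_unpinned(job_name, step)):
                findings.append(f)
            findings.extend(check_injection(job_name, step))
            if (f := check_pr_target(job_name, step, triggers)):
                findings.append(f)
    return findings


# Constructed samples: the same job before and after hardening.
VULNERABLE = {
    "name": "pr-greeter",
    True: {"pull_request_target": {"types": ["opened"]}},  # the `on:` key, see _triggers()
    "jobs": {"greet": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4", "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
        {"run": 'echo "Thanks for ${{ github.event.pull_request.title }}"'},
    ]}},
}
HARDENED = {
    "name": "pr-greeter",
    True: {"pull_request": {"types": ["opened"]}},
    "permissions": {"contents": "read"},
    "jobs": {"greet": {"runs-on": "ubuntu-latest", "steps": [
        # placeholder 40-hex SHA; use the real commit of the release you audited
        {"uses": "actions/checkout@1111111111111111111111111111111111111111"},
        {"env": {"TITLE": "${{ github.event.pull_request.title }}"}, "run": 'echo "Thanks for $TITLE"'},
    ]}},
}

if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, [f"{f.check} [{f.job}]: {f.detail}" for f in scan(wf)])
```

The hardened variant removes every finding by changing the trigger to pull_request, restricting the token to contents: read, pinning the action to a commit and moving the PR title into an env: variable so the shell receives it as data rather than as part of the script.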
25 checks inspired by real attacks: tj-actions (2025), Trivy (2026), Shai-Hulud, GhostAction
No data stored. No sign-up. Open source scanner engine.