A compromised or unpinned GitHub Action can exfiltrate your secrets and push code. We check your workflows' permissions and third-party dependencies and point out the risks.
Run a free domain scan All checks βWe review your workflows: does GITHUB_TOKEN have overly broad permissions (write instead of read), are third-party steps pinned to a commit SHA or just a movable tag, is pull_request_target used unsafely, and are secrets exposed to forks?
GitHub Actions have access to your secrets and your code. An unpinned third-party step that gets hijacked (or a malicious PR against an unsafe workflow) can exfiltrate everything. This is one of the fastest-growing supply-chain attack paths.
permissions blockpull_request_target patternspermissions: write-all when read would sufficeuses: actor/action@main β movable tag, hijackablepull_request_target that checks out and runs PR codeWhy pin to a SHA?
A tag like @v3 can be moved by the action's owner (or an attacker who hijacks the account). A commit SHA is immutable β you run exactly the code you reviewed.
What's dangerous about pull_request_target?
It runs with your secrets but against code from an external PR β a classic way to exfiltrate secrets. We flag unsafe patterns.
Do you read our code?
We read the workflow configuration via the API; no code is cloned for this check.
Run a free scan or order a full Security Assessment β prioritised, not noise.
Run a free domain scan