Security check

GitHub Actions: CI is a path straight into your secrets

A compromised or unpinned GitHub Action can exfiltrate your secrets and push code. We check your workflows' permissions and third-party dependencies and point out the risks.

Run a free domain scan All checks β†’
Relates to: NIS2 Β· art. 21 β€” supply chain ISO 27001 Β· A.8.28 secure coding SLSA Β· supply-chain OWASP Β· CI/CD-SEC

What we check

We review your workflows: does GITHUB_TOKEN have overly broad permissions (write instead of read), are third-party steps pinned to a commit SHA or just a movable tag, is pull_request_target used unsafely, and are secrets exposed to forks?

Why it matters

GitHub Actions have access to your secrets and your code. An unpinned third-party step that gets hijacked (or a malicious PR against an unsafe workflow) can exfiltrate everything. This is one of the fastest-growing supply-chain attack paths.

How Security Guru tests it

Common mistakes

  • permissions: write-all when read would suffice
  • uses: actor/action@main β€” movable tag, hijackable
  • pull_request_target that checks out and runs PR code
  • Secrets available in workflows triggered by external forks

What you get in the report

  • Workflows with overly broad permissions
  • Unpinned third-party steps that should be locked to a SHA
  • Unsafe trigger patterns with secrets exposure
  • Mapping to SLSA / OWASP CI/CD-SEC

FAQ

Why pin to a SHA?

A tag like @v3 can be moved by the action's owner (or an attacker who hijacks the account). A commit SHA is immutable β€” you run exactly the code you reviewed.

What's dangerous about pull_request_target?

It runs with your secrets but against code from an external PR β€” a classic way to exfiltrate secrets. We flag unsafe patterns.

Do you read our code?

We read the workflow configuration via the API; no code is cloned for this check.

Want to know your status?

Run a free scan or order a full Security Assessment β€” prioritised, not noise.

Run a free domain scan