GitHub Actions Workflow Security Audit (Free)
Paste a workflow and get a severity-ranked security checklist - unpinned actions, EOL versions, deprecated commands, missing permissions, and secret leaks, each with the specific fix.
Workflow files accumulate risk quietly: an action pinned to a tag instead of a SHA, a checkout still on v3, a set-output command that stopped working, a token with more scope than it needs. This audit scans the raw YAML and reports every issue grouped by severity, with the exact line and the recommended fix.
What it checks
- Unpinned actions:
@vNtags and@main/@masterbranches - recommends a full 40-char commit SHA. - Deprecated/EOL actions: checkout, cache, upload/download-artifact, setup-node on v1/v2/v3 - recommends the current major.
- Deprecated commands:
::set-output::,::save-state::,::set-env::,::add-path::- recommends the$GITHUB_*file equivalents. - Missing top-level
permissions:,pull_request_targetusage, andrun:lines that echosecrets.*.
Read the severity tags
- High: disabled commands, EOL actions, echoed secrets, and dangerous
pull_request_targetcheckout patterns. - Medium: tag-pinned actions, moving-branch refs, and a missing least-privilege
permissionsblock. - Each item shows the line number and snippet so you can jump straight to it.
Keep it hardened on Latchkey
Latchkey runs your hardened workflow on managed runners at roughly 69% lower per-minute cost, with self-healing retries - so tightening security does not mean slower or pricier CI.