Skip to content
Latchkey

GitHub Actions Workflow Security Audit (Free)

Paste a workflow and get a severity-ranked security checklist - unpinned actions, EOL versions, deprecated commands, missing permissions, and secret leaks, each with the specific fix.

Workflow files accumulate risk quietly: an action pinned to a tag instead of a SHA, a checkout still on v3, a set-output command that stopped working, a token with more scope than it needs. This audit scans the raw YAML and reports every issue grouped by severity, with the exact line and the recommended fix.

What it checks

  • Unpinned actions: @vN tags and @main/@master branches - recommends a full 40-char commit SHA.
  • Deprecated/EOL actions: checkout, cache, upload/download-artifact, setup-node on v1/v2/v3 - recommends the current major.
  • Deprecated commands: ::set-output::, ::save-state::, ::set-env::, ::add-path:: - recommends the $GITHUB_* file equivalents.
  • Missing top-level permissions:, pull_request_target usage, and run: lines that echo secrets.*.

Read the severity tags

  • High: disabled commands, EOL actions, echoed secrets, and dangerous pull_request_target checkout patterns.
  • Medium: tag-pinned actions, moving-branch refs, and a missing least-privilege permissions block.
  • Each item shows the line number and snippet so you can jump straight to it.

Keep it hardened on Latchkey

Latchkey runs your hardened workflow on managed runners at roughly 69% lower per-minute cost, with self-healing retries - so tightening security does not mean slower or pricier CI.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →