Loading GitHub Actions Supply-Chain Firewall...
CI/CD SUPPLY-CHAIN FIREWALL
GitHub Actions Supply-Chain Firewall
Paste workflow YAML and get a practical hardening packet for privileged triggers, write tokens, unpinned actions, secrets, OIDC, cache poisoning and artifact trust boundaries.
Reviewed 2026-07-08
SecurityWorkflow YAMLAttack surfaceRisk ledgerPatch queueJSON receipt
Why this is different
Most workflow scanners stop at “you used an old action tag.” This firewall looks for dangerous combinations: privileged triggers plus untrusted code, broad write tokens plus secrets, workflow-run artifacts plus deploy steps, cache restore in release jobs and shell injection from event context.