Find the CI workflow that can leak your repo before an attacker does.
Upload a repo ZIP or paste workflow YAML. ActionPin checks GitHub Actions for unpinned actions, pull_request_target traps, write-token blast radius, self-hosted runner exposure, and merge queue gaps.
Scan your workflows
Client uploads are processed in memory and not persisted.
Workflow security report
Readiness score
Starter hardening patch
Pinning evidence, not vibes
Every finding names the workflow file, line, action ref, and concrete fix. No vague AI guesswork.
PR privilege traps
Flags the nasty combinations: pull_request_target, checkout of attacker code, write tokens, and self-hosted runners.
Merge queue ready
Catches required CI workflows that lack a merge_group trigger: in a merge queue the required check never reports on the merge-group commit, so the queue waits on a status that will never arrive, and the usual fix is to quietly drop the requirement.
Sample finding
.github/workflows/pr.yml:4: pull_request_target checks out untrusted PR code
This pattern runs attacker-controlled code in a job that holds the base repository's secrets and a privileged GITHUB_TOKEN. Use the pull_request event instead, or, if pull_request_target is genuinely needed (for example to label or comment on fork PRs), never check out github.event.pull_request.head.sha or head.ref in the privileged job.
FAQ
Is this an AI wrapper?
No. ActionPin is a deterministic static scanner. It parses workflow files and applies explicit security rules.
Do you store my repository?
No. ZIPs are read in memory for the request and discarded. Only workflow, Dependabot, and CODEOWNERS files are inspected.
Why pin actions to SHAs?
Tags and branches are mutable: the maintainer of a third-party action, or an attacker who compromises its repository, can move v1 to point at new code, and every workflow that references the tag picks that code up on its next run. Pinning to a full 40-character commit SHA makes the exact code that runs in CI reproducible and reviewable. Keep the version in a trailing comment so humans can read it, and let Dependabot raise pull requests to bump the pin.
What does it check?
Unpinned actions, moving refs, privileged PR workflows, token permissions, self-hosted runner exposure, risky shell downloads, missing Dependabot updates, CODEOWNERS coverage, and merge queue trigger gaps.
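As an added example (not ActionPin's code or the page's own), the following Python script implements line-oriented versions of five of the checks listed above over two constructed workflows: a vulnerable one that combines the pull_request_target checkout from the sample finding with a write-all token, a self-hosted runner, an unpinned actions/checkout@v4 and no merge_group trigger, and a hardened one that triggers on pull_request plus merge_group, grants a read-only token and pins checkout by full commit SHA. The workflow texts, file names and rule names are constructed for illustration; the 40-character SHA in the hardened sample is there only to show the pinned form, so verify any SHA against the release tag before copying it.

```python
# Added example: a small deterministic GitHub Actions linter covering the checks
# the page lists. It is not ActionPin's code. Parsing is line-oriented, so it
# needs no PyYAML; a production scanner should parse the YAML properly.
import re
from collections import namedtuple

Finding = namedtuple("Finding", "path line rule detail")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
ON_RE = re.compile(r"^(\s*)on:\s*(.*)$")
HEAD_REF_RE = re.compile(r"^\s*-?\s*(?:ref|run):.*github\.event\.pull_request\.head\.")
WRITE_RE = re.compile(r"^\s*(?:permissions:\s*write-all|[a-z-]+:\s*write)\s*(?:#.*)?$")
SELF_HOSTED_RE = re.compile(r"^\s*runs-on:.*\bself-hosted\b")
PR_EVENTS = {"pull_request", "pull_request_target"}


def triggers(text):
    """Event names under 'on:', for both 'on: [a, b]' and the block form."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = ON_RE.match(line)
        if not m:
            continue
        indent, rest = len(m.group(1)), m.group(2).split("#")[0].strip()
        if rest:  # inline form: on: push  /  on: [pull_request, merge_group]
            return set(re.findall(r"[A-Za-z_]+", rest))
        found, child_indent = set(), None
        for child in lines[i + 1:]:
            if not child.strip():
                continue
            cur = len(child) - len(child.lstrip())
            if cur <= indent:
                break  # dedented: the on: block has ended
            child_indent = child_indent or cur
            km = re.match(r"""^\s*-?\s*['"]?([A-Za-z_]+)""", child)
            if km and cur == child_indent:  # direct children only, not e.g. 'types:'
                found.add(km.group(1))
        return found
    return set()


def scan(path, text):
    """Apply every rule to one workflow and return findings sorted by line."""
    lines, events, out = text.splitlines(), triggers(text), []
    on_pr, on_prt = bool(events & PR_EVENTS), "pull_request_target" in events
    if on_pr and "merge_group" not in events:
        on_line = next(n for n, l in enumerate(lines, 1) if ON_RE.match(l))
        out.append(Finding(path, on_line, "missing-merge-group",
                           "no merge_group trigger: a required check never reports on merge-queue commits"))
    for n, line in enumerate(lines, 1):
        m = USES_RE.match(line)
        ref = m.group(1).strip("'\"") if m else ""
        # Local and docker:// references cannot be pinned by commit SHA, so skip them.
        if ref and not ref.startswith(("./", "docker://")) and not SHA_RE.match(ref.partition("@")[2]):
            out.append(Finding(path, n, "unpinned-action", f"{ref} is a mutable ref; pin to a full commit SHA"))
        if on_prt and HEAD_REF_RE.match(line):
            out.append(Finding(path, n, "pr-target-checkout",
                               "pull_request_target checks out untrusted PR code with base-repo secrets"))
        if on_prt and WRITE_RE.match(line):
            out.append(Finding(path, n, "write-permissions", "write token granted to a pull_request_target workflow"))
        if on_pr and SELF_HOSTED_RE.match(line):
            out.append(Finding(path, n, "self-hosted-runner", "PR-triggered job runs untrusted code on a self-hosted runner"))
    return sorted(out, key=lambda f: f.line)


# Constructed sample workflows for the demonstration (not from any real repository).
VULNERABLE = """\
on:
  pull_request_target:
    types: [opened, synchronize]
permissions: write-all
jobs:
  test:
    runs-on: [self-hosted, linux]
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
"""
HARDENED = """\
on:
  pull_request:
  merge_group:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2, verify before copying
        with:
          persist-credentials: false
      - run: npm ci && npm test
"""

if __name__ == "__main__":
    for path, text in (("pr.yml", VULNERABLE), ("ci.yml", HARDENED)):
        print(f"== {path}: {len(scan(path, text))} finding(s)")
        for f in scan(path, text):
            print(f"{f.path}:{f.line} {f.rule}: {f.detail}")
```

Each finding carries the file, line, rule and a concrete fix, which is the shape a reviewer can act on. The write-permissions and checkout rules only fire when the workflow is reachable from pull_request_target, and the self-hosted rule only when it is reachable from a PR event at all, because the same settings in a push-triggered workflow are not attacker-controlled.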