ndcorder/actions-audit

actions-audit

Scan your GitHub Actions workflows for security risks before attackers do.

GitHub Actions has no lockfile, no integrity hashes, and no transitive dependency visibility. Research found 99.7% of repos run externally-developed Actions, with 97% from unverified creators. Mutable tags (uses: action@v1) can be silently replaced with malicious code.

actions-audit scans your .github/workflows/ files and flags:

  • Mutable tags — actions referenced by tag/branch instead of pinned SHA
  • Missing/broad permissions — workflows without explicit permission blocks or with overly broad access
  • Known vulnerabilities — action versions with published CVEs (bundled advisory database)
  • Risky patterns — pull_request_target + checkout, script injection via ${{ github.event.* }}, workflow_run abuse
  • Unverified creators — actions from non-verified GitHub organizations

Installation

pip install actions-audit

Quick Start

# Scan current directory
actions-audit scan

# Scan with auto-fix (pin mutable tags to SHA)
actions-audit scan --fix

# Output as SARIF for GitHub Code Scanning
actions-audit scan --format sarif

# Only show high-severity and above
actions-audit scan --severity high

# Skip network-dependent checks
actions-audit scan --no-network

# Update advisory database
actions-audit advisories update

Output Formats

Format     Flag                Use Case
text       --format text       Terminal (default, Rich tables)
json       --format json       Programmatic consumption
sarif      --format sarif      GitHub Code Scanning integration
markdown   --format markdown   PR comments, documentation

GitHub Action

- uses: ndcorder/actions-audit@v1
  with:
    directory: "."
    severity: "medium"
    format: "text"

Pre-commit Hook

repos:
  - repo: https://github.com/ndcorder/actions-audit
    rev: v0.1.0
    hooks:
      - id: actions-audit

CLI Reference

actions-audit scan [DIRECTORY]

Scan workflow files for security risks.

Option           Description
--fix            Auto-pin mutable tags to SHA hashes
--format, -f     Output format: text, json, sarif, markdown
--severity, -s   Minimum severity: critical, high, medium, low, info
--no-network     Skip rules requiring network access

Exit code 1 if any findings are detected (useful in CI).

actions-audit advisories update

Fetch the latest advisory database from the remote source.

actions-audit advisories info

Show information about the local advisory database.

Detection Rules

Rule ID               Severity      Description
mutable-tag           HIGH          Action uses tag/branch instead of pinned SHA
missing-permissions   MEDIUM        No top-level permissions block
broad-permissions     MEDIUM-HIGH   Overly broad permission grants
vulnerable-action     VARIES        Action version has known CVE
pr-target-checkout    CRITICAL      pull_request_target checks out PR head
script-injection      HIGH          User-controlled input in run commands
workflow-run-abuse    HIGH          workflow_run downloads untrusted artifacts
unverified-creator    LOW           Action from non-verified organization
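To make concrete what four of these rules look for, here is an added, self-contained illustration (not actions-audit's own code): a line-based check over a constructed workflow that flags mutable-tag, missing-permissions, pr-target-checkout and script-injection. It scans the YAML text with regular expressions rather than parsing it, and the 40-hex SHA in the sample is a placeholder, not a real commit.

```python
import re
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
RUN_KEY_RE = re.compile(r"(-\s+)?run:")
EVENT_EXPR_RE = re.compile(r"\$\{\{\s*github\.event\.[^}]*\}\}")
HEAD_REF_RE = re.compile(r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head")

def is_mutable_ref(uses: str) -> bool:
    """True when 'owner/repo@ref' is a tag or branch rather than a full SHA."""
    if uses.startswith(("./", "docker://")) or "@" not in uses:
        return False  # local path or docker image: nothing to SHA-pin
    return not SHA_RE.match(uses.rsplit("@", 1)[1])

def scan_workflow(text: str) -> list[tuple[str, int]]:
    """Return (rule-id, line) findings; line 0 means the whole file."""
    findings, lines = [], text.splitlines()
    if not any(line.startswith("permissions:") for line in lines):
        findings.append(("missing-permissions", 0))
    pr_target = re.search(r"\bpull_request_target\b", text) is not None
    last_uses, run_indent = "", None
    for n, line in enumerate(lines, 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if run_indent is not None and stripped and indent <= run_indent:
            run_indent = None  # dedented past the run: key, block is over
        if m := USES_RE.match(line):
            last_uses = m.group(1)
            if is_mutable_ref(last_uses):
                findings.append(("mutable-tag", n))
        elif pr_target and "actions/checkout" in last_uses and HEAD_REF_RE.search(line):
            findings.append(("pr-target-checkout", n))  # PR head code in a privileged job
        if m := RUN_KEY_RE.match(stripped):
            run_indent = indent + len(m.group(1) or "")
        if run_indent is not None and EVENT_EXPR_RE.search(line):
            findings.append(("script-injection", n))  # event data expanded into shell
    return findings

# Constructed sample workflow (not from any real repository); the setup-python SHA is a placeholder.
SAMPLE = """\
on: [pull_request_target]
jobs:
  label:
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-python@1234567890abcdef1234567890abcdef12345678
      - run: |
          echo "Title: ${{ github.event.pull_request.title }}"
"""
```

Running scan_workflow(SAMPLE) reports the missing top-level permissions block, the unpinned checkout on line 5, the PR-head checkout under pull_request_target on line 7 and the event-title interpolation inside run on line 10, while the SHA-pinned setup-python step is left alone.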

Contributing

  1. Fork the repository
  2. Create a feature branch
  3. Write tests for any new functionality
  4. Ensure all tests pass: uv run pytest
  5. Ensure linting passes: uv run ruff check .
  6. Submit a pull request

License

MIT
