gha-shield

GitHub Actions security scanner · BYOK · no logs

Workflow YAML

Pasted YAML stays in your browser. Nothing is logged.

Scan options

LLM API key (BYOK): your own key, used in-session and never stored. Skip it to run the 6 free rules only.

Free tier (13 rules):
• Unpinned third-party actions
• pull_request_target + PR-ref checkout
• Command injection via ${{ }} interpolation
• Missing permissions: block
• continue-on-error on auth/test
• Secrets in if: conditions
• curl | bash / wget | sh
• Gist/raw/paste download without checksum
• schedule: with broad token
• workflow_run + untrusted checkout
• Hard-coded credential in env: (sk-…, ghp_…, AKIA…)
• Untrusted action receives GITHUB_TOKEN / secrets
• Job missing timeout-minutes
Pro ($9 — bulk + LLM + PDF):
• Bulk scan a whole .github/workflows/ folder
• LLM patterns (BYOK): cross-job creds, eval/exec idioms, dev/prod secret confusion
• Specific safer rewrites per finding
• Full PDF report export
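To show what five of the free-tier rules above look like as detection logic, here is an added Python example written for this page, not gha-shield's own code. It scans a constructed workflow line by line; the `FIRST_PARTY` owner set, the rule ids and the sample workflow are assumptions, and a production scanner would parse the YAML rather than match lines.

```python
import re

# Constructed sample workflow (not from the page) that trips several of the free rules.
SAMPLE = """\
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.ref }}
      - uses: some-org/some-action@main
      - run: echo "Title: ${{ github.event.pull_request.title }}"
      - run: curl -sSL https://example.invalid/install.sh | bash
"""

FIRST_PARTY = {"actions", "github"}  # owners treated as first-party: an assumption
USES = re.compile(r"^\s*(-\s*)?uses:\s*(\S+)")
SHA_PIN = re.compile(r"@[0-9a-f]{40}$")  # full commit SHA counts as pinned
RUN = re.compile(r"^\s*(-\s*)?run:\s*(\S)")  # group 2 is '|' or '>' for a block scalar
EVENT_EXPR = re.compile(r"\$\{\{\s*github\.event\.")  # attacker-controlled event data
PIPE_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b")
PRT_CHECKOUT = re.compile(r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.")

def scan(text):
    """Return (line, rule, detail) tuples; line 0 marks workflow-level findings."""
    findings = []
    run_indent = None  # column of the 'run:' key while inside a multi-line run block
    for n, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        if run_indent is not None and line.strip() and indent <= run_indent:
            run_indent = None  # a key at or left of 'run:' ends the block scalar
        if m := USES.match(line):
            ref = m.group(2)
            if not ref.startswith(("./", "docker://")) and ref.split("/")[0] not in FIRST_PARTY and not SHA_PIN.search(ref):
                findings.append((n, "unpinned-action", ref))
        if (m := RUN.match(line)) and m.group(2) in "|>":
            run_indent = line.index("run:")
        if run_indent is not None or RUN.match(line):  # only shell lines are injectable
            if EVENT_EXPR.search(line):
                findings.append((n, "expression-injection", line.strip()))
            if PIPE_SHELL.search(line):
                findings.append((n, "pipe-to-shell", line.strip()))
    if "pull_request_target" in text and PRT_CHECKOUT.search(text):
        findings.append((0, "prt-untrusted-checkout", "PR head checked out under pull_request_target"))
    if not re.search(r"^\s*permissions:", text, re.M):
        findings.append((0, "missing-permissions", "no permissions: block at workflow or job level"))
    return findings
```

Passing event data through `env:` instead of interpolating it into `run:` is the fix the expression-injection rule points at, and the scanner stays quiet on that form.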

Findings

Paste a workflow YAML and click Scan to see findings.

Tip the maintainer (Solana / USDC SPL)

If gha-shield saved you a CVE, drop a tip. Scan with any Solana wallet — auto-fills recipient + USDC mint via Solana Pay.

Solana Pay QR — gha-shield tip jar
Wallet: 634UtV9dWq8G7ciosqx1pcKkBK4kNkNod9yvoM8ujSdM
Token: USDC SPL
Mint: EPjFWdd5AufqSSqeM2qN1xzybapC8G4wEGGkZwyTDt1v
No KYC. No Stripe. Settles in ~400 ms.