Zizmor Security Findings

GitHub Actions security analysis of the top 10,000 repositories — by Fabian Kammel

Summary counters: Repos Scanned (total) · Using GHA (% of total) · High Severity Repos (% of GHA repos)

About

GitHub Actions automates repository workflows (CI/CD, releases, deployments); misconfigured workflows can expose secrets, allow code injection, or enable supply chain attacks.

zizmor statically analyzes workflow files and detects issues such as unpinned action references, template injection, excessive permissions, and insecure secret handling. It does not evaluate the trustworthiness of third-party actions themselves or any runtime behavior.
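The four issue classes named above, checked by a small line-based scanner over two constructed workflow files: one with an unpinned action, `write-all` permissions and an untrusted expression interpolated into a `run:` script, and a hardened twin that pins to a commit SHA, grants `contents: read` and passes the value through an environment variable instead. This is an added illustration, not zizmor's code or rule set; the workflow texts, the 40-zero commit placeholder, and the list of "untrusted" contexts are assumptions, and the scanner only approximates what a YAML-aware analyzer does.

```python
"""Toy static checks for GitHub Actions workflows (added example, not zizmor)."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    line: int
    text: str


# Constructed vulnerable workflow: mutable tag, write-all token, template injection.
VULNERABLE = """\
name: ci
on:
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    permissions: write-all
    steps:
      - uses: actions/checkout@v4
      - name: Greet
        run: |
          echo "Title: ${{ github.event.pull_request.title }}"
"""

# Constructed hardened twin. The 40-zero SHA is a placeholder, not a real commit.
HARDENED = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # placeholder SHA, not the real actions/checkout v4 commit
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4
      - name: Greet
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "Title: $PR_TITLE"
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
RUN_RE = re.compile(r"^(\s*)(?:-\s*)?run:(.*)$")
PERM_RE = re.compile(r"^\s*permissions:\s*(\S*)")
# Assumed subset of expression contexts an outside contributor can influence.
UNTRUSTED_RE = re.compile(
    r"\$\{\{[^}]*?\b(?:github\.event\.(?:issue|pull_request|comment|review"
    r"|head_commit|commits)|github\.head_ref)\b[^}]*\}\}"
)


def scan(workflow: str) -> list[Finding]:
    """Return findings in line order: unpinned uses, write-all, run-time injection."""
    findings: list[Finding] = []
    run_indent = None      # indentation of the current `run:` key, if inside one
    has_perms = False
    for no, line in enumerate(workflow.splitlines(), 1):
        indent = len(line) - len(line.lstrip(" "))
        # A non-blank line at or below the run key's indent ends the run block.
        if run_indent is not None and line.strip() and indent <= run_indent:
            run_indent = None
        m = USES_RE.match(line)
        if m and "@" in m.group(1) and not m.group(1).startswith(("./", "docker://")):
            ref = m.group(1)
            if not SHA_RE.match(ref.rpartition("@")[2]):
                findings.append(Finding("unpinned-uses", no, ref))
        m = PERM_RE.match(line)
        if m:
            has_perms = True
            if m.group(1) == "write-all":
                findings.append(Finding("excessive-permissions", no, line.strip()))
        m = RUN_RE.match(line)
        if m:
            run_indent = len(m.group(1))
        if run_indent is not None:
            # Only expressions expanded inside a shell script are injection sinks here;
            # the same expression under `env:` is passed as data, not code.
            for u in UNTRUSTED_RE.finditer(line):
                findings.append(Finding("template-injection", no, u.group(0)))
    if not has_perms:
        findings.append(Finding("missing-permissions", 0, "no permissions block"))
    return findings


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(f"== {label}: {len(scan(text))} finding(s)")
        for f in scan(text):
            print(f"  line {f.line}: {f.rule}: {f.text}")
```

The run-block tracking is deliberately indentation-based so the example stays dependency-free; a production checker would parse the YAML and walk each step's `run` value instead.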

Security is defense in depth — no single tool eliminates all risk, and a system is only as secure as its weakest component. These findings represent one layer worth addressing.

Of the top 10,000 GitHub repositories by stars, % of those using Actions have at least one high-severity finding — a significant number, as many of these open-source projects underpin software that critical systems worldwide depend on.

Data generated by datosh/pinned-actions.

Top Rules by Frequency

Findings by Severity

Per-repository table columns: Repository · Stars · Total · High · Medium · Low · Info