[PR #806] Add gha-shield - browser-based GitHub Actions workflow security scanner #13928

Open
opened 2026-06-21 00:02:38 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/sdras/awesome-actions/pull/806
Author: @Fabridev444
Created: 5/26/2026
Status: 🔄 Open

Base: mainHead: add-gha-shield


📝 Commits (1)

  • 1d31420 Add gha-shield - browser-based GitHub Actions workflow security scanner

📊 Changes

1 file changed (+1 additions, -0 deletions)

View changed files

📝 README.md (+1 -0)

📄 Description

Adds gha-shield to the Static Analysis section.

What it is: a browser-only scanner that takes a GitHub Actions workflow YAML and returns 13 categorized security findings in under 5 seconds, no install or signup required.

The 13 rules: unpinned actions (no SHA), `pull_request_target` + PR-ref checkout, `${{ github.event.* }}` interpolated into `run:` shells, missing `permissions:` block, `continue-on-error` on auth/test steps, `secrets.*` in `if:` conditions, `curl | bash`, untrusted-host downloads without checksum, `schedule:` with broad token, `workflow_run` + untrusted checkout, hard-coded provider keys (sk-, ghp_, AKIA…) in `env:`, untrusted action receiving GITHUB_TOKEN, job without `timeout-minutes`.

Receipts:

  • 45 unit tests pass (`node --test`)
  • E2E scanned over `archestra-ai/archestra` (23 workflows → 15 findings) and `vercel/next.js` (37 workflows → 87 findings including 4 criticals in `release-next-rspack.yml`)
  • Source: https://github.com/Fabridev444/gha-shield (MIT-pending, free forever)

Following the awesome-list format. Happy to adjust the description length or position if needed.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/sdras/awesome-actions/pull/806 **Author:** [@Fabridev444](https://github.com/Fabridev444) **Created:** 5/26/2026 **Status:** 🔄 Open **Base:** `main` ← **Head:** `add-gha-shield` --- ### 📝 Commits (1) - [`1d31420`](https://github.com/sdras/awesome-actions/commit/1d314208dfdf0f1d6f339f746a035d1b98b42bbe) Add gha-shield - browser-based GitHub Actions workflow security scanner ### 📊 Changes **1 file changed** (+1 additions, -0 deletions) <details> <summary>View changed files</summary> 📝 `README.md` (+1 -0) </details> ### 📄 Description Adds [gha-shield](https://fabridev444.github.io/gha-shield/) to the Static Analysis section. **What it is:** a browser-only scanner that takes a GitHub Actions workflow YAML and returns 13 categorized security findings in under 5 seconds, no install or signup required. **The 13 rules:** unpinned actions (no SHA), \`pull_request_target\` + PR-ref checkout, \`\${{ github.event.* }}\` interpolated into \`run:\` shells, missing \`permissions:\` block, \`continue-on-error\` on auth/test steps, \`secrets.*\` in \`if:\` conditions, \`curl | bash\`, untrusted-host downloads without checksum, \`schedule:\` with broad token, \`workflow_run\` + untrusted checkout, hard-coded provider keys (sk-, ghp_, AKIA…) in \`env:\`, untrusted action receiving GITHUB_TOKEN, job without \`timeout-minutes\`. **Receipts:** - 45 unit tests pass (\`node --test\`) - E2E scanned over \`archestra-ai/archestra\` (23 workflows → 15 findings) and \`vercel/next.js\` (37 workflows → 87 findings including 4 criticals in \`release-next-rspack.yml\`) - Source: https://github.com/Fabridev444/gha-shield (MIT-pending, free forever) Following the awesome-list format. Happy to adjust the description length or position if needed. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-06-21 00:02:39 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/awesome-actions#13928