GitHub Workflow Checker - Secure GitHub Actions with Hash Pinning
GitHub Workflow Checker is a tool designed to improve CI/CD security by automatically pinning GitHub Actions to immutable SHA hashes instead of version tags.
Why it matters:
The recent tj-actions/changed-files supply chain attack (CVE-2025-30066) demonstrated how attackers can retarget version tags at malicious code, in that case leaking CI secrets from affected repositories. Repositories that referenced the action by a pinned commit SHA were not affected.
Key Features:
- Automatically updates GitHub Actions to use pinned commit SHAs
- Prevents supply chain attacks through immutable references
- Creates pull requests with security improvements
- Maintains workflow compatibility through testing
- Works as both a GitHub Action and standalone CLI tool
- Handles semantic versioning and updates appropriately
The tool balances security with maintainability by automating the update of pinned references, which addresses the common objection that SHA pinning causes repositories to miss important security updates.
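As an added example (not the tool's own code), a minimal stdlib-only version of the two operations described above: reporting `uses:` steps that reference a mutable tag or branch, and rewriting them to a commit SHA while keeping the human-readable version as a trailing comment. `SAMPLE_WORKFLOW`, the SHAs in it and `SAMPLE_RESOLVER` are constructed placeholders standing in for the GitHub API lookup a real tool would perform.

```python
import re

# Matches `uses: owner/repo[/path]@ref`; local (./...) and docker:// steps never match and are left alone.
USES_RE = re.compile(
    r"^(?P<prefix>\s*-?\s*uses:\s*)(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+).*$"
)

def is_pinned(ref):
    # Only a full 40-hex commit SHA is immutable; tags and branches can be moved to other code.
    return re.fullmatch(r"[0-9a-f]{40}", ref) is not None

def find_unpinned(workflow_text):
    """Return (line_no, action, ref) for every step that references a mutable tag or branch."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and not is_pinned(m.group("ref")):
            findings.append((line_no, m.group("action"), m.group("ref")))
    return findings

def pin_workflow(workflow_text, sha_for):
    """Rewrite mutable refs to `@<sha> # <tag>` using the (action, ref) -> sha mapping `sha_for`.
    Refs missing from the mapping are left as they are, so find_unpinned() still reports them."""
    out = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and not is_pinned(m.group("ref")):
            sha = sha_for.get((m.group("action"), m.group("ref")))
            if sha:
                line = f"{m.group('prefix')}{m.group('action')}@{sha} # {m.group('ref')}"
        out.append(line)
    return "\n".join(out) + "\n"

# Constructed sample workflow; the SHA below and every value in SAMPLE_RESOLVER are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.4
      - uses: ./.github/actions/local-step
      - uses: tj-actions/changed-files@v45
      - uses: actions/cache@main
"""
# Constructed stand-in for the tag-to-commit lookup a real tool would do against the GitHub API.
SAMPLE_RESOLVER = {
    ("actions/checkout", "v4"): "1111111111111111111111111111111111111111",
    ("tj-actions/changed-files", "v45"): "2222222222222222222222222222222222222222",
}
```

Running `find_unpinned` on the rewritten text shows which references could not be resolved and therefore remain mutable; in a CI gate that residual list is what should fail the build.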
Available as a GitHub Action: ThreatFlux Actions Maintainer