🛡️SecOSS

GitHub Actions Supply Chain Scanner

Detect compromised or drifted action tags before they run in your CI pipeline

Supply chain attacks on GitHub Actions work by silently re-pointing a mutable tag — like actions/checkout@v4 — to a malicious commit. SecOSS scans every uses: reference in your .github/workflows/ files, resolves each tag to its current commit SHA, and compares against the previous scan. Any SHA change is flagged CRITICAL — a strong indicator of a compromised action.

How to use

  1. Enter your GitHub repository URL. SecOSS fetches all YAML files from .github/workflows/ and parses every uses: line.
  2. Each action tag (e.g. actions/checkout@v4) is resolved to its current commit SHA via the GitHub API.
  3. Results show which tags are SHA-pinned (safe), unpinned (mutable risk), or drifted (SHA changed since last scan).
  4. Run again later — if any SHA has changed since your previous scan, it is flagged CRITICAL as a possible supply chain attack.

What this scans

  • All .github/workflows/*.yml files
  • Every uses: owner/repo@tag reference
  • Resolves each tag to its current commit SHA
  • Detects tag drift — the TeamPCP/Trivy attack vector
  • Flags unpinned tags (mutable refs)
  • Suggests exact SHA pins for every unpinned action
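The check the steps and the list above describe, as an added Python example that is not SecOSS's own code: it parses every remote uses: reference out of a workflow file, separates SHA-pinned refs from mutable tags, resolves mutable tags, and compares the result with a previous scan to flag drift and suggest an exact pin. The workflow text, the SHAs and the resolver below are constructed stand-ins; the resolver takes the place of the GitHub API lookup.

```python
import re
from typing import Callable, Dict, List, Tuple

# "uses: owner/repo[/path]@ref"; local (./...) and docker:// refs carry no "@" and are skipped.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@([\w./-]+)["\']?', re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # a full commit SHA is the only immutable ref

def parse_uses(workflow_yaml: str) -> List[Tuple[str, str]]:
    """Return (action, ref) pairs for every remote uses: line in a workflow file."""
    return USES_RE.findall(workflow_yaml)

def classify(action: str, ref: str, resolved_sha: str, previous: Dict[str, str]) -> str:
    """PINNED: ref is a SHA. CRITICAL_DRIFT: mutable tag now resolves differently than last scan."""
    if SHA_RE.match(ref):
        return "PINNED"
    prior = previous.get(f"{action}@{ref}")
    if prior is not None and prior != resolved_sha:
        return "CRITICAL_DRIFT"
    return "UNPINNED"

def scan(workflow_yaml: str, resolver: Callable[[str, str], str], previous: Dict[str, str]) -> List[dict]:
    """Scan one workflow; `resolver(action, ref)` returns the commit SHA the tag points at today."""
    findings = []
    for action, ref in parse_uses(workflow_yaml):
        sha = ref if SHA_RE.match(ref) else resolver(action, ref)
        findings.append({"uses": f"{action}@{ref}", "sha": sha,
                         "status": classify(action, ref, sha, previous),
                         "pin": f"{action}@{sha} # {ref}"})  # suggested immutable pin
    return findings

def snapshot(findings: List[dict]) -> Dict[str, str]:
    """Store this scan's resolved SHAs so the next run can detect drift."""
    return {f["uses"]: f["sha"] for f in findings}

# Constructed sample workflow and SHAs (not real commits).
SAMPLE_WORKFLOW = """
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@1111111111111111111111111111111111111111
      - uses: aquasecurity/trivy-action@master
      - uses: ./.github/actions/local
"""
FAKE_RESOLUTION = {("actions/checkout", "v4"): "a" * 40, ("aquasecurity/trivy-action", "master"): "c" * 40}
PREVIOUS_SCAN = {"actions/checkout@v4": "a" * 40, "aquasecurity/trivy-action@master": "b" * 40}

if __name__ == "__main__":
    for f in scan(SAMPLE_WORKFLOW, lambda a, r: FAKE_RESOLUTION[(a, r)], PREVIOUS_SCAN):
        print(f["status"], f["uses"], "->", f["pin"])
```

With the constructed inputs, the trivy-action tag resolved to a different SHA than the stored snapshot and is reported as CRITICAL_DRIFT, while checkout is merely UNPINNED and setup-node is PINNED.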