GitHub Actions hardening

ActionPin

Install one GitHub App that scans your workflows, explains the security risk behind each finding, opens deterministic remediation PRs, and blocks unsafe workflow changes before they merge.

High-signal rules
Reviewable fix PRs
PR guardrails

Org posture dashboard for Acme Labs

Org score: 62

Open findings by severity: 2 low, 7 medium, 5 high, 1 critical

Highlighted findings:
Third-party action is not pinned to a full commit SHA (.github/workflows/release.yml)
pull_request_target combines privileged context with untrusted code (.github/workflows/triage.yml)

Repo scores:
acme-labs/app: 48
acme-labs/api: 31
acme-labs/docs: 84
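The two highlighted findings are the ones a practitioner most often has to reproduce by hand. The script below is an added example, not ActionPin's own code, showing how both rules can be checked and how the pinning fix can be generated deterministically. It is a line-oriented heuristic rather than a full YAML parser, it treats every remote action (GitHub-owned ones included) as needing a full-SHA pin, which is stricter than the finding title above, and the workflow text, the tag-to-SHA map and every SHA in it are constructed for the demonstration.

```python
import re

# A full 40-hex commit SHA; tags, branches and short SHAs are mutable or ambiguous.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# `uses:` lines, with an optional list dash and optional quoting; value ends at
# whitespace or a comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
# A pull_request_target trigger written as `on: pull_request_target`,
# `on: [..., pull_request_target]`, a list item, or a mapping key under `on:`.
PRT_RE = re.compile(r"^\s*(?:on:\s*.*?|-\s*)?\bpull_request_target\b")
# A checkout `ref:` taken from the PR head, i.e. from the untrusted contributor.
HEAD_REF_RE = re.compile(
    r"ref:\s*.*\$\{\{\s*(?:github\.event\.pull_request\.head\.(?:sha|ref)|github\.head_ref)\b"
)


def parse_uses(ref):
    """Split 'owner/repo[/path]@version' into (action, version).
    Returns None for local (./) and Docker (docker://) actions, which have no upstream ref."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return None
    action, _, version = ref.rpartition("@")
    if not action:  # no '@' at all: rpartition leaves the whole string in `version`
        return (version, None)
    return (action, version)


def find_unpinned(workflow_text):
    """Rule 1: every remote action must be pinned to a full commit SHA.
    Returns [(line_number, action, version_or_None), ...]."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        parsed = parse_uses(m.group(1))
        if parsed is None:
            continue
        action, version = parsed
        if version is None or not FULL_SHA.match(version):
            findings.append((lineno, action, version))
    return findings


def find_untrusted_checkout(workflow_text):
    """Rule 2: pull_request_target runs with the base repo's secrets and a write token;
    checking out the PR head in that job hands the privilege to untrusted code.
    Returns the line numbers of such `ref:` values, or [] when the trigger is absent."""
    lines = workflow_text.splitlines()
    if not any(PRT_RE.match(line) for line in lines):
        return []
    return [n for n, line in enumerate(lines, 1) if HEAD_REF_RE.search(line)]


def pin_workflow(workflow_text, resolved):
    """Deterministic remediation: rewrite `@tag` to `@sha  # tag` from a caller-supplied
    {(action, version): sha} map, so the same input always produces the same output.
    Refs the map cannot resolve are left untouched and remain reported by find_unpinned."""
    out = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        parsed = parse_uses(m.group(1)) if m else None
        if parsed and parsed[1] and not FULL_SHA.match(parsed[1]):
            action, version = parsed
            sha = resolved.get((action, version))
            if sha and FULL_SHA.match(sha):
                line = line.replace(f"{action}@{version}", f"{action}@{sha}  # {version}", 1)
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed workflow for the demonstration; not taken from any real repository.
SAMPLE_TRIAGE = """\
name: triage
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: some-org/labeler@main
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # v4 (constructed SHA)
"""

# Constructed tag-to-SHA map standing in for a `git ls-remote` lookup; the SHA is not real.
RESOLVED = {
    ("actions/checkout", "v4"): "89abcdef0123456789abcdef0123456789abcdef",
}

if __name__ == "__main__":
    for n, action, ver in find_unpinned(SAMPLE_TRIAGE):
        print(f"line {n}: {action} pinned to {ver!r}, not a full commit SHA")
    for n in find_untrusted_checkout(SAMPLE_TRIAGE):
        print(f"line {n}: pull_request_target job checks out the untrusted PR head")
    print(pin_workflow(SAMPLE_TRIAGE, RESOLVED))
```

The pinning step is pure: it takes the resolved SHAs as input instead of querying the network, so running it twice on the same workflow and the same map yields byte-identical output, and running it on an already pinned file changes nothing. Unresolved refs (here `some-org/labeler@main`) are deliberately left alone rather than guessed.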