ACTSENSE
Abstract
GitHub Actions powers CI/CD for millions of projects, but its flexibility often introduces hidden supply chain security risks. Complex workflows depend on multiple third-party and nested actions, making it hard to detect unpinned versions, excessive permissions, unsafe triggers, and leaked secrets, especially within transitive dependencies. Existing tools fall short: they check workflow syntax only, or depend on a vendor's hosted service, leaving teams without a clear or scalable way to audit their automation themselves.
actsense provides a local, vendor-agnostic framework to deeply audit GitHub Actions workflows and their dependencies. It statically maps all actions, including nested composite, JavaScript, and Docker actions, and performs over 30 security checks covering pinning, permissions, events, and secrets. actsense also assesses Docker images and external dependencies for issues such as unpinned or unpinnable references, giving full visibility into components that could silently change over time. The findings are presented through an interactive dependency graph that helps users trace relationships, understand impact, and triage risks quickly. By exposing the complete transitive action graph while keeping all analysis local, actsense lets teams secure their CI/CD pipelines with full transparency and without sending workflow or secret data to any third party.
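The check categories named above (pinning, permissions, events, secrets, and Docker image references) can be illustrated with a small line-oriented auditor. The following is an added example written for this page, not actsense's own code: it scans a workflow's raw YAML text with regular expressions rather than a YAML parser (so it runs offline with no dependencies), and it handles only a single workflow file, not the transitive graph of nested actions the tool builds. The `SAMPLE_WORKFLOW` string, including the 40-hex commit SHA in it, is constructed input for demonstration; the finding names (`unpinned_action`, `unsafe_trigger`, and so on) are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample workflow (not from any real repository). It mixes one
# correctly pinned action with several of the weaknesses the abstract lists.
SAMPLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7
      - uses: docker://alpine:3.19
      - uses: ./.github/actions/local-build
      - run: echo "token=${{ secrets.NPM_TOKEN }}"
"""

COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")                 # full git commit SHA
USES = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")  # the `uses:` target
WRITE_SCOPE = re.compile(r"^\s*([a-z-]+):\s*write\s*$")    # e.g. `contents: write`
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.")             # ${{ secrets.X }}
LOG_CMD = re.compile(r"\b(echo|printf|cat)\b")


@dataclass
class Finding:
    check: str   # hypothetical check name used by this example
    line: int    # 1-based line in the workflow file
    detail: str


def classify_uses(ref: str):
    """Return (check, detail) for a mutable `uses:` reference, or None if it is pinned."""
    if ref.startswith("./"):
        # Local composite action: its own `uses:` lines need a recursive audit
        # of the repository, which this single-file example does not perform.
        return None
    if ref.startswith("docker://"):
        image = ref[len("docker://"):]
        if re.search(r"@sha256:[0-9a-f]{64}$", image):
            return None
        return ("unpinned_image", f"{ref} resolves a mutable tag; pin to @sha256:<digest>")
    if "@" not in ref:
        return ("unpinned_action", f"{ref} has no ref and tracks the default branch")
    _, _, version = ref.rpartition("@")
    if COMMIT_SHA.fullmatch(version):
        return None
    return ("unpinned_action", f"{ref}: '{version}' is a movable tag or branch; pin to a commit SHA")


def audit_workflow(text: str) -> list[Finding]:
    """Run the pinning, trigger, permission and secret checks over one workflow."""
    findings: list[Finding] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]  # naive comment stripping, good enough for a demo
        m = USES.match(line)
        if m:
            hit = classify_uses(m.group(1))
            if hit:
                findings.append(Finding(hit[0], n, hit[1]))
        if "pull_request_target" in line:
            # Runs with the base repo's secrets and write token on fork PRs.
            findings.append(Finding("unsafe_trigger", n,
                                    "pull_request_target exposes secrets to fork PRs; avoid checking out PR head"))
        if re.match(r"^\s*permissions:\s*write-all\s*$", line):
            findings.append(Finding("excessive_permissions", n,
                                    "write-all grants every scope; declare only the scopes needed"))
        elif WRITE_SCOPE.match(line):
            findings.append(Finding("write_scope", n, f"{WRITE_SCOPE.match(line).group(1)}: write granted; confirm it is needed"))
        if SECRET_REF.search(line) and LOG_CMD.search(line):
            findings.append(Finding("secret_in_log", n,
                                    "secret interpolated into a command that writes to the job log"))
    return findings


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line:>3}  {f.check:<22} {f.detail}")
```

Running the block prints one finding per weak line and none for the SHA-pinned `setup-node` step or the local action. A real auditor resolves each remote reference, fetches the action's own metadata, and repeats these checks on the actions it in turn uses; that recursion over the transitive graph, and the Docker image inspection, is the part this single-file example leaves out.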