GitHub Actions Linter
Paste a workflow file. It flags the pull_request_target plus PR-checkout RCE combo, unpinned third-party actions, write-all permissions, and shell injection from github.event inputs. Nothing is uploaded.
Paste, then run. Findings appear here.
A preview of a Tessera pack
This browser demo runs a handful of checks client-side. The full gha pack audits every workflow for the risky triggers and permissions attackers look for. It is one of 24 job packs in Tessera, an offline toolkit that turns a repository into a single reviewable HTML report.
Every pack follows one contract: normalize, validate, generate artifacts. No services, no API keys, no network calls, nothing executed against your code.
$ pip install tesserakit-gha
$ pipx install tesserakit-gha # isolated CLI install
$ uv tool install tesserakit-gha
$ tessera run --input . --output run
# then open run/index.html