Stack/GitHub Actions Linter
Security & Secrets

GitHub Actions Linter

Paste a workflow file. It flags the pull_request_target plus PR-checkout RCE combo, unpinned third-party actions, write-all permissions, and shell injection from github.event inputs. Nothing is uploaded.

INPUT
OUTPUT // tesserakit-gha

Paste, then run. Findings appear here.

A preview of a Tessera pack

This browser demo runs a handful of checks client-side. The full gha pack audits every workflow for the risky triggers and permissions attackers look for. It is one of 24 job packs in Tessera, an offline toolkit that turns a repository into a single reviewable HTML report.

Every pack follows one contract: normalize, validate, generate artifacts. No services, no API keys, no network calls, nothing executed against your code.

install.ttyoffline

$ pip install tesserakit-gha

$ pipx install tesserakit-gha # isolated CLI install

$ uv tool install tesserakit-gha

$ tessera run --input . --output run

# then open run/index.html