v1vu1nz

The GitHub Action

CI/CD & package security in 30 seconds.

Drop one workflow file into any repo. On every push and PR, vu1nz scans your workflows for 17 CI/CD vulnerabilities and sweeps any newly added npm / pip / cargo / gem / go.mod / composer package for malware. PR comment in seconds.

Start 14-day free trialView source on GitHub

Quick start

Paste & push.

Create .github/workflows/security.yml with this content and push. The next PR triggers your first scan.

.github/workflows/security.yml
# .github/workflows/security.yml
name: vu1nz Security Scan

on:
  push:
    branches: [main, master]
  pull_request:

jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: profullstack/vu1nz-gh-actions/.github/actions/vu1nz-actions-scan@v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          license_key: ${{ secrets.VU1NZ_LICENSE }}
          scan_packages: true
          fail_on: high

Optional

Add Claude AI code review.

Set ANTHROPIC_API_KEY in repo secrets and pass it to the action. Claude reviews each workflow for business-logic issues and over-provisioned tokens that the deterministic checks miss.

security.yml (with AI review)
# Optional: Claude AI code review
- uses: profullstack/vu1nz-gh-actions/.github/actions/vu1nz-actions-scan@v1
  with:
    token:          ${{ secrets.GITHUB_TOKEN }}
    license_key:    ${{ secrets.VU1NZ_LICENSE }}
    claude_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
    fail_on: high

The checks

17 deterministic checks. Mapped to CWE.

Every finding includes a CWE reference and a one-line remediation. Set fail_on to block merges at the severity you choose.

Critical

3 checks
CWE-77
Script injection via GitHub context

${{ github.event.* }} interpolated into run: commands — attackers inject via PR title or branch name.

CWE-269
pull_request_target + PR HEAD checkout

Running PR code with full repo token — the most dangerous workflow pattern.

CWE-200
Secrets inlined in run commands

${{ secrets.* }} interpolated directly into shell — leaks in logs and process listings.

High

7 checks
CWE-829
Unpinned third-party actions

Actions referenced by tag or short SHA instead of a full 40-character commit hash.

CWE-269
pull_request_target trigger used

Risky trigger that runs with full token — must be necessary and tightly scoped.

CWE-200
Secrets exposed to PR context

PR workflows with access to secrets — forks can steal them.

CWE-77
Matrix variable injection

${{ matrix.* }} in run: — attacker-controlled matrix values can inject.

CWE-269
Default checkout on pull_request_target

Default checkout on PR target checks PR's HEAD instead of the base branch.

CWE-732
Deployment without required reviewers

environment: defined without protection rules.

CWE-77
Expression injection in script

Any ${{ }} expression in run: blocks — potential injection vector.

Medium

6 checks
CWE-829
Unpinned Docker images

Container images referenced by tag, not digest (tags are mutable).

CWE-272
permissions: write-all

Violates least privilege — token has more power than the job needs.

CWE-829
Untrusted reusable workflow calls

Reusable workflows referenced from external repos by short SHA.

CWE-494
Upload/download artifact mismatch

Artifacts passed between jobs without integrity validation.

CWE-668
Self-hosted runners

Self-hosted runners can execute code on your infrastructure — audit required.

CWE-306
Deploy on push to main

Direct push to main deploys without PR or CI gating.

Low

1 check
CWE-272
Missing top-level permissions

No permissions: block — defaults may be too permissive.

FAQ

Common questions.

How long does it take to set up?
About 30 seconds. Paste a 6-line job into any workflow file, commit it, push. The action installs vu1nz, scans your workflows AND any newly added packages on the next PR, and posts a comment.
Does it work on private repos?
Yes. The action uses the standard GITHUB_TOKEN to read workflows in private repos. For org-wide scanning, see the enterprise plan.
Will it slow down my CI?
No. The deterministic scanners complete in seconds. The optional Claude AI review takes under a minute. The action only runs on push and pull_request — not on every job.
What gets sent to Claude?
Only the workflow YAML files. No source code, no secrets, no environment data. Claude review is opt-in by setting the claude_api_key input.
How does it compare to GitHub CodeQL?
CodeQL scans your application code. vu1nz scans the workflow files themselves AND brand-new packages added in your PR diff — the surfaces every recent supply-chain attack actually used.
Is it free?
14-day free trial per GitHub org, no credit card. Then $100/month per org. The underlying CLI scanner is MIT-licensed and free forever. Cloud/Enterprise add a hosted dashboard.

Ready?

Ship safer today.

Free 14 days. No card. Cancel anytime. MIT-licensed source you can audit.

Start free trial View source