Security scanner for GitHub Actions workflows. Catches supply chain attacks, script injection, and privilege escalation inline as you edit.
| Check | Severity | Example |
|---|---|---|
| Unpinned actions | Critical | `uses: actions/checkout@v4` → pin to the full 40-character commit SHA |
| Script injection | Critical | `run: echo ${{ github.event.issue.title }}` → pass the value through an `env:` variable instead |
| Pwn request | Critical | `pull_request_target` + checkout of the PR head (`ref: ${{ github.event.pull_request.head.sha }}`) |
| Workflow_run injection | Critical | Artifact download in a `workflow_run` job without a branch guard |
| Broad permissions | High | `permissions: write-all` |
| Missing permissions | High | No top-level `permissions:` block, so the token falls back to the repository default |
Opens automatically for any file in .github/workflows/. Issues appear in the Problems panel with inline squiggles.
Commands (Ctrl+Shift+P):
- Workflow Hardener: Scan Current File
- Workflow Hardener: Scan All Workflows in Workspace
Click the lightbulb on any flagged line to:
- View the recommended fix
- Suppress the check inline with a `# hardener:ignore:<check>` comment
```json
{
  "workflowHardener.enabled": true,
  "workflowHardener.severityFilter": "all"
}
```
`severityFilter` options: `all`, `critical`, `high`, `medium`, `low`.
Pairs with the gh-workflow-hardener CLI for use in CI pipelines.
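What the checks in the table actually look for, as an added example rather than the extension's or the CLI's own code: a standard-library Python scanner run over constructed vulnerable and hardened workflows. The check names and severities are the page's; everything else is an assumption made here: the list of contributor-controlled contexts (`github.event.*`, `github.head_ref`), the line-based approximation of YAML structure, treating a reference to `github.event.workflow_run.head_branch` as the branch guard, and the 40-hex refs in the samples, which are placeholders rather than real commits.

```python
# Added illustration of the six checks in the table above, not the extension's
# or the CLI's code: check names and severities are the page's; the regexes,
# heuristics and sample workflows are constructed here.  Standard library only,
# no YAML parser, so findings carry the 1-based line an editor would squiggle.
import re

USES = re.compile(r'^\s*-?\s*uses:\s*([^\s#@]+)@([^\s#]+)')
SHA40 = re.compile(r'^[0-9a-f]{40}$')
# Expression contexts an outside contributor controls (assumed list).  Expanding
# them in a run: script is injection: substitution happens before the shell
# parses the script, so quoting inside the script cannot help.
UNTRUSTED = re.compile(
    r'\$\{\{\s*github\.(event\.(issue|pull_request|comment|review|review_comment'
    r'|discussion|head_commit|commits|workflow_run)\b[^}]*|head_ref)\s*\}\}')
RUN_BLOCK = re.compile(r'^(\s*)-?\s*run:\s*[|>]')   # opens a multi-line script
RUN_INLINE = re.compile(r'^\s*-?\s*run:\s*(.+)$')
TRIGGER = re.compile(r'^\s*(?:-\s*)?(pull_request_target|workflow_run)\s*:?\s*(#.*)?$')
PR_HEAD_REF = re.compile(r'\bref:\s*.*github\.event\.pull_request\.head')
BRANCH_GUARD = re.compile(r'github\.event\.workflow_run\.head_branch')  # assumed guard
DOWNLOAD = re.compile(r'download-?artifact', re.I)


def scan(workflow):
    """Return (line, check, severity) tuples sorted by line; [] means clean."""
    findings, triggers = [], set()
    run_indent = None        # indent of the run: | line while inside its body
    top_permissions = guarded = False
    pr_head_line = download_line = None
    for no, line in enumerate(workflow.splitlines(), 1):
        ind = len(line) - len(line.lstrip(' '))
        if run_indent is not None and line.strip() and ind <= run_indent:
            run_indent = None                     # dedent: script body ended
        if run_indent is not None:                # inside the script body
            if UNTRUSTED.search(line):
                findings.append((no, 'Script injection', 'Critical'))
            continue
        if m := RUN_BLOCK.match(line):
            run_indent = len(m.group(1))
            continue
        if (m := RUN_INLINE.match(line)) and UNTRUSTED.search(m.group(1)):
            findings.append((no, 'Script injection', 'Critical'))
        if (m := USES.match(line)) and not SHA40.match(m.group(2)):
            findings.append((no, 'Unpinned actions', 'Critical'))
        if m := TRIGGER.match(line):
            triggers.add(m.group(1))
        if re.match(r'^permissions\s*:', line):   # column 0, i.e. top level
            top_permissions = True
        if re.match(r'^\s*permissions\s*:\s*write-all\b', line):
            findings.append((no, 'Broad permissions', 'High'))
        if PR_HEAD_REF.search(line):
            pr_head_line = no
        if DOWNLOAD.search(line) and download_line is None:
            download_line = no
        if BRANCH_GUARD.search(line):
            guarded = True
    if not top_permissions:
        findings.append((1, 'Missing permissions', 'High'))
    if 'pull_request_target' in triggers and pr_head_line:
        findings.append((pr_head_line, 'Pwn request', 'Critical'))
    if 'workflow_run' in triggers and download_line and not guarded:
        findings.append((download_line, 'Workflow_run injection', 'Critical'))
    return sorted(findings)


# Constructed samples.  The 40-hex refs are placeholders, not real commits.
VULNERABLE = """\
on:
  pull_request_target:
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: |
          echo "Title: ${{ github.event.pull_request.title }}"
      - run: echo "${{ github.head_ref }}"
"""
HARDENED = """\
on:
  pull_request_target:
permissions:
  contents: read
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "Title: $TITLE"
"""
WORKFLOW_RUN = """\
on:
  workflow_run:
    workflows: [CI]
permissions:
  contents: read
jobs:
  comment:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@0123456789abcdef0123456789abcdef01234567
"""
```

`scan(VULNERABLE)` reports all of the missing permissions block, the unpinned `checkout@v4`, the pwn-request checkout of the PR head, and both script injections (one inside a `run: |` block, one inline), while `scan(HARDENED)` returns nothing because the untrusted title reaches the shell only through `$TITLE`. `scan(WORKFLOW_RUN)` flags the artifact download until an `if:` referencing `github.event.workflow_run.head_branch` is added to the job. A real scanner would parse the YAML properly; the indentation tracking here is only enough to tell a `run:` script body from the surrounding step keys.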