What it analyzes:
- Action pinning: Are Actions pinned to a full commit SHA, or referenced by mutable tags (e.g., @v3 vs. @abc123)?
- Dependency tree: For each Action used, transitively resolve its dependencies (Actions that themselves call other Actions)
- Permissions: Does the workflow request more permissions than it needs? (permissions: write-all is a red flag)
- Secrets exposure: Which steps can read secrets? Are any secrets passed as inputs to third-party Actions?
- Outgoing network: Flag Actions known to make outbound network connections (based on a curated list plus heuristic analysis of each Action's source)
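The first, third and fourth checks above (pinning, over-broad permissions, secrets reaching third-party Actions) can be demonstrated with a small line-oriented scanner. The following is an added example written for this page, not the tool's own code. It works on the raw workflow text with regular expressions rather than a YAML parser so it runs without extra dependencies, treats the `actions/` and `github/` namespaces as first-party (an assumption), and uses a constructed sample workflow whose 40-hex commit reference is a placeholder, not a real SHA.

```python
import re

# Constructed sample workflow for demonstration; not taken from any real repository.
# The 40-hex value below is a placeholder standing in for a real commit SHA.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - name: Publish package
        uses: example-org/publish-action@main
        with:
          token: ${{ secrets.NPM_TOKEN }}
      - run: npm test
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")                 # full commit SHA: immutable
TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")                # version tag such as v4 or v4.1.0: mutable
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)")  # 'uses:' either opening a step or inside one
STEP_START_RE = re.compile(r"^\s*-\s")                 # a new list item under steps:
PERMS_RE = re.compile(r"^\s*permissions:\s*(\S+)")     # inline form, e.g. 'permissions: write-all'
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")

# Assumption: these publishers are treated as first-party; everything else is third-party.
FIRST_PARTY_PREFIXES = ("actions/", "github/")


def classify_ref(uses):
    """Classify the ref part of an 'owner/repo@ref' reference."""
    if uses.startswith(("./", "docker://")):
        return "local-or-docker"
    if "@" not in uses:
        return "unpinned"
    ref = uses.rsplit("@", 1)[1]
    if SHA_RE.match(ref):
        return "sha"
    if TAG_RE.match(ref):
        return "tag"
    return "branch"


def is_third_party(uses):
    return classify_ref(uses) != "local-or-docker" and not uses.startswith(FIRST_PARTY_PREFIXES)


def analyze(workflow_text):
    """Return (severity, line_number, message) findings for a workflow's text."""
    findings = []
    current_action = None  # the Action the step currently being read delegates to, if any
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = PERMS_RE.match(line)
        if m and m.group(1) == "write-all":
            findings.append(("high", lineno,
                             "permissions: write-all grants every scope; declare a minimal permissions block"))
        if STEP_START_RE.match(line):
            current_action = None  # a new step starts; forget the previous step's Action
        m = USES_RE.match(line)
        if m:
            current_action = m.group(1)
            kind = classify_ref(current_action)
            if kind in ("tag", "branch", "unpinned"):
                findings.append(("medium", lineno,
                                 f"{current_action} uses a mutable ref ({kind}); pin to a commit SHA"))
            continue
        for secret in SECRET_RE.findall(line):
            if current_action and is_third_party(current_action):
                findings.append(("high", lineno,
                                 f"secrets.{secret} is passed to third-party Action {current_action}"))
    return findings


if __name__ == "__main__":
    for severity, lineno, message in analyze(SAMPLE_WORKFLOW):
        print(f"[{severity}] line {lineno}: {message}")
```

Run on the sample, the scanner reports the write-all permissions line, the two mutable references (checkout@v4 and publish-action@main) and the NPM_TOKEN secret handed to the third-party publish Action, while the SHA-pinned setup-node step passes. A real implementation would parse the YAML properly and also handle the block form of permissions (per-scope entries) and reusable-workflow calls, which this line scanner does not.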