I built a static analyzer that would have caught the tj-actions supply-chain attack before it executed

Alex — Fri, 13 Mar 2026 07:50:38 +0000

CVE-2025-30066 compromised 23,000+ repositories via a simple tag reassignment. The attacker moved existing tags (v35, v44) to a malicious commit that printed CI secrets to workflow logs. No zero-day, no sophisticated exploit — just mutable Git tags and implicit trust.

The fix is well-known: pin actions to commit SHAs instead of tags. But nobody does it consistently because it's manual and tedious.

So I built PipeGuard — a CLI scanner that checks your .github/workflows/ directory for this and related issues:

Actions pinned to mutable tags instead of commit SHAs
Missing or overly broad workflow permissions (write-all, no permissions block)
Known CVEs in action dependencies
Third-party action inventory (full list of what your pipeline actually executes)

It runs entirely offline. No account, no API keys, no data leaves your machine.

pip install pipeguard-cli
pipeguard scan .github/workflows/

Real output from my own repo:

error  sha-pinning   actions/checkout pinned to 'v4' instead of commit SHA
error  sha-pinning   shivammathur/setup-php pinned to 'v2' instead of commit SHA
error  permissions-missing   no top-level permissions block found
warning  supply-chain  shivammathur/setup-php — unverified publisher

I also wrote a technical breakdown of how the tj-actions attack worked step by step if that's useful context: https://alex-jung.org/blog/github-actions/tj-actions-supply-chain-attack/

Repo: https://github.com/alex-jung/pipeguard-cli

Feedback welcome — especially on false positives and missed cases.

Forem: Alex

I built a static analyzer that would have caught the tj-actions supply-chain attack before it executed