I put together a little tool for people (it’s me, I’m people) that helps identify GitHub actions in use across the organisation.

It’s currently early days and I’m planning to expand it, but at the moment it:
- runs across either a single repository or an entire GitHub Org
- provides a list of actions in use per repo as well as a list of the most commonly used ones (currently this list isn’t perfect; I am working on improving this)
- can be run as a GitHub Action that enforces a deny or allow list of actions

Coming up:
- integration with GitHub Security Scanning API
- GitHub App
- static analysis for actions quality and safety
- analysis of action pinning and enforcement (similar to ratchet)
- a potential blacklist of malicious versions
- maybe some cool stuff around immutable actions.
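A minimal sketch of the inventory plus allow/deny and pinning check the post describes, added here as an example and not the author's tool. It scans `uses:` lines with a regex rather than a YAML parser, and the workflow contents, repo names and the 40-character SHA are constructed samples.

```python
import re
from collections import Counter

# Constructed sample workflow files, keyed by "owner/repo/path" (not real repos).
WORKFLOWS = {
    "org/api/.github/workflows/ci.yml": """
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v3
      - uses: ./.github/actions/local-build
      - uses: docker://alpine:3.19
""",
    "org/web/.github/workflows/deploy.yml": """
jobs:
  deploy:
    steps:
      - uses: actions/checkout@v4
      - uses: some-vendor/deploy-action@main
""",
}

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # a full commit SHA counts as pinned

def parse_uses(text):
    """Return (action, ref) pairs; local and docker refs have ref=None."""
    out = []
    for m in USES_RE.finditer(text):
        spec = m.group(1)
        if spec.startswith("./") or spec.startswith("docker://"):
            out.append((spec, None))
            continue
        action, _, ref = spec.partition("@")
        out.append((action, ref or None))
    return out

def inventory(workflows):
    """Per-repo action lists plus an org-wide usage count of each action."""
    per_repo, counts = {}, Counter()
    for path, text in workflows.items():
        repo = "/".join(path.split("/")[:2])
        actions = parse_uses(text)
        per_repo.setdefault(repo, []).extend(actions)
        counts.update(a for a, _ in actions)
    return per_repo, counts

def check_policy(workflows, allow=None, deny=(), require_sha=False):
    """Findings as (repo, action, reason); allow/deny match owner or owner/name."""
    findings = []
    per_repo, _ = inventory(workflows)
    for repo, actions in per_repo.items():
        for action, ref in actions:
            if ref is None:  # local or docker reference, no marketplace version
                continue
            owner = action.split("/")[0]
            if action in deny or owner in deny:
                findings.append((repo, action, "denied"))
            elif allow is not None and action not in allow and owner not in allow:
                findings.append((repo, action, "not on allow list"))
            if require_sha and not SHA_RE.match(ref):
                findings.append((repo, action, "unpinned ref " + ref))
    return findings
```

Running it with `allow=("actions",)` and `require_sha=True` flags the unpinned `@v4` and `@main` refs and the vendor action that is not on the allow list, while local and docker references are skipped.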