Free public-repository check

See where your GitHub Actions need security maintenance.

Paste a public GitHub repository. TaskBounty reviews its workflow configuration and returns a practical maintenance report in under a minute. No install or email required.

Public data only. No workflows are triggered. Sensitive candidates are never published.

Need to check private repositories?

The free check is public-repos only. For private repos we run a confidential review — your choice of method.

What the check covers

Third-party action versions

Actions referenced by a tag or branch that can change over time, and whether they should be pinned to a fixed commit.

Workflow token permissions

Whether workflows grant only the access they need, instead of broad write scope.

Update automation

Whether Dependabot or Renovate is set up to keep pinned actions current.

Items for private review

Patterns whose security implications depend on context. We never publish these; we review them privately with the owner.
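An added example (not TaskBounty's code) of how the first three checks above can be approximated over raw workflow text: it flags `uses:` references that are not pinned to a full commit SHA, classifies the top-level `permissions:` block, and looks for a github-actions entry in a Dependabot config. The `SAMPLE` workflow and its commit SHA are constructed for this example, not taken from any repository.

```python
import re
# Added example (not TaskBounty's code): regex checks for the workflow
# properties listed above; job-level permissions blocks are not examined.
# SAMPLE below is a constructed workflow and its commit SHA is a placeholder.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")

def unpinned_actions(workflow):
    """Return uses: refs not pinned to a full 40-hex commit SHA (local and docker refs skipped)."""
    found = []
    for line in workflow.splitlines():
        m = USES_RE.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue
        _, _, version = m.group(1).partition("@")
        if not re.fullmatch(r"[0-9a-f]{40}", version):
            found.append(m.group(1))
    return found

def token_permissions(workflow):
    """Classify the top-level permissions: 'missing' (repository default applies,
    which may be write), 'write-all', or 'scoped' plus the scopes granted write."""
    lines = workflow.splitlines()
    for i, line in enumerate(lines):
        if not line.startswith("permissions:"):
            continue
        value = line.split(":", 1)[1].strip()
        if value == "write-all":
            return "write-all", []
        writes = re.findall(r"([\w-]+):\s*write\b", value)  # flow style {x: write}
        for sub in lines[i + 1:]:
            if sub.strip() and not sub.startswith(" "):
                break  # back at column 0: the permissions block has ended
            writes += re.findall(r"^\s+([\w-]+):\s*write\b", sub)
        return "scoped", writes
    return "missing", []

def has_actions_updates(dependabot):
    """True if dependabot.yml text declares a github-actions update entry."""
    return bool(re.search(r"package-ecosystem:\s*['\"]?github-actions", dependabot))

SAMPLE = """\
permissions:
  contents: read
  packages: write
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
"""
```

Running the three functions over `SAMPLE` reports the tag-pinned checkout step, a scoped token with write access to packages, and (given a Dependabot file without a github-actions entry) no update automation.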

What you receive

  • A plain-language summary of what was reviewed.
  • Maintenance candidates grouped by category, with the evidence we observed.
  • Clear labels: observed fact, candidate to review, or recommended practice. Nothing is called a confirmed vulnerability.
  • A shareable report link. Reports are unlisted by default.

What TaskBounty can fix

After you authorize a deeper review, we confirm the scope, privately review any sensitive candidates, and propose focused changes as reviewable pull requests for your approval. We can also keep the resulting security-update PRs maintained over time. Nothing is opened or changed automatically. See Security Hardening for the service, and the methodology for our safety boundaries.