Methodology

The GitHub Actions Security Check is a focused public-data review, not a penetration test. Here is exactly how it works and the boundaries it operates under.

What it reviews

The check reads public GitHub Actions workflow files (.github/workflows/*.yml) plus public repository metadata and update-automation config (Dependabot or Renovate). It looks for routine maintenance candidates: third-party actions referenced by a movable tag or branch instead of a fixed commit, workflow token permissions that are broader than needed, and missing update automation.
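An added illustration of the two workflow-file candidate tests described above (this is example code written for this page, not the check's own implementation): it scans a constructed workflow for `uses:` references that point at a tag or branch rather than a full-length commit SHA, and reads the top-level `permissions:` key. It deliberately uses a line-based regular-expression scan instead of a YAML parser so it runs with no third-party dependency; the sample workflow and the 40-hex "commit" in it are constructed values, not a real repository's file.

```python
import re

# Constructed sample workflow; the 40-hex value below is a made-up SHA.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@main
      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: npm test
"""

# Matches "uses: <target>" anywhere in the file; stops at whitespace, quotes
# or a trailing "# version" comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)
# A fixed commit reference is a full-length (40 hex digit) SHA.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Top-level (column 0) permissions key, with whatever value follows it.
TOP_PERMISSIONS_RE = re.compile(r"^permissions:[ \t]*(.*)$", re.MULTILINE)


def classify_reference(target):
    """Classify one `uses:` target.

    Returns one of:
      'local'   - a path inside the repository itself (./...)
      'docker'  - a docker:// image reference
      'pinned'  - a third-party action at a full commit SHA
      'movable' - a third-party action at a tag, branch, or short ref
                  (a candidate for review, not a defect)
    """
    if target.startswith("./"):
        return "local"
    if target.startswith("docker://"):
        return "docker"
    _, _, ref = target.partition("@")
    return "pinned" if FULL_SHA_RE.match(ref) else "movable"


def find_action_references(text):
    """Return {'pinned': [(action, ref), ...], 'movable': [...]} for a workflow."""
    result = {"pinned": [], "movable": []}
    for target in USES_RE.findall(text):
        kind = classify_reference(target)
        if kind in result:
            action, _, ref = target.partition("@")
            result[kind].append((action, ref))
    return result


def check_top_level_permissions(text):
    """Summarise the workflow-level token permissions.

    'write-all' - every scope granted explicitly
    'missing'   - no workflow-level key; the repository default applies,
                  which may be broader than the jobs need
    'scoped'    - an explicit (usually read-only or per-scope) setting
    """
    match = TOP_PERMISSIONS_RE.search(text)
    if match is None:
        return "missing"
    value = match.group(1).strip()
    return "write-all" if value == "write-all" else "scoped"


def review_workflow(text):
    """Combine both tests into one report dictionary."""
    report = find_action_references(text)
    report["permissions"] = check_top_level_permissions(text)
    return report


if __name__ == "__main__":
    report = review_workflow(SAMPLE_WORKFLOW)
    for action, ref in report["movable"]:
        print(f"candidate: {action} referenced by movable ref '{ref}'")
    print(f"workflow permissions: {report['permissions']}")
```

Everything the script reports is a candidate in the sense the methodology uses: a tag such as `v4` may be entirely reasonable for a maintainer who trusts the upstream project, and a missing `permissions:` key only matters if the repository default is broader than the jobs need, so each item is a prompt for a human to look, not a finding by itself.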

What it does not do

It does not clone or run repository code, trigger any workflow, test credentials, or attempt access of any kind. It reads only public data through the GitHub API. It never scans a private repository unless we are explicitly authorized.

How findings are labeled

Every result is labeled as an observed fact, a candidate requiring review, or a recommended maintenance practice. Nothing is described as a confirmed vulnerability unless a human has verified it and disclosure is appropriate. A candidate is a starting point for review, not a defect.

Sensitive findings stay private

Some configuration patterns have security implications that depend on context. We never publish details of these. The public report shows only that some items require private review; we confirm them privately with the repository owner, and we ask for ownership verification before sharing specifics. The report never publishes secrets, tokens, or exploit instructions, and never ranks or scores named companies.

Reports are unlisted

A report is shareable by its link but is not publicly listed or indexed by default. We do not add badges or comment on a repository without explicit opt-in. A report can be made publicly indexable only after the repository owner approves it.