A GitHub App that catches fork-based SHA bait-and-switch attacks in your Actions workflows.
Install on GitHub
You pin your GitHub Actions to commit SHAs for immutability. Good practice, right?
But GitHub doesn't verify that a pinned SHA actually belongs to the repository named in the uses: directive.
Because forks share a Git object store with their parent, an attacker can swap in a SHA from a malicious fork, and to a reviewer it looks like a routine version bump: the owner/repo is unchanged, and the version comment says it's a newer release.
But the SHA points to malicious code in the fork, and GitHub will happily execute it with full access to your repository's secrets.
When a pull request is opened or updated, this app checks every changed action SHA against the claimed repository. It verifies that the commit actually belongs to that repo, not merely that it resolves (fork commits resolve too, because of the shared object store).
If a SHA can’t be verified, the app posts a changes-requested review with inline comments on the suspicious lines. Add the app as a required reviewer in your branch protection rules to make this a hard merge gate.
Clean PRs get no noise: the app only speaks up when something looks wrong.
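To make the difference between "resolves" and "belongs" concrete, here is an added example (not the app's own code) that models the check offline. It assumes a toy object store and a constructed set of upstream refs with placeholder SHAs; the weak check only asks whether the SHA exists in the shared store, while the strong check walks parent links from the repo's published branches and tags, which is one way to establish that a commit is genuinely part of that repository.

```python
import re
from collections import deque
from typing import Dict, List

# Matches `uses: owner/repo[/subpath]@<40-hex sha>` as written in a workflow step.
USES_RE = re.compile(
    r"uses:\s*['\"]?(?P<repo>[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+)"
    r"(?:/[^@\s'\"]+)?@(?P<sha>[0-9a-f]{40})"
)

# Constructed placeholder SHAs (not real commits).
UP_V1 = "1" * 40
UP_V2 = "2" * 40
FORK_COMMIT = "f" * 40

# Constructed model of the shared object store: SHA -> parent SHAs.
# The fork-only commit is present here too, which is why a plain lookup "resolves" it.
OBJECT_STORE: Dict[str, List[str]] = {
    UP_V1: [],
    UP_V2: [UP_V1],
    FORK_COMMIT: [UP_V2],  # exists only in the attacker's fork, but shares the store
}

# Constructed refs the upstream repo publishes (what `git ls-remote` would list).
UPSTREAM_REFS: Dict[str, str] = {
    "refs/heads/main": UP_V2,
    "refs/tags/v1.0.0": UP_V1,
    "refs/tags/v2.0.0": UP_V2,
}

# Constructed workflow: line 7 pins a real upstream release, line 8 the fork commit
# disguised as a newer release by its comment.
WORKFLOW = f"""\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: example/action@{UP_V2}  # v2.0.0
      - uses: example/action@{FORK_COMMIT}  # v2.1.0
"""


def resolves(sha: str, store: Dict[str, List[str]]) -> bool:
    """Weak check: does the SHA exist at all? Fork commits pass this."""
    return sha in store


def belongs_to_repo(sha: str, refs: Dict[str, str], store: Dict[str, List[str]]) -> bool:
    """Strong check: is the SHA reachable from a branch or tag the repo publishes?"""
    seen = set()
    queue = deque(refs.values())
    while queue:
        cur = queue.popleft()
        if cur == sha:
            return True
        if cur in seen:
            continue
        seen.add(cur)
        queue.extend(store.get(cur, []))
    return False


def check_workflow(text: str, refs_by_repo: Dict[str, Dict[str, str]],
                   store: Dict[str, List[str]]) -> List[dict]:
    """Run both checks on every pinned `uses:` line; returns one finding per line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.search(line)
        if not m:
            continue
        repo, sha = m.group("repo"), m.group("sha")
        refs = refs_by_repo.get(repo, {})
        findings.append({
            "line": lineno,
            "repo": repo,
            "sha": sha,
            "resolves": resolves(sha, store),
            "verified": belongs_to_repo(sha, refs, store),
        })
    return findings


if __name__ == "__main__":
    for f in check_workflow(WORKFLOW, {"example/action": UPSTREAM_REFS}, OBJECT_STORE):
        if not f["verified"]:
            # This is the kind of inline comment a reviewer bot would leave.
            print(f"line {f['line']}: {f['sha'][:12]} resolves but is not reachable "
                  f"from any branch or tag of {f['repo']}; request changes")
```

Against a real repository, the refs would come from `git ls-remote https://github.com/<owner>/<repo>` and the ancestry walk from `git fetch` followed by `git merge-base --is-ancestor <sha> <ref>` for each published ref; the logic above is the same, only the data source changes.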