Comment by nyell

4 days ago

I am building "Scharf", a blazing-fast security scanner for reporting and hardening third-party GitHub actions.

For whoever is aware of the recent `tj-actions/changed-files` security incident, I built a mutable-reference scanner that performs a deep scan across branches to identify all third-party GitHub actions used in organization Git projects. The output report can be exported to CSV or JSON (default).

Using mutable references (version tags, main/master/dev etc.) is a security vulnerability that can result in supply-chain attacks.

Project link:

https://github.com/cybrota/scharf
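To make the "mutable reference" check concrete, here is a small added example (not code from scharf or the commenter) that classifies every `uses:` entry in a workflow file as an immutable commit SHA or a mutable tag/branch and emits a JSON report of the mutable ones. The workflow text is constructed for the example; a real scan would read `.github/workflows/*.yml` across branches instead.

```python
import json
import re
from dataclasses import dataclass, asdict

# Constructed sample workflow: one SHA-pinned step, several mutable references.
WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@main
      - uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3.8.2
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

# `uses:` entries (step or reusable workflow), optionally quoted, up to whitespace or '#'.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)', re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")                        # full commit SHA: immutable
TAG_RE = re.compile(r"^v?\d+(\.\d+)*([-.][0-9A-Za-z.]+)?$")  # v4, 3.8.2, v1.2.0-rc1

@dataclass
class ActionRef:
    action: str    # owner/repo[/path], local path, or docker:// image
    ref: str       # text after '@' ("" when absent)
    kind: str      # sha | tag | branch | local | docker | missing
    mutable: bool  # True if what the ref resolves to can change without editing the workflow

def classify(uses: str) -> ActionRef:
    if uses.startswith("./"):
        return ActionRef(uses, "", "local", False)  # code lives in this repo
    if uses.startswith("docker://"):
        return ActionRef(uses, "", "docker", "@sha256:" not in uses)  # image tags can be re-pushed
    action, _, ref = uses.partition("@")
    if not ref:
        return ActionRef(action, ref, "missing", True)
    if SHA_RE.match(ref):
        return ActionRef(action, ref, "sha", False)
    if TAG_RE.match(ref):
        return ActionRef(action, ref, "tag", True)  # a version tag can be moved to a new commit
    return ActionRef(action, ref, "branch", True)

def scan_workflow(text: str) -> list[ActionRef]:
    return [classify(m.group(1)) for m in USES_RE.finditer(text)]

def report(refs: list[ActionRef]) -> str:  # JSON report of the mutable references only
    return json.dumps([asdict(r) for r in refs if r.mutable], indent=2)

print(report(scan_workflow(WORKFLOW)))
```

The fix for each reported entry is to replace the tag or branch with the full 40-character commit SHA and keep the version as a trailing comment, as the `setup-node` line above does.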