action-shield
GitHub Actions Workflow Hardening

Detection rules

Every paste is run through these 13 checks. Each rule includes the why-it-matters story and a side-by-side bad / good example.

About action-shield

On 2026-05-11, an attacker chained the pull_request_target "Pwn Request" pattern, actions/cache poisoning across the fork↔base trust boundary, and runtime memory extraction of an OIDC token from a GitHub Actions runner process to publish 84 malicious versions across 42 @tanstack/* npm packages in 6 minutes (CVE-2026-45321).

On 2026-05-19, another wave (Mini Shai-Hulud) compromised 639 versions across 323 npm packages in a 22-minute automated burst — same root cause family.

CLI scanners (zizmor, poutine, actionlint) exist. action-shield is the paste-and-scan website your team Slack actually needs after the next post-mortem drops.
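To show what one of the checks above looks like in practice, here is a minimal detector for the pull_request_target "Pwn Request" pattern. It is example code written for this page, not action-shield's own rule engine; it assumes the workflow YAML has already been loaded into a Python dict (for instance with PyYAML), and the two sample workflows at the bottom are constructed.

```python
# Added example, not action-shield's own code: a minimal "Pwn Request" check.
# It assumes the workflow YAML is already parsed into a dict (e.g. by PyYAML);
# the two sample workflows at the bottom are constructed for this example.

# Expressions that resolve to the untrusted pull-request head.
PR_HEAD_REFS = (
    "github.event.pull_request.head.sha",
    "github.event.pull_request.head.ref",
    "github.head_ref",
)

def triggers(workflow):
    """Normalise the `on:` block to a list of event names."""
    # PyYAML follows YAML 1.1, so a bare `on:` key loads as the boolean True.
    on = workflow.get("on", workflow.get(True))
    if isinstance(on, str):
        return [on]
    if isinstance(on, (list, dict)):  # iterating a dict yields its keys
        return [str(event) for event in on]
    return []

def checks_out_pr_head(step):
    """True if this step is actions/checkout pointed at the PR head."""
    if not str(step.get("uses", "")).startswith("actions/checkout"):
        return False
    ref = str((step.get("with") or {}).get("ref", ""))
    return any(expr in ref for expr in PR_HEAD_REFS)

def find_pwn_requests(workflow):
    """Return (job_id, step_index) for each checkout of the PR head inside a
    pull_request_target workflow. That job holds the base repo's write-scoped
    GITHUB_TOKEN and secrets, so any later step that executes repository
    content (npm ci, make, pytest...) runs the fork's code with them."""
    if "pull_request_target" not in triggers(workflow):
        return []
    findings = []
    for job_id, job in (workflow.get("jobs") or {}).items():
        for index, step in enumerate(job.get("steps") or []):
            if checks_out_pr_head(step):
                findings.append((job_id, index))
    return findings

# Constructed samples. BAD mirrors the vulnerable shape; GOOD uses plain
# pull_request, where fork PRs get a read-only token and no secrets.
BAD_WORKFLOW = {True: {"pull_request_target": {"types": ["opened"]}}, "jobs": {
    "build": {"steps": [{"uses": "actions/checkout@v4",
                         "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
                        {"run": "npm ci && npm test"}]}}}
GOOD_WORKFLOW = {"on": ["pull_request"], "jobs": {
    "build": {"steps": [{"uses": "actions/checkout@v4"}, {"run": "npm ci && npm test"}]}}}
```

A pull_request_target workflow that checks out the default (base) ref is not flagged, since the untrusted fork content never lands on the runner.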

Data sources

Source | URL | Refresh
GitHub Security Advisories (Actions) | api.github.com/advisories?ecosystem=actions | every 15 min
OSV.dev (GitHub Actions ecosystem) | api.osv.dev/v1/query | hourly (round-robin per action)
GitHub repo + releases | api.github.com/repos/<owner>/<repo> | every 6 hours per tracked action
GitHub repo search (discovery) | api.github.com/search/repositories?q=topic:github-actions | daily

No-mock pledge

Every numeric field on this site comes from a live HTTP fetch with a refreshed_at timestamp. No Math.random(), no hardcoded CVE arrays, no "preset" data. The only hardcoded thing is a list of names of ~50 popular actions to bootstrap the tracker; all other data is fetched at runtime. If a fetch fails the row shows ; we never fabricate.

Privacy

No signup, no cookies, no analytics. Your paste is stored as a SHA-256 hash for stats only — the YAML body is never persisted. IP addresses are SHA-256-hashed with a salt that rotates every 24 hours, used exclusively to rate-limit abuse (60 audits / hour / IP).

Open source

Self-host with git clone && npm install && npm start. Node 18+, SQLite, no external services required (a GITHUB_TOKEN is optional and only raises the GHSA poll rate from 60 to 5000 req/h).