GitHub Actions Security Checker
Check workflow YAML before it deploys risky code.
Paste a GitHub Actions workflow. Deploylint checks token permissions, pull_request_target usage, floating third-party action refs, and whether CI actually runs lint, typecheck, tests, and
build.
Automated heuristic check. It does not execute workflows, inspect repository settings, or prove a workflow is secure.
Checks up to 80,000 characters. Large repos should use the repo scan or CI gate.
Add an advisory CI report
Wire Deploylint into GitHub Actions without blocking builds on the first run.
Scan a repo
Check package scripts, lockfiles, env files, dependency risk, and payment code.
See all tools
Follow the broader builder DevOps toolbox as it grows.