GitHub Actions Audit

Name: GitHub Actions Audit
Author: UnbearableDev

UnbearableDev/github-actions-audit

Let your agent scan GitHub Actions workflows for pinning, permissions, secrets exposure, and injection risks before you merge CI changes.

Overview

io.github.UnbearableDev/github-actions-audit is a MCP server for the Ship phase that audits GitHub Actions workflows with twenty-one checks for pinning, permissions, secrets, and injection.

What is this MCP server?

21 security checks: action pinning, permissions, secrets handling, and injection patterns
Streamable-http MCP remote on Apify with secret Bearer token configuration
Purpose-built for reviewing .github/workflows without third-party SaaS dashboards
Complements manual code review when you iterate workflows from the agent
GitHub-hosted source at UnbearableDev/github-actions-audit
21 GitHub Actions workflow security checks per server description
Version 1.0.0 hosted at unbearable-dev--github-actions-audit Apify actor

Compatible agents: Claude Code, Cursor, Codex, any compatible agent

What problem does it solve?

Your GitHub Actions workflows grew organically and you are unsure whether unpinned actions, loose permissions, or script injection gaps are exposing the repo.

Who is it for?

Solo maintainers who edit workflows in the agent and want a structured security pass without standing up a separate GHA analysis tool.

Skip if: Organizations that already run enterprise policy engines on every workflow change and treat MCP audits as redundant.

What do I get? / Deliverables

Connecting the server lets your agent flag workflow security issues with explicit check coverage so you can harden YAML before merge.

Security audit output across twenty-one GitHub Actions check categories
Pinning, permissions, secrets, and injection findings tied to workflow lines
Remediation guidance your agent can apply directly in repository files

Recommended MCP Servers

1Claw Vault1clawAI/1claw-mcp

1Claw Vault exposes a stdio MCP server (@1claw/mcp) that connects AI agents to HSM-backed secret storage with just-in-ti…2 stars

1passwordCakeRepository/1Password-MCP

The 1Password MCP server lets solo builders wire service-account access into Claude Code, Cursor, or other stdio MCP hos…16 stars

402sentinel Mcpkaditang/402sentinel-mcp

402 Sentinel MCP gives solo builders and agent authors a pre-flight check before honoring x402 payment flows on Base. In…1 stars

A2adependencyinspector Mcpclauxel/a2a-dependency-inspector-mcp

A2A Dependency Inspector MCP is a hosted Clauxel server for builders shipping agent-to-agent (A2A) workflows who must pr…

A2a Governance Bridge Mcp

A2A Governance Bridge is a Model Context Protocol server that exposes governance-oriented tools for multi-agent setups: …

A2aidentitytoll Mcpclauxel/a2a-identity-toll-mcp

A2A Identity Toll MCP is a Clauxel-hosted remote MCP server that acts as an identity and policy toll booth for agent-to-…

Journey fit

Primary fit

Workflow YAML is authored in Build but security failures in Actions most often matter when you Ship and expose repos to supply-chain attacks. CI workflow hardening is a core ship-security concern for solo builders who rely on GitHub Actions for deploy and test gates.

How it compares

Workflow security audit MCP, not a general GitHub API integration or deployment orchestrator.

Common Questions / FAQ

Who is io.github.UnbearableDev/github-actions-audit for?

It is for developers who ship with GitHub Actions and want agent-assisted workflow security reviews backed by twenty-one targeted checks.

When should I use io.github.UnbearableDev/github-actions-audit?

Use it after adding third-party actions, changing permissions blocks, or embedding user input in run steps, ideally before merging to main.

How do I add io.github.UnbearableDev/github-actions-audit to my agent?

Configure the Apify MCP remote URL with a Bearer Apify token in your agent MCP settings, then invoke the audit tools against workflow file content.

GitHub Actions Audit

UnbearableDev/github-actions-audit

Let your agent scan GitHub Actions workflows for pinning, permissions, secrets exposure, and injection risks before you merge CI changes.

Overview

io.github.UnbearableDev/github-actions-audit is a MCP server for the Ship phase that audits GitHub Actions workflows with twenty-one checks for pinning, permissions, secrets, and injection.

What is this MCP server?

21 security checks: action pinning, permissions, secrets handling, and injection patterns
Streamable-http MCP remote on Apify with secret Bearer token configuration
Purpose-built for reviewing .github/workflows without third-party SaaS dashboards
Complements manual code review when you iterate workflows from the agent
GitHub-hosted source at UnbearableDev/github-actions-audit
21 GitHub Actions workflow security checks per server description
Version 1.0.0 hosted at unbearable-dev--github-actions-audit Apify actor

Compatible agents: Claude Code, Cursor, Codex, any compatible agent

What problem does it solve?

Your GitHub Actions workflows grew organically and you are unsure whether unpinned actions, loose permissions, or script injection gaps are exposing the repo.

Who is it for?

Solo maintainers who edit workflows in the agent and want a structured security pass without standing up a separate GHA analysis tool.

Skip if: Organizations that already run enterprise policy engines on every workflow change and treat MCP audits as redundant.

What do I get? / Deliverables

Connecting the server lets your agent flag workflow security issues with explicit check coverage so you can harden YAML before merge.

Security audit output across twenty-one GitHub Actions check categories
Pinning, permissions, secrets, and injection findings tied to workflow lines
Remediation guidance your agent can apply directly in repository files

Recommended MCP Servers

1Claw Vault1clawAI/1claw-mcp

1Claw Vault exposes a stdio MCP server (@1claw/mcp) that connects AI agents to HSM-backed secret storage with just-in-ti…2 stars

1passwordCakeRepository/1Password-MCP

The 1Password MCP server lets solo builders wire service-account access into Claude Code, Cursor, or other stdio MCP hos…16 stars

402sentinel Mcpkaditang/402sentinel-mcp

402 Sentinel MCP gives solo builders and agent authors a pre-flight check before honoring x402 payment flows on Base. In…1 stars

A2adependencyinspector Mcpclauxel/a2a-dependency-inspector-mcp

A2A Dependency Inspector MCP is a hosted Clauxel server for builders shipping agent-to-agent (A2A) workflows who must pr…

A2a Governance Bridge Mcp

A2A Governance Bridge is a Model Context Protocol server that exposes governance-oriented tools for multi-agent setups: …

A2aidentitytoll Mcpclauxel/a2a-identity-toll-mcp

A2A Identity Toll MCP is a Clauxel-hosted remote MCP server that acts as an identity and policy toll booth for agent-to-…

Journey fit

Primary fit

How it compares

Workflow security audit MCP, not a general GitHub API integration or deployment orchestrator.

Common Questions / FAQ

Who is io.github.UnbearableDev/github-actions-audit for?

It is for developers who ship with GitHub Actions and want agent-assisted workflow security reviews backed by twenty-one targeted checks.

When should I use io.github.UnbearableDev/github-actions-audit?

Use it after adding third-party actions, changing permissions blocks, or embedding user input in run steps, ideally before merging to main.

How do I add io.github.UnbearableDev/github-actions-audit to my agent?

Configure the Apify MCP remote URL with a Bearer Apify token in your agent MCP settings, then invoke the audit tools against workflow file content.

Overview

What is this MCP server?

What problem does it solve?

Who is it for?

What do I get? / Deliverables

Recommended MCP Servers

Journey fit

Who is io.github.UnbearableDev/github-actions-audit for?

When should I use io.github.UnbearableDev/github-actions-audit?

How do I add io.github.UnbearableDev/github-actions-audit to my agent?

This week for builders

Overview

What is this MCP server?

What problem does it solve?

Who is it for?

What do I get? / Deliverables

Recommended MCP Servers

Journey fit

Who is io.github.UnbearableDev/github-actions-audit for?

When should I use io.github.UnbearableDev/github-actions-audit?

How do I add io.github.UnbearableDev/github-actions-audit to my agent?