This study addresses the vulnerability of GitHub Actions workflows to software supply chain attacks and the lack of standardized evaluation criteria for existing security scanners. It presents the first comprehensive taxonomy encompassing ten categories of security weaknesses and conducts a systematic, cross-tool evaluation of nine widely used scanners based on a dataset of 596 real-world workflows. Employing both quantitative and qualitative methodologies, the research analyzes each tool’s detection coverage, capability, and usability. The findings reveal significant disparities among the tools in terms of breadth of coverage and underlying detection logic. Building on these insights, the work offers practical hardening recommendations for developers and provides empirical evidence to support the enhancement of CI/CD pipeline security.

GitHub Actions is a widely used platform that allows developers to automate the build and deployment of their projects through configurable workflows. As the platform's popularity continues to grow, it has become a target of choice for recent software supply chain attacks. These attacks exploit excessive permissions, ambiguous versions, or the absence of artifact integrity checks to compromise workflows. In response to these attacks, several security scanners have emerged to help developers harden their workflows. In this paper, we perform the first systematic comparison of 9 GitHub Actions workflow security scanners. We compare them in terms of scope (which security weaknesses they target), detection capabilities (how many weaknesses they detect), and usability (how long they take to scan a workflow). To compare scanners on a common ground, we first establish a taxonomy of 10 security weaknesses that can occur in GitHub Actions workflows. Then, we run the scanners against a curated set of 596 workflows. Our study reveals that the landscape of GitHub Actions workflow security scanners is diverse, with both broad-scope tools and very focused ones. More importantly, we show that scanners interpret security weaknesses differently, leading to significant differences in the type and number of reported weaknesses. Based on this empirical evidence, we make actionable recommendations for developers to harden their GitHub Actions workflows.