
GitHub Actions scanning analyzes third-party Actions your workflows depend on. It is not the same as Scanning with GitHub Actions, which runs Endor Labs inside a CI job on GitHub-hosted runners. Here you analyze Actions referenced in workflow files under .github/workflows/ (including subdirectories), relative to the directory you scan. Scanning those dependencies gives you visibility into supply chain risk in CI. You can detect known vulnerabilities, malware, and unsafe patterns in workflow YAML.

How Endor Labs scans your workflows

Endor Labs discovers workflow files only under .github/workflows/ relative to the directory you scan (--path, default the current directory). It walks that folder recursively and includes files with a .yml or .yaml extension. Workflow files outside that tree are not part of discovery. From those files, Endor Labs resolves each uses: reference as a GitHub Actions dependency and models each action as a package with direct and transitive dependencies. Endor Labs also evaluates workflow YAML with analytics and raises findings for risky configurations.

What Endor Labs detects

The following table summarizes the main areas. For policy names and severities, see GitHub Action policies.

Automate enforcement with action policies

Action policies determine the automated response when a GitHub Action finding matches. Examples include failing a CI check, adding a PR comment, or sending a notification. Use the GitHub Actions policy template to create action policies that target workflow-related findings. The template exposes parameters such as finding name (defaults include Unpinned direct dependency, Untrusted code checkout, and Imposter commit) and severity.
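The discovery rules described under "How Endor Labs scans your workflows" (walk .github/workflows/ recursively, keep only .yml/.yaml files, resolve each uses: reference as a dependency) and the "Unpinned direct dependency" finding named in the policy template above can be illustrated with a small stand-alone script. This is an added example, not Endor Labs' own code, and it does not reproduce the product's analytics; the sample workflows, the action names in them, and the 40-hex commit SHA are constructed for the demonstration, and only the "unpinned" check is implemented.

```python
"""Illustrative discovery of GitHub Actions workflow dependencies.

Added example (not Endor Labs code). It mirrors the discovery rules the page
describes and flags remote `uses:` references that are not pinned to a full
commit SHA, the condition behind an "Unpinned direct dependency" finding.
"""
import re
import tempfile
from pathlib import Path

# `uses:` at step level ("- uses:") or job level (reusable workflow).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)['\"]?", re.MULTILINE)
# A full 40-character lowercase hex commit SHA counts as pinned.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample files (paths relative to .github/workflows/).
SAMPLE_WORKFLOWS = {
    "ci.yml": """
name: CI
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b
      - uses: ./.github/actions/local-step
      - run: npm test
""",
    "nested/release.yaml": """
name: Release
on: release
jobs:
  publish:
    uses: example-org/shared/.github/workflows/publish.yml@main
""",
    # Wrong extension: must be ignored by discovery.
    "notes.txt": "uses: this/should-not@count\n",
}


def discover_workflows(scan_root):
    """Return workflow files under <scan_root>/.github/workflows/ (recursive),
    keeping only .yml/.yaml files, as the page describes."""
    wf_dir = Path(scan_root) / ".github" / "workflows"
    if not wf_dir.is_dir():
        return []
    return sorted(p for p in wf_dir.rglob("*")
                  if p.is_file() and p.suffix in (".yml", ".yaml"))


def extract_uses(text):
    """All `uses:` references in one workflow file, in file order."""
    return USES_RE.findall(text)


def classify_reference(ref):
    """Split a reference into (kind, name, version).

    kind is 'local' for ./path actions, 'docker' for docker:// images and
    'remote' for owner/repo[/path]@ref (actions and reusable workflows)."""
    if ref.startswith("./"):
        return ("local", ref, None)
    if ref.startswith("docker://"):
        return ("docker", ref, None)
    name, _, version = ref.partition("@")
    return ("remote", name, version or None)


def is_pinned(version):
    """True only when the reference is a full commit SHA, not a tag/branch."""
    return version is not None and bool(SHA_RE.match(version))


def analyze(scan_root):
    """Return (direct remote dependencies, unpinned-dependency findings)."""
    deps, findings = [], []
    for wf in discover_workflows(scan_root):
        for ref in extract_uses(wf.read_text()):
            kind, name, version = classify_reference(ref)
            if kind != "remote":
                continue  # local paths / docker images are not GitHub Action packages
            deps.append(name)
            if not is_pinned(version):
                findings.append({
                    "file": str(wf.relative_to(scan_root)),
                    "action": name,
                    "ref": version,
                    "finding": "Unpinned direct dependency",
                })
    return deps, findings


def run_demo():
    """Write the constructed workflows to a temp tree and analyze it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in SAMPLE_WORKFLOWS.items():
            path = root / ".github" / "workflows" / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
        # A workflow-looking file outside .github/workflows/ is not discovered.
        outside = root / "ci" / "other.yml"
        outside.parent.mkdir(parents=True)
        outside.write_text("jobs:\n  x:\n    steps:\n      - uses: ignored/action@v1\n")
        return analyze(root)


if __name__ == "__main__":
    deps, findings = run_demo()
    print("dependencies:", deps)
    for f in findings:
        print(f"{f['file']}: {f['finding']} -> {f['action']}@{f['ref']}")
```

The script treats a tag or branch such as v4 or main as unpinned because those references can be moved to different code later, which is the risk behind pinning to a full commit SHA; it also shows why discovery scope matters: the file under ci/ and the .txt file are never inspected.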

Enable GitHub Actions scanning

You can scan GitHub Actions through the Endor Labs GitHub App, Endor Labs GitHub Action, or with endorctl.

Scan GitHub Actions with GitHub App

When you install the Endor Labs GitHub App or the GitHub Enterprise Server App, enable GitHub Actions among the scanners. That schedules repository scans that include workflow dependency and posture analysis. See also Scan capabilities of the Endor Labs GitHub Apps.

Scan GitHub Actions with Endor Labs GitHub Action

In your CI workflow, pass scan_github_actions: true to the Endor Labs GitHub Action. See GitHub Action configuration parameters.

Scan GitHub Actions with endorctl

Run the following command to scan the GitHub Actions in your repository.
endorctl scan --ghactions
The flag enables GitHub Actions workflow scanning. You can combine it with other scan options as needed. The environment variable is ENDOR_SCAN_GHACTIONS. For the full CLI reference, see endorctl scan.

Limitations of GitHub Actions scanning

GitHub Actions scanning has the following limitations:
  • Endor Labs detects vulnerabilities and dependencies only for GitHub Action packages written in JavaScript or TypeScript.
  • Private GitHub Actions and private reusable workflows referenced from other repositories are not detected.
  • Test dependencies are not detected for GitHub Action packages.