from Hacker News

Show HN: Scharf – Find and protect your GitHub Actions from supply-chain attacks

by nyell on 3/31/25, 4:10 AM with 0 comments

Welcome to "Scharf", a blazing-fast security scanner for hardening third-party GitHub Actions that are referenced by mutable refs. Using a mutable reference (a version tag, or a branch such as main/master/dev) is a security weakness: the ref can be moved to point at different code after you adopted it, which is how supply-chain attacks through Actions happen.

The recent `tj-actions/changed-files` security incident is scary, so we built a mutable-reference scanner that performs a deep scan across branches to identify all third-party GitHub Actions used in an organization's Git repositories. The output report can be exported to CSV or JSON (the default).
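To make the "mutable reference" idea concrete, here is a small stand-alone checker written for this post; it is an added example and not Scharf's code. It walks the `uses:` lines of a workflow file and reports every action that is pinned to a tag or branch (or to nothing at all) rather than to a full commit SHA, then renders the findings as JSON or CSV. The workflow text, the organisation names, and the 40-character SHA in it are constructed placeholders.

```python
"""Flag third-party GitHub Actions referenced by a mutable ref (tag or branch)
instead of a full commit SHA. Added example, not Scharf's own code."""
import csv
import io
import json
import re

# Matches a `uses:` entry, with or without a leading list dash and quotes;
# the captured value stops at whitespace, a quote, or a trailing comment.
USES_RE = re.compile(r'^\s*(?:-\s*)?uses:\s*["\']?([^"\'\s#]+)')
# A full commit SHA (40 hex characters for SHA-1 based repositories).
SHA_RE = re.compile(r'^[0-9a-fA-F]{40}$')


def classify_ref(uses_value):
    """Return (action, ref, verdict) for one `uses:` value.

    verdict is one of:
      'local'    - in-repo action (./path), no external reference
      'pinned'   - full commit SHA or image digest, immutable
      'mutable'  - tag, branch, or image tag that can be re-pointed
      'unpinned' - no ref at all, resolves to the default branch
    """
    if uses_value.startswith('./'):
        return uses_value, None, 'local'
    if uses_value.startswith('docker://'):
        image = uses_value[len('docker://'):]
        if '@sha256:' in image:
            name, digest = image.split('@', 1)
            return name, digest, 'pinned'
        return image, None, 'mutable'   # image tags can be re-pushed
    if '@' not in uses_value:
        return uses_value, None, 'unpinned'
    action, ref = uses_value.rsplit('@', 1)
    verdict = 'pinned' if SHA_RE.match(ref) else 'mutable'
    return action, ref, verdict


def find_mutable_uses(workflow_text):
    """Scan workflow YAML text line by line; return the risky references."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        action, ref, verdict = classify_ref(match.group(1))
        if verdict in ('mutable', 'unpinned'):
            findings.append({'line': lineno, 'action': action,
                             'ref': ref, 'verdict': verdict})
    return findings


def to_json(findings):
    return json.dumps(findings, indent=2)


def to_csv(findings):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=['line', 'action', 'ref', 'verdict'])
    writer.writeheader()
    writer.writerows(findings)
    return buf.getvalue()


# Constructed sample workflow: the org names and the SHA are placeholders.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # v4 (placeholder SHA)
      - uses: example-org/example-action@main
      - uses: ./.github/actions/local-action
      - uses: docker://alpine:3.19
      - name: release
        uses: "example-org/release-action"
"""

if __name__ == '__main__':
    print(to_json(find_mutable_uses(SAMPLE_WORKFLOW)))
```

Run it as-is to see the four flagged lines (the `@v4` tag, the `@main` branch, the Docker image tag, and the action with no ref). A real scanner adds the pieces this one omits: walking every branch of every repository, parsing YAML properly instead of per-line regexes, and treating a SHA pin as only half the fix, since the version comment next to it is what lets a reviewer tell which release the SHA is supposed to be.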

Try it out!