Actions secrets get printed to logs all the time. Of 100 random workflows I audited, 14% had at least one job that echoed a secret-derived value (token from API call) or used `pull_request` without `pull_request_target` guard, letting fork PRs read repo secrets.
`echo $TOKEN` debug lines, npm auth tokens leaked via `pull_request` from forks, GitHub PATs with overscoped permissions on `workflow_dispatch` endpoints. The auditor finds Actions workflows leaking secrets to logs, unprotected pull-request triggers, and untrusted action versions. Bots are scraping for misconfigurations of this exact class continuously. The cost of a breach is your customer trust plus (often) regulatory disclosure. The cost of an audit is $99.
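As an added illustration of the three finding classes named above (this is example code written for this page, not the auditor's own source), here is a line-level heuristic scan of a workflow file run over a constructed sample that exhibits all three. It assumes the plain `key: ${{ secrets.X }}` env form and a block-style `on:` trigger; inline `on: [...]` lists and expressions assembled across lines are not handled.

```python
import re

# Constructed sample workflow (not taken from any real repository) that
# echoes secrets, runs pull_request_target on the PR head, and uses unpinned actions.
SAMPLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: some-org/some-action@main
      - name: debug
        env:
          TOKEN: ${{ secrets.NPM_TOKEN }}
        run: echo "token is $TOKEN"
      - run: echo "${{ secrets.API_KEY }}" | base64
"""

SHA_PIN = re.compile(r"@[0-9a-f]{40}$")  # only a full commit SHA counts as pinned


def audit_workflow(text):
    """Return (line_no, message) tuples for the three misconfiguration classes."""
    lines = text.splitlines()
    findings = []
    secret_envs = set()  # env var names assigned from ${{ secrets.* }}
    pr_target = next((n for n, l in enumerate(lines, 1)
                      if l.strip().startswith("pull_request_target")), None)
    # pull_request_target runs with repo secrets; checking out the PR head there
    # lets fork-controlled code execute with those secrets in scope.
    if pr_target and any("pull_request.head" in l for l in lines):
        findings.append((pr_target, "pull_request_target checks out the PR head with secrets in scope"))
    for n, line in enumerate(lines, 1):
        s = line.strip()
        m = re.match(r"([A-Za-z_]\w*):\s*\$\{\{\s*secrets\.", s)
        if m:
            secret_envs.add(m.group(1))
        if s.startswith(("uses:", "- uses:")):
            ref = s.split("uses:", 1)[1].strip()
            if not SHA_PIN.search(ref):
                findings.append((n, f"action not pinned to a commit SHA: {ref}"))
        if "run:" in s and "echo" in s:
            # either a secrets.* expression or an env var derived from one is echoed
            if "secrets." in s or any(re.search(rf"\$\{{?{v}\b", s) for v in secret_envs):
                findings.append((n, "secret-derived value echoed to the job log"))
    return findings


if __name__ == "__main__":
    for line_no, msg in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {msg}")
```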
I've shipped open-source security auditors for Supabase, PocketBase, Appwrite, Hasura, Firebase. Each is MIT-licensed. The GitHub Actions Secrets auditor follows the same playbook: active probe, not metadata inference. Source on GitHub.
What credentials do you need? The minimum read-only set required to enumerate the misconfiguration class. Specifics depend on stack — for Stripe webhooks, your webhook endpoint URL + signing secret (read-only); for S3, an IAM key with s3:ListAllMyBuckets + s3:GetBucketPolicy; for GitHub Actions, a PAT with repo:read.
Will you keep the credentials? No. Used only for the audit run. Deleted from my machine after delivery. Rotate after if you want.
What if you find nothing? Money-back. I've never run this on a project that's been live more than 6 months and found zero issues, but if it happens to you, you don't pay.
I'd rather just use the open-source tool. Go ahead — https://github.com/Perufitlife/github-actions-security. The $99 saves you the install + interpretation + writing the executive summary for your team.