DEV Community

Eliott Reich

How I added a zero-upload GitHub Actions check to a real repository

A security tool should be willing to scan itself.

I used the public eliottreich/taskbounty-check repository as the test case for a small, local GitHub Actions maintenance check. This walkthrough shows the exact command, the result, and how to keep the check in CI without sending repository data to a third party.

Scope matters: this checks GitHub Actions and CI maintenance hygiene. It is not a penetration test or a complete application security audit.

Run the real example

git clone https://github.com/eliottreich/taskbounty-check.git
cd taskbounty-check
npx -y taskbounty-check@0.1.6 . --dry-run

The published 0.1.6 package currently returns:

[dry-run] 1 repos · 2 workflow files · 0 maintenance candidates · 0 for private review
[dry-run] would write local report files only (actions-check-report.json and actions-check-report.html); nothing would be uploaded.

The --dry-run flag performs the full scan and prints the counts above, but writes no report files. Remove it to write the local HTML and JSON reports into the working directory.

What it reads

The scanner has a narrow allowlist:

  • .github/workflows/*.yml and .github/workflows/*.yaml
  • Dependabot and Renovate configuration

It checks things such as third-party action references that use a mutable ref (a tag or branch instead of a full commit SHA), workflow token permissions, and whether update automation is configured.

It does not read application source, .env files, secrets, authentication logic, payments, webhooks, or runtime behavior. It executes no repository code.

You can print the complete data boundary at any time:

npx -y taskbounty-check@0.1.6 --explain-data

The default path has no network access, uploads nothing, and has no telemetry. The package also has zero runtime dependencies. Note that the npx invocation itself still fetches the package from the npm registry before the scan starts; the no-network claim covers the scan, not the install.

Add it to CI

Add a pinned version after checkout in an existing GitHub Actions workflow:

permissions:
  contents: read

steps:
  - uses: actions/checkout@v4
  - run: npx -y taskbounty-check@0.1.6 . --github-summary --no-network

This writes a counts-only summary to the workflow run. It does not open issues, post pull-request comments, or upload source.

For GitHub Code Scanning annotations, the package can emit SARIF:

npx -y taskbounty-check@0.1.6 . --format sarif --output taskbounty.sarif

Emitting the file is only half of the step: the annotations appear once the SARIF is uploaded with the github/codeql-action/upload-sarif action, and that upload step needs security-events: write in the job's permissions alongside contents: read.

Use it from Cursor, Claude Code, or Codex

The same package exposes a local stdio MCP server:

npx -y taskbounty-check@0.1.6 mcp

An agent can call scan_repo, explain a finding, and generate a text-only fix plan. The server does not modify files or make outbound requests.

A useful bug the self-check exposed

While preparing this example, the scanner initially reported two findings in its own CI. They were false positives: a shell script contained YAML-looking test fixtures such as permissions: write-all, and the parser mistook the fixture text for live workflow configuration.

Version 0.1.6 fixes that boundary. It ignores YAML-shaped data inside block-scalar scripts while still detecting genuine live uses: and permissions: keys. Regression tests cover both cases.

That is the main reason I prefer a real-repository tutorial over a polished mock result: dogfooding found a parser bug before wider distribution.
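The two checks described under "What it reads" (mutable action references and workflow token permissions) and the block-scalar boundary that 0.1.6 fixed, as an added example in plain Node.js. This is not taskbounty-check's code and does not reproduce its parser; the finding kinds, the list of update-automation paths it looks for, and the sample repository are constructed for the example.

```javascript
// Added example, not taskbounty-check's own code: a dependency-free, line-oriented
// scan of GitHub Actions workflows for mutable `uses:` refs and `permissions: write-all`,
// plus a Dependabot/Renovate presence check. It tracks YAML block scalars (`run: |`)
// so workflow-shaped text inside a script is not reported. Names and paths are constructed.
const SHA40 = /^[0-9a-f]{40}$/;
const WORKFLOW_PATH = /^\.github\/workflows\/[^/]+\.ya?ml$/;
const UPDATE_CONFIGS = [
  '.github/dependabot.yml', '.github/dependabot.yaml',
  'renovate.json', '.github/renovate.json', '.renovaterc', '.renovaterc.json',
];

function indentOf(line) {
  return line.length - line.trimStart().length;
}

// Scan one workflow file; returns findings as {file, line, kind, detail}.
function scanWorkflow(file, text) {
  const findings = [];
  let blockKeyIndent = null; // column of the key that opened a block scalar
  text.split(/\r?\n/).forEach((line, i) => {
    const lineNo = i + 1;
    const trimmed = line.trim();
    if (blockKeyIndent !== null) {
      // Block scalar content is any blank line or line indented deeper than the key;
      // nothing in it is live workflow configuration, so skip it.
      if (trimmed === '' || indentOf(line) > blockKeyIndent) return;
      blockKeyIndent = null; // the scalar ended; this line is live YAML again
    }
    if (trimmed === '' || trimmed.startsWith('#')) return;
    // `key: |` or `- key: >-` opens a block scalar; record the key's column
    // (for a list item, the column after "- ", not the dash).
    const opener = line.match(/^(\s*)(-\s+)?[\w.-]+:\s*[|>][0-9+-]*\s*(#.*)?$/);
    if (opener) {
      blockKeyIndent = opener[1].length + (opener[2] ? opener[2].length : 0);
      return;
    }
    const uses = trimmed.match(/^(?:-\s+)?uses:\s*['"]?([^'"\s#]+)/);
    if (uses) {
      const ref = uses[1];
      if (ref.startsWith('./') || ref.startsWith('docker://')) return; // local action or image
      const at = ref.lastIndexOf('@');
      const version = at === -1 ? '' : ref.slice(at + 1);
      // Tags and branches can be moved later; only a full commit SHA is immutable.
      if (!SHA40.test(version)) {
        findings.push({ file, line: lineNo, kind: 'mutable-action-ref', detail: ref });
      }
      return;
    }
    if (/^permissions:\s*write-all\b/.test(trimmed)) {
      findings.push({ file, line: lineNo, kind: 'write-all-permissions', detail: trimmed });
    }
  });
  return findings;
}

// Scan a repository snapshot given as {path: contents}. Only workflow files are
// read; other paths are consulted only by name for the update-automation check.
function scanRepo(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    if (WORKFLOW_PATH.test(path)) findings.push(...scanWorkflow(path, text));
  }
  return { findings, updateAutomation: UPDATE_CONFIGS.some((p) => p in files) };
}

// Constructed sample repository; the line numbers are what the findings report.
const SAMPLE_REPO = {
  '.github/workflows/ci.yml': [
    'name: ci',
    'on: [push]',
    'permissions:',
    '  contents: read',
    'jobs:',
    '  test:',
    '    runs-on: ubuntu-latest',
    '    steps:',
    '      - uses: actions/checkout@v4',                                // line 9: tag
    '      - uses: some-org/setup-tool@' + 'a'.repeat(40) + ' # v2.1', // full SHA, fine
    '      - uses: ./.github/actions/local',                           // local, skipped
    '      - run: |',
    '          cat <<EOF > fixture.yml',
    '          permissions: write-all',                                // fixture text only
    '          uses: evil/thing@main',                                 // fixture text only
    '          EOF',
    '        env:',
    '          CI: "1"',
    '  publish:',
    '    runs-on: ubuntu-latest',
    '    permissions: write-all',                                      // line 21: live
    '    steps:',
    '      - uses: actions/setup-node@main',                           // line 23: branch
  ].join('\n'),
  'src/index.js': 'console.log("never read by the scan")',
};

const report = scanRepo(SAMPLE_REPO);
for (const f of report.findings) console.log(`${f.file}:${f.line} ${f.kind} ${f.detail}`);
console.log(`update automation configured: ${report.updateAutomation}`);
```

Run it with node. The block-scalar tracking is what separates the two cases the post describes: the permissions: write-all and uses: evil/thing@main lines inside the run: | script are not reported, while the job-level permissions: write-all and the two tag or branch references are. A production scanner would also separate first-party from third-party owners and read the whole permissions map rather than only write-all; both are left out here to keep the boundary logic visible.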

What to do with the result

  • No findings: keep the pinned CI check and update it deliberately.
  • Maintenance candidates: inspect the local report and make the smallest justified change.
  • Private-review count: do not publish speculative details; review the workflow context privately.

The complete, versioned quickstart is in the public repository.

If you want a human second opinion, TaskBounty offers a free launch-safety review. Submitting the form grants TaskBounty no repository access.
