misconfigs Beta

GitHub Actions & CI/CD pipeline scanner: find misconfigurations before secrets and privileges leak.

Upload workflow files, pipeline configs, or Jenkins settings. Our CI/CD scanner auto-detects the platform and checks for secrets exposure, unpinned actions, dangerous triggers, runner abuse, and insecure controller configuration, including intent-vs-reality gaps where policy text claims signed commits but the workflows never enforce them.

What we scan

GitHub Actions: secrets exposure, unpinned actions, dangerous triggers such as pull_request_target, and pull-request privilege escalation.

GitLab Pipeline: runner abuse, secret leakage, privileged jobs, floating (unpinned) container image tags.

Jenkins Config: anonymous access, script console enabled, dangerous plugins, credential logging.

API quickstart

Scan via REST with your API key; the request runs the same engines as the upload form. format=sarif returns SARIF output that code-scanning tools can ingest, and fail_on lists the severities that mark the scan as failed, so a pipeline step can gate on the result. Note that the X-API-Key header travels in cleartext over the plain http URL shown below; only send a real key over TLS.

Example request

curl -X POST "http://api.misconfigs.com/api/v1/cicd?format=sarif&fail_on=critical,high" \
  -H "X-API-Key: mc_your_key" \
  -F "file=@sample/cicd/github-workflow.yml"
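The checks named under "What we scan" for GitHub Actions, and the fail_on gate used in the request above, are easier to reason about with a concrete workflow in front of you. The following is an added example, not the misconfigs engine and not code from the project: a small line-based checker for three of those misconfiguration classes (an action not pinned to a commit SHA, a pull_request_target workflow that checks out the PR head, and a secret interpolated straight into a run: script), followed by a should_fail() gate that mirrors the fail_on=critical,high semantics. The rule names, severities, the 40-hex placeholder pin for the hypothetical some-org/lint-action, and both workflow samples are constructed for the example; the real scanner parses the YAML rather than regex-matching lines.

```python
"""Toy checker for three GitHub Actions misconfigurations (added example,
not the misconfigs engine). Line-based regexes keep it standard-library only;
rule names and severities are assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass

SHA_PIN = re.compile(r"^[0-9a-f]{40}$")                       # full commit SHA
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")  # action reference
RUN_RE = re.compile(r"^\s*-?\s*run:\s*(.*)$")
REF_RE = re.compile(r"^\s*ref:")
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.\w+\s*\}\}")
PR_HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str  # assumed scale: critical / high / medium / low
    line: int
    detail: str


def scan_workflow(text: str) -> list[Finding]:
    lines = text.splitlines()
    findings: list[Finding] = []
    # Crude trigger detection: any mention of pull_request_target in the file.
    pr_target = any(re.search(r"\bpull_request_target\b", ln) for ln in lines)
    run_indent = None  # indent of the step whose `run: |` block scalar is open

    for no, line in enumerate(lines, 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)

        if run_indent is not None:            # inside a run: | block
            if stripped and indent <= run_indent:
                run_indent = None             # dedent closes the block
            else:
                if SECRET_REF.search(line):   # secret expanded into shell text
                    findings.append(Finding("secret-in-run", "high", no, stripped))
                continue

        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            if not ref.startswith(("./", "docker://")):   # local/docker refs: no SHA pin
                _, _, version = ref.partition("@")
                if not SHA_PIN.match(version):            # tag or branch, not a commit
                    findings.append(Finding("unpinned-action", "medium", no, ref))
            continue

        if pr_target and REF_RE.match(line) and PR_HEAD_REF.search(line):
            # Untrusted PR code checked out where secrets and a write token exist.
            findings.append(Finding("pr-target-checkout", "critical", no, stripped))
            continue

        m = RUN_RE.match(line)
        if m:
            body = m.group(1).strip()
            if body in ("|", "|-", "|+", ">", ">-", ">+"):
                run_indent = indent                       # block scalar follows
            elif SECRET_REF.search(body):
                findings.append(Finding("secret-in-run", "high", no, stripped))
    return findings


def should_fail(findings: list[Finding], fail_on: str) -> bool:
    """Gate like fail_on=critical,high: fail when any finding is at a listed severity."""
    wanted = {s.strip() for s in fail_on.split(",") if s.strip()}
    return any(f.severity in wanted for f in findings)


# Constructed samples. some-org/lint-action and its all-1s pin are placeholders;
# verify the actions/checkout pin against the upstream v4.2.2 tag before copying.
VULNERABLE = """\
name: pr-check
on: pull_request_target
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: some-org/lint-action@main
      - run: |
          echo "token is ${{ secrets.DEPLOY_TOKEN }}"
          ./lint.sh
"""

HARDENED = """\
name: pr-check
on: pull_request
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: some-org/lint-action@1111111111111111111111111111111111111111 # placeholder pin
      - env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
        run: |
          ./lint.sh
"""

if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        found = scan_workflow(wf)
        print(f"{name}: {len(found)} finding(s); fail_on=critical,high -> {should_fail(found, 'critical,high')}")
        for f in found:
            print(f"  line {f.line:>2} [{f.severity}] {f.rule}: {f.detail}")
```

The hardened variant shows the three fixes the findings point at: a pull_request trigger instead of pull_request_target (or, where pull_request_target is genuinely needed, no checkout of the PR head), every action pinned to a full commit SHA with the tag kept as a comment, and the secret passed through env: so the shell reads it from an environment variable rather than having it spliced into the script text, where it would end up in logs and be exposed to expression injection.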

Run a CI/CD security scan

Upload workflow YAML, .gitlab-ci.yml, Jenkinsfile, config.xml, or zip them together


.yml · .yaml · .xml · Jenkinsfile · .zip · max 10 MB

Automated scans only — not a penetration test, compliance audit, or professional security advice. Results may contain false positives or miss issues. You are responsible for validating findings before acting. Terms · Privacy

The optional scan assistant and Explain actions use Google Gemini (a third-party AI). Responses are generated automatically and may be inaccurate or incomplete — not security, legal, or professional advice. Chat sends finding details, scan summaries, and your messages to Google for processing. Do not include secrets you cannot afford to disclose. Official Terms (AI section) and Privacy Policy (AI section) are the source of truth, not assistant replies.

CI/CD pipeline security scanner for GitHub Actions and other platforms

misconfigs is a CI/CD security scanner for GitHub Actions, GitLab CI, Azure Pipelines, CircleCI, and Jenkinsfiles, combining gitleaks, actionlint, and native pipeline rules.

Find secrets exposure, unpinned third-party actions, dangerous pull_request_target triggers, and intent gaps where policy text claims signed commits but the workflows do not enforce them.