---
title: "GitHub Actions"
description: "Policies for securing GitHub Actions workflows. Enforce pinned action versions, restrict permissions, prevent secret exposure, and validate workflow configuration."
diataxis: reference
applies_to:
  product: "kyverno"
audience: ["platform-engineer","devsecops"]
last_updated: 2026-03-25
url: https://docs.nirmata.io/docs/policy-sets/github-actions/
---


This policy set contains Kyverno JSON policies that `nctl scan github-actions` applies to GitHub Actions workflow files (`.github/workflows/*.yml`). The scan reports workflows that violate any of the checks listed below.

## What's Covered

- Pin `uses:` references to full 40-character commit SHAs rather than mutable tags or branch names
- Restrict `GITHUB_TOKEN` permissions (the `permissions:` block) to least privilege
- Detect secrets (`${{ secrets.* }}`) exposed through environment variables
- Enforce branch protection for workflow triggers
- Validate workflow file structure and syntax
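
The following is an added, constructed example and is not taken from the Nirmata policy library or the Kyverno JSON policies themselves. It shows the same workflow twice: the first copy is deliberately insecure and trips the first four checks above, the second is the hardened form a scan should accept. The workflow names, the `deploy.sh` script and the `DEPLOY_TOKEN` secret are assumptions; the `actions/checkout` SHA is the one tagged `v4.1.1` upstream, but re-resolve it yourself (for example with `git ls-remote --tags`) before copying it into a real workflow.

```yaml
# Constructed example, not from the Nirmata policy library.
# Two separate workflow files are shown in one fence, separated by "---".

# --- 1. Violating workflow: .github/workflows/ci.yml (insecure on purpose) ---
name: ci-weak                      # name is assumed
on:
  # pull_request_target runs in the base repo with a write-capable token;
  # checking out the PR head below then executes untrusted fork code with it.
  pull_request_target:
  push:                            # fires on every branch, not only protected ones

# No top-level `permissions:` block: GITHUB_TOKEN falls back to the repository
# default, which may grant write access on every scope.

env:
  # Workflow-level env hands the secret to every step of every job, including
  # third-party actions that never need it.
  DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}   # secret name is assumed

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4  # mutable tag: upstream can move it to new code
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # untrusted PR code
      - run: npm ci && npm test
      - run: ./deploy.sh           # deploy.sh is assumed; runs on every trigger

---
# --- 2. Hardened workflow: same file after fixing each finding ---------------
name: ci-hardened                  # name is assumed
on:
  push:
    branches: [main]               # only the protected branch
  pull_request:                    # forks get a read-only token and no secrets

permissions:
  contents: read                   # least privilege for every job by default

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Full 40-hex commit SHA; the tag is kept as a trailing comment so
      # Dependabot/Renovate can still bump it. Branch refs such as @main
      # fail the pinning check for the same reason tags do.
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - run: npm ci && npm test

  deploy:
    needs: build
    # Only a push to the protected branch may deploy, never a pull request.
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      deployments: write           # only this job is widened, and only this scope
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - run: ./deploy.sh           # deploy.sh is assumed
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}   # scoped to the single step that needs it
```

Running `nctl scan github-actions` against the first file should produce one finding per bullet above (mutable `@v4` reference, missing `permissions:`, workflow-level secret in `env`, unrestricted `pull_request_target` and `push` triggers); the second file keeps the same jobs but pins the action, sets a read-only token by default, widens scope only on the `deploy` job, and limits the secret to the one step that uses it.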

All GitHub Actions policies are available in the [Nirmata policy library on GitHub](https://github.com/nirmata/kyverno-policies/tree/main/github-actions).


