
I built a static analyzer that would have caught the tj-actions supply-chain attack before it executed
CVE-2025-30066 compromised 23,000+ repositories via a simple tag reassignment. The attacker moved existing tags (v35, v44) to a malicious commit that printed CI secrets to workflow logs. No zero-day, no sophisticated exploit — just mutable Git tags and implicit trust.

The fix is well-known: pin actions to commit SHAs instead of tags. But nobody does it consistently because it's manual and tedious.

So I built PipeGuard — a CLI scanner that checks your .github/workflows/ directory for this and related issues:

- Actions pinned to mutable tags instead of commit SHAs
- Missing or overly broad workflow permissions (write-all, no permissions block)
- Known CVEs in action dependencies
- Third-party action inventory (full list of what your pipeline actually executes)

It runs entirely offline. No account, no API keys, no data leaves your machine.

pip install pipeguard-cli
pipeguard scan .github/workflows/

Real output from my own repo:

error sha-pinning actions/checkout pinned to 'v4' instead of commit S
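As an added illustration (this is not PipeGuard's code; the workflow text is constructed), here is a minimal dependency-free Python check for the two findings the post describes: `uses:` references not pinned to a full 40-hex commit SHA, and a missing or `write-all` top-level `permissions` block. It also builds the third-party action inventory the post mentions.

```python
import re

# Constructed sample workflow, deliberately containing a tag pin and write-all.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567 # v46
      - uses: ./.github/actions/local-step
      - run: echo build
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")      # the 'uses:' value
SHA_RE = re.compile(r"^[0-9a-f]{40}$")                   # full commit SHA only
PERMS_RE = re.compile(r"^permissions:\s*(.*)$", re.M)    # top-level (column 0)

def third_party_actions(text):
    """Inventory of remote owner/repo actions a workflow executes."""
    refs = (m.group(1) for m in map(USES_RE.match, text.splitlines()) if m)
    return {r.rsplit("@", 1)[0] for r in refs
            if not r.startswith(("./", "docker://"))}

def scan_workflow(text):
    """Return (severity, rule, detail) findings for one workflow file."""
    findings = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # local composite action or container image: nothing to pin
        ref = m.group(1)
        if "@" not in ref:
            findings.append(("error", "sha-pinning", f"{ref} has no ref at all"))
            continue
        action, version = ref.rsplit("@", 1)
        if not SHA_RE.match(version):  # tags, branches and short SHAs are mutable/ambiguous
            findings.append(("error", "sha-pinning",
                             f"{action} pinned to '{version}' instead of a commit SHA"))
    m = PERMS_RE.search(text)
    if m is None:
        findings.append(("warning", "permissions",
                         "no top-level permissions block; GITHUB_TOKEN gets the repo default"))
    elif m.group(1).strip() == "write-all":
        findings.append(("error", "permissions", "top-level permissions: write-all"))
    return findings

if __name__ == "__main__":
    for sev, rule, detail in scan_workflow(SAMPLE_WORKFLOW):
        print(sev, rule, detail)
```

A real scanner should use a YAML parser so job-level `permissions:` and multi-line `uses:` forms are handled; this regex version only covers the common single-line layout.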



