Reusable workflow called with secrets: inherit
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
A reusable-workflow call uses secrets: inherit, which passes every secret the caller can see to the called workflow. If that workflow lives in another repository or is less trusted, the whole secret set travels with the call.
Why it matters
secrets: inherit passes every secret available to the calling workflow into the reusable workflow it calls. If that reusable workflow lives in another repository or is maintained by a different team, all of your secrets travel with the call and are only as safe as that workflow. It also hides which secrets are actually in use.
How to fix it
Pass only the secrets the called workflow needs, by name, under a secrets: map (for example secrets: NPM_TOKEN: ${{ secrets.NPM_TOKEN }}). Reserve inherit for reusable workflows in the same repository that you fully control, and even then prefer explicit names for clarity.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo