Static security analyzer and policy engine for GitHub Actions workflows, detecting unsafe permissions, mutable refs, unpinned actions, pull_request_target risks, SARIF, baselines, and CI gates.