GitHub Actions benchmark 0.1

Ten workflows. Eight controls. Exact results.

CapitalGuard reproduced every declared pass and block outcome across repository scope, privileged triggers, permissions, action pins, checkout credentials, script injection, OIDC, and deployment gates.

This is a publisher-operated synthetic benchmark. It evaluates fixed workflow text and declared context; it does not execute GitHub Actions, inspect a live repository, or certify a workflow as secure.

CapitalGuard Security Research · Version 0.1.0 · Tested July 18, 2026

Case-level evidence

Each fixture declares the expected decision and exact failed controls.

CaseSynthetic conditionExpectedFailed controlsResult
CG-GHA-BENCH-001Pinned read-only pull request gatepassNone Match
CG-GHA-BENCH-002Repository write permissionblockCG-GHA-003 Match
CG-GHA-BENCH-003Mutable third-party action referencesblockCG-GHA-004 Match
CG-GHA-BENCH-004Persisted checkout credentialblockCG-GHA-005 Match
CG-GHA-BENCH-005Pull request title expanded in shellblockCG-GHA-006 Match
CG-GHA-BENCH-006Privileged trigger checks out untrusted headblockCG-GHA-002 Match
CG-GHA-BENCH-007OIDC enabled without bound receiver policyblockCG-GHA-007 Match
CG-GHA-BENCH-008Deployment command without protected environmentblockCG-GHA-008 Match
CG-GHA-BENCH-009Unauthorized cross-repository checkoutblockCG-GHA-001 Match
CG-GHA-BENCH-010Read-only gate without OIDCpassNone Match

Reproducible release

Download, rerun, and hash the same evidence.

The fixture pack contains only inert workflow text and explicit external-context declarations. The manifest binds every release file to its size and SHA-256 digest.

Run digest: 648f1fa0a3e94803fbc045196e7c80f6e078df0b489a34cb77035bfba414e24e

Limits are part of the result

The evaluator recognizes the declared fixture patterns; it is not a general YAML parser or a replacement for CodeQL, review, or GitHub policy enforcement.

Repository, environment, OIDC receiver, and authorization settings outside workflow YAML are represented by explicit synthetic context declarations.

A passing fixture means the expected rule outcome was reproduced for that fixture only.

GitHub features, plan availability, and public-preview behavior can change after the source-check date.

Primary sources checked July 18, 2026

Apply the control profile

Move from a synthetic fixture to an authorized repository baseline.

Open the GitHub Path