Hamburger Cross Icon
GitHub Actions Security Guardrails - No Dangerous Trigger Checkout

No Dangerous Trigger Checkout

Guardrail GitHub Actions Security Guardrails Beta Security And Compliance
github-actions.no-dangerous-trigger-checkout

Flags pull_request_target workflows that check out PR head code. This runs attacker-supplied code with base-branch secrets and write permissions — the pattern behind the tj-actions/changed-files breach (CVE-2025-30066).

pull-request-target checkout fork security
Get Started View All GitHub Actions Security Guardrails

Compatible Integrations

This guardrail works with the following integrations. Click to see how to use No Dangerous Trigger Checkout with each collector.

+
No Dangerous Trigger Checkout + GitHub Actions Collector Parsed workflow data at .ci.native.github_actions.workflows

Enable This Guardrail

Add the parent policy to your lunar-config.yml to enable this guardrail.

📄 lunar-config.yml 
policies:
  - uses: github://earthly/lunar-lib/policies/github-actions@v1.0.5
    include: [no-dangerous-trigger-checkout]
    # with: ...

How This Guardrail Works

This guardrail is part of the GitHub Actions Security Guardrails policy. It evaluates data collected by integrations and produces a pass/fail check with actionable feedback.

When enabled, this check runs automatically on every PR and in AI coding workflows, providing real-time enforcement of your engineering standards.

Learn How Lunar Works
1
Integrations Gather Data
Collectors extract metadata from code, CI pipelines, tool outputs, and scans
2
{ } Centralized as JSON
All data merged into each component's unified metadata document
3
This Guardrail Checks Current
No Dangerous Trigger Checkout runs and provides pass/fail feedback

Related Guardrails

Other guardrails in the GitHub Actions Security Guardrails policy.

Guardrail Security And Compliance
No Script Injection

Flags attacker-controlled ${{ }} expressions used directly in run: blocks and actions/github-script script: fields....
Guardrail Security And Compliance
Permissions Declared

Flags workflows with no permissions: key at workflow or job level. Without explicit permissions, workflows inherit...
Guardrail Security And Compliance
No Write All Permissions

Flags explicit permissions: write-all at workflow or job level. Workflows should declare only the specific scopes they...
Guardrail Security And Compliance
Checkout No Persist Credentials

Flags actions/checkout steps that don't set persist-credentials: false. The default (true) stores GITHUB_TOKEN in...
Guardrail Security And Compliance
No Secrets Inherit

Flags secrets: inherit in reusable workflow calls. This passes ALL repository and org secrets to the called workflow,...
GitHub Actions Security Guardrails

GitHub Actions Security Guardrails

This guardrail is part of the GitHub Actions Security Guardrails policy, which includes 6 guardrails for security and compliance.

View Policy

Ready to Automate Your Standards?

See how Lunar can turn your AGENTS.md, engineering wiki, compliance docs, or postmortem action items into automated guardrails with our 100+ built-in guardrails.

Works with any process
check AI agent rules & prompt files
check Post-mortem action items
check Security & compliance policies
check Testing & quality requirements
Automate Now
Paste your AGENTS.md or manual process doc and get guardrails in minutes
Book a Demo