SUPPLY-CHAIN REPORT

tj-actions/changed-files

:octocat: Github action to retrieve all (added, copied, modified, deleted, renamed, type changed, unmerged, unknown) files and directories.

VERDICTCOMPROMISED·61/100

View on GitHub →

STARS

2,690

FORKS

328

OPEN ISSUES

LANGUAGE

TypeScript

LICENSE

MIT

LAST PUSH

2026-04-16

SIGNALS

BAD

Historical supply-chain incidents

1 known incident on record. Worst: tj-actions/changed-files compromise — secret exfiltration.

INFO

Historical security advisories

2 disclosed advisories (0 critical, 2 high) — typically patched in newer releases. Pin to the latest version.

Maintenance activity

Actively maintained. Last push 1 days ago.

Ecosystem trust

2,690 stars.

License

MIT

HISTORICAL INCIDENTS (1)

CRITICAL2025-03-14

tj-actions/changed-files compromise — secret exfiltration

Attacker pushed malicious commit to most tags of tj-actions/changed-files, causing GitHub Actions runs to dump secrets to workflow logs. ~23,000 repos affected.

Source →

METHODOLOGY

This report is generated on demand by querying the GitHub API for repository metadata and published security advisories, then cross-referencing our curated database of known supply-chain incidents (xz-utils, event-stream, ua-parser-js, colors.js, tj-actions, Codecov, and more). Results are cached for 24 hours. We do not scan repository code or dependencies — for that, see Snyk or Socket. Verdict: CLEAN ≥80, CAUTION 50–79, COMPROMISED<50.

SCAN A DEPLOYED SITE

Repo looks clean but the live deployment might still be exposing headers, CORS, or SSL misconfigurations.

SCAN A URL →

SCANNING tj-actions/changed-files...