zizmor can find many common security issues in typical GitHub Actions CI/CD setups.
https://docs.zizmor.sh/
https://github.com/zizmorcore/zizmor
https://github.com/zizmorcore/zizmor-pre-commit
zizmor ships with a set of built-in audit rules, and its behaviour is configured through a zizmor.yml configuration file.