# Security
Report security issues privately to Wildmason.
`gha-workflow-proof` reads local workflow and JSON files. It does not execute workflow steps, fetch remote actions, evaluate untrusted shell, or call GitHub APIs. Treat receipts as diagnostics, not as authorization decisions.