
Jon developed a GitHub Actions Secrets Inheritance Detector rule for the semgrep/semgrep-rules repository, focusing on improving CI security by identifying the use of secrets: inherit in reusable workflows. Written in YAML and drawing on expertise in GitHub Actions and security best practices, Jon's rule automatically flags instances where all repository secrets are passed to a called workflow, addressing the risk of unintended secret exposure. The implementation included clear, actionable messaging for developers and was linked to a specific commit for traceability. This work provides automated guardrails that help teams enforce the principle of least privilege and maintain better visibility into how secrets are handed to reusable workflows.
April 2026: Delivered a new Semgrep rule (GitHub Actions Secrets Inheritance Detector) for semgrep-rules to enforce least privilege in CI by detecting secrets: inherit usage in reusable workflows. This reduces the risk of repository secrets leaking to called workflows and provides automated, actionable guidance to developers. Implemented as a dedicated rule with clear messaging, linked to the change in commit 6b4f11f77c3783a3203c80b41bb72537824af17b (issue #3803) for traceability.
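The check the rule performs, shown here as an added example that is not the semgrep-rules implementation: a standalone Python scanner that flags any job pairing a reusable-workflow call (uses:) with secrets: inherit, run against two constructed workflows, the inheriting form and the explicit per-secret alternative that the rule's guidance points developers toward. The workflow contents, organisation name and workflow paths are constructed for illustration.

```python
import re

# Constructed sample: the `deploy` job calls a reusable workflow and forwards
# every repository secret with `secrets: inherit` (the pattern the rule flags).
INHERIT_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
  deploy:
    uses: example-org/shared/.github/workflows/deploy.yml@main
    secrets: inherit
"""

# Constructed sample: the least-privilege form, forwarding only named secrets.
EXPLICIT_WORKFLOW = """\
jobs:
  deploy:
    uses: example-org/shared/.github/workflows/deploy.yml@main
    secrets:
      DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
"""

def find_secrets_inherit(workflow_text: str) -> list[tuple[str, int]]:
    """Return (job_name, line_no) for each job under `jobs:` whose direct keys
    include both `uses:` (reusable-workflow call) and `secrets: inherit`."""
    jobs, job = {}, {}  # job name -> {"uses", "inherit"}; `job` starts as a sink
    jobs_ind = job_ind = key_ind = None  # indents of `jobs:`, job names, job keys
    for no, raw in enumerate(workflow_text.splitlines(), start=1):
        text = raw.strip()
        if not text or text.startswith("#"):
            continue
        ind = len(raw) - len(raw.lstrip(" "))
        if jobs_ind is None:  # still looking for the top-level `jobs:` key
            jobs_ind = ind if text == "jobs:" else None
            continue
        if ind <= jobs_ind:  # dedented past `jobs:`: the mapping has ended
            job, jobs_ind, job_ind, key_ind = {}, None, None, None
            continue
        job_ind = ind if job_ind is None else job_ind  # first child fixes it
        if ind == job_ind and re.fullmatch(r"[\w.-]+:", text):  # a job name
            job, key_ind = jobs.setdefault(text[:-1], {"uses": None, "inherit": None}), None
            continue
        key_ind = ind if key_ind is None else key_ind  # first key in the job
        if ind == key_ind and text.startswith("uses:"):
            job["uses"] = text.split(":", 1)[1].strip()
        elif ind == key_ind and re.fullmatch(r"secrets:\s*inherit", text):
            job["inherit"] = no  # line of the offending key
    return [(n, j["inherit"]) for n, j in jobs.items() if j["uses"] and j["inherit"]]
```

The step-level `- uses: actions/checkout@v4` inside the build job is deliberately ignored: only a job-level uses: key denotes a reusable-workflow call, which is the only place secrets: inherit is meaningful.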