koki-develop/ghasec
ghasec

Catch security risks in your GitHub Actions workflows.

Installation

Homebrew

$ brew install koki-develop/tap/ghasec

Go

$ go install github.com/koki-develop/ghasec@latest

Docker

$ docker run --rm -v "$(pwd):/mnt" ghcr.io/koki-develop/ghasec:latest

GitHub Releases

Download the binary for your platform from the Releases page.

GitHub Actions

  • ghasec-action - A GitHub Action to run ghasec.
  • setup-ghasec - A GitHub Action to install ghasec. Use this if you want to run ghasec with custom options.

Usage

$ ghasec --help
Catch security risks in your GitHub Actions workflows.

Usage:
  ghasec [files...] [flags]

Flags:
      --format string   output format ("default", "github-actions", "markdown", or "sarif") (default "default")
  -h, --help            help for ghasec
      --no-color        disable colored output
      --online          enable rules that require network access
  -v, --version         version for ghasec

When run without arguments, ghasec automatically discovers .github/workflows/*.yml|yaml and **/action.yml|yaml files in the current directory.

$ ghasec

You can also specify files explicitly:

$ ghasec example.yml

Online Rules

Some rules require network access to the GitHub API. Use the --online flag to enable them:

$ ghasec --online

The GitHub API is subject to rate limiting. Set the GHASEC_GITHUB_TOKEN or GITHUB_TOKEN environment variable to use a higher rate limit:

$ GHASEC_GITHUB_TOKEN=ghp_... ghasec --online

Markdown Format

Use --format markdown to produce Markdown output. Each diagnostic includes the source line, a description of why the issue matters, and how to fix it:

$ ghasec --format markdown

This format suits AI coding agents such as Claude Code or Cursor: pass the output to the agent and let it fix the issues autonomously.

SARIF Format

Use --format sarif to produce SARIF 2.1.0 output. This enables integration with reviewdog, GitHub Code Scanning, and other SARIF-consuming tools.
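The workflow below is an added example and not part of the ghasec project or its documentation. It wires together the online rules, the token variable and the SARIF output described above into a single CI job that feeds GitHub Code Scanning. It assumes that ghasec writes SARIF to standard output like its other formats, that `go install` from the Installation section is an acceptable way to get the binary onto the runner, and that the `<full-commit-sha>` placeholders are replaced with the real 40-character commit SHAs of the action releases you have reviewed (a tag such as `@v4` would itself be reported by `unpinned-action`). Whether ghasec exits non-zero when it finds something is not documented here, so the upload step runs unless the job was cancelled.

```yaml
# Added example (not ghasec's own): run ghasec in CI and publish the SARIF
# report to GitHub Code Scanning.
name: ghasec

on:
  pull_request:
  push:
    branches: [main]

# Least privilege: read the repo, write only the Code Scanning alerts.
permissions:
  contents: read
  security-events: write

jobs:
  ghasec:
    runs-on: ubuntu-latest
    steps:
      # Placeholder: replace with the full commit SHA of the reviewed release.
      - uses: actions/checkout@<full-commit-sha> # tag comment keeps Dependabot tracking
        with:
          persist-credentials: false   # nothing here needs the job token in .git/config

      - uses: actions/setup-go@<full-commit-sha>
        with:
          go-version: stable           # setup-go also puts $(go env GOPATH)/bin on PATH

      - name: Install ghasec
        run: go install github.com/koki-develop/ghasec@latest

      - name: Run ghasec (online rules, SARIF output)
        env:
          # Raises the GitHub API rate limit for the --online rules. The job
          # token is not exported as $GITHUB_TOKEN automatically, so pass it.
          GHASEC_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: ghasec --online --format sarif > ghasec.sarif

      - name: Upload SARIF to Code Scanning
        if: ${{ !cancelled() }}        # upload even if the scan step failed on findings
        uses: github/codeql-action/upload-sarif@<full-commit-sha>
        with:
          sarif_file: ghasec.sarif
```

If you only want inline annotations on pull requests rather than persistent alerts, `--format github-actions` in the same step does that without the upload step or the `security-events: write` permission.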

Ignoring Rules

Add a # ghasec-ignore: <rule-name> comment above the line to suppress a specific diagnostic:

# ghasec-ignore: unpinned-action
- uses: actions/checkout@v6

Multiple rules can be separated by commas:

# ghasec-ignore: unpinned-action, checkout-persist-credentials
- uses: actions/checkout@v6

Omit the rule name to suppress all diagnostics on the line:

# ghasec-ignore
- uses: actions/checkout@v6
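The following workflow fragment is an added example, not taken from the ghasec project, showing the same step in three states: as the two rules named above would report it, hardened, and with one finding deliberately accepted. What each rule checks is inferred from its name and from GitHub Actions behaviour (an action reference that is a mutable tag rather than a full commit SHA, and `actions/checkout` persisting the job token in `.git/config` because `persist-credentials` defaults to `true`); the exact conditions ghasec applies are documented on its Rules page. The `<full-commit-sha>` placeholders stand in for the real 40-character SHA of the release you pinned.

```yaml
# Added example (not ghasec's own) of fixing versus suppressing findings.
jobs:
  before:
    runs-on: ubuntu-latest
    steps:
      # Reported by unpinned-action (mutable tag) and, because
      # persist-credentials defaults to true, by checkout-persist-credentials.
      - uses: actions/checkout@v6

  after:
    runs-on: ubuntu-latest
    steps:
      # Fixed: pin to the full commit SHA (the "# v6" comment lets Dependabot
      # and Renovate keep updating the pin) and stop persisting the token.
      - uses: actions/checkout@<full-commit-sha> # v6
        with:
          persist-credentials: false

  accepted:
    runs-on: ubuntu-latest
    steps:
      # A later step in this job pushes with the job token, so persisting the
      # credential is intentional. Suppress only that rule so the pin check
      # still runs, and record why next to the ignore comment.
      # ghasec-ignore: checkout-persist-credentials
      - uses: actions/checkout@<full-commit-sha> # v6
```

Prefer naming the rule in every ignore comment: a bare `# ghasec-ignore` also silences any rule added to ghasec later, so a new class of finding on that line would go unnoticed.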

Rules

See Rules for the full list of available rules.

License

MIT
