Feature request: add option to enforce security best practices #198
Labels
enhancement
New feature or request
Comments
|
Actually I was just thinking the same haha. I am currently trying to implement something. I wanted to start (at least for now) on checking that we have the permissions set to none (or {} in gh actions jargon) at the beginning of the job. |
|
@stefreak I build a small program using actionlint as a library to solve the Pin Actions to a full length commit SHA problem, turns out there is a lot of "new" features needed to interact with the GitHub API. https://github.com/wolfeidau/github-action-workflow-check Rate limits are so low you need to authenticate, which in turn requires other security features. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
It would be nice to add an option to check for security best practices.
Best practices that could be supported:
GITHUB_TOKENpermissionsSome other tools can already check for these things, like OSSF scorecard and StepSecurity SecureWorkflow.
Actionlint has an advantage over these tools though: It really understands advanced features like custom actions, reusable workflows etc. The tools I named are also hard to set up for private repositories, and actionlint is really easy to set up for private repositories.
The text was updated successfully, but these errors were encountered: