ghasec

command module
v0.10.0
Published: Mar 30, 2026 License: MIT Imports: 2 Imported by: 0

README

ghasec


Catch security risks in your GitHub Actions workflows.


Installation

Homebrew

$ brew install koki-develop/tap/ghasec

Go

$ go install github.com/koki-develop/ghasec@latest

Docker

$ docker run --rm -v "$(pwd):/mnt" ghcr.io/koki-develop/ghasec:latest

GitHub Releases

Download the binary for your platform from the Releases page.

GitHub Actions

  • ghasec-action - A GitHub Action to run ghasec.
  • setup-ghasec - A GitHub Action to install ghasec. Use this if you want to run ghasec with custom options.

Usage

$ ghasec --help
Catch security risks in your GitHub Actions workflows.

Usage:
  ghasec [files...] [flags]

Flags:
      --format string   output format ("default", "github-actions", "markdown", or "sarif") (default "default")
  -h, --help            help for ghasec
      --no-color        disable colored output
      --online          enable rules that require network access
  -v, --version         version for ghasec

When run without arguments, ghasec automatically discovers .github/workflows/*.yml|yaml and **/action.yml|yaml files in the current directory.

$ ghasec

You can also specify files explicitly:

$ ghasec example.yml

Online Rules

Some rules require network access to the GitHub API. Use the --online flag to enable them:

$ ghasec --online

The GitHub API is subject to rate limiting. Set the GHASEC_GITHUB_TOKEN or GITHUB_TOKEN environment variable to use a higher rate limit:

$ GHASEC_GITHUB_TOKEN=ghp_... ghasec --online

Markdown Format

Use --format markdown to produce Markdown output. Each diagnostic includes the source line, a description of why the issue matters, and how to fix it:

$ ghasec --format markdown

This format is useful for AI agents like Claude Code or Cursor — pass the output directly and let the agent fix the issues autonomously.

SARIF Format

Use --format sarif to produce SARIF 2.1.0 output. This enables integration with reviewdog, GitHub Code Scanning, and other SARIF-consuming tools.
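The pieces above (install via go install, the GITHUB_TOKEN for --online rules, and the SARIF output) fit together in a single CI workflow. The workflow below is an added example and not part of the ghasec project; it assumes ghasec writes its report to standard output (the --help text lists no output-file flag) and that an exit status on findings should not block the upload, so the upload step runs unconditionally.

```yaml
# Added example (not from the ghasec README): run ghasec on every push and pull
# request and feed the SARIF report to GitHub Code Scanning.
# Assumptions: ghasec prints the report to stdout; GITHUB_TOKEN is honoured for
# --online rules as the README states.
name: ghasec

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read          # checkout only
  security-events: write  # required by upload-sarif

jobs:
  ghasec:
    runs-on: ubuntu-latest
    steps:
      # Tag refs are used here for readability; ghasec's own unpinned-action rule
      # will flag them, so pin these to full commit SHAs in a real repository.
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      - uses: actions/setup-go@v5
        with:
          go-version: stable

      - name: Install ghasec
        run: go install github.com/koki-develop/ghasec@latest

      - name: Run ghasec (SARIF)
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # higher API rate limit for --online rules
        run: ghasec --online --format sarif > ghasec.sarif

      - name: Upload to Code Scanning
        if: always()   # findings may produce a non-zero exit; upload the report regardless
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ghasec.sarif
```

Results then appear under the repository's Security tab as code-scanning alerts, with the SARIF rule id and the workflow line each diagnostic points at.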

Ignoring Rules

Add a # ghasec-ignore: <rule-name> comment above the line to suppress a specific diagnostic:

# ghasec-ignore: unpinned-action
- uses: actions/checkout@v6

Multiple rules can be separated by commas:

# ghasec-ignore: unpinned-action, checkout-persist-credentials
- uses: actions/checkout@v6

Omit the rule name to suppress all diagnostics on the line:

# ghasec-ignore
- uses: actions/checkout@v6
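The two rule names used in the ignore examples above also show what the fixed form looks like. The workflow below is an added example, not code from the ghasec project, and it assumes the rule semantics their names suggest (the README does not spell them out): unpinned-action wants an immutable full commit SHA rather than a mutable tag, and checkout-persist-credentials wants persist-credentials: false. The 40-zero SHA is a placeholder to be replaced with the real commit of the release in use.

```yaml
# Added example (not from the ghasec README): one checkout written so that both
# rules stay quiet, and one where a diagnostic is suppressed with a stated reason.
# Assumption: ghasec attaches both diagnostics to the "- uses:" line, as the
# README's ignore examples do. The SHA below is a placeholder, not a real commit.
name: build

on: [pull_request]

permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Pinned to a full commit SHA (tag kept in the trailing comment for humans)
      # and without a persisted token: neither rule fires.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
        with:
          persist-credentials: false

      - run: make test

  release-notes:
    runs-on: ubuntu-latest
    permissions:
      contents: write  # this job must push a commit back, so it needs the token
    steps:
      # The pin is kept; only the credential diagnostic is suppressed, and only
      # here, with the justification next to the ignore comment.
      # ghasec-ignore: checkout-persist-credentials
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
        with:
          persist-credentials: true

      - run: ./scripts/update-release-notes.sh  # hypothetical script that commits and pushes
```

Keeping the suppression narrow (one rule, one line, one job) means the rest of the file is still covered, and the comment next to it records why the exception exists for the next reviewer.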

Rules

See Rules for the full list of available rules.

License

MIT

Documentation


There is no documentation for this package.
