ghasec

command module
v0.4.0 Latest
Published: Mar 26, 2026 License: MIT Imports: 2 Imported by: 0

README

ghasec

Catch security risks in your GitHub Actions workflows.

Installation

Homebrew

$ brew install koki-develop/tap/ghasec

Go

$ go install github.com/koki-develop/ghasec@latest

Docker

$ docker run --rm -v "$(pwd):/mnt" ghcr.io/koki-develop/ghasec:latest

GitHub Releases

Download the binary for your platform from the Releases page.

GitHub Actions

  • ghasec-action - A GitHub Action to run ghasec.
  • setup-ghasec - A GitHub Action to install ghasec. Use this if you want to run ghasec with custom options.

Usage

$ ghasec --help
Catch security risks in your GitHub Actions workflows.

Usage:
  ghasec [files...] [flags]

Flags:
      --format string   output format ("default", "github-actions", or "markdown") (default "default")
  -h, --help            help for ghasec
      --no-color        disable colored output
      --online          enable rules that require network access
  -v, --version         version for ghasec

When run without arguments, ghasec automatically discovers .github/workflows/*.yml|yaml and **/action.yml|yaml files in the current directory.

$ ghasec

You can also specify files explicitly:

$ ghasec example.yml

Online Rules

Some rules require network access to the GitHub API. Use the --online flag to enable them:

$ ghasec --online

The GitHub API is subject to rate limiting. Set the GITHUB_TOKEN environment variable to use a higher rate limit:

$ GITHUB_TOKEN=ghp_... ghasec --online

Markdown Format

Use --format markdown to produce Markdown output. Each diagnostic includes the source line, a description of why the issue matters, and how to fix it:

$ ghasec --format markdown

This format is useful for AI agents like Claude Code or Cursor — pass the output directly and let the agent fix the issues autonomously.

Ignoring Rules

Add a # ghasec-ignore: <rule-name> comment above the line to suppress a specific diagnostic:

# ghasec-ignore: unpinned-action
- uses: actions/checkout@v6

Multiple rules can be separated by commas:

# ghasec-ignore: unpinned-action, checkout-persist-credentials
- uses: actions/checkout@v6

Omit the rule name to suppress all diagnostics on the line:

# ghasec-ignore
- uses: actions/checkout@v6
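The three comment forms above follow a small, well-defined syntax, so it is worth seeing how a tool would associate each directive with the line it governs. The Go program below is an added illustration written for this page, not ghasec's own implementation; it assumes the directive must sit directly above its target line and that rule names are kebab-case identifiers without spaces or commas.

```go
package main

import (
	"fmt"
	"strings"
)

// Suppression is what one "# ghasec-ignore" comment (README syntax) silences on the line below.
type Suppression struct {
	All   bool     // bare "# ghasec-ignore": every diagnostic on the line
	Rules []string // named rules, e.g. "unpinned-action" (kebab-case, so comma/blank split is safe)
}

// parseIgnoreComment parses one line; ok is false unless it is a ghasec-ignore comment.
func parseIgnoreComment(line string) (s Suppression, ok bool) {
	t := strings.TrimSpace(line)
	if !strings.HasPrefix(t, "#") {
		return s, false
	}
	if t = strings.TrimSpace(t[1:]); t == "ghasec-ignore" {
		return Suppression{All: true}, true
	}
	rest, found := strings.CutPrefix(t, "ghasec-ignore:")
	if !found {
		return s, false
	}
	s.Rules = strings.FieldsFunc(rest, func(r rune) bool { return r == ',' || r == ' ' || r == '\t' })
	return s, true
}

// CollectSuppressions maps 1-based line numbers to the suppression declared by the
// comment directly above them (assumption: any other line in between breaks the link).
func CollectSuppressions(workflow string) map[int]Suppression {
	out, pending := map[int]Suppression{}, (*Suppression)(nil)
	for i, line := range strings.Split(workflow, "\n") {
		if s, ok := parseIgnoreComment(line); ok {
			pending = &s
		} else if pending != nil {
			out[i+1], pending = *pending, nil
		}
	}
	return out
}

func main() {
	// Constructed sample: the three README forms, each placed above a checkout step.
	wf := "# ghasec-ignore: unpinned-action\n- uses: actions/checkout@v6\n" +
		"# ghasec-ignore: unpinned-action, checkout-persist-credentials\n- uses: actions/checkout@v6\n" +
		"# ghasec-ignore\n- uses: actions/checkout@v6\n"
	fmt.Println(CollectSuppressions(wf))
}
```

Running it prints a map keyed by line number (2, 4 and 6 in the sample), showing which lines carry a rule-specific suppression and which a blanket one.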

Rules

See Rules for the full list of available rules.

License

MIT

Documentation

There is no documentation for this package.

Directories

Path                  Synopsis
cmd
  formula             command
  gen                 command
(path not extracted)  Package cron validates 5-field POSIX cron expressions as used by GitHub Actions.
