https://github.com/koki-develop/ghasec
🫴 Catch security risks in your GitHub Actions workflows.
- Host: GitHub
- URL: https://github.com/koki-develop/ghasec
- Owner: koki-develop
- License: mit
- Created: 2026-03-18T12:56:57.000Z (about 1 month ago)
- Default Branch: main
- Last Pushed: 2026-04-11T05:34:04.000Z (17 days ago)
- Last Synced: 2026-04-11T07:21:41.363Z (17 days ago)
- Topics: github-actions, security
- Language: Go
- Homepage:
- Size: 1.08 MB
- Stars: 27
- Watchers: 0
- Forks: 0
- Open Issues: 4
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE
README
# ghasec
Catch security risks in your GitHub Actions workflows.
## Installation
### Homebrew
```console
$ brew install koki-develop/tap/ghasec
```
### Go
```console
$ go install github.com/koki-develop/ghasec@latest
```
### Docker
```console
$ docker run --rm -v "$(pwd):/mnt" ghcr.io/koki-develop/ghasec:latest
```
### GitHub Releases
Download the binary for your platform from the [Releases](https://github.com/koki-develop/ghasec/releases/latest) page.
### GitHub Actions
- [ghasec-action](https://github.com/koki-develop/ghasec-action) - A GitHub Action to run ghasec.
- [setup-ghasec](https://github.com/koki-develop/setup-ghasec) - A GitHub Action to install ghasec. Use this if you want to run ghasec with custom options.
## Usage
```console
$ ghasec --help
Catch security risks in your GitHub Actions workflows.

Usage:
  ghasec [files...] [flags]

Flags:
      --format string   output format ("default", "github-actions", "markdown", or "sarif") (default "default")
  -h, --help            help for ghasec
      --no-color        disable colored output
      --online          enable rules that require network access
  -v, --version         version for ghasec
```
When run without arguments, ghasec automatically discovers `.github/workflows/*.yml|yaml` and `**/action.yml|yaml` files in the current directory.
```console
$ ghasec
```
You can also specify files explicitly:
```console
$ ghasec example.yml
```
### Online Rules
Some rules require network access to the GitHub API. Use the `--online` flag to enable them:
```console
$ ghasec --online
```
The GitHub API is subject to [rate limiting](https://docs.github.com/en/rest/using-the-rest-api/rate-limits-for-the-rest-api). Set the `GHASEC_GITHUB_TOKEN` or `GITHUB_TOKEN` environment variable to use a higher rate limit:
```console
$ GHASEC_GITHUB_TOKEN=ghp_... ghasec --online
```
### Markdown Format
Use `--format markdown` to produce Markdown output. Each diagnostic includes the source line, a description of why the issue matters, and how to fix it:
```console
$ ghasec --format markdown
```
This format is useful for AI agents like Claude Code or Cursor — pass the output directly and let the agent fix the issues autonomously.
### SARIF Format
Use `--format sarif` to produce [SARIF 2.1.0](https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html) output. This enables integration with [reviewdog](https://github.com/reviewdog/reviewdog), GitHub Code Scanning, and other SARIF-consuming tools.
### Ignoring Rules
Add a `# ghasec-ignore: <rule>` comment on the line above to suppress a specific diagnostic:
```yaml
# ghasec-ignore: unpinned-action
- uses: actions/checkout@v6
```
Multiple rules can be separated by commas:
```yaml
# ghasec-ignore: unpinned-action, checkout-persist-credentials
- uses: actions/checkout@v6
```
Omit the rule name to suppress all diagnostics on the line:
```yaml
# ghasec-ignore
- uses: actions/checkout@v6
```
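The following Go program is an added illustration of how a checker can combine a rule with the ignore-comment syntax shown above. It is not ghasec's own code: it is a deliberately small, line-based matcher rather than a YAML parser, and it implements only one rule, `unpinned-action`, which flags any `uses:` reference that is not pinned to a full 40-hex-digit commit SHA (tags such as `@v6` can be moved, a commit cannot). The `checkout-persist-credentials` rule name appears only as an ignored rule, the 40-hex value in the sample is a constructed placeholder, and the sample workflow is constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Diagnostic is one finding: the rule that fired, the 1-based line, and why.
type Diagnostic struct {
	Line    int
	Rule    string
	Message string
}

// usesRe captures the value of a step's "uses:" key, e.g. actions/checkout@v6.
var usesRe = regexp.MustCompile(`^\s*-?\s*uses:\s*([^\s#]+)`)

// shaRe matches a full 40-hex-digit commit SHA, the only ref form that cannot move.
var shaRe = regexp.MustCompile(`^[0-9a-f]{40}$`)

// ignoreRe matches "# ghasec-ignore" with an optional comma-separated rule list.
var ignoreRe = regexp.MustCompile(`^\s*#\s*ghasec-ignore(?::\s*(.*))?\s*$`)

// parseIgnore returns whether the line is an ignore comment and which rules it names.
// An empty rule list means the bare form, which suppresses every diagnostic.
func parseIgnore(line string) (bool, []string) {
	m := ignoreRe.FindStringSubmatch(line)
	if m == nil {
		return false, nil
	}
	var rules []string
	for _, r := range strings.Split(m[1], ",") {
		if r = strings.TrimSpace(r); r != "" {
			rules = append(rules, r)
		}
	}
	return true, rules
}

// suppressed reports whether an ignore comment carrying rules silences rule.
func suppressed(rules []string, rule string) bool {
	if len(rules) == 0 {
		return true // bare "# ghasec-ignore": suppress all rules on the line
	}
	for _, r := range rules {
		if r == rule {
			return true
		}
	}
	return false
}

// CheckUnpinned reports every "uses:" reference that is not pinned to a commit SHA,
// honouring a "# ghasec-ignore" comment on the immediately preceding line.
func CheckUnpinned(workflow string) []Diagnostic {
	const rule = "unpinned-action"
	var diags []Diagnostic
	lines := strings.Split(workflow, "\n")
	for i, line := range lines {
		m := usesRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		ref := strings.Trim(m[1], `"'`)
		// Local and Docker references carry no git ref, so there is nothing to pin.
		if strings.HasPrefix(ref, "./") || strings.HasPrefix(ref, "docker://") {
			continue
		}
		if at := strings.LastIndex(ref, "@"); at >= 0 && shaRe.MatchString(ref[at+1:]) {
			continue // pinned to an immutable commit
		}
		if i > 0 {
			if ok, rules := parseIgnore(lines[i-1]); ok && suppressed(rules, rule) {
				continue
			}
		}
		diags = append(diags, Diagnostic{
			Line:    i + 1,
			Rule:    rule,
			Message: fmt.Sprintf("%q is not pinned to a full commit SHA", ref),
		})
	}
	return diags
}

// sampleWorkflow is a constructed input; the 40-hex SHA is a placeholder, not a real commit.
const sampleWorkflow = `name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      # ghasec-ignore: unpinned-action, checkout-persist-credentials
      - uses: actions/checkout@v6
      # ghasec-ignore
      - uses: actions/setup-go@v5
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local
      - uses: docker://alpine:3.19
      - uses: actions/upload-artifact@main
`

func main() {
	for _, d := range CheckUnpinned(sampleWorkflow) {
		fmt.Printf("line %d: %s: %s\n", d.Line, d.Rule, d.Message)
	}
}
```

Run against the sample, only lines 7 and 15 are reported: line 9 is covered by a comment naming `unpinned-action`, line 11 by the bare comment, and line 12 is SHA-pinned. A real tool should walk the parsed YAML so that a comment applies to the step node rather than to whichever physical line happens to follow it.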
## Rules
See [Rules](./rules/README.md) for the full list of available rules.
## License
[MIT](./LICENSE)