GitHub Actions linter
MIT License
Install | Policies | How to use | Configuration
GitHub Actions linter for security best practices.
```console
$ ghalint run
ERRO[0000] read a workflow file error="parse a workflow file as YAML: yaml: line 10: could not find expected ':'" program=ghalint version= workflow_file_path=.github/workflows/release.yaml
ERRO[0000] github.token should not be set to workflow's env env_name=GITHUB_TOKEN policy_name=workflow_secrets program=ghalint version= workflow_file_path=.github/workflows/test.yaml
ERRO[0000] secret should not be set to workflow's env env_name=DATADOG_API_KEY policy_name=workflow_secrets program=ghalint version= workflow_file_path=.github/workflows/test.yaml
```
ghalint is a command line tool that checks GitHub Actions workflow files and action.yaml files for security policy compliance.

lintnet is a general purpose linter powered by Jsonnet. ghalint has been ported to a lintnet module, so you can migrate from ghalint to lintnet.
Policies

ghalint enforces the following policies:

- `permissions` should be set in each job
- `read-all` permission should not be used
- `write-all` permission should not be used
- `secrets: inherit` should not be used
- job container's image tag should not be `latest`
- `shell` is required if `run` is set

Install

Homebrew:

```sh
brew install suzuki-shunsuke/ghalint/ghalint
```

Scoop:

```sh
scoop bucket add suzuki-shunsuke https://github.com/suzuki-shunsuke/scoop-bucket
scoop install ghalint
```

aqua:

```sh
aqua g -i suzuki-shunsuke/ghalint
```

Otherwise, install the `ghalint` binary into a directory in `PATH`.
How to use

Run the command `ghalint run` on the repository root directory.

```sh
ghalint run
```

Then ghalint validates the workflow files matching ^\.github/workflows/.*\.ya?ml$.

To validate action files, run the command `ghalint run-action`.

```sh
ghalint run-action
```

The alias `act` is available.

```sh
ghalint act
```

Then ghalint validates the action files matching ^action\.ya?ml$ in the current directory.
You can also specify file paths.

```sh
ghalint act foo/action.yaml bar/action.yml
```
Configuration

Configuration file path: ^\.?ghalint\.ya?ml$

You can specify the configuration file with the command line option -config (-c) or the environment variable GHALINT_CONFIG.

```sh
ghalint -c foo.yaml run
```

You can disable policies for a specific workflow file, job, step, or action with `excludes`. Every field given in an entry must match for a violation to be suppressed. e.g.

```yaml
excludes:
  - policy_name: deny_inherit_secrets
    workflow_file_path: .github/workflows/actionlint.yaml
    job_name: actionlint
  - policy_name: job_secrets
    workflow_file_path: .github/workflows/actionlint.yaml
    job_name: actionlint
  - policy_name: action_ref_should_be_full_length_commit_sha
    action_name: slsa-framework/slsa-github-generator
  - policy_name: github_app_should_limit_repositories
    workflow_file_path: .github/workflows/test.yaml
    job_name: test
    step_id: create_token
```
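The following is an added example, not ghalint's own code (ghalint is written in Go): a simplified Python re-implementation of the policies listed in the Policies section together with the `excludes` matching from the configuration above, run over a constructed violating workflow and its corrected form. The policy names and the exclude fields (`policy_name`, `workflow_file_path`, `job_name`, `step_id`, `action_name`) are taken from this README; the exact matching rules, the simplified `job_permissions` check, and the sample workflows, the `PINNED` placeholder SHA and `node:20.11.1` tag are assumptions. Inputs are plain dicts in the shape `yaml.safe_load` would return, so the script needs no dependencies.

```python
"""Simplified re-implementation of several ghalint policies plus `excludes`.
Added example, not ghalint's own code (ghalint is written in Go); policy names
and exclude fields come from this README, the matching rules are assumptions.
Inputs are the dicts yaml.safe_load returns for a workflow or action file."""
import re

SECRET_REF = re.compile(r"\$\{\{\s*(?:secrets\.\w+|github\.token)\s*\}\}")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

def _check_permissions(perm, add, job=None):
    # read-all / write-all grant far more than a job needs; list scopes instead.
    if perm == "read-all":
        add("deny_read_all_permission", job)
    elif perm == "write-all":
        add("deny_write_all_permission", job)

def lint_workflow(workflow, path):
    """Return the violations of one parsed workflow as a list of dicts."""
    found = []
    def add(policy, job=None, step=None, **extra):
        found.append({"policy_name": policy, "workflow_file_path": path,
                      "job_name": job, "step_id": step, **extra})

    # workflow_secrets: a workflow-level env exposes the value to every step.
    for name, value in (workflow.get("env") or {}).items():
        if isinstance(value, str) and SECRET_REF.search(value):
            add("workflow_secrets", env_name=name)
    _check_permissions(workflow.get("permissions"), add)
    for job_name, job in (workflow.get("jobs") or {}).items():
        # job_permissions (simplified): a job declares its own scopes unless the workflow does
        if "permissions" not in job and "permissions" not in workflow:
            add("job_permissions", job_name)
        _check_permissions(job.get("permissions"), add, job_name)
        if job.get("secrets") == "inherit":  # deny_inherit_secrets
            add("deny_inherit_secrets", job_name)
        container = job.get("container")
        image = container.get("image") if isinstance(container, dict) else container
        if isinstance(image, str) and image.rsplit(":", 1)[-1] == "latest":
            add("deny_job_container_latest_image", job_name, image=image)
        for name, value in (job.get("env") or {}).items():  # job_secrets
            if isinstance(value, str) and SECRET_REF.search(value):
                add("job_secrets", job_name, env_name=name)
        for step in job.get("steps") or []:
            uses = step.get("uses") or ""
            if "@" in uses and not uses.startswith(("./", "docker://")):
                action_name, ref = uses.rsplit("@", 1)
                if not FULL_SHA.match(ref):  # tags and branches are mutable
                    add("action_ref_should_be_full_length_commit_sha",
                        job_name, step.get("id"), action_name=action_name)
    return found

def lint_action(action, path):
    """action_shell_is_required: a composite step with `run` must set `shell`."""
    steps = (action.get("runs") or {}).get("steps") or []
    return [{"policy_name": "action_shell_is_required", "workflow_file_path": path,
             "job_name": None, "step_id": s.get("id")}
            for s in steps if "run" in s and "shell" not in s]

def is_excluded(violation, excludes):
    """An exclude entry matches when every field it names equals the violation's."""
    return any(all(violation.get(k) == v for k, v in ex.items()) for ex in excludes)

def run(violations, excludes=()):
    """Drop the violations that the configuration's `excludes` suppress."""
    return [v for v in violations if not is_excluded(v, excludes)]

PATH = ".github/workflows/test.yaml"
BAD = {  # constructed input: violates most of the policies above
    "on": "push",
    "env": {"GITHUB_TOKEN": "${{ github.token }}",
            "DATADOG_API_KEY": "${{ secrets.DATADOG_API_KEY }}"},
    "jobs": {
        "test": {"runs-on": "ubuntu-latest", "permissions": "read-all",
                 "container": "node:latest",
                 "steps": [{"id": "checkout", "uses": "actions/checkout@v4"}]},
        "deploy": {"uses": "./.github/workflows/deploy.yaml", "secrets": "inherit"},
    },
}
PINNED = "0" * 40  # placeholder for a real full-length commit SHA
GOOD = {  # the same workflow with every finding fixed
    "on": "push",
    "jobs": {
        "test": {"runs-on": "ubuntu-latest", "permissions": {"contents": "read"},
                 "container": "node:20.11.1",
                 "steps": [{"uses": "actions/checkout@" + PINNED},
                           {"run": "npm test",  # secret scoped to the one step
                            "env": {"DATADOG_API_KEY": "${{ secrets.DATADOG_API_KEY }}"}}]},
        "deploy": {"uses": "./.github/workflows/deploy.yaml",
                   "permissions": {"contents": "read"},
                   "secrets": {"DATADOG_API_KEY": "${{ secrets.DATADOG_API_KEY }}"}},
    },
}
EXCLUDES = [  # same shape as the `excludes` entries of the configuration file
    {"policy_name": "deny_inherit_secrets", "workflow_file_path": PATH, "job_name": "deploy"},
    {"policy_name": "action_ref_should_be_full_length_commit_sha", "action_name": "actions/checkout"},
]
ACTION = {"runs": {"using": "composite", "steps": [{"id": "build", "run": "make"}]}}

if __name__ == "__main__":
    for v in run(lint_workflow(BAD, PATH), EXCLUDES) + lint_action(ACTION, "action.yaml"):
        print(v)
```

Running the script prints the five findings that survive the two `excludes` entries (the workflow-level `GITHUB_TOKEN` and `DATADOG_API_KEY`, `read-all`, the `latest` container tag, and the `deploy` job without `permissions`) plus the composite action step that runs `make` without `shell`; `GOOD` produces no finding. Note how an exclude entry narrows by every field it names, so the `deny_inherit_secrets` entry only silences that policy for the `deploy` job of that one file, while an entry with just `policy_name` would silence the policy everywhere.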
Environment variables

- GHALINT_CONFIG: Configuration file path
- GHALINT_LOG_LEVEL: Log level. One of panic, fatal, error, warn, warning, info (default), debug, trace
- GHALINT_LOG_COLOR: Configure log color. One of auto (default), always, and never

💡 If you want to enable log color in GitHub Actions, please try GHALINT_LOG_COLOR=always

```yaml
env:
  GHALINT_LOG_COLOR: always
```
How does it work

ghalint reads the GitHub Actions workflow files matching ^\.github/workflows/.*\.ya?ml$ and validates them.
If there are violations, ghalint outputs error logs and fails.
If there is no violation, ghalint succeeds.