GitHub Actions security auditing
Ghast is a command-line security scanner for GitHub Actions workflows. It finds poisoned pipeline execution, command injection, exposed secrets, unpinned actions, permissive tokens, and other CI/CD supply-chain risks.
What it catches
Ghast focuses on the workflow mistakes that turn automation into an attack path: unsafe triggers, script injection, broad credentials, mutable dependencies, and hard-to-review pipeline drift.
Flag dangerous combinations such as privileged pull request triggers (for example, pull_request_target) that check out and run attacker-controlled code with access to secrets or write-scoped tokens.
Check for explicit least-privilege permissions, secret exposure patterns, and token practices that can leak or over-empower GitHub credentials.
Identify mutable third-party action references so teams can move toward commit-SHA pinning and avoid unexpected upstream changes.
Use dry-run, automatic, or interactive remediation modes to add timeouts, tighten permissions, update deprecated actions, and apply safe defaults.
Emit readable console output for local triage, JSON for automation, SARIF for GitHub Code Scanning, or HTML for shareable review artifacts.
Tune enabled checks, severities, default timeouts, deprecated action replacements, and auto-fix behavior with a small YAML configuration file.
Quick start
Install Ghast from PyPI or from source, then point it at any repository containing GitHub Actions workflow files under .github/workflows.

```shell
pip install ghast
ghast scan /path/to/repo
ghast fix /path/to/repo --dry-run
ghast scan /path/to/repo --output sarif --output-file ghast-results.sarif
```
Built-in coverage
Severity levels help prioritize remediation, from critical poisoned pipeline execution findings down to low-severity workflow hardening recommendations.
| Rule | Category | Severity | Purpose |
|---|---|---|---|
| poisoned_pipeline_execution | Security | Critical | Detect privileged workflows that may run untrusted pull request code. |
| permissions | Security | High | Require explicit, least-privilege GitHub token permissions. |
| command_injection | Security | High | Find unsafe interpolation of untrusted contexts into shell commands. |
| environment_injection | Security | High | Flag untrusted values flowing into environment variables. |
| token_security | Security | High | Detect risky token and secret exposure patterns. |
| action_pinning | Security | Medium | Encourage commit-SHA pinning for third-party actions. |
| deprecated_actions | Best practice | Medium | Suggest supported replacements for old action versions. |
| timeout, shell_specification, workflow_name | Best practice | Low | Improve maintainability, reliability, and reviewability of workflows. |
CI-ready
Run Ghast locally during workflow development, in pre-merge automation, or as a scheduled guardrail that produces SARIF and fails builds at your chosen severity threshold.
Use severity thresholds to decide when a pipeline should fail while still surfacing lower-priority findings for backlog hardening.
Store HTML reports for security reviews or upload SARIF to GitHub Code Scanning so workflow findings live beside application code alerts.
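To make the checks in "What it catches" and the rule table concrete, and to show the kind of severity gate the CI-ready section describes, here is an added example that is not Ghast's own code: a small Python sketch implementing four of the rules (poisoned_pipeline_execution, command_injection, action_pinning, permissions) as regex-based detectors over raw workflow text, plus a threshold gate. Everything in it is an assumption for illustration: the two workflows are constructed for the example, the 40-hex checkout pin in the hardened one is a placeholder rather than a real commit, and the detectors work on text rather than a YAML parse, so they are deliberately cruder than a real scanner (a mention of pull_request_target inside a comment would still count).

```python
import re

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Expression contexts an outside contributor controls. Interpolating one of these
# into a shell command is the classic GitHub Actions script injection.
UNTRUSTED = re.compile(
    r"\$\{\{\s*github\.(?:"
    r"event\.(?:issue|pull_request|comment|review|discussion)\.(?:title|body)"
    r"|event\.pull_request\.head\.(?:ref|label)"
    r"|event\.head_commit\.message"
    r"|head_ref"
    r")\s*\}\}"
)

# Constructed sample workflows for this example (not taken from any real repository).
VULNERABLE = """\
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Greet
        run: echo "PR title: ${{ github.event.pull_request.title }}"
      - uses: some-org/lint-action@main
        env:
          TOKEN: ${{ secrets.GITHUB_TOKEN }}
"""

HARDENED = """\
name: test
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder pin
      - name: Greet
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "PR title: $PR_TITLE"
"""

def _indent(line):
    return len(line) - len(line.lstrip())

def run_blocks(text):
    """Yield (line_number, script) for each run: step, including run: | block scalars."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = re.match(r"^(\s*)(?:-\s+)?run:\s*(.*)$", lines[i])
        if not m:
            i += 1
            continue
        indent, value, lineno = len(m.group(1)), m.group(2).strip(), i + 1
        i += 1
        if value[:1] in ("|", ">"):  # block scalar: the body is every deeper-indented line
            body = []
            while i < len(lines) and (not lines[i].strip() or _indent(lines[i]) > indent):
                body.append(lines[i])
                i += 1
            value = "\n".join(body)
        yield lineno, value

def check_ppe(text):
    """pull_request_target runs with secrets; checking out the PR head hands them to the PR."""
    if not re.search(r"\bpull_request_target\b", text):
        return []
    head = r"ref:\s*\$\{\{\s*(?:github\.event\.pull_request\.head\.\w+|github\.head_ref)\s*\}\}"
    return [("poisoned_pipeline_execution", "critical", n,
             "pull_request_target workflow checks out the pull request head")
            for n, line in enumerate(text.splitlines(), 1) if re.search(head, line)]

def check_injection(text):
    findings = []
    for n, script in run_blocks(text):
        m = UNTRUSTED.search(script)
        if m:
            findings.append(("command_injection", "high", n, f"untrusted context in run: {m.group(0)}"))
    return findings

def check_pinning(text):
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = re.match(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)", line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # local and container actions are not mutable upstream refs
        ref = m.group(1).partition("@")[2]
        if not re.fullmatch(r"[0-9a-f]{40}", ref):
            findings.append(("action_pinning", "medium", n, f"{m.group(1)} is not pinned to a commit SHA"))
    return findings

def check_permissions(text):
    top = re.search(r"^permissions:[ \t]*(.*)$", text, re.M)  # column 0 = workflow level
    if top is None:
        return [("permissions", "high", 1, "no top-level permissions block; GITHUB_TOKEN keeps the repository default")]
    if top.group(1).strip() == "write-all":
        return [("permissions", "high", text[:top.start()].count("\n") + 1, "permissions: write-all grants every scope")]
    return []

def scan(text):
    """Run every check; most severe first, then by line, like a triage-ordered report."""
    findings = []
    for check in (check_ppe, check_injection, check_pinning, check_permissions):
        findings.extend(check(text))
    return sorted(findings, key=lambda f: (-SEVERITY_RANK[f[1]], f[2]))

def ci_gate(findings, fail_on="high"):
    """True when the build should fail: some finding is at or above the threshold."""
    return any(SEVERITY_RANK[f[1]] >= SEVERITY_RANK[fail_on] for f in findings)

if __name__ == "__main__":
    for rule, sev, line, msg in scan(VULNERABLE):
        print(f"{sev:8} L{line:<3} {rule}: {msg}")
    print("hardened findings:", scan(HARDENED))
    print("fail build at high:", ci_gate(scan(VULNERABLE), "high"))
```

The hardened workflow shows the standard fixes side by side with the vulnerable one: the trigger drops to plain pull_request so PR code never runs with secrets, the token is limited to contents: read at the top level, the action is pinned to a full commit SHA, and the untrusted title is passed through an environment variable and referenced as $PR_TITLE, so the shell never parses attacker-controlled text. Against the vulnerable workflow the gate fails the build at the high threshold; against the hardened one it finds nothing, which is the outcome a pre-merge check wants.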