GitHub Actions security auditing

Harden workflows before they haunt you.

Ghast is a command-line security scanner for GitHub Actions workflows. It finds poisoned pipeline execution, command injection, exposed secrets, unpinned actions, permissive tokens, and other CI/CD supply-chain risks.

15+ security and best-practice checks
4 report formats: console, JSON, SARIF, HTML
1 command to auto-fix common issues

What it catches

Practical CI/CD guardrails.

Ghast focuses on the workflow mistakes that turn automation into an attack path: unsafe triggers, script injection, broad credentials, mutable dependencies, and hard-to-review pipeline drift.

Detect poisoned pipelines

Flag dangerous combinations such as privileged pull request triggers that run attacker-controlled code with access to secrets or write-scoped tokens.

Reduce credential blast radius

Check for explicit least-privilege permissions, secret exposure patterns, and token practices that can leak or over-empower GitHub credentials.

Pin the supply chain

Identify mutable third-party action references so teams can move toward commit-SHA pinning and avoid unexpected upstream changes.

Fix common findings

Use dry-run, automatic, or interactive remediation modes to add timeouts, tighten permissions, update deprecated actions, and apply safe defaults.

Report for humans and tools

Emit readable console output for local triage, JSON for automation, SARIF for GitHub Code Scanning, or HTML for shareable review artifacts.

Configure by repository

Tune enabled checks, severities, default timeouts, deprecated action replacements, and auto-fix behavior with a small YAML configuration file.

Quick start

Install, scan, remediate.

Install Ghast from PyPI or from source, then point it at any repository containing GitHub Actions workflow files under .github/workflows.

  1. Install from PyPI: pip install ghast
  2. Scan a repository: ghast scan /path/to/repo
  3. Apply safe automatic fixes: ghast fix /path/to/repo --dry-run
  4. Generate SARIF for code scanning: ghast scan /path/to/repo --output sarif --output-file ghast-results.sarif

Built-in coverage

Rules that map to real workflow risk.

Severity levels help prioritize remediation, from critical poisoned pipeline execution findings down to low-noise workflow hardening recommendations.

Rule                                         Category       Severity  Purpose
poisoned_pipeline_execution                  Security       Critical  Detect privileged workflows that may run untrusted pull request code.
permissions                                  Security       High      Require explicit, least-privilege GitHub token permissions.
command_injection                            Security       High      Find unsafe interpolation of untrusted contexts into shell commands.
environment_injection                        Security       High      Flag untrusted values flowing into environment variables.
token_security                               Security       High      Detect risky token and secret exposure patterns.
action_pinning                               Security       Medium    Encourage commit-SHA pinning for third-party actions.
deprecated_actions                           Best practice  Medium    Suggest supported replacements for old action versions.
timeout, shell_specification, workflow_name  Best practice  Low       Improve maintainability, reliability, and reviewability of workflows.
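To show the kind of logic such rules encode, here is an added example (not Ghast's own implementation) that checks an already-parsed workflow for four of the rules in this table: the rule names and severities come from the table, while the constructed sample workflow, the untrusted-context list and the regular expressions are assumptions made for the example.

```python
import re

# Constructed sample: the dict a YAML loader would produce for a workflow
# containing the mistakes the rules above target (not Ghast's own data).
WORKFLOW = {
    "name": "pr-check",
    "on": {"pull_request_target": {"types": ["opened"]}},
    "jobs": {
        "build": {
            "runs-on": "ubuntu-latest",
            "steps": [
                {"uses": "actions/checkout@v4",
                 "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
                {"run": 'echo "PR: ${{ github.event.pull_request.title }}"'},
                {"uses": "some-org/lint-action@main"},
            ],
        }
    },
}

SHA_REF = re.compile(r"@[0-9a-f]{40}$")  # reference pinned to a full commit SHA
PR_HEAD = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")
# Expression contexts an outside contributor controls (a subset, assumed here).
UNTRUSTED = re.compile(
    r"\$\{\{\s*github\.(event\.(pull_request\.(title|body|head\.ref)"
    r"|issue\.(title|body)|comment\.body)|head_ref)\s*\}\}")


def scan(wf):
    """Return (rule, severity, location) tuples for a parsed workflow dict."""
    findings = []
    if "permissions" not in wf:  # no explicit least-privilege token scope
        findings.append(("permissions", "High", "workflow"))
    # YAML 1.1 loaders read the key `on` as boolean True, so accept both.
    triggers = wf.get("on", wf.get(True, {}))
    privileged = "pull_request_target" in triggers
    for job, spec in wf.get("jobs", {}).items():
        for i, step in enumerate(spec.get("steps", [])):
            loc = f"jobs.{job}.steps[{i}]"
            uses = step.get("uses", "")
            if uses and not uses.startswith(("./", "docker://")) and not SHA_REF.search(uses):
                findings.append(("action_pinning", "Medium", loc))
            ref = str(step.get("with", {}).get("ref", ""))
            # privileged trigger + checkout of the PR head = attacker code with secrets
            if privileged and uses.startswith("actions/checkout") and PR_HEAD.search(ref):
                findings.append(("poisoned_pipeline_execution", "Critical", loc))
            if UNTRUSTED.search(step.get("run", "")):  # expression expanded into shell
                findings.append(("command_injection", "High", loc))
    return findings
```

The sample yields five findings; a workflow with an explicit permissions block, a push trigger and SHA-pinned actions yields none.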

CI-ready

Make security checks part of every change.

Run Ghast locally during workflow development, in pre-merge automation, or as a scheduled guardrail that produces SARIF and fails builds at your chosen severity threshold.

Fail on serious findings

Use severity thresholds to decide when a pipeline should fail while still surfacing lower-priority findings for backlog hardening.

Keep audit artifacts

Store HTML reports for security reviews or upload SARIF to GitHub Code Scanning so workflow findings live beside application code alerts.