Install | Policies | How to use | Configuration
GitHub Actions linter for security best practices.
$ ghalint run
ERRO[0000] read a workflow file error="parse a workflow file as YAML: yaml: line 10: could not find expected ':'" program=ghalint version= workflow_file_path=.github/workflows/release.yaml
ERRO[0000] github.token should not be set to workflow's env env_name=GITHUB_TOKEN policy_name=workflow_secrets program=ghalint version= workflow_file_path=.github/workflows/test.yaml
ERRO[0000] secret should not be set to workflow's env env_name=DATADOG_API_KEY policy_name=workflow_secrets program=ghalint version= workflow_file_path=.github/workflows/test.yamlghalint is a command line tool to check GitHub Actions Workflows anc action.yaml for security policy compliance.
- job_permissions: All jobs should have
permissions - deny_read_all_permission:
read-allpermission should not be used - deny_write_all_permission:
write-allpermission should not be used - deny_inherit_secrets:
secrets: inheritshould not be used - workflow_secrets: Workflow should not set secrets to environment variables
- job_secrets: Job should not set secrets to environment variables
- deny_job_container_latest_image: Job's container image tag should not be
latest - action_ref_should_be_full_length_commit_sha: action's ref should be full length commit SHA
- github_app_should_limit_repositories: GitHub Actions issueing GitHub Access tokens from GitHub Apps should limit repositories
- github_app_should_limit_permissions: GitHub Actions issueing GitHub Access tokens from GitHub Apps should limit permissions
- action_ref_should_be_full_length_commit_sha: action's ref should be full length commit SHA
- github_app_should_limit_repositories: GitHub Actions issueing GitHub Access tokens from GitHub Apps should limit repositories
- github_app_should_limit_permissions: GitHub Actions issueing GitHub Access tokens from GitHub Apps should limit permissions
- action_shell_is_required:
shellis required ifrunis set
- Homebrew:
brew install suzuki-shunsuke/ghalint/ghalintscoop bucket add suzuki-shunsuke https://github.com/suzuki-shunsuke/scoop-bucket
scoop install ghalintaqua g -i suzuki-shunsuke/ghalint- Download a pre-built binary from GitHub Releases and locate an executable binary
ghalintinPATH
Run the command ghalint run on the repository root directory.
ghalint runThen ghalint validates workflow files ^\.github/workflows/.*\.ya?ml$.
Run the command ghalint run-action.
ghalint run-actionThe alias act is available.
ghalint actThen ghalint validates action files ^action\.ya?ml$ on the current directory.
You can also specify file paths.
ghalint act foo/action.yaml bar/action.ymlConfiguration file path: ^\.?ghalint\.ya?ml$
You can specify the configuration file with the command line option -config (-c) or the environment variable GHALINT_CONFIG.
ghalint -c foo.yaml runYou can exclude the policy job_secrets and action_ref_should_be_full_length_commit_sha.
e.g.
excludes:
- policy_name: job_secrets
workflow_file_path: .github/workflows/actionlint.yaml
job_name: actionlint
- policy_name: action_ref_should_be_full_length_commit_sha
action_name: slsa-framework/slsa-github-generator
- policy_name: github_app_should_limit_repositories
workflow_file_path: .github/workflows/test.yaml
job_name: test
step_id: create_tokenRequired. You can exclude only the following policies.
GHALINT_CONFIG: Configuration file pathGHALINT_LOG_LEVEL: Log level One ofpanic,fatal,error,warn,warning,info(default),debug,traceGHALINT_LOG_COLOR: Configure log color. One ofauto(default),always, andnever.
💡 If you want to enable log color in GitHub Actions, please try GHALINT_LOG_COLOR=always
env:
GHALINT_LOG_COLOR: alwaysAS IS
TO BE
ghalint reads GitHub Actions Workflows ^\.github/workflows/.*\.ya?ml$ and validates them.
If there are violatation ghalint outputs error logs and fails.
If there is no violation ghalint succeeds.