
Ghasec

🫴 Catch security risks in your GitHub Actions workflows.

Install / Use

/learn @koki-develop/Ghasec
About this skill

Quality Score

0/100

Supported Platforms

Universal

README

ghasec

Catch security risks in your GitHub Actions workflows.

Badges: GitHub Release (https://github.com/koki-develop/ghasec/releases/latest), CI (https://github.com/koki-develop/ghasec/actions/workflows/ci.yml), Go Report Card (https://goreportcard.com/report/github.com/koki-develop/ghasec), LICENSE (./LICENSE). Screenshot: ./docs/screenshot.png

Installation

Homebrew

$ brew install koki-develop/tap/ghasec

Go

$ go install github.com/koki-develop/ghasec@latest

Docker

$ docker run --rm -v "$(pwd):/mnt" ghcr.io/koki-develop/ghasec:latest

GitHub Releases

Download the binary for your platform from the Releases page.

GitHub Actions

  • ghasec-action - A GitHub Action to run ghasec.
  • setup-ghasec - A GitHub Action to install ghasec. Use this if you want to run ghasec with custom options.

Usage

$ ghasec --help
Catch security risks in your GitHub Actions workflows.

Usage:
  ghasec [files...] [flags]

Flags:
      --format string   output format ("default", "github-actions", "markdown", or "sarif") (default "default")
  -h, --help            help for ghasec
      --no-color        disable colored output
      --online          enable rules that require network access
  -v, --version         version for ghasec

When run without arguments, ghasec automatically discovers .github/workflows/*.yml|yaml and **/action.yml|yaml files in the current directory.

$ ghasec

You can also specify files explicitly:

$ ghasec example.yml
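The two discovery patterns above behave differently: the workflows pattern matches only files directly inside .github/workflows, while the action pattern matches an action.yml or action.yaml at any depth. The walker below is an added example written for this page, not ghasec's own code; the function names (DiscoverTargets, isWorkflowFile, isActionFile) and the decision to return sorted slash-separated relative paths are assumptions made here.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// Added example, not ghasec's implementation: applies the two discovery
// patterns ".github/workflows/*.yml|yaml" (no recursion) and
// "**/action.yml|yaml" (any depth) to a directory tree.

func hasYAMLExt(name string) bool {
	return strings.HasSuffix(name, ".yml") || strings.HasSuffix(name, ".yaml")
}

// isWorkflowFile reports whether rel (slash-separated, relative to the root)
// is a YAML file directly inside .github/workflows. Subdirectories do not match.
func isWorkflowFile(rel string) bool {
	const prefix = ".github/workflows/"
	if !strings.HasPrefix(rel, prefix) {
		return false
	}
	name := strings.TrimPrefix(rel, prefix)
	return !strings.Contains(name, "/") && hasYAMLExt(name)
}

// isActionFile reports whether rel names an action metadata file at any depth.
func isActionFile(rel string) bool {
	base := rel[strings.LastIndex(rel, "/")+1:]
	return base == "action.yml" || base == "action.yaml"
}

// DiscoverTargets walks root and returns the sorted, slash-separated relative
// paths of every file that either pattern selects.
func DiscoverTargets(root string) ([]string, error) {
	var out []string
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err // unreadable entry: surface it rather than silently skipping
		}
		if d.IsDir() {
			return nil
		}
		rel, err := filepath.Rel(root, p)
		if err != nil {
			return err
		}
		rel = filepath.ToSlash(rel)
		if isWorkflowFile(rel) || isActionFile(rel) {
			out = append(out, rel)
		}
		return nil
	})
	if err != nil {
		return nil, err
	}
	sort.Strings(out)
	return out, nil
}

func main() {
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	targets, err := DiscoverTargets(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, t := range targets {
		fmt.Println(t)
	}
}
```

Run it from a repository root to list exactly the files a no-argument scan would cover; a workflow placed in a subdirectory of .github/workflows is deliberately not listed, since GitHub does not run workflows from there either.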

Online Rules

Some rules require network access to the GitHub API. Use the --online flag to enable them:

$ ghasec --online

The GitHub API is subject to rate limiting. Set the GHASEC_GITHUB_TOKEN or GITHUB_TOKEN environment variable to use a higher rate limit:

$ GHASEC_GITHUB_TOKEN=ghp_... ghasec --online

Markdown Format

Use --format markdown to produce Markdown output. Each diagnostic includes the source line, a description of why the issue matters, and how to fix it:

$ ghasec --format markdown

This format is useful for AI agents like Claude Code or Cursor — pass the output directly and let the agent fix the issues autonomously.

SARIF Format

Use --format sarif to produce SARIF 2.1.0 output. This enables integration with reviewdog, GitHub Code Scanning, and other SARIF-consuming tools.

Ignoring Rules

Add a # ghasec-ignore: <rule-name> comment above the line to suppress a specific diagnostic:

# ghasec-ignore: unpinned-action
- uses: actions/checkout@v6

Multiple rules can be separated by commas:

# ghasec-ignore: unpinned-action, checkout-persist-credentials
- uses: actions/checkout@v6

Omit the rule name to suppress all diagnostics on the line:

# ghasec-ignore
- uses: actions/checkout@v6
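The three forms of the ignore comment above (one rule, a comma-separated list, and the bare form) are easy to parse but have one sharp edge: a malformed directive should not quietly suppress findings. The parser below is an added example for this page, not ghasec's own suppression logic. It assumes that a directive applies only to the line immediately beneath it, and that a malformed directive (for example `# ghasec-ignore:` with no rule names, or a near miss such as `# ghasec-ignored`) suppresses nothing; the type and function names are assumptions made here.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Added example, not ghasec's implementation: parses "# ghasec-ignore" comments
// and answers "is rule R suppressed on line N?". Assumed semantics: a directive
// covers only the next line, and malformed directives fail closed.

const ignoreMarker = "ghasec-ignore"

// Suppression records what an ignore comment grants to the line below it.
type Suppression struct {
	Line  int             // 1-based line number the suppression applies to
	All   bool            // bare "# ghasec-ignore": every rule is suppressed
	Rules map[string]bool // named rules, consulted when All is false
}

// parseIgnoreComment inspects one source line. ok is false unless the line is a
// well-formed ignore directive; all is true for the bare form.
func parseIgnoreComment(line string) (rules []string, all bool, ok bool) {
	s := strings.TrimSpace(line)
	if !strings.HasPrefix(s, "#") {
		return nil, false, false
	}
	s = strings.TrimSpace(strings.TrimPrefix(s, "#"))
	if !strings.HasPrefix(s, ignoreMarker) {
		return nil, false, false
	}
	rest := strings.TrimSpace(strings.TrimPrefix(s, ignoreMarker))
	if rest == "" {
		return nil, true, true // "# ghasec-ignore": suppress everything on the next line
	}
	if !strings.HasPrefix(rest, ":") {
		return nil, false, false // e.g. "# ghasec-ignored" is an ordinary comment
	}
	for _, r := range strings.Split(rest[1:], ",") {
		if r = strings.TrimSpace(r); r != "" {
			rules = append(rules, r)
		}
	}
	if len(rules) == 0 {
		return nil, false, false // "# ghasec-ignore:" with no names: fail closed
	}
	return rules, false, true
}

// CollectSuppressions maps each 1-based line number to the suppression granted
// by the ignore comment directly above it.
func CollectSuppressions(src string) map[int]Suppression {
	out := map[int]Suppression{}
	lines := strings.Split(src, "\n")
	for i, l := range lines {
		rules, all, ok := parseIgnoreComment(l)
		if !ok || i+1 >= len(lines) {
			continue // not a directive, or a directive with no line beneath it
		}
		s := Suppression{Line: i + 2, All: all, Rules: map[string]bool{}}
		for _, r := range rules {
			s.Rules[r] = true
		}
		out[s.Line] = s
	}
	return out
}

// IsSuppressed reports whether a diagnostic for rule on line should be dropped.
func IsSuppressed(sup map[int]Suppression, line int, rule string) bool {
	s, found := sup[line]
	return found && (s.All || s.Rules[rule])
}

// sampleWorkflow is a constructed snippet mirroring the README examples.
const sampleWorkflow = `jobs:
  build:
    steps:
      # ghasec-ignore: unpinned-action
      - uses: actions/checkout@v6
      # ghasec-ignore: unpinned-action, checkout-persist-credentials
      - uses: actions/checkout@v6
      # ghasec-ignore
      - uses: actions/checkout@v6
      - uses: actions/setup-go@v5`

func main() {
	sup := CollectSuppressions(sampleWorkflow)
	var nums []int
	for n := range sup {
		nums = append(nums, n)
	}
	sort.Ints(nums)
	for _, n := range nums {
		fmt.Printf("line %d: all=%v rules=%v\n", n, sup[n].All, sup[n].Rules)
	}
}
```

Failing closed on a malformed directive means a typo in a rule list shows up as an unexpected finding in the next run, which is the visible outcome a reviewer wants, rather than a silently blanket-suppressed line.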

Rules

See Rules for the full list of available rules.

License

MIT

View on GitHub: https://github.com/koki-develop/ghasec
GitHub Stars: 26
Category: Development
Updated: 2h ago
Forks: 0

Languages

Go

Security Score

95/100

Audited on Apr 7, 2026

No findings