GHAST: GitHub Actions Security Analysis Tool

Scan Your GitHub Actions for Common Security Bad Practices

Alex Rodriguez
2 min read · Jul 25, 2023

Hello, World! I’ve released a new tool called ghast that evaluates the security posture of your GitHub Actions workflows. It currently ships 13 checks: some flag behavior that should be avoided altogether, while others are warnings that highlight the potential security risk of a behavior:

  1. check_for_3p_actions_without_hash
  2. check_for_allow_unsecure_commands
  3. check_for_cache_action_usage
  4. check_for_dangerous_write_permissions
  5. check_for_inline_script
  6. check_for_pull_request_target
  7. check_for_script_injection
  8. check_for_self_hosted_runners
  9. check_for_aws_configure_credentials_non_oidc
  10. check_for_pull_request_create_or_approve
  11. check_for_remote_script
  12. check_for_upload_download_artifact_action
  13. check_for_non_github_managed_actions
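To make the list concrete, here is an added example (my own illustration, not ghast’s source code) that implements five of the thirteen checks over a workflow that has already been parsed into a Python dict. How each check is interpreted here (which owners count as GitHub-managed, which expression contexts count as injectable, what "dangerous" permissions means) is an assumption for this example and may differ from what ghast actually does; the sample workflow is constructed and deliberately bad.

```python
import re

# Constructed sample for this example: the dict PyYAML's safe_load() returns
# for a deliberately bad workflow that triggers on pull_request_target, grants
# `permissions: write-all`, sets ACTIONS_ALLOW_UNSECURE_COMMANDS, pins one
# third-party action to a tag instead of a commit SHA, and expands a PR title
# inside a `run:` script.
#
# Caveat: YAML 1.1 reads a bare `on` key as the boolean True, so safe_load()
# yields {True: {...}} rather than {"on": {...}}; the checks accept both.
WORKFLOW = {
    True: {"pull_request_target": None},
    "permissions": "write-all",
    "env": {"ACTIONS_ALLOW_UNSECURE_COMMANDS": "true"},
    "jobs": {
        "build": {
            "runs-on": "ubuntu-latest",
            "steps": [
                {"uses": "actions/checkout@v4"},
                {"uses": "some-org/some-action@v1"},
                {"uses": "some-org/pinned-action@" + "a" * 40},
                {"run": 'echo "${{ github.event.pull_request.title }}"'},
            ],
        }
    },
}

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Owners treated as GitHub-managed (assumption made for this example).
GITHUB_MANAGED = {"actions", "github"}
# Expression contexts an outside contributor controls; expanding one inside
# `run:` is shell injection. Illustrative, not an exhaustive list.
INJECTABLE = re.compile(
    r"\$\{\{\s*(github\.event\.(issue|pull_request|comment|review|head_commit)"
    r"\.[\w.]*|github\.head_ref)\s*\}\}"
)


def triggers(wf):
    """Normalize the `on:` value (string, list or mapping) to a set of events."""
    on = wf.get("on", wf.get(True, {}))
    if isinstance(on, str):
        return {on}
    return set(on or [])


def steps(wf):
    """Yield (location, step) for every step in every job."""
    for job_name, job in wf.get("jobs", {}).items():
        for idx, step in enumerate(job.get("steps", [])):
            yield f"jobs.{job_name}.steps[{idx}]", step


def check_for_3p_actions_without_hash(wf):
    """Third-party `uses:` references must be pinned to a full commit SHA."""
    findings = []
    for loc, step in steps(wf):
        uses = step.get("uses", "")
        if not uses or uses.startswith(("./", "docker://")):
            continue
        owner = uses.split("/", 1)[0]
        ref = uses.rsplit("@", 1)[1] if "@" in uses else ""
        if owner not in GITHUB_MANAGED and not SHA_RE.match(ref):
            findings.append((loc, uses))
    return findings


def check_for_pull_request_target(wf):
    """pull_request_target runs with the base repo's secrets on fork PRs."""
    return ["on.pull_request_target"] if "pull_request_target" in triggers(wf) else []


def check_for_script_injection(wf):
    """Attacker-controlled expressions expanded directly in a `run:` script."""
    return [(loc, m.group(0)) for loc, step in steps(wf)
            for m in INJECTABLE.finditer(step.get("run", "") or "")]


def check_for_allow_unsecure_commands(wf):
    """ACTIONS_ALLOW_UNSECURE_COMMANDS re-enables the deprecated ::set-env."""
    scopes = [("env", wf.get("env"))]
    for job_name, job in wf.get("jobs", {}).items():
        scopes.append((f"jobs.{job_name}.env", job.get("env")))
    scopes += [(loc + ".env", step.get("env")) for loc, step in steps(wf)]
    return [loc for loc, env in scopes if "ACTIONS_ALLOW_UNSECURE_COMMANDS" in (env or {})]


def check_for_dangerous_write_permissions(wf):
    """A blanket write-all token; least privilege wants per-scope grants."""
    return ["permissions: write-all"] if wf.get("permissions") == "write-all" else []


CHECKS = [check_for_3p_actions_without_hash, check_for_pull_request_target,
          check_for_script_injection, check_for_allow_unsecure_commands,
          check_for_dangerous_write_permissions]


def scan(wf):
    """Run every check; return only those that produced findings."""
    results = {check.__name__: check(wf) for check in CHECKS}
    return {name: hits for name, hits in results.items() if hits}
```

Calling `scan(WORKFLOW)` returns a dict keyed by check name with the offending locations; a workflow that only uses GitHub-managed actions on `push` and has no `env` or `permissions` block comes back empty. The `on`/`True` handling in `triggers` is the kind of parser detail that silently blinds a check if you forget it, so it is worth a test case of its own.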

Alex Rodriguez

I am an Offensive Security Engineer @ Amazon who writes about cybersecurity and anything related to technology. Opinions are my own.