ci-workflow-linter

Community

Audit CI pipelines for security and hygiene.

Author: FrogAi
Version: 1.0.0
Installs: 0

System Documentation

What problem does it solve?

Production-grade CI workflow security and hygiene linter for GitHub Actions, GitLab CI, CircleCI, Buildkite, Azure Pipelines and Jenkins. Scans for secret-leak risk (token echo, env print), third-party action pinning (commit SHA vs. mutable tag), GITHUB_TOKEN permissions (least privilege), timeout discipline, concurrent-run handling, cache-key staleness, expression injection via PR titles and bodies, untrusted-input handling, workflow-dispatch input validation, OIDC federation setup, and self-hosted runner configuration. Pulls the GitHub Actions security-hardening guide, the OWASP CI/CD Top 10, the OpenSSF Scorecard checks and the StepSecurity catalog live. Read-only.

Core Features & Use Cases

  • Live guidance fetch from security docs (GitHub Actions security-hardening, OWASP CI/CD Top 10, OpenSSF Scorecard, StepSecurity catalog).
  • Each finding includes source citations and explicit remediation guidance.
  • Read-only analysis with structured, reproducible output and strict permission model.

Quick Start

Run the linter against your repository's CI workflows to generate a comprehensive security audit.

Dependency Matrix

Required Modules

None required

Components

  • scripts
  • references
  • assets

💻 Claude Code Installation

Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.

Please help me install this Skill:
Name: ci-workflow-linter
Download link: https://github.com/FrogAi/Xenopus/archive/main.zip#ci-workflow-linter

Please download this .zip file, extract it, and install it in the .claude/skills/ directory.