GitHub Actions Security Scanner - Scan your GitHub Actions workflows for security vulnerabilities using OpenSSF Scorecard.
- 🔍 Comprehensive Scanning: Scan single repositories, entire organizations, or user accounts
- 📊 Multiple Report Formats: JSON, HTML, CSV, and Markdown reports
- 📦 Inventory Tracking: Keep track of all your repos and their security scores over time
- 🚀 Easy Integration: Use as CLI tool or GitHub Action
- ⚡ Parallel Execution: Fast scanning with concurrent repository processing
- 🎯 Focused Checks: Run specific security checks or all OpenSSF Scorecard checks
- 📈 Beautiful Reports: Visual HTML reports with risk scoring and detailed findings
ActionsGuard leverages OpenSSF Scorecard to check for:
- Dangerous Workflows: Detects potentially dangerous patterns in GitHub Actions
- Token Permissions: Ensures proper token permission configuration
- Pinned Dependencies: Verifies dependencies are pinned to specific versions
- And 15+ additional security checks
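As an added illustration (not Scorecard's or ActionsGuard's code), the block below is a deliberately simplified, line-based approximation of what the three default checks look for, run against a constructed risky workflow and its hardened counterpart. Scorecard's real checks parse the YAML and cover many more patterns; the regexes, sample workflows and messages here are assumptions for illustration only.

```python
import re

# Constructed sample (not from the project): a workflow that trips all three default checks.
RISKY_WORKFLOW = """\
name: ci
on: [pull_request_target]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: echo "Title: ${{ github.event.pull_request.title }}"
"""

# Hardened counterpart: least-privilege token, SHA-pinned action, untrusted input via env var.
HARDENED_WORKFLOW = """\
name: ci
on: [pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - run: echo "$PR_TITLE"
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
"""
USES = re.compile(r"uses:\s*(\S+)")
SHA_PINNED = re.compile(r"uses:\s*\S+@[0-9a-f]{40}\b")
UNTRUSTED = re.compile(r"\$\{\{\s*github\.event\.(issue|pull_request|comment|review)\.[^}]*\}\}")

def mini_checks(workflow: str) -> dict:
    """Return {check: [findings]} for one workflow file (simplified, line-based, assumption)."""
    out = {"Token-Permissions": [], "Pinned-Dependencies": [], "Dangerous-Workflow": []}
    lines = workflow.splitlines()
    if not any(ln.startswith("permissions:") for ln in lines):
        out["Token-Permissions"].append("no top-level permissions block; GITHUB_TOKEN keeps the repository default")
    for n, line in enumerate(lines, 1):
        m = USES.search(line)
        if m and not m.group(1).startswith(("./", "docker://")) and not SHA_PINNED.search(line):
            out["Pinned-Dependencies"].append(f"line {n}: {m.group(1)} is not pinned to a commit SHA")
        if line.lstrip().startswith("- run:") and UNTRUSTED.search(line):
            out["Dangerous-Workflow"].append(f"line {n}: untrusted event data templated into a run step")
    if "pull_request_target" in workflow and re.search(r"ref:.*pull_request\.head", workflow):
        out["Dangerous-Workflow"].append("pull_request_target checks out the PR head with a privileged token")
    return out
```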
Important: ActionsGuard requires OpenSSF Scorecard to be installed first.
**Recommended: Using Homebrew (macOS & Linux)**

```bash
brew install scorecard
```

**Alternative: Download Binary Manually**

Manual installation instructions:
```bash
# macOS (Apple Silicon)
curl -L -o scorecard https://github.com/ossf/scorecard/releases/latest/download/scorecard_darwin_arm64
chmod +x scorecard
sudo mv scorecard /usr/local/bin/scorecard

# macOS (Intel)
curl -L -o scorecard https://github.com/ossf/scorecard/releases/latest/download/scorecard_darwin_amd64
chmod +x scorecard
sudo mv scorecard /usr/local/bin/scorecard

# Linux
curl -L -o scorecard https://github.com/ossf/scorecard/releases/latest/download/scorecard_linux_amd64
chmod +x scorecard
sudo mv scorecard /usr/local/bin/scorecard
```

**Verify Installation:**

```bash
scorecard version
```

Install ActionsGuard from PyPI:

```bash
pip3 install actionsguard
```

For contributing or local development:
```bash
# Clone the repository
git clone https://github.com/cybrking/actions-guard.git
cd actions-guard

# Create virtual environment (recommended)
python3 -m venv venv
source venv/bin/activate # On Windows: venv\Scripts\activate

# Install in development mode
pip3 install -e .

# Verify installation
actionsguard --version
```

**Option A: Fine-grained Token (Recommended)**
Create at: https://github.com/settings/personal-access-tokens/new

Permissions needed:
- Repository permissions:
  - Actions: Read
  - Contents: Read
  - Metadata: Read
- Organization permissions (for org scanning):
  - Members: Read

```bash
export GITHUB_TOKEN="github_pat_your_token_here"
```

**Option B: Classic Token**
Create at: https://github.com/settings/tokens/new

Scopes needed:
- `repo` (for private repos) or `public_repo` (for public repos only)
- `read:org` (for organization scanning)

```bash
export GITHUB_TOKEN="ghp_your_token_here"
```

If you're scanning your own private repos, you MUST use the `repo` scope (not just `public_repo`). If you see "0 repositories found", your token likely doesn't have the right permissions.
Quick test:

```bash
# Check if your token can see your repos
actionsguard debug --user your-username
```

The debug command will:
- Show which user you're authenticated as
- Display your token scopes
- List all repositories your token can see
- Explain why repos might be filtered out
```bash
# Scan a single repository
actionsguard scan --repo owner/repository

# Scan an entire organization
actionsguard scan --org your-organization

# Scan a user account (e.g., your personal repos)
actionsguard scan --user cybrking
```

Scan targets:

```bash
# Scan a single repository
actionsguard scan --repo kubernetes/kubernetes

# Scan entire organization
actionsguard scan --org my-org

# Scan a user account (personal repos)
actionsguard scan --user your-user

# Scan with custom token
actionsguard scan --repo owner/repo --token ghp_xxxxxxxxxxxx
```

Filtering and check selection:

```bash
# Exclude specific repositories
actionsguard scan --org my-org --exclude repo1,repo2
actionsguard scan --user your-user --exclude forked-repo

# Only scan specific repositories
actionsguard scan --org my-org --only important-repo,critical-repo
actionsguard scan --user your-user --only my-critical-project

# Run specific security checks
actionsguard scan --org my-org --checks Dangerous-Workflow,Token-Permissions

# Run all Scorecard checks
actionsguard scan --org my-org --all-checks
```

Output and CI options:

```bash
# Change output directory
actionsguard scan --org my-org --output ./security-reports

# Generate specific report formats
actionsguard scan --org my-org --format json,html

# Fail on critical issues (useful for CI/CD)
actionsguard scan --org my-org --fail-on-critical

# Adjust parallel scan workers (default: 5)
actionsguard scan --org my-org --parallel 10
```

Add ActionsGuard to your workflow:
```yaml
name: Security Scan

on:
  schedule:
    - cron: '0 0 * * 0' # Weekly on Sunday
  workflow_dispatch:

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Run ActionsGuard
        uses: your-username/actionsguard@v1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          org-name: my-organization
          fail-on-critical: true

      - name: Upload Reports
        uses: actions/upload-artifact@v3
        with:
          name: security-reports
          path: reports/
```

Inputs:

| Input | Description | Required | Default |
|---|---|---|---|
| `github-token` | GitHub token for API access | Yes | - |
| `org-name` | Organization to scan | No | Current repo org |
| `repo-name` | Single repository to scan | No | - |
| `exclude-repos` | Comma-separated repos to exclude | No | - |
| `only-repos` | Only scan these repos | No | - |
| `checks` | Specific checks to run | No | Dangerous-Workflow,Token-Permissions,Pinned-Dependencies |
| `all-checks` | Run all checks | No | false |
| `output-format` | Report formats | No | html,json,csv,markdown |
| `fail-on-critical` | Fail if critical issues found | No | false |
Outputs:

| Output | Description |
|---|---|
| `reports-path` | Path to generated reports |
| `critical-count` | Number of critical issues |
| `overall-score` | Average security score |
| `summary` | JSON scan summary |
Beautiful, interactive HTML report with:
- Executive summary with metrics
- Color-coded risk levels
- Collapsible sections for easy navigation
- Direct links to documentation
- Mobile-responsive design
Machine-readable JSON with complete scan data:

```json
{
  "total_repos": 50,
  "successful_scans": 48,
  "failed_scans": 2,
  "average_score": 7.2,
  "critical_count": 3,
  "results": [...]
}
```

Spreadsheet-compatible format for analysis in Excel or Google Sheets:

```csv
Repository,URL,Score,Risk Level,Critical Issues,High Issues,...
owner/repo1,https://...,6.5,MEDIUM,0,2,...
```

GitHub-flavored markdown with emojis and collapsible sections, perfect for:
- GitHub Issues
- Pull Request comments
- Documentation
Environment variables:
- `GITHUB_TOKEN`: GitHub personal access token
- `ACTIONSGUARD_OUTPUT_DIR`: Default output directory
- `ACTIONSGUARD_CHECKS`: Default checks to run

Exit codes:
- `0`: Success, no critical issues
- `1`: Critical issues found (with `--fail-on-critical`)
- `2`: Error during execution
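As an added example (not the project's own code), a CSV report in the layout shown above can be triaged in a CI step and mapped onto the exit codes listed: the sample rows, the score threshold and the "empty report means misconfiguration" rule are constructed assumptions for this illustration.

```python
import csv
import io

# Constructed sample in the CSV layout shown above (trailing columns omitted).
SAMPLE_CSV = """\
Repository,URL,Score,Risk Level,Critical Issues,High Issues
acme/api,https://github.com/acme/api,4.1,HIGH,2,3
acme/web,https://github.com/acme/web,6.5,MEDIUM,0,2
acme/docs,https://github.com/acme/docs,9.0,LOW,0,0
"""

def triage(csv_text: str, fail_on_critical: bool = True, min_score: float = 5.0) -> dict:
    """Rank repos from a CSV report and map the outcome onto the documented exit codes."""
    try:
        rows = list(csv.DictReader(io.StringIO(csv_text)))
        for r in rows:  # coerce the numeric columns; anything malformed is an execution error
            r["Score"] = float(r["Score"])
            r["Critical Issues"] = int(r["Critical Issues"])
            r["High Issues"] = int(r["High Issues"])
    except (KeyError, TypeError, ValueError):
        return {"exit_code": 2, "error": "malformed CSV report"}
    if not rows:  # assumption: no rows usually means the token could not list any repos
        return {"exit_code": 2, "error": "empty report (check token scopes)"}
    # Worst first: most critical findings, then most high findings, then lowest score.
    ranked = sorted(rows, key=lambda r: (-r["Critical Issues"], -r["High Issues"], r["Score"]))
    critical = [r["Repository"] for r in ranked if r["Critical Issues"] > 0]
    weak = [r["Repository"] for r in ranked if r["Score"] < min_score]
    by_risk = {}
    for r in rows:
        by_risk.setdefault(r["Risk Level"], []).append(r["Repository"])
    return {
        "exit_code": 1 if fail_on_critical and critical else 0,
        "critical_repos": critical,
        "below_threshold": weak,
        "by_risk": by_risk,
        "average_score": round(sum(r["Score"] for r in rows) / len(rows), 2),
    }
```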
```bash
# Clone repository
git clone https://github.com/cybrking/actions-guard.git
cd actions-guard

# Create virtual environment
python3 -m venv venv
source venv/bin/activate # On Windows: venv\Scripts\activate

# Install development dependencies
pip3 install -e ".[dev]"
```

Run the tests:

```bash
pytest tests/ -v --cov=actionsguard
```

Code quality:

```bash
# Format code
black actionsguard/ tests/

# Lint
flake8 actionsguard/ tests/

# Type checking
mypy actionsguard/
```

GitHub Actions:

```yaml
- name: Security Scan
  run: |
    pip3 install actionsguard
    actionsguard scan --org ${{ github.repository_owner }} --fail-on-critical
```

GitLab CI:

```yaml
security_scan:
  script:
    - pip3 install actionsguard
    - actionsguard scan --org my-org --fail-on-critical
  artifacts:
    paths:
      - reports/
```

Jenkins:

```groovy
stage('Security Scan') {
    steps {
        sh 'pip3 install actionsguard'
        sh 'actionsguard scan --org my-org --fail-on-critical'
        publishHTML([
            reportDir: 'reports',
            reportFiles: 'report.html',
            reportName: 'Security Report'
        ])
    }
}
```

For detailed troubleshooting guides, see:
- Token Issues: docs/TROUBLESHOOTING_TOKEN.md
- General Guide: docs/TOKEN_GUIDE.md
1. Scorecard Command Not Found

```
Error: OpenSSF Scorecard not found
```

Solution: Install scorecard using Homebrew:

```bash
brew install scorecard

# Verify installation
scorecard version
```

If you don't have Homebrew, install it from https://brew.sh or see the manual installation instructions in the Prerequisites section above.

2. GitHub API Rate Limit

```
Error: GitHub API rate limit exceeded
```

Solution:
- Wait for rate limit reset (check: `curl -H "Authorization: token YOUR_TOKEN" https://api.github.com/rate_limit`)
- Use a different token
- Authenticated requests have higher limits (5000/hour vs 60/hour)

3. Organization Access Denied

```
Error: No permission to access organization
```

Solution:
- For Fine-grained tokens: Ensure "Members: Read" permission is granted under Organization permissions
- For Classic tokens: Ensure your token has the `read:org` scope
- Verify you're a member of the organization or have appropriate access

4. Python Project Not Found

```
ERROR: file:///path does not appear to be a Python project
```

Solution: Make sure you're in the correct directory (should contain setup.py and pyproject.toml):

```bash
cd actions-guard # Navigate to the cloned repository
pip3 install -e .
```

Contributions are welcome! Please see CONTRIBUTING.md for details.
- Fork the repository
- Create a feature branch (`git checkout -b feature/amazing-feature`)
- Commit your changes (`git commit -m 'Add amazing feature'`)
- Push to the branch (`git push origin feature/amazing-feature`)
- Open a Pull Request
This project is licensed under the MIT License - see the LICENSE file for details.
- OpenSSF Scorecard - The security checks engine
- PyGithub - GitHub API wrapper
- Click - CLI framework
- Rich - Terminal formatting
- SARIF output for GitHub Security tab
- Comparison mode for regression detection
- Auto-create GitHub Issues for critical findings
- Custom security check plugins
- Web UI for report visualization
- Integration with more CI/CD platforms
Made with ❤️ by Travis Felder
If you find ActionsGuard useful, please consider giving it a ⭐ on GitHub!