Find and auto-fix security vulnerabilities in GitHub Actions #
52 security rules. 38+ auto-fixes. Taint propagation. 100% detection on GitHub Security Lab advisories.
$ brew tap sisaku-security/homebrew-sisakulint
$ brew install sisakulint
What is sisakulint? #
sisakulint is a fast SAST (Static Application Security Testing) tool for GitHub Actions. It automatically validates YAML workflow files against the security guidelines provided by GitHub.
Why GitHub Actions Security Matters #
GitHub Actions has become the de facto standard for CI/CD in open source projects. However, workflow files often contain security vulnerabilities that can lead to:
- Supply chain attacks - Malicious code injection through compromised dependencies
- Credential leaks - Exposed secrets in logs or artifacts
- Privilege escalation - Overly permissive GITHUB_TOKEN permissions
- Code injection - Untrusted input executed as code via ${{ }} expressions
These vulnerabilities are frequently exploited in real-world attacks, making automated security scanning essential.
Key Capabilities #
| Capability | Description |
|---|---|
| Taint Propagation | Tracks untrusted input across steps, jobs, and reusable workflows. No other GitHub Actions scanner does this. |
| Auto-Fix (38+ rules) | Don’t just report — fix. Automatically remediate 38+ security issues. |
| Supply Chain Detection | Impostor commits, ref confusion, vulnerable actions. CVSS 9.8 coverage. |
| OWASP CI/CD Top 10 | Full coverage of the OWASP CI/CD Top 10 Security Risks. |
| SARIF Output | Native SARIF format for reviewdog and GitHub Code Scanning integration. |
| CI-Friendly | Fast execution designed for CI/CD pipelines. |
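The code-injection risk via ${{ }} expressions and the cross-step flow that the Taint Propagation row refers to, shown as an added example (not taken from the sisakulint project): a constructed workflow with a vulnerable job beside a hardened one. The workflow, job, step and variable names are assumptions made for illustration.

```yaml
# Constructed example: workflow, job and step names are illustrative.
name: pr-greeter
on: pull_request_target   # privileged trigger: runs in the base repository's context

permissions:
  contents: read

jobs:
  vulnerable:
    runs-on: ubuntu-latest
    steps:
      # Direct: the expression is substituted into the script text before
      # the shell starts, so the PR title is parsed as shell code.
      - run: echo "New PR: ${{ github.event.pull_request.title }}"

      # Cross-step: this step handles the untrusted branch name safely
      # (via env) but publishes it as a step output ...
      - id: meta
        env:
          HEAD_REF: ${{ github.head_ref }}
        run: echo "branch=$HEAD_REF" >> "$GITHUB_OUTPUT"
      # ... and this step expands that output into a script. Inspected alone
      # it references no untrusted context; the value is still attacker-chosen.
      - run: echo "Building ${{ steps.meta.outputs.branch }}"

  hardened:
    runs-on: ubuntu-latest
    steps:
      # Untrusted values reach the shell as environment variables (data),
      # never as part of the script text.
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "New PR: $PR_TITLE"

      - id: meta
        env:
          HEAD_REF: ${{ github.head_ref }}
        run: echo "branch=$HEAD_REF" >> "$GITHUB_OUTPUT"
      # Step outputs derived from untrusted input get the same treatment.
      - env:
          BRANCH: ${{ steps.meta.outputs.branch }}
        run: echo "Building $BRANCH"
```

The last step of the vulnerable job is the case that needs data-flow tracking: the source of the value is two steps away from the point where it is expanded.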
Validated Against Real-World Vulnerabilities #
| Benchmark | Detection Rate |
|---|---|
| GitHub Security Lab (GHSL) advisories | 100% (18/18) |
| GitHub Security Advisories (GHSA) | 81.6% (31/38) |
Affected projects include: PX4-Autopilot, vets-api, weaviate, harvester, nrwl/nx, ag-grid
Existing Tools and Their Limitations #
GitHub Actions has become the de facto CI/CD platform, yet the security tooling landscape remains fragmented. Each tool addresses a different slice of the problem — no single tool previously combined deep semantic analysis with deterministic auto-fix and supply chain coverage.
| Capability | actionlint | zizmor | StepSecurity | Semgrep | GH Advanced Security | AI Security Agents* | sisakulint |
|---|---|---|---|---|---|---|---|
| Security-focused rules | Limited | 24 | N/A (runtime) | Yes | Yes | AI-based (no static rules) | Yes (52 rules) |
| Taint propagation | No | No | No | Yes (Pro) | Yes | Partial | Yes |
| Supply chain detection | No | Limited | No | Limited | Limited | Limited | Yes (CVSS 9.8) |
| Multi-step analysis | No | No | No | Limited | Yes | Yes | Yes |
| Auto-fix (target code) | No | No | N/A | Limited | Yes (Copilot Autofix) | Yes | Yes (38+ rules) |
*AI Security Agents: Claude Code Security (Anthropic, Feb 2026), Codex Security (OpenAI, Mar 2026). Both use AI-based detection — when a false positive occurs, there is no specific rule to trace or fix.
actionlint focuses on syntax validation and best practices. zizmor is security-focused but limited to single-step pattern matching. StepSecurity takes a complementary runtime hardening approach via network restrictions and permissions. AI Security Agents represent a new class of tool that excels at finding novel vulnerabilities but cannot participate in a deterministic, self-healing loop.
Two Levels of Automated Fixing #
It is important to distinguish two levels of automated fixing in security tooling:
Level 1: Target code autofix. Systems like GitHub Copilot Autofix, SapFix, Getafix, and the newest AI agents (Claude Code Security, Codex Security) fix bugs in application code flagged by scanners. sisakulint itself has 38+ deterministic autofix rules at this level.
Level 2: Scanner self-correction. Our system operates at a fundamentally different level: it fixes the scanner’s own detection rule logic, not target code. When sisakulint produces a false positive, the orchestration system reads the semantic context of the target repository and delegates root cause analysis to an agentic AI. This creates a self-healing loop — each fix permanently improves the scanner’s detection capability.
Security Rules (52 rules) #
Code Injection & Expression Safety #
- code-injection-critical - Detects code injection in privileged triggers
- code-injection-medium - Detects code injection in normal triggers
- envvar-injection-critical - Environment variable injection in privileged triggers
- envvar-injection-medium - Environment variable injection in normal triggers
- envpath-injection-critical - PATH injection in privileged triggers
- envpath-injection-medium - PATH injection in normal triggers
- argument-injection rule - Detects command-line argument injection
- output-clobbering rule - Detects output clobbering vulnerabilities via $GITHUB_OUTPUT
- unsound-contains rule - Detects unsafe contains() usage in conditions
- expression rule - GitHub Actions expression syntax validation
Supply Chain & Dependency Security #
- commit-sha rule - Validates commit SHA usage in actions
- known-vulnerable-actions rule - Detects actions with known vulnerabilities
- archived-uses rule - Detects usage of archived/deprecated actions
- impostor-commit rule - Detects impostor commit attacks
- ref-confusion rule - Detects ref confusion vulnerabilities
- unpinned-images rule - Detects unpinned container images
- action-list rule - Action allowlist/blocklist enforcement
- dependabot-github-actions rule - Checks Dependabot configuration for GitHub Actions ecosystem
Credential & Secret Protection #
- credentials rule - Hardcoded credentials detection using Rego
- secret-exposure rule - Excessive secrets exposure detection
- unmasked-secret-exposure rule - Detects unmasked secrets in logs
- secret-exfiltration rule - Detects secret exfiltration via network commands
- secrets-in-artifacts rule - Detects sensitive data in artifact uploads
- secrets-inherit rule - Detects excessive secrets inheritance
- artipacked rule - Detects artipacked vulnerability patterns
Pipeline Poisoning & Artifact Integrity #
- untrusted-checkout rule - Detects checkout of untrusted PR code
- untrusted-checkout-to-ctou-critical - Critical TOCTOU vulnerabilities in checkout
- untrusted-checkout-to-ctou-high - High severity TOCTOU vulnerabilities in checkout
- artifact-poisoning-critical - Artifact poisoning detection (critical)
- artifact-poisoning-medium - Artifact poisoning detection (medium)
- cache-poisoning rule - Cache poisoning vulnerability detection
- cache-poisoning-poisonable-step - Poisonable step detection after unsafe checkout
- reusable-workflow-taint rule - Detects untrusted inputs in reusable workflows
Triggers & Access Control #
- dangerous-triggers-critical rule - Detects privileged triggers without mitigations
- dangerous-triggers-medium rule - Detects privileged triggers with partial mitigations
- permissions rule - Permission scope and value validation
- bot-conditions rule - Validates bot actor conditions in workflows
- improper-access-control rule - Detects label-based approval bypass vulnerabilities
- self-hosted-runners rule - Self-hosted runner security validation
- request-forgery rule - Detects SSRF vulnerabilities in workflows
AI Agent Security #
- ai-action-unrestricted-trigger rule - Detects AI actions allowing any user to trigger execution
- ai-action-excessive-tools rule - Detects dangerous tool grants to AI agents in untrusted triggers
- ai-action-prompt-injection rule - Detects untrusted input interpolated into AI agent prompts
Workflow Quality & Best Practices #
- id rule - ID collision detection for jobs and environment variables
- timeout-minutes rule - Ensures timeout-minutes is set
- workflow-call rule - Reusable workflow call validation
- conditional rule - Validates conditional expressions
- deprecated-commands rule - Detects deprecated workflow commands
- environment-variable rule - Environment variable name validation
- job-needs rule - Job dependency validation
- cache-bloat rule - Detects cache bloat with cache/restore and cache/save
- obfuscation rule - Detects obfuscated code in workflows
Install #
macOS #
$ brew tap sisaku-security/homebrew-sisakulint
$ brew install sisakulint
Linux #
Download from the release page:
$ cd <directory where sisakulint binary is located>
$ mv ./sisakulint /usr/local/bin/sisakulint
Usage #
# Basic usage (scans .github/workflows/ in current directory)
$ sisakulint
# Remote scan — scan any GitHub repository without cloning
$ sisakulint -remote owner/repo
# Auto-fix (dry-run to preview changes)
$ sisakulint -fix dry-run
# Auto-fix (apply changes)
$ sisakulint -fix on
# SARIF output for reviewdog / GitHub Code Scanning
$ sisakulint -format "{{sarif .}}"
# With debug output
$ sisakulint -debug
OWASP CI/CD Top 10 Mapping #
| OWASP Risk | Description | sisakulint Rules |
|---|---|---|
| CICD-SEC-01 | Insufficient Flow Control Mechanisms | improper-access-control, bot-conditions, unsound-contains, ai-action-unrestricted-trigger |
| CICD-SEC-02 | Inadequate Identity and Access Management | permissions |
| CICD-SEC-03 | Dependency Chain Abuse | known-vulnerable-actions, archived-uses, impostor-commit, ref-confusion, reusable-workflow-taint |
| CICD-SEC-04 | Poisoned Pipeline Execution (PPE) | dangerous-triggers-*, code-injection-*, envvar-injection-*, envpath-injection-*, output-clobbering-*, argument-injection-*, untrusted-checkout-*, request-forgery-*, ai-action-prompt-injection |
| CICD-SEC-05 | Insufficient PBAC | self-hosted-runners, ai-action-excessive-tools |
| CICD-SEC-06 | Insufficient Credential Hygiene | credentials, artipacked, secrets-in-artifacts, secret-exfiltration, secret-exposure, unmasked-secret-exposure, secrets-inherit |
| CICD-SEC-07 | Insecure System Configuration | timeout-minutes, deprecated-commands, cache-bloat |
| CICD-SEC-08 | Ungoverned Usage of 3rd Party Services | action-list, commit-sha, unpinned-images, dependabot-github-actions |
| CICD-SEC-09 | Improper Artifact Integrity Validation | artifact-poisoning-*, cache-poisoning-* |
| CICD-SEC-10 | Insufficient Logging and Visibility | obfuscation |
FAQ #
How is sisakulint different from actionlint? actionlint is an excellent syntax and best-practice linter for GitHub Actions. sisakulint builds on that foundation with 52 security-focused rules, taint propagation across steps and jobs, and 38+ auto-fixes. If actionlint is a spell checker, sisakulint is a security auditor.
How is it different from zizmor? zizmor performs single-step pattern matching. sisakulint tracks data flow across multiple steps, jobs, and reusable workflows via taint propagation — catching vulnerabilities that single-step analysis fundamentally cannot detect (e.g., TOCTOU in checkout-to-use chains, cross-job secret exfiltration).
Will it slow down my CI? No. sisakulint is designed for CI/CD pipelines and completes in seconds even on large monorepo workflow files. SARIF output integrates directly with reviewdog and GitHub Code Scanning.
What about false positives? sisakulint achieves 100% detection on GitHub Security Lab advisories with a low false positive rate. Our Level 2 self-correction system continuously improves rule precision — when a false positive is confirmed, the scanner’s own detection logic is automatically fixed and regression-tested.
Can’t AI agents (Claude Code Security, Codex Security) replace a static linter? AI agents excel at finding novel, context-dependent vulnerabilities. However, they operate non-deterministically — when a false positive occurs, there is no specific rule to trace, debug, or fix. sisakulint provides deterministic, reproducible results with traceable rules, while our self-healing architecture bridges the gap by using AI to improve the rules themselves.
Architecture #
sisakulint automatically searches for YAML files in the .github/workflows directory. The parser builds an AST and traverses it to apply security and best practice rules. Results are output using a custom error formatter, with SARIF support for CI/CD integration.
Achievements #
- Black Hat USA 2026 - The World’s Premier Technical Security Conference in Las Vegas.
- Black Hat Asia 2025 - The World’s Premier Technical Security Conference in Singapore. ref: Arsenal