sisakulint Document #

Before moving on, please consider giving us a GitHub star. Thank you!

GitHub - sisaku-security/sisakulint: CI-Friendly static linter with autofix, SAST, semantic analysis for GitHub Actions

CI-Friendly static linter with autofix, SAST, semantic analysis for GitHub Actions - sisaku-security/sisakulint

github.com

Achievements #

Black Hat Asia 2025 - The World’s Premier Technical Security Conference in Singapore. ref: Arsenal
CODEBLUE 2024 - The Largest Security Conferences in Japan. ref: cybertamago

What is sisakulint? #

sisakulint is a static and fast SAST (Static Application Security Testing) tool for GitHub Actions. It automatically validates YAML workflow files according to security guidelines provided by GitHub.

Why GitHub Actions Security Matters #

GitHub Actions has become the de facto standard for CI/CD in open source projects. However, workflow files often contain security vulnerabilities that can lead to:

Supply chain attacks - Malicious code injection through compromised dependencies
Credential leaks - Exposed secrets in logs or artifacts
Privilege escalation - Overly permissive GITHUB_TOKEN permissions
Code injection - Untrusted input executed as code via ${{ }} expressions

These vulnerabilities are frequently exploited in real-world attacks, making automated security scanning essential.

Key Capabilities #

Static analysis with OWASP Top 10 CI/CD Security Risks compliance
Semantic analysis for detecting complex vulnerability patterns
Automatic security feature validation
SARIF format output for reviewdog integration
Auto-fix support for common security issues
CI-friendly design with fast execution

Main Tool Features #

id rule - ID collision detection for jobs and environment variables
credentials rule - Hardcoded credentials detection using Rego
commit-sha rule - Validates commit SHA usage in actions
permissions rule - Permission scope and value validation
workflow-call rule - Reusable workflow call validation
timeout-minutes rule - Ensures timeout-minutes is set
action-list rule - Action allowlist/blocklist enforcement
untrusted-checkout rule - Detects checkout of untrusted PR code
code-injection-critical - Detects code injection in privileged triggers
code-injection-medium - Detects code injection in normal triggers
envvar-injection-critical - Environment variable injection in privileged triggers
envvar-injection-medium - Environment variable injection in normal triggers
envpath-injection-critical - PATH injection in privileged triggers
envpath-injection-medium - PATH injection in normal triggers
artifact-poisoning-critical - Artifact poisoning detection (critical)
artifact-poisoning-medium - Artifact poisoning detection (medium)
cache-poisoning rule - Cache poisoning vulnerability detection
cache-poisoning-poisonable-step - Poisonable step detection after unsafe checkout
conditional rule - Validates conditional expressions
deprecated-commands rule - Detects deprecated workflow commands
environment-variable rule - Environment variable name validation
expression rule - GitHub Actions expression syntax validation
improper-access-control rule - Detects label-based approval bypass vulnerabilities
job-needs rule - Job dependency validation
secret-exposure rule - Excessive secrets exposure detection
unmasked-secret-exposure rule - Detects unmasked secrets in logs
bot-conditions rule - Validates bot actor conditions in workflows
known-vulnerable-actions rule - Detects actions with known vulnerabilities
archived-uses rule - Detects usage of archived/deprecated actions
impostor-commit rule - Detects impostor commit attacks
ref-confusion rule - Detects ref confusion vulnerabilities
unsound-contains rule - Detects unsafe contains() usage in conditions
self-hosted-runners rule - Self-hosted runner security validation
unpinned-images rule - Detects unpinned container images
artipacked rule - Detects artipacked vulnerability patterns
obfuscation rule - Detects obfuscated code in workflows
untrusted-checkout-to-ctou-critical - Critical TOCTOU vulnerabilities in checkout
untrusted-checkout-to-ctou-high - High severity TOCTOU vulnerabilities in checkout

Install #

macOS #

$ brew tap sisaku-security/homebrew-sisakulint
$ brew install sisakulint

Linux #

Download from the release page:

$ cd <directory where sisakulint binary is located>
$ mv ./sisakulint /usr/local/bin/sisakulint

Usage #

# Basic usage
$ sisakulint

# With debug output
$ sisakulint -debug

# Auto-fix (dry-run to preview changes)
$ sisakulint -fix dry-run

# Auto-fix (apply changes)
$ sisakulint -fix on

# SARIF output for reviewdog
$ sisakulint -format "{{sarif .}}"

OWASP CI/CD Top 10 Mapping #

OWASP Risk	Description	sisakulint Rules
CICD-SEC-01	Insufficient Flow Control Mechanisms	improper-access-control, bot-conditions
CICD-SEC-02	Inadequate Identity and Access Management	permissions, secret-exposure, unmasked-secret-exposure
CICD-SEC-03	Dependency Chain Abuse	known-vulnerable-actions, archived-uses, impostor-commit, ref-confusion
CICD-SEC-04	Poisoned Pipeline Execution (PPE)	code-injection-, envvar-injection-, envpath-injection-, untrusted-checkout-, unsound-contains
CICD-SEC-05	Insufficient PBAC (Pipeline-Based Access Controls)	self-hosted-runners
CICD-SEC-06	Insufficient Credential Hygiene	credentials
CICD-SEC-07	Insecure System Configuration	timeout-minutes, deprecated-commands
CICD-SEC-08	Ungoverned Usage of 3rd Party Services	action-list, commit-sha, unpinned-images
CICD-SEC-09	Improper Artifact Integrity Validation	artifact-poisoning-, cache-poisoning-, artipacked
CICD-SEC-10	Insufficient Logging and Visibility	obfuscation

OWASP Top 10 CI/CD Security Risks | OWASP Foundation

OWASP Top 10 CI/CD Security Risks project helps defenders identify focus areas for securing their CI/CD ecosystem.

owasp.org

Architecture #

sisakulint automatically searches for YAML files in the .github/workflows directory. The parser builds an AST and traverses it to apply security and best practice rules. Results are output using a custom error formatter, with SARIF support for CI/CD integration.