This document was generated by an AI-powered coding agent and compares the following GitHub Actions workflow file linting tools:
- Actionlint: Static checker for GitHub Actions workflow files with syntax validation and best practices
- Poutine: Supply chain security scanner for detecting risks in CI/CD pipelines
- Octoscan: Security scanner for GitHub Actions workflows focusing on vulnerability detection
- Zizmor: Security audit tool for GitHub Actions workflows
Audit/Rule | Actionlint | Poutine | Octoscan | Zizmor |
---|---|---|---|---|
Syntax & Structure Validation | ||||
Unexpected/Invalid keys | ✅ | |||
Missing required keys | ✅ | |||
Key duplicates | ✅ | |||
Empty mappings validation | ✅ | |||
Incorrect value types | ✅ | |||
Expression syntax validation | ✅ | |||
Type checking in expressions | ✅ | |||
Context and function validation | ✅ | |||
Availability of contexts and special functions | ✅ | |||
Matrix object validation | ✅ | |||
Job dependencies validation | ✅ | |||
CRON syntax validation | ✅ | |||
Glob pattern validation | ✅ | |||
Shell name validation | ✅ | |||
Job and step ID uniqueness | ✅ | |||
ID naming convention checks | ✅ | |||
Environment variable name validation | ✅ | |||
Action metadata syntax validation | ✅ | |||
Outdated popular actions detection | ✅ | |||
Code Quality & Linting | ||||
Shellcheck integration | ✅ | ✅ | ||
Pyflakes integration | ✅ | |||
Anonymous workflow/action detection | ✅ | |||
Security - Injection & Code Execution | ||||
Template/Expression injection | ✅ | ✅ | ✅ | ✅ |
Script injection detection | ✅ | ✅ | ||
Arbitrary code execution risks | ✅ | |||
Command injection via GITHUB_ENV/OUTPUT | ✅ | ✅ | ||
Obfuscated code detection | ✅ | |||
Security - Credentials & Secrets | ||||
Hardcoded credentials detection | ✅ | ✅ | ||
Hardcoded container credentials | ✅ | |||
Excessive secret sharing | ✅ | ✅ | ||
Secret inheritance issues | ✅ | |||
Unredacted secrets detection | ✅ | |||
Artipacked (git credential storage) | ✅ | |||
Security - Permissions & Access | ||||
Excessive permissions | ✅ | ✅ | ||
Default permissions on risky events | ✅ | |||
Workflow permissions validation | ✅ | |||
Action input validation | ✅ | |||
Popular action inputs validation | ✅ | |||
Security - Dependencies & Supply Chain | ||||
Known vulnerable actions | ✅ | ✅ | ✅ | |
Unpinned/Unpinnable actions | ✅ | ✅ | ||
Unpinned container images | ✅ | |||
Stale action references | ✅ | |||
Local/unverified actions | ✅ | ✅ | ||
Repository jacking detection | ✅ | |||
Impostor commits detection | ✅ | |||
Ref confusion detection | ✅ | |||
Cache poisoning detection | ✅ | |||
Security - Workflow Triggers & Events | ||||
Dangerous triggers (pull_request_target) | ✅ | |||
Dangerous checkout detection | ✅ | |||
Pull requests on self-hosted runners | ✅ | |||
Security - Runner & Environment | ||||
Self-hosted runner detection | ✅ | ✅ | ||
Runner label validation | ✅ | ✅ | ||
Unsecure commands (ACTIONS_ALLOW_UNSECURE_COMMANDS) | ✅ | ✅ | ||
CI debug mode detection | ✅ | |||
Security - Conditions & Logic | ||||
Always-true conditions | ✅ | ✅ | ||
Bot identity checks | ✅ | ✅ | ||
Confused deputy auto-merge | ✅ | |||
Unsound conditions | ✅ | |||
Unsound contains usage | ✅ | |||
Other Security Checks | ||||
Dangerous artifact uploads | ✅ | |||
Dangerous write operations | ✅ | |||
OIDC action detection (debug) | ✅ | |||
External trigger detection (debug) | ✅ | |||
JS exec detection (debug) | ✅ | |||
Unverified script execution | ✅ | |||
Build platform vulnerabilities | ✅ | |||
Forbidden action uses (allowlist/denylist) | ✅ | |||
Use trusted publishing | ✅ | |||
Deprecated Features | ||||
Deprecated command detection | ✅ | |||
Workflow Structure | ||||
Reusable workflow validation | ✅ | |||
Workflow call syntax | ✅ | |||
Workflow dispatch event input validation | ✅ | |||
Webhook event validation | ✅ | |||
Contextual typing for inputs/secrets objects | ✅ | |||
Cyclic dependency detection | ✅ | |||
TOTAL CHECKS | 36 | 13 | 17 | 25 |
- Actionlint focuses primarily on syntax validation, type checking, and workflow correctness
- Poutine targets supply chain security and CI/CD pipeline risks
- Octoscan specializes in security vulnerability detection with emphasis on injection attacks and credential exposure (includes some debug rules marked above)
- Zizmor provides comprehensive security auditing with a focus on both common and subtle security issues
For comprehensive coverage, it's recommended to use all four tools in combination as they complement each other:
- Use Actionlint for syntax validation and catching configuration errors early
- Use Octoscan and Zizmor for thorough security vulnerability detection
- Use Poutine for supply chain and dependency security analysis
While both Octoscan and Zizmor focus on security vulnerability detection, they have distinct strengths and approaches. Checks the two tools share:
- Template/Expression injection detection: Both tools detect code injection risks
- Credential detection: Both identify hardcoded credentials and related security issues
- Known vulnerable actions: Both check for actions with known security vulnerabilities
- Bot identity checks: Both validate bot-based conditions
- Insecure commands: Both detect dangerous workflow command usage
Octoscan-specific strengths:
- Repository jacking detection: Validates that external actions point to valid GitHub users/organizations
- Dangerous checkout detection: Identifies risky checkout patterns in privileged contexts
- Artifact security: Checks for dangerous artifact uploads and sensitive file exposure
- Debug capabilities: Includes specialized debug rules for OIDC, external triggers, and JS execution
- Dangerous write operations: Detects unsafe writes to `$GITHUB_OUTPUT` and `$GITHUB_ENV`
Zizmor-specific strengths:
- Comprehensive supply chain security: More extensive checks for unpinned images, stale references, impostor commits
- Advanced credential security: Includes artipacked detection, credential persistence, unredacted secrets, secret inheritance, and hardcoded container credentials
- Sophisticated workflow analysis: Detects ref confusion, cache poisoning, and dangerous triggers like `pull_request_target`
- Permission granularity: More detailed excessive permissions analysis
- Action lifecycle management: Checks for forbidden action uses (allowlist/denylist) and obfuscated code
- Advanced condition analysis: Detects unsound conditions and unsafe contains usage
- Publishing security: Includes trusted publishing recommendations
Recommendations:
- Use both tools together for maximum security coverage, as they complement each other well
- Octoscan excels at detecting immediate security vulnerabilities and dangerous patterns
- Zizmor provides deeper supply chain analysis and sophisticated attack vector detection
- Together they provide comprehensive coverage of GitHub Actions security risks
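As an added example (not code from this page or from any of the four tools), the expression-injection rule that all four tools share, together with the unsafe write of an untrusted value to `$GITHUB_OUTPUT`, implemented as a small Python check and run over a constructed workflow that shows a vulnerable step beside its hardened form; the untrusted-context list, the regexes and the sample workflow are assumptions of this example:

```python
import re

# Contexts an external contributor controls (issue/PR titles and bodies, comment
# text, head branch names). An illustrative subset assumed for this example, not
# the exact context list of actionlint, Poutine, Octoscan or Zizmor.
UNTRUSTED_CONTEXTS = (
    "github.event.issue.title", "github.event.issue.body",
    "github.event.pull_request.title", "github.event.pull_request.body",
    "github.event.pull_request.head.ref", "github.event.comment.body",
    "github.head_ref",
)
EXPR_RE = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")    # ${{ expression }}
RUN_RE = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")  # inline or block-scalar run:

# Constructed sample workflow: a vulnerable step beside its hardened form.
SAMPLE_WORKFLOW = """\
name: triage
on: [issues, pull_request_target]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - name: Vulnerable (expression expanded directly into the shell script)
        run: |
          echo "New issue: ${{ github.event.issue.title }}"
          echo "branch=${{ github.head_ref }}" >> "$GITHUB_OUTPUT"
      - name: Hardened (value passed through an environment variable)
        env:
          TITLE: ${{ github.event.issue.title }}
        run: echo "New issue: $TITLE"
"""

def find_expression_injections(workflow_text):
    """Return (line_no, expression) for untrusted expressions inside run: scripts."""
    findings, run_indent = [], None  # run_indent: column of the current run: key
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = RUN_RE.match(line)
        if m:  # a "- run:" list item puts the key two columns right of the dash
            run_indent = len(m.group(1)) + (2 if line.lstrip().startswith("- ") else 0)
            script = m.group(2)
        elif run_indent is not None and (not line.strip() or len(line) - len(line.lstrip()) > run_indent):
            script = line  # continuation line of a block-scalar script
        else:
            run_indent = None  # back to other YAML keys; env: values are not flagged
            continue
        for expr in EXPR_RE.findall(script):
            if any(ctx in expr for ctx in UNTRUSTED_CONTEXTS):
                findings.append((no, expr))
    return findings
```

The hardened step is not flagged because the runner substitutes the expression into the environment before the shell starts, so the value cannot break out of the script.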