Script Valley
CI/CD with GitHub Actions
Security and Best Practices, Lesson 6.4

How to scan workflows for security issues with actionlint

Topics: actionlint, static analysis for workflows, common workflow errors, expression syntax checking, shellcheck integration, CI integration for actionlint, fixing lint errors

What is actionlint?

Figure: actionlint static analysis pipeline

actionlint is a static analysis tool that checks GitHub Actions workflow files for errors and security issues before they reach production. It catches problems that the GitHub runtime only reveals at execution time.

What actionlint Detects

actionlint reports expression syntax errors (typos inside ${{ }}), shellcheck violations in run steps, missing required action inputs, references to undefined step IDs, invalid event names, and potential script injection patterns (untrusted event data such as an issue title interpolated directly into a run script).
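To make the last item concrete, here is an added example (not code from this lesson or from actionlint itself) of the kind of check a script-injection rule performs: it pulls every run: script out of a workflow, flags ${{ }} expressions that read attacker-influenced event data, and proposes the env: mapping that neutralises them. The untrusted-context list, the helper names and both sample workflows are constructed for this illustration, and the YAML handling is a deliberate simplification that covers inline and block-scalar run values only.

```python
import re

# Event contexts an outside contributor can control (PR/issue titles and
# bodies, branch names, commit messages). Assumption: this list is
# illustrative, based on GitHub's hardening guidance, not actionlint's rules.
UNTRUSTED_CONTEXTS = [
    r"github\.event\.issue\.(?:title|body)",
    r"github\.event\.pull_request\.(?:title|body)",
    r"github\.event\.pull_request\.head\.(?:ref|label)",
    r"github\.event\.comment\.body",
    r"github\.event\.review\.body",
    r"github\.event\.head_commit\.message",
    r"github\.event\.commits\[\d+\]\.message",
    r"github\.head_ref",
]
UNTRUSTED = re.compile("|".join(UNTRUSTED_CONTEXTS))
EXPRESSION = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
RUN_KEY = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")


def extract_run_scripts(workflow_text):
    """Return (line_number, script) for each run: step.

    Inline values and | / > block scalars are handled by indentation,
    which is enough for workflow files but is not a full YAML parser.
    """
    lines = workflow_text.splitlines()
    scripts, i = [], 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        key_indent = len(lines[i]) - len(lines[i].lstrip())
        if lines[i].lstrip().startswith("-"):
            key_indent += 2  # "- run:" places the key two columns further in
        value = m.group(2).strip()
        if value.startswith(("|", ">")):
            body, j = [], i + 1
            while j < len(lines):
                ln = lines[j]
                if ln.strip() and len(ln) - len(ln.lstrip()) <= key_indent:
                    break  # dedented line: the block scalar has ended
                body.append(ln.strip())
                j += 1
            scripts.append((i + 1, "\n".join(body).strip()))
            i = j
        else:
            scripts.append((i + 1, value))
            i += 1
    return scripts


def find_injection_risks(workflow_text):
    """Return (line_number, expression) for every untrusted-context
    expression interpolated directly into a run: script."""
    findings = []
    for line_no, script in extract_run_scripts(workflow_text):
        for expr in EXPRESSION.findall(script):
            if UNTRUSTED.search(expr):
                findings.append((line_no, expr))
    return findings


def env_var_name(expr):
    """Variable name to use when moving the expression into env:, so the
    shell receives the value as data rather than as script text."""
    return re.sub(r"[^A-Za-z0-9]+", "_", expr).strip("_").upper()


# Constructed sample: two run steps interpolate attacker-influenced data.
VULNERABLE_WORKFLOW = """\
name: Triage
on:
  pull_request_target:
    types: [opened]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - name: Echo title
        run: echo "New PR: ${{ github.event.pull_request.title }}"
      - name: Show refs
        run: |
          echo "Ref: ${{ github.head_ref }}"
          echo "Commit: ${{ github.sha }}"
"""

# Constructed sample: the same steps with the values passed through env:.
HARDENED_WORKFLOW = """\
name: Triage
on:
  pull_request_target:
    types: [opened]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - name: Echo title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "New PR: $PR_TITLE"
      - name: Show refs
        env:
          HEAD_REF: ${{ github.head_ref }}
        run: |
          echo "Ref: $HEAD_REF"
          echo "Commit: ${{ github.sha }}"
"""

if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        for line_no, expr in find_injection_risks(text):
            print(f"{name}: line {line_no}: {expr} is interpolated into a run: "
                  f"script; pass it via env: {env_var_name(expr)} instead")
```

Running the file reports two findings for the vulnerable workflow (lines 10 and 12) and none for the hardened one; github.sha is left alone because it is not contributor-controlled. Passing the value through env: is the fix because the runner exports the variable before the shell starts, so "$PR_TITLE" is expanded as quoted data, whereas a ${{ }} expression is substituted into the script text before bash ever parses it.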

Running actionlint in CI

name: Lint Workflows

on:
  push:
    paths:
      - '.github/workflows/**'   # run only when a workflow file changes

jobs:
  actionlint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # the workflow files must be in the workspace to be linted

      - name: Run actionlint
        uses: rhysd/actionlint@v1
        with:
          ignore: 'SC2086'   # optional: ignore specific shellcheck rules

Because of the paths filter, this workflow runs only when a file under .github/workflows changes. The rhysd/actionlint action installs the actionlint binary and shellcheck automatically. Run actionlint locally during development as well: brew install actionlint on macOS, or download the binary from the project's GitHub releases page.
