Merge pull request #17 from apache/dfoulks/exceptions

Dfoulks/exceptions
tree: 9210ce3627a371fdbdfb84c78e788c9029955fc9
  .github/
  gha_scanner/
  tests/
  .asf.yaml
  .gitignore
  exceptions.yaml
  gha-workflow-scanner.example
  Pipfile
  Pipfile.lock
  pipservice-gha-workflow-scanner.service
  README.md
  scanner.py
README.md

ASF GitHub Actions Workflow Scanner

Setting up

pipenv install

REQUIRES: a Read-Only GitHub token

Copy the gha-workflow-scanner.example file to gha-workflow-scanner.yaml, then edit gha-workflow-scanner.yaml to fill in your values. Optionally, put these values in a different file and pass it to scanner.py with -c/--config.

Testing

This product uses pytest. Ensure that the checks still run after any modification, e.g.:

pytest tests/checks.py

This will test the configured checks.

Starting

pipenv run python3 ./scanner.py

Logging

The policy scanner logs to logs/gha_scanner.log by default.

Description

When started as a service, the scanner will check GitHub Actions Workflows for compliance with our policy checks. If a workflow in the scanned repository is found to be non-compliant, an email will be sent to the owning PMC and infrastructure.