Google Git
Sign in
apache/infrastructure-gha-workflow-scanner/refs/heads/sebbASF-patch-1
commit
8508f5d3de822be9cf6022abee6cd6748f26f003
[log]
author
Sebb <sebbASF@users.noreply.github.com>
Sat Jan 10 09:01:02 2026 +0000
committer
GitHub <noreply@github.com>
Sat Jan 10 09:01:02 2026 +0000
tree
5ca83f15dea02ee332c6c337a4198d0a5b0a79dc
parent
550729ae4ab852826fa24c22ff5dce0e4a904b15 [diff]
Reduce log noise
1 file changed
tree: 5ca83f15dea02ee332c6c337a4198d0a5b0a79dc
  1. gha_scanner/
  2. tests/
  3. .asf.yaml
  4. .gitignore
  5. gha-workflow-scanner.example
  6. Pipfile
  7. Pipfile.lock
  8. pipservice-gha-workflow-scanner.service
  9. README.md
  10. scanner.py
README.md

ASF GitHub Actions Workflow Scanner

Setting up

pipenv install

REQUIRES: a Read-Only GitHub token

Copy the gha-workflow-scanner.example file to gha-workflow-scanner.yaml Edit gha-workflow-scanner.yaml Optionally, use a different file with these values and pass it to scanner.py with -c/--config.

Testing

This product uses pytest. Ensure that checks run after modification. e.g.: pytest tests/checks.py

will test the configured checks.

Starting

pipenv run python3 ./scanner.py

Logging

The policy scanner logs to logs/gha_scanner.log by default.

Description

When started as a service, the scanner will check GitHub Actions Workflows for compliance with our policy checks. If a workflow in the scanned repository is found to be non-compliant, an email will be sent to the owning PMC and infrastructure.