A 300-Line GitHub Actions Security Linter: Five Rules That Catch the CVE Patterns

A 300-Line GitHub Actions Security Linter: Five Rules That Catch the CVE Patterns A focused TypeScript CLI that finds the five .github/workflows/*.yml anti-patterns that account for most real-world Actions compromises — and only those. SARIF 2.1.0 output for GitHub code scanning. actionlint is excellent. If you want a comprehensive GitHub Actions validator — YAML schema, expression type-checking, embedded shellcheck — it is unambiguously the right answer. actionguard occupies a different niche.