checkov: Scan GitHub Actions Workflows
checkov -d . --framework github_actions scans your workflow files for hardcoded secrets, unpinned actions, and risky permissions using Checkov's built-in Actions policies.
Checkov is best known for IaC, but it ships a github_actions framework that audits workflows. This page covers just the Actions-scanning usage; for the broader checkov IaC scan and skip/soft-fail flags see the existing checkov modules.
What it does
checkov with --framework github_actions parses .github/workflows/*.yml and evaluates them against CKV_GHA_* policies: unpinned actions, use of secrets in run blocks, missing permissions, and self-hosted runner risks. It reports passed and failed checks.
Common usage
checkov -d . --framework github_actions
checkov -f .github/workflows/ci.yml --framework github_actions
checkov -d . --framework github_actions -o sarif
checkov -d . --framework github_actions --skip-check CKV_GHA_7Options
| Flag | What it does |
|---|---|
| --framework github_actions | Restrict scanning to the Actions framework |
| -d <dir> / -f <file> | Directory or single file to scan |
| -o <format> | Output format: cli, json, sarif, junitxml |
| --skip-check <id> | Skip a specific CKV_GHA_* check |
| --soft-fail | Report findings but exit 0 |
| --compact | Shorter output |
In CI
Run checkov with the github_actions framework in a security PR check and upload SARIF to code scanning. It overlaps with zizmor on unpinned-action findings; pick one as the gate and use the other for depth to avoid duplicate noise.
Common errors in CI
A failed check reads Check: CKV_GHA_7: "The build output cannot be affected by user parameters ..." with FAILED for resource: and a file:line. A nonzero exit fails the job unless --soft-fail. checkov: command not found means it is not installed (pip install checkov). See the checkov modules for skip-check and baseline details.