Skip to content
Latchkey

checkov: Scan GitHub Actions Workflows

checkov -d . --framework github_actions scans your workflow files for hardcoded secrets, unpinned actions, and risky permissions using Checkov's built-in Actions policies.

Checkov is best known for IaC, but it ships a github_actions framework that audits workflows. This page covers just the Actions-scanning usage; for the broader checkov IaC scan and skip/soft-fail flags see the existing checkov modules.

What it does

checkov with --framework github_actions parses .github/workflows/*.yml and evaluates them against CKV_GHA_* policies: unpinned actions, use of secrets in run blocks, missing permissions, and self-hosted runner risks. It reports passed and failed checks.

Common usage

Terminal
checkov -d . --framework github_actions
checkov -f .github/workflows/ci.yml --framework github_actions
checkov -d . --framework github_actions -o sarif
checkov -d . --framework github_actions --skip-check CKV_GHA_7

Options

FlagWhat it does
--framework github_actionsRestrict scanning to the Actions framework
-d <dir> / -f <file>Directory or single file to scan
-o <format>Output format: cli, json, sarif, junitxml
--skip-check <id>Skip a specific CKV_GHA_* check
--soft-failReport findings but exit 0
--compactShorter output

In CI

Run checkov with the github_actions framework in a security PR check and upload SARIF to code scanning. It overlaps with zizmor on unpinned-action findings; pick one as the gate and use the other for depth to avoid duplicate noise.

Common errors in CI

A failed check reads Check: CKV_GHA_7: "The build output cannot be affected by user parameters ..." with FAILED for resource: and a file:line. A nonzero exit fails the job unless --soft-fail. checkov: command not found means it is not installed (pip install checkov). See the checkov modules for skip-check and baseline details.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →