--path | -p | . | Path to the local repository or directory to scan. |
--file | -f | unset | Scan a single specific workflow file. Overrides --path. |
--git | -g | unset | GitHub repository to scan. Accepts owner/repo or a full URL. Triggers a git clone --depth 1 into a temp directory. |
--org | | unset | Scan every repository owned by a GitHub org or user, fetching workflows over the API (no cloning). Requires a token. --fail-on applies to the aggregate. See Scan an entire organization. |
--output | -o | console | Output format. One of console, json, or sarif (SARIF 2.1.0 for GitHub code scanning). |
--fail-on | -s | MEDIUM | Severity threshold for exit code 1. One of HIGH, MEDIUM, LOW, INFO, or NONE. See exit codes. |
--ruleset | -r | all | Which rules to apply. all includes best-practice checks; owasp keeps only CICD-SEC-*. |
--min-confidence | | LOW | Drop findings below this confidence: HIGH, MEDIUM, or LOW. Confidence is how sure the check is the finding is real (heuristic checks like typosquat matching or secret-name patterns are MEDIUM), orthogonal to severity (how bad it would be). The default keeps everything. |
--persona | | regular | Noise tier. regular runs the high-signal security checks; pedantic adds hygiene nits (missing timeouts, job-level continue-on-error); auditor adds everything, including checks that are informational on their own (self-hosted runner usage). |
--keep-temp | | false | When using -g, keep the temporary clone directory after the scan. Useful for inspecting what was scanned. |
--fix | | false | Attempt to automatically fix detected issues in place. See Auto-fix. Not supported with -g. |
--audit-pins | | false | Force the online supply-chain audits of pinned actions (known-vulnerable, impostor-commit, ref/version-mismatch, typosquat) even when no token is available, accepting GitHub’s 60-requests/hour anonymous limit. You rarely need this: the audits run automatically whenever a token is present. |
--offline | | false | Disable every network-backed audit — online pin audits and repository-settings checks — guaranteeing no API traffic. Only the git clone for -g targets remains. |