Automic VaultAutomic Vault

brew

Install ghalint with Homebrew, Nix

GitHub Actions linter. Version 1.5.6 via Homebrew; verified 2026-06-07.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install ghalint

local Homebrew formula metadata

Linux

Nixverified · 92%
nix profile install nixpkgs#ghalint

nixpkgs package indexes · pkgs/by-name/gh/ghalint/package.nix · source: api.github.com

overview

Package summary

GitHub Actions linter

Commands and aliases

  • ghalint

history

Project history and usage

ghalint is a Go command-line linter for GitHub Actions workflow files and action metadata. It turns a small set of CI security practices into repeatable checks that can fail a build before a workflow grants broad permissions, exposes secrets through environment variables, or depends on mutable third-party action references.

Project history

Shunsuke Suzuki published the first ghalint releases in January 2023. The README describes the tool as a linter for GitHub Actions security best practices, and its policy documents show the early focus: explicit job permissions, avoiding broad read-all or write-all permissions, limiting inherited secrets, and pinning actions to full-length commit SHAs.

The project later documented a port to the lintnet module ecosystem, connecting ghalint's original GitHub Actions rule set with a broader Jsonnet-powered linting framework. That migration path suggests the project became both a standalone binary and a policy corpus that could be reused by another linter.

Adoption history

ghalint is a niche security tool rather than a general CI parser. Its adoption path is package-manager friendly: the official install guide lists Homebrew, Scoop, aqua, mise, GitHub Releases, and `go install`, while Homebrew exposes it as a one-command formula. That distribution pattern fits teams that want a small CI hardening check without installing a larger platform.

How it is used

Practitioners run `ghalint run` from a repository root to inspect workflow files under `.github/workflows`, or `ghalint run-action` for `action.yaml` and `action.yml` files. A `ghalint.yaml` configuration file can disable selected policies for named workflows, jobs, or actions when a repository has an intentional exception.

Why package nerds care

For package maintainers, ghalint is notable because it packages CI supply-chain advice as a fast local executable. It complements tools such as actionlint by concentrating on security posture: minimum permissions, safe secret handling, pinned action references, and checkout credential handling.

Timeline

  • 2023: v0.1.0 was published on GitHub Releases.
  • 2023: Early policy docs covered job permissions, workflow secrets, inherited secrets, and immutable action references.
  • After 2023: The README documented a ghalint module for lintnet.

Related projects

  • lintnet reuses the ghalint policy domain in a general-purpose Jsonnet linter.
  • pinact is referenced by ghalint documentation as a helper for converting GitHub Actions tags to full-length commit SHAs.

security posture

Risk level: green

narrow executable package without higher-risk signals.

Risk classifier

green risk · low confidence · appliance

Why

  • narrow executable package without higher-risk signals

Signals

  • metadata:no-higher-risk-signals

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.
  • Build metadata lists 1 build dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

executables

Installed executables

CommandKindExposureNote
ghalintcliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version1.5.6
manager updated2026-06-07
local dataok
upstreamcurrent
latest detectedv1.5.6

https://github.com/suzuki-shunsuke/ghalint

  • okNo freshness warnings were generated.

install metadata

Package metadata

Package keybrew:ghalint
Version1.5.6
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/ghalint
Homepagehttps://github.com/suzuki-shunsuke/ghalint
Repositoryhttps://github.com/suzuki-shunsuke/ghalint
Upstream docshttps://github.com/suzuki-shunsuke/ghalint#readme
LicenseMIT
Source archivehttps://github.com/suzuki-shunsuke/ghalint/archive/refs/tags/v1.5.6.tar.gz
Last updated2026-06-07T13:07:14+09:00
Pulseupdated
Build dependenciesgo
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Nameghalint
Version Scheme0
Revision0
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Nix95%

ghalint

nix profile install nixpkgs#ghalint
  • normalized package name match
  • Matched by: Ghalint
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/gh/ghalint/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment